Description
What integer does this ARM assembly program return when given arguments 182476535 and 3742084308? Flag format: picoCTF{XXXXXXXX} -- 8 lowercase hex characters representing a 32-bit value.
Setup
Download chall.S.
Solution
- Step 1Read and understand the assemblyOpen chall.S. The function receives two 32-bit arguments (passed in registers w0 and w1 on AArch64). It compares them with cmp and returns the larger of the two -- a max(a, b) function. With arguments 182476535 and 3742084308, it returns 3742084308.cat chall.S
Learn more
AArch64 ARM (64-bit ARM) passes the first four integer arguments in registers
x0–x3. Thew-prefixed registers (w0, w1) are the lower 32 bits of the correspondingxregisters. The assembly usescmpto set flags, then a conditional branch to pick the larger value and store it inw0(the return value register). - Step 2Convert the result to 8-digit hex3742084308 in hexadecimal is 0xdf0bacd4. The flag format requires 8 lowercase hex characters representing the 32-bit result.python3 -c "print(hex(3742084308))"# Optionally run with QEMU to verify:aarch64-linux-gnu-gcc -static -o chall chall.Sqemu-aarch64-static ./chall 182476535 3742084308
Learn more
QEMU (Quick Emulator) can emulate AArch64 binaries on an x86 host with
qemu-aarch64-static. Combined with theaarch64-linux-gnu-gcccross-compiler, you can assemble and run ARM code without physical ARM hardware. This is the standard approach for ARM CTF challenges on a typical Linux CTF workstation.Alternatively, tracing the logic manually:
cmp w0, w1sets flags; a conditional move or branch returns the larger. Since 3742084308 > 182476535, the function returns 3742084308, which is0xdf0bacd4in 32-bit hex.
Flag
picoCTF{...}
The assembly compares two 32-bit values and returns the larger -- 3742084308 > 182476535, giving 0xdf0bacd4.