ARMssembly 2

Description

Solution

1. Step 1Trace the loop logic
   Open chall_2.S. The assembly implements a loop that runs N times (where N is the input argument) and adds 3 on each iteration, accumulating a result starting from 0. This is equivalent to multiplying the input by 3.
   cat chall_2.SCopied!
   Learn more

   The loop pattern in ARM assembly looks like: initialize a counter and accumulator, compare counter to zero, add the constant, decrement the counter, and branch back if not zero. Recognizing this as simple repeated addition lets you replace the loop with a single multiplication.

   Working registers on AArch64 are 64 bits wide, but when the result is stored in a w register (32-bit), it is automatically truncated to the lower 32 bits -- equivalent to % (2^32). This is important: the mathematical result of 2403814618 * 3 exceeds 2^32 and must be masked.

2. Step 2Compute the result with 32-bit truncation
   Multiply the input by 3 and take the lower 32 bits. The full result is 7211443854, which truncated to 32 bits gives 0xadd5e68e.
   python3 -c "print(hex((2403814618 * 3) & 0xffffffff))"Copied!
   Learn more

   & 0xffffffff masks to the lower 32 bits, simulating 32-bit integer overflow. In Python, integers are arbitrarily large by default -- you must explicitly apply the mask to match the behavior of C uint32_t or ARM w register arithmetic.

   7211443854 in binary is 0x1ADD5E68E. The leading 1 is bit 32 and gets discarded, leaving 0xADD5E68E -- which in lowercase hex is add5e68e.

Flag

picoCTF{...}

The loop accumulates additions -- multiply input by 3 then mask to 32 bits for the wrapped result.