picoCTF 2018 assembly-3 Reversing

Description

What does asm3(0xb3fb1998,0xfe1a474d,0xd5373fd4) return?
Submit the flag as a hexadecimal value (starting with '0x').

NOTE: Your submission for this question will NOT be in the normal flag format.
Source located in the directory at /problems/assembly-3_0_64e940c92852f106e798ceac9b22aa25.

end_asm_rev.S:

.intel_syntax noprefix
.bits 32

.global asm3

asm3:
    push    ebp
    mov     ebp,esp
    mov eax,0x62
    xor al,al
    mov ah,BYTE PTR [ebp+0xa]
    sal ax,0x10
    sub al,BYTE PTR [ebp+0xd]
    add ah,BYTE PTR [ebp+0xe]
    xor ax,WORD PTR [ebp+0x10]
    mov esp, ebp
    pop ebp
    ret

Writeup

from pwn import *

context.arch = 'i386'

asm3 = '''
asm3:
    push    ebp
    mov     ebp,esp
    mov eax,0x62
    xor al,al
    mov ah,BYTE PTR [ebp+0xa]
    sal ax,0x10
    sub al,BYTE PTR [ebp+0xd]
    add ah,BYTE PTR [ebp+0xe]
    xor ax,WORD PTR [ebp+0x10]
    mov esp, ebp
    pop ebp
    ret
'''

s = ''
# asm3(0xb3fb1998,0xfe1a474d,0xd5373fd4)
s += shellcraft.push(0xd5373fd4)
s += shellcraft.push(0xfe1a474d)
s += shellcraft.push(0xb3fb1998)
s += 'call asm3\n'
# write result
s += shellcraft.push('eax')
s += shellcraft.write(1, 'esp', 4)
# exit
s += shellcraft.exit()
# asm3
s += asm3

p = run_assembly(s)
print hex(u32(p.recvall()))

# python a.py
[*] '/tmp/pwn-asm-OhUG0g/step3'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x10000000)
    RWX:      Has RWX segments
[+] Starting local process '/tmp/pwn-asm-OhUG0g/step3': pid 76154
[+] Receiving all data: Done (4B)
[*] Process '/tmp/pwn-asm-OhUG0g/step3' stopped with exit code 0 (pid 76154)
0x256d

al : 제일 오른쪽의 1바이트

ah : 제일 오른쪽에서 2번째에 있는 1바이트

BYTE PTR [ebp+?]: 해당 스택에서 1바이트만 가져옴

sub: 빼기