ASCII FTW

Published: March 5, 2024

Description

The asciiftw binary constructs the flag byte-by-byte using movb instructions. Extract those literals from the disassembly and convert them from hex to ASCII.


Download the PIE binary, mark it executable, and run objdump -d to disassemble main.

Filter for movb instructions; each one contains the next byte of the flag.

wget https://artifacts.picoctf.net/c/508/asciiftw
chmod +x asciiftw
objdump -d asciiftw | grep movb

Solution

  1. Step 1: Collect the bytes
    Pipe objdump's output through grep and tr to isolate the immediate operand passed to movb. Concatenate them into a single hex string.
    objdump -d asciiftw | grep movb | grep -oE '0x[0-9a-f]+,' | tr -d ',\n'
    Learn more

    objdump is a command-line utility that displays information about object files and executables. The -d flag disassembles executable sections, converting the raw machine-code bytes back into human-readable assembly mnemonics. This is one of the most fundamental tools in binary reverse engineering.

    The movb instruction (move byte) copies a single 8-bit value into a memory location or register. When a program constructs a string or flag at runtime by writing one character at a time, each character appears as an immediate operand - a literal hex value embedded directly in the instruction. Filtering the disassembly for movb lines reveals every byte the program is about to write.

    The pipeline here combines several Unix tools: grep -oE extracts only the matching portion of each line using a regex, and tr -d deletes unwanted characters (commas and newlines) to produce a clean hex stream. This kind of shell pipeline - chaining small, focused tools - is a core skill in CTF forensics and everyday systems work.

  2. Step 2: Convert from hex
    Send the aggregated hex into xxd -r -p to turn it back into ASCII text.
    objdump -d asciiftw | grep movb | grep -oE '0x[0-9a-f]+,' | xxd -r -p
    Learn more

    xxd is a hex dump utility that can both produce and consume hexadecimal representations of binary data. When run with -r (reverse) and -p (plain hex without formatting), it reads a stream of hex digits and outputs the corresponding raw bytes - effectively decoding hex back into ASCII text.

    The reason this works is that every printable ASCII character has a well-defined hex equivalent (for example, 'A' is 0x41, and 'p' is 0x70). The movb immediates are just these values stored directly in the binary. By collecting and decoding them in order, you reconstruct the string the program would have placed in memory at runtime.

    This technique generalizes broadly: any binary that builds a sensitive string (key, flag, password) byte-by-byte through immediate stores is vulnerable to static extraction via disassembly. Real-world malware analysts use the same method to extract hardcoded C2 domains or decryption keys from obfuscated samples.
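The same extraction as a small parser, added here as an example (it is not part of the original writeup or the challenge). It goes one step beyond the shell pipeline: it reads only the chosen function and orders bytes by their destination offset, so stores emitted out of order still decode correctly. The sample disassembly is constructed, and the rbp-relative operand form is an assumption about unoptimized compiler output.

```python
import re

# Constructed `objdump -d` excerpt in AT&T syntax (not from asciiftw).
# Stores in <main> are deliberately out of order, and <helper> holds an
# unrelated movb that must not leak into the result.
SAMPLE_DISASM = """
0000000000001139 <helper>:
    1139: c6 45 ff 58           movb   $0x58,-0x1(%rbp)

000000000000113e <main>:
    113f: 48 89 e5              mov    %rsp,%rbp
    1142: c6 45 f1 65           movb   $0x65,-0xf(%rbp)
    1146: c6 45 f0 64           movb   $0x64,-0x10(%rbp)
    114a: c6 45 f2 6d           movb   $0x6d,-0xe(%rbp)
    114e: c6 45 f3 6f           movb   $0x6f,-0xd(%rbp)
    1152: c6 45 f4 7b           movb   $0x7b,-0xc(%rbp)
    1156: c6 45 f6 6b           movb   $0x6b,-0xa(%rbp)
    115a: c6 45 f5 6f           movb   $0x6f,-0xb(%rbp)
    115e: c6 45 f7 7d           movb   $0x7d,-0x9(%rbp)
    1162: c6 45 f8 00           movb   $0x0,-0x8(%rbp)
    1166: c3                    ret
"""

LABEL = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
# Assumed operand form: movb $imm8,disp(%rbp)
MOVB = re.compile(r"\bmovb\s+\$0x([0-9a-f]{1,2}),(-?0x[0-9a-f]+)\(%rbp\)")

def movb_stores(disasm, function="main"):
    """Map rbp-relative offset -> byte for each movb immediate in one function."""
    stores, current = {}, None
    for line in disasm.splitlines():
        label = LABEL.match(line.strip())
        if label:
            current = label.group(1)  # entering a new function body
            continue
        hit = MOVB.search(line) if current == function else None
        if hit:
            stores[int(hit.group(2), 16)] = int(hit.group(1), 16)
    return stores

def recover_string(disasm, function="main"):
    """Rebuild the string in memory order, stopping at the NUL terminator."""
    out = bytearray()
    for _, byte in sorted(movb_stores(disasm, function).items()):
        if byte == 0:
            break
        out.append(byte)
    return out.decode("ascii", errors="replace")
```

To run it against a real binary, pass the text output of objdump -d to recover_string instead of SAMPLE_DISASM.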

Flag

picoCTF{ASCII_IS_EASY_8960...}

Any pipeline that extracts the movb immediates and feeds them into a hex→ASCII converter produces the same flag.
