Bit-O-Asm-1

Published: March 5, 2024

Description

Inspect the provided assembly dump and report the value placed into EAX. Convert the hexadecimal literal into decimal before wrapping it in picoCTF{...}.

Grab the assembly dump and open it in your editor.

Locate the MOV that writes a constant into EAX.

wget https://artifacts.picoctf.net/c/509/disassembler-dump0_a.txt
cat disassembler-dump0_a.txt

Solution

  1. Step 1: Find the immediate value
    The dump shows mov eax, 0x30, so the register ends with hexadecimal 0x30 at function exit.

    x86 assembly is the human-readable representation of the machine code that runs on Intel and AMD processors. Instructions take the form mnemonic destination, source. The MOV instruction simply copies a value from the source into the destination - it is arguably the most common instruction in any program.

    EAX is a 32-bit general-purpose register. In the standard x86 calling conventions, EAX holds a function's integer return value when it exits. So when a function ends with mov eax, 0x30 and then ret, the caller receives the value 0x30. Reading register assignments near a function's epilogue is the fastest way to determine what a function returns without running it.

    Being able to read disassembly without running a binary is called static analysis. It is safer than dynamic analysis (actually executing the binary) because it eliminates any risk of triggering malicious behavior, and it works on any architecture even without the original hardware. Tools like objdump, Ghidra, IDA Pro, and Binary Ninja all present disassembly in this form.

  2. Step 2: Convert to decimal
    Translate 0x30 to decimal (48) via printf, python, or any converter, then format picoCTF{...}.
    printf "picoCTF{%d}\n" 0x30

    Hexadecimal (base 16) and decimal (base 10) are two different ways of expressing the same number. Processors and disassemblers use hex because each hex digit represents exactly four binary bits, making the relationship between hex and raw binary very clean. Humans often prefer decimal for the final answer because it is more intuitive.

    The printf utility in bash supports the %d format specifier, which interprets its argument as an integer and prints it in decimal - it even understands the 0x prefix to indicate hexadecimal input. Python's int(0x30) or int("0x30", 16) accomplish the same thing. The key insight is that 0x30 == 48; both refer to the same value stored in the register.

    Fluent base conversion is one of the most basic skills in reverse engineering and exploitation. You will encounter hex constantly: memory addresses, byte values, bitmasks, offsets. Practicing conversion until it feels natural - and knowing which tools (printf, python, bc, CyberChef) are quickest in a given situation - pays off across every area of security.
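Both steps can be scripted. The following is an added example, not part of the original writeup: it scans a GDB-style listing for the constant MOV that sets EAX before ret and returns the value as an integer. The sample dump is constructed for illustration, and the function and constant names are hypothetical.

```python
import re

# Constructed sample in GDB "disassemble" layout (Intel syntax); not the challenge file.
SAMPLE_DUMP = """\
<+0>:     endbr64
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x4],edi
<+11>:    mov    QWORD PTR [rbp-0x10],rsi
<+15>:    mov    eax,0x30
<+20>:    pop    rbp
<+21>:    ret
"""

LINE_RE = re.compile(r"<\+(\d+)>:\s+(\w+)\s*(.*)$")   # "<+offset>: mnemonic operands"
IMM_RE = re.compile(r"^-?(0x[0-9a-fA-F]+|\d+)$")      # hex or decimal immediate
EAX_ALIASES = {"rax", "eax", "ax", "ah", "al"}        # registers overlapping EAX


def eax_immediate_at_return(dump):
    """Return (offset, value) of the constant MOV that sets EAX before `ret`.

    Returns None when the last instruction touching EAX is not `mov eax, <imm>`,
    since the value then cannot be read straight off the listing.
    """
    last = None
    for line in dump.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        offset, mnemonic, operands = int(m.group(1)), m.group(2).lower(), m.group(3)
        if mnemonic == "ret":
            return last
        if mnemonic == "call":          # callee may leave anything in EAX
            last = None
            continue
        dst, _, src = operands.partition(",")
        dst, src = dst.strip().lower(), src.strip()
        if dst not in EAX_ALIASES:      # e.g. "DWORD PTR [rbp-0x4]" is a memory store
            continue
        if mnemonic == "mov" and dst == "eax" and IMM_RE.match(src):
            last = (offset, int(src, 16 if "0x" in src.lower() else 10))
        else:                           # conservative: treat as a possible overwrite
            last = None
    return last


if __name__ == "__main__":
    offset, value = eax_immediate_at_return(SAMPLE_DUMP)
    print(f"<+{offset}>: EAX = {hex(value)} = {value}")
```

The None result matters for later dumps in the series, where EAX is modified by arithmetic after the MOV and a single-line read would give the wrong value.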

Flag

picoCTF{...}

Every challenge in the Bit-O-Asm series hides the answer in a MOV or arithmetic instruction. Reading the dump carefully is all you need.
