Bit-O-Asm-1 picoGym Exclusive Solution

Published: March 5, 2024

Description

Inspect the provided assembly dump and report the value placed into EAX. Convert the hexadecimal literal into decimal before wrapping it in picoCTF{...}.

Grab the assembly dump and open it in your editor.

Locate the MOV that writes a constant into EAX.

bash
wget https://artifacts.picoctf.net/c/509/disassembler-dump0_a.txt
bash
cat disassembler-dump0_a.txt

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Find the immediate value
    Observation
    I noticed the challenge asks for the value placed into EAX, which suggested scanning the disassembly dump for a MOV instruction writing a constant into that register near the function epilogue.
    The dump shows mov eax, 0x30, so the register ends with hexadecimal 0x30 at function exit.
    Learn more

    x86 assembly is the human-readable representation of the machine code that runs on Intel and AMD processors. Instructions take the form mnemonic destination, source. The MOV instruction simply copies a value from the source into the destination - it is arguably the most common instruction in any program.

    EAX is a 32-bit general-purpose register. In the x86 calling convention, EAX holds a function's return value when it exits. So when a function ends with mov eax, 0x30 and then ret, the caller receives the value 0x30. Reading register assignments near a function's epilogue is the fastest way to determine what a function returns without running it.

    Being able to read disassembly without running a binary is called static analysis. It is safer than dynamic analysis (actually executing the binary) because it eliminates any risk of triggering malicious behavior, and it works on any architecture even without the original hardware. Tools like objdump, Ghidra, IDA Pro, and Binary Ninja all present disassembly in this form.

  2. Step 2
    Convert to decimal
    Observation
    I noticed the dump contained the hex literal 0x30 and the flag format requires a decimal integer, which suggested converting 0x30 to its decimal equivalent (48) using printf or Python before wrapping it in picoCTF{}.
    Translate 0x30 to decimal (48) via printf, python, or any converter, then format picoCTF{...}.
    bash
    printf "picoCTF{%d}\n" 0x30

    Expected output

    picoCTF{48}
    What didn't work first

    Tried: Wrapping the raw hex value directly as picoCTF{0x30} without converting to decimal.

    The challenge explicitly asks for the decimal representation of the register value. Submitting picoCTF{0x30} fails because the flag checker expects picoCTF{48}. The printf command with %d handles the conversion in one step, printing the decimal integer that corresponds to 0x30.

    Tried: Using python -c "print(0x30)" and accidentally reading the output as the full flag without the picoCTF{} wrapper.

    Python correctly prints 48, but the flag format requires it wrapped as picoCTF{48}. Submitting just 48 or the raw output without the wrapper is rejected. The printf one-liner builds the wrapper into the format string automatically, reducing the chance of this mistake.

    Learn more

    Hexadecimal (base 16) and decimal (base 10) are two different ways of expressing the same number. Processors and disassemblers use hex because each hex digit represents exactly four binary bits, making the relationship between hex and raw binary very clean. Humans often prefer decimal for the final answer because it is more intuitive.

    The printf utility in bash supports the %d format specifier, which interprets its argument as an integer and prints it in decimal - it even understands the 0x prefix to indicate hexadecimal input. Python's int(0x30) or int("0x30", 16) accomplish the same thing. The key insight is that 0x30 == 48; both refer to the same value stored in the register.

    Fluent base conversion is one of the most basic skills in reverse engineering and exploitation. You will encounter hex constantly: memory addresses, byte values, bitmasks, offsets. Practicing conversion until it feels natural - and knowing which tools (printf, python, bc, CyberChef) are quickest in a given situation - pays off across every area of security.

Interactive tools
  • Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • Number Base ConverterConvert numbers between binary, octal, decimal, and hexadecimal instantly. Enter any value and see all four bases update in real time.

Flag

Reveal flag

picoCTF{...}

Every challenge in the Bit-O-Asm series hides the answer in a MOV/arith instruction-reading the dump carefully is all you need.

Key takeaway

Reading x86 assembly is the foundation of both reverse engineering and binary exploitation. The MOV instruction and register conventions (EAX for return values, ESP/EBP for the stack frame) are universal across compiled C and C++ programs on x86 platforms, so understanding them transfers directly to malware analysis, license bypass, and vulnerability research. Static analysis of a disassembly dump lets you determine program behavior without executing potentially hostile code, making it the safe first step in any binary analysis workflow.

Related reading

Want more picoGym Exclusive writeups?

Useful tools for Reverse Engineering

Do these first

What to try next