picoCTF Solutions
PathPart of the Reverse Engineering path · Step 2 of 5: Reading x86 Assembly
picoGym ExclusiveReverse EngineeringMedium

Bit-O-Asm-2

Published: March 5, 2024

Description

Follow the memory references in the second disassembly dump to recover the value moved into EAX, then convert it from hexadecimal to decimal.

Setup

Assembly readingDownload disassembler-dump0_b.txt

Fetch the dump and inspect the MOV that assigns DWORD PTR [rbp-0x4] to EAX.

wget https://artifacts.picoctf.net/c/510/disassembler-dump0_b.txt
cat disassembler-dump0_b.txt

Solution

  1. Step 1Resolve the stored constant
    The dump shows 0x9fe1a being written to [rbp-0x4], and that value is later moved into EAX.
    Learn more

    This challenge introduces stack-based local variables. Rather than placing a constant directly into EAX, the compiler first stores the value in a stack slot ([rbp-0x4]) and then loads it back into the register. This pattern is extremely common when the compiler preserves intermediate values across function calls or when the source variable has its address taken.

    RBP is the base pointer register, which typically points to the base of the current stack frame. Negative offsets from RBP (like rbp-0x4) address local variables. DWORD PTR indicates a 4-byte (32-bit) memory access, consistent with writing to a 32-bit variable. Tracing the data flow - from the immediate literal through the stack slot and back into EAX - is the key skill in this step.

    In real reverse engineering, following these data-flow chains is called value tracking or taint analysis. Automated tools (like the taint tracking in Ghidra's decompiler or tools like DynamoRIO) do this programmatically, but manual tracing is essential for understanding what the tools produce and for analyzing obfuscated code where automation struggles.

  2. Step 2Convert 0x9fe1a to decimal
    Translate 0x9fe1a into decimal (654874) using printf or python, then format the flag as picoCTF{...}.
    printf "picoCTF{...}\n" 0x9fe1a
    Learn more

    Converting a multi-digit hex number to decimal requires summing each digit's value multiplied by the appropriate power of 16. For 0x9fe1a: 9×16&sup4; + 15×16³ + 14×16² + 1×16 + 10 = 654874. In practice, no one does this by hand - you reach for printf, Python, or a calculator.

    The printf "%d" 0x9fe1a command works because bash's printf inherits C's integer-literal conventions: the 0x prefix signals a hexadecimal value. Python's built-in int() function similarly accepts a base argument: int("9fe1a", 16) gives the same result. Both are standard tools to keep in muscle memory.

    The broader skill here is recognizing that hex and decimal are representations, not different numbers. The CPU stores a single bit pattern; how humans write it is a matter of convention. Whenever you see a constant in a disassembly listing, ask yourself: is this a count? A character code? An address offset? A bitmask? The representation choice often hints at the intent.

Flag

picoCTF{...}

Each Bit-O-Asm stage reinforces reading registers and stack slots straight from the disassembly.

Want more picoGym Exclusive writeups?

Browse picoGym ExclusiveFull library

Useful tools for Reverse Engineering

Related reading

Do these first

What to try next