picoCTF Solutions
PathPart of the Reverse Engineering path · Step 2 of 5: Reading x86 Assembly
picoGym ExclusiveReverse EngineeringMedium

Bit-O-Asm-3

Published: March 5, 2024

Description

Trace the arithmetic in the third disassembly file: move 0x9fe1a into EAX, multiply by 4, and add 0x1f5. Convert the final value into decimal.

Setup

Assembly readingDownload disassembler-dump0_c.txt

Open the dump and focus on the MOV/IMUL/ADD sequence in main.

wget https://artifacts.picoctf.net/c/530/disassembler-dump0_c.txt
cat disassembler-dump0_c.txt

Solution

  1. Step 1Translate each constant
    EAX first becomes 0x9fe1a, then is multiplied by 0x4, and finally 0x1f5 is added. Perform the arithmetic exactly as shown.
    Learn more

    This step introduces multi-instruction arithmetic tracing. Compilers routinely decompose high-level expressions like result = x * 4 + 501 into a sequence of assembly instructions, each modifying the same register. Reading the dump requires treating the register as an accumulator that changes with every instruction and tracking its value through the entire sequence.

    IMUL (Integer Multiply) multiplies the register by an immediate value and stores the product back in the same register. ADD adds an immediate value to the register. Both instructions modify EAX in place, so the order matters: multiply first, then add - not the other way around.

    This pattern mirrors the way compilers implement array indexing and struct field access. For instance, accessing array[i] where each element is 4 bytes compiles to something like mov eax, i; imul eax, 4; add eax, base_address. Recognizing these idioms lets you reconstruct the original high-level logic from the raw assembly, which is the core skill of reverse engineering.

  2. Step 2Output the decimal flag
    Compute (0x9fe1a * 4) + 0x1f5 = 2,619,997. Wrap picoCTF{...}.
    python3 - <<'PY'
print((0x9fe1a * 4) + 0x1f5)
PY
    Learn more

    Python is an excellent calculator for this kind of arithmetic because it understands hex literals natively. Writing 0x9fe1a * 4 + 0x1f5 directly in Python gives the correct result without any manual conversion - you work in the same notation as the assembly listing.

    The here-document syntax (<<'PY' ... PY) passes a multi-line script to Python from the command line without needing a temporary file. This is a useful shell technique for quick computations in CTF work and scripting generally. Alternatively, python3 -c "print((0x9fe1a * 4) + 0x1f5)" achieves the same result on one line.

    Choosing the right tool for arithmetic conversions matters when time is limited in a CTF. Python handles arbitrarily large integers, understands hex and binary literals, and is available on virtually every Linux system - making it the default choice for quick calculations in competitive security contexts.

Flag

picoCTF{...}

The dump intentionally includes unused instructions; only the highlighted arithmetic matters for the flag.

Want more picoGym Exclusive writeups?

Browse picoGym ExclusiveFull library

Useful tools for Reverse Engineering

Related reading

Do these first

What to try next