Hello, everyone. My name is John Hammond and welcome back to some more picoCTF tutorials and videos. I know I've been away from this for a little bit, so I'm happy to jump back in. Hopefully I can keep this momentum going.

This challenge is called Programmers Assemble. It is the next challenge in the Reverse Engineering category, a level 2, 75-point challenge. From here: we found a text file with some really low-level code. Some value at the beginning has been X'd out. Can you figure out what that value should have been to make the main return value 0x1? So just one, as hexadecimal. Submit the answer as a hexadecimal number with no extra leading zeros, blah blah blah. The hints here: all the commands can be found here along with what they do, and it may be useful to be able to run the code with test values.

All right, so this is a Wikipedia page for the assembly language. We can go ahead and wget this file. I'm just going to copy the URL. I've got a folder set up for it, so let's wget it here, and then we should be able to open up this Assembly.s file, and we do have some code written in assembly.

So you may have heard me discuss a little bit before: we have two different flavors of syntax in how the language really looks in assembly. We have the Intel syntax and the AT&T syntax. This is AT&T syntax, in that it has dollar signs representing constants and percent signs before registers. You can see that just here: dollar signs, dollar signs, and percent signs for our registers. eax, ebx, and ecx are registers that we can use for a 32-bit system, and we can look through this a little bit more. We've got that reference available to us, and we'll totally take a look at that for some of the specific instructions. Does it actually cover some of these instructions? Scrolling through it, not that much. Okay, whatever.
We'll Google around as we need to. So let's take a look at this right here. I am going to split the screen so I can talk about some of these instructions as we work through it.

.global main. This is just trying to define a section, and main is just where we're going to start. The assembly code runs in a procedural manner, procedural fashion, so that means top to bottom, etc., until we get to certain labels, which are these notions here of a name followed by a colon. A label can represent a certain kind of subroutine or a certain process, just given that indicator here. It's essentially a spaghetti-code reference, in that we can jump to a specific label, as you can see right here in this jump instruction.

And let's get to it. So the main label, where we will start, starts by setting the eax register to some value, and we don't know what; whatever, we'll just note that by question marks. Ebx... I'm not actually writing code here, keep in mind; I'm just taking notes so we can kind of reverse engineer it line by line. Ebx is set to zero, and remember, this reads kind of backwards because it is AT&T syntax; that's the direction of the operands here. So Intel is a little bit nicer to read because it's what we're used to, kind of left to right, declaring variables like that. But since this is AT&T we'll work backwards and understand it. So ecx, the next register, is set to 0x4, so four in hexadecimal, and then we continue, we move on to this next loop. We aren't entering that or anything specific.
We're still going in a procedural fashion, but since it has a label we can get to different positions in the code based off things like jump. Same thing with JZ, this instruction here, because what this command does, or what this instruction does, is it's testing eax with eax, and that essentially just tests: is eax equal to zero? So test if eax is equal to zero, and what JZ does is it will jump if that condition is not met to fin. Or maybe, actually, is that... let's go ahead and check. The beauty of this is that we can research, we can Google. So they give an example here: the JZ instruction is a conditional jump that follows a test. It's commonly used to explicitly test for something being equal to zero, whereas JE is commonly found after a CMP instruction, or compare. So we've got an example here, very very similar to what we're looking at, where it's testing eax and eax. Test if eax is equal to zero, and if that condition is met it will jump to a location, and in our case it is jumping to fin.
So testing if eax is equal to zero, jump to fin, or finish in our case, the very very end. But in this case we're going to assume that eax is not set to zero, so we would continue on; we would not take this jump and we just continue on line by line in that procedural form. So what we do is we add ecx and ebx, and ebx is going to have that ecx value added to it. So that means that ecx will be... or ebx, sorry, will be plus-equal four, because we know that ecx is the value of four and ebx is just going to add that value to it again, kind of reading backwards because of that AT&T syntax. Now that dec instruction will decrement eax, so that means that value will subtract one, and we'll continue. We will jump to the loop, as in we'll go back up to loop, so we'll do this over and over and over again, adding four to ebx and decreasing eax slowly, slowly, slowly until eax equals zero, and once it does it'll go to the finish right down here at this label.

Now this will go ahead and determine, with that compare instruction as we saw here in the reference (don't know why I lost connection there; okay, it's back), used to perform a comparison. So we can compare one and the other, and if they are not zero, or if that condition is met where they are the same, it will jump if equal to good. So good is another label over here. Otherwise, it will set, move zero... yeah, yeah. So: finish, if ebx is equal to this value in hex, sorry, jump to good, else eax equals zero and jump to end, which will just end the program with a return statement. So we want, as the challenge prompt suggested, our eax to actually end up with this one as its value. So that means we want eventually our ebx to equal this value. So the way that ebx actually changes is because of this loop, right? So what can we do to make this happen?
Well, let's look at what this loop is doing. It's adding four to the value of ebx over and over and over again, dependent on the value of eax. So you hear me saying that, like that is trying to say addition multiple times, over and over again, and what does that sound like? That sounds like multiplication. So what that means is we've got something multiplied by four to equal what we want, this value in hex. So to figure out what this value is, we can do some simple algebra and just divide four out of that.

Great, so let's figure out what that is. I'm gonna fire up IDLE here, take this value in hex, go ahead and divide it by four, and we have 3882. These numbers may be different from your side because, again, picoCTF does random challenge generation, but I think the logic is still the same. So the numbers may be different, but hopefully you still understand what we're doing here, and all we are doing is that simple division to figure out that original value of eax. So let's go ahead and convert that to hex, and I've got 0xF2A. I'll go ahead and submit that, see what we've got. Done at the very bottom, and we solved it. Awesome, 75 points and we're moving up on the scoreboard. Cool.

I hope that made sense. I hope that was a little bit interesting to walk through and learn. It's just assembly. I say "just assembly" with significant disclaimer because I am not by any means good at reverse engineering, especially in large amounts. This is a nice small dosage where I could piece it together, but reverse engineering a whole binary is kind of hard for me because it's just very overwhelming. So I've got to get better at that, but that is what it takes to solve the Programmers Assemble challenge. I hope you guys enjoyed that. Please do feel free to Google, research, look things up, especially if you just don't know what an instruction will do, or see what other oddities and idiosyncrasies they have, because, like the JZ thing that sets the zero flag, etc., etc.
There's a lot more to read about and learn, but these are all good resources online if you're just willing to Google.

Quick shout-out to the people that support me on Patreon. Thank you guys so much; I cannot say it enough. One dollar a month or more on Patreon, I'll give you a special shout-out just like this at the end of every video. Five dollars or more on Patreon, I'll give you a special early-access folder where you can see all the videos that are released on YouTube before they go live, because I normally record in bulk and then let them upload gradually day by day. That way, if you don't want to wait, that's the best way to do it. Please, if you did like this video, please do like, comment, and subscribe. Join our Discord server, link in the description. It's an awesome community full of CTF players, programmers, and hackers. If you want to hang out with me and other cool people, that's the best way to do it. I'd love to see you guys on Patreon. Thank you, thank you, and I'd love to see you in the next video. Thanks.
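As an added example that is not part of the transcript above (and not John Hammond's or picoCTF's code): a small Python emulator for the handful of AT&T-syntax instructions the challenge uses, which is what the hint about running the code with test values amounts to, plus the division shortcut the walkthrough uses. The listing below is reconstructed from the walkthrough's description of Assembly.s, not copied from the challenge file; the cmpl constant 0x3ca8 is an assumption (4 * 0xf2a, the answer the video arrives at), and a freshly generated challenge will have a different constant.

```python
MASK = 0xFFFFFFFF  # 32-bit registers wrap, as on the real hardware

# Constructed listing: reconstructed from the walkthrough's description of
# Assembly.s, not the challenge file itself. The cmpl constant 0x3ca8 is an
# assumption (4 * 0xf2a, the answer the video reaches); yours will differ.
LISTING = """
.global main
main:
    movl $0x???, %eax
    movl $0x0, %ebx
    movl $0x4, %ecx
loop:
    testl %eax, %eax
    jz fin
    addl %ecx, %ebx
    dec %eax
    jmp loop
fin:
    cmpl $0x3ca8, %ebx
    je good
    movl $0x0, %eax
    jmp end
good:
    movl $0x1, %eax
end:
    ret
"""


def parse(listing):
    """Split a listing into (instructions, labels); each instruction is (mnemonic, operands)."""
    instrs, labels = [], {}
    for raw in listing.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("."):      # skip blanks and directives
            continue
        if line.endswith(":"):                     # label: remember the next index
            labels[line[:-1]] = len(instrs)
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        instrs.append((mnem, ops))
    return instrs, labels


def run(listing, eax, max_steps=1_000_000):
    """Fill the X'd-out immediate with `eax`, execute from main, return the registers at ret."""
    instrs, labels = parse(listing.replace("$0x???", f"$0x{eax:x}"))
    regs = {"eax": 0, "ebx": 0, "ecx": 0}
    zf = False                                     # the only flag this subset needs
    pc = labels["main"]

    def val(op):                                   # $imm or %reg, AT&T style
        return int(op[1:], 0) & MASK if op.startswith("$") else regs[op[1:]]

    def store(op, v):
        regs[op[1:]] = v & MASK

    for _ in range(max_steps):
        mnem, ops = instrs[pc]
        pc += 1
        if mnem == "movl":                         # movl src, dst
            store(ops[1], val(ops[0]))
        elif mnem == "addl":                       # addl src, dst: dst += src
            store(ops[1], val(ops[1]) + val(ops[0]))
        elif mnem == "dec":                        # dec also updates ZF
            store(ops[0], val(ops[0]) - 1)
            zf = val(ops[0]) == 0
        elif mnem == "testl":                      # ZF = (a & b) == 0
            zf = (val(ops[0]) & val(ops[1])) == 0
        elif mnem == "cmpl":                       # cmpl src, dst: ZF = (dst - src) == 0
            zf = ((val(ops[1]) - val(ops[0])) & MASK) == 0
        elif mnem in ("jz", "je"):                 # same opcode, two spellings
            if zf:
                pc = labels[ops[0]]
        elif mnem == "jmp":
            pc = labels[ops[0]]
        elif mnem == "ret":
            return regs
        else:
            raise ValueError(f"unsupported instruction: {mnem}")
    raise RuntimeError("step limit hit: the loop did not terminate")


def solve(target, step=4):
    """Invert the loop: ebx ends at step * eax, so eax = target / step (None if not a multiple)."""
    return target // step if target % step == 0 else None


if __name__ == "__main__":
    answer = solve(0x3CA8)
    print(f"candidate eax = {answer:#x}")                        # 0xf2a
    print("main returns", run(LISTING, answer)["eax"])           # 1
    print("off by one returns", run(LISTING, answer - 1)["eax"])  # 0
```

Running with small test values is the hint in practice: `run(LISTING, 3)` leaves ebx at 12, which makes the multiply-by-four relationship visible before any algebra. The emulator also confirms the answer end to end rather than trusting the division, and `solve` returning None covers the one case the shortcut would otherwise hide: a comparison constant that is not a multiple of four can never be reached by this loop, so no starting eax makes main return 1.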