What's up guys, this is John Hammond, still looking at PicoCTF 2017, now moving into the reverse engineering category. In level two, the first challenge is called "A Thing Called the Stack." The challenge prompt is: "A friend was stacking dinner plates and hinted you this, saying something about a stack. Can you find the difference between the value of ESP at the end of the code and the location of the saved return address? Assume a 32-bit system. Submit the answer as a hexadecimal number," blah blah blah, "for example..." Okay.

So I have to put a disclaimer here that I am probably not the best person to be trying to teach this or talk about this. Things may get a little bit fuzzy, but I'll explain it to my best understanding, and honestly I am confident that you guys that are watching this that do know a little bit more are willing to share your opinion, share your voice, or just kind of correct me in the comments. But I will do what I can to explain this in the best way possible.

So if you actually take a look at the file that they provide for us, we can wget it. So we download it; it's just some assembly code, and we can open it up in Sublime Text. We have this segment of code that we are to dissect, or reverse engineer. The challenge prompt is telling us to try to find the difference between the value of ESP and the location of the saved return address.

So you may be wondering, what the heck is ESP? Well, in computer memory, in the, like, abysmal, strange, weird, amorphous memory thing that we talk about in computers, where we store program data and information, there is a structure that organizes this memory called a stack, and that stack is what we're looking at right now. You're obviously doing very, very in-depth, kind of on-the-wire, low-level stuff with it when you're working in assembly. That stack has bits of information that are stored in what are called registers, and there may be some special registers as well. In a 32-bit system those registers can be things like eax or ebx, ecx, etc. That is in a 32-bit system, but in a 64-bit system you have similar registers, except they are bigger, obviously, with more bits, so they're called rax, rbx, etc.; that is the preceding "r" in front instead of "e". So just things to note, at least as the basics that we're getting at.

Along with these "e" registers we also have the special things like ebp and esp. ESP is special: it's like a stack pointer. It is pretty much, if I try to develop something here on the side, a pointer, or like an arrow, as to what thing we are looking at on the stack, because the stack is essentially a long line, or like a vertical, literally a stack of memory addresses, data, things. "Stack function frame": if you were to google this there is a ton of resources, but sometimes it's very confusing. If we just actually look at some of the pictures of what stack frames look like, you get an idea, and you'll understand this a little bit more, probably in a better way than what I'm trying to explain here.

The stack can be anywhere in memory, essentially, but it is essentially a piece of paper that just has a bunch of information on it. Okay, obviously I'm not going to have eight bits or whatever the correct number is here, but just for the purpose of example and illustration I want to say that lower addresses are here at the very bottom and higher addresses are here at the top. So the stack, and what you're looking at in the stack, could be anywhere in that range of lower numbers or higher numbers. When you invoke a function in your program, like if you're working in C or C++, in a low-level programming language, a new stack frame is created in the stack, and that stack frame has specific decorators and things that denote that, okay, this is our stack frame that we're working with for this specific function. So it sets up a frame by using ebp, or register-specific anchor points, to denote the return address, or where the function will go back to once this function is complete. That's what PicoCTF is referring to when they say the location of the saved return address; that is ebp, or our base pointer in the stack, and we can see this in the hints here.

So we can essentially start our own stack frame. Let's say, let's put it at... oh, I was saying "e" at ebp, and that should be esp. Oh my goodness, I was wrong; I said a whole wrong thing the whole time. ESP is what moves; ebp will not move, because that is the anchor for whatever we are doing inside that specific stack frame, anywhere in memory on the stack. Okay, so now esp will move after we have pushed ebp onto the stack in some location. That push function is an operation in the stack, or in assembly, that will increment, or essentially decrement in a strange way, because the stack grows downwards. When we push something onto the stack, our esp moves essentially down. So here, let me move all these. So that's our pointer, our stack pointer, moves down. We don't need to know that exactly in this case, because we just need to know the difference, but esp is going to move down those four bytes, or the size of a register, every time we end up pushing something. So when we have this original push we kind of have that on the stack and then we move down, so we've got four bytes that will essentially move on, and ebp will take up that space, these four bytes. So now esp is waiting at 12 when all of these other lines have been filled up by that base pointer. So now our stack pointer has moved to the very top of this ebp; that's taken up four bytes.

The move operation is not actually going to affect our stack pointer. It's not going to change the location of what we're pointing at or trying to indicate in the stack; it's just simply setting a value to something. It's kind of like setting a variable in a programming language, like saying x equals 10, but in an interesting way. And I want to point this out to you: what we're looking at right now is assembly code, but it's written in an interesting way, because assembly code can come in two different flavors, like AT&T as one syntax and Intel as another syntax. You can denote the differences by seeing, okay, AT&T has dollar signs denoting or preceding a constant, typically, and has percent signs in front of a register or anything specific, and those kind of add up; it makes it not the prettiest thing to look at. Also a very, very strange thing for Intel and AT&T is the way that you read it. The direction of operands is different in Intel and AT&T. In Intel, you look at something like the move operator, or operand, and that says that, okay, eax will now equal ecx, essentially, in this example we're looking at here; you read it from left to right for Intel syntax, like x equals 10, as we saw in our example over on the side here. But AT&T is kind of backwards: you're saying, okay, I want 10 to equal x; you read it the other way around. So Intel syntax is kind of what we are used to, and is, I would say, better, and is a better option for reading assembly code. So, an interesting thing to keep in mind.

But we know that that move operation will not change anything about our stack pointer. But since we're going to see more push operations, we'll actually subtract down again four bytes, and lower things in the memory that we're seeing here. So we can subtract again, because we know we're going to get up to 20, subtracting four bytes; we're doing more of this operation. So by the time you see, okay, we've done four operations, four push statements, that are going to move by a difference of four bytes, because that's the size of a register, in total we'll have a 16-byte difference between the start of ebp and our esp, our stack pointer. Again, I'm really sorry about having that labeled wrong when I was originally mentioning these.

Now the next line is sub, or subtract, so assembly "sub", and again, be sure to google this, be sure to understand it, be sure to just do your own research, because that's the best way to learn, is just doing your own self-learning. That subtraction is subtracting from esp, so we know that, okay, on the stack we'd move down again, whatever this value is. This number may be different in your challenge from my challenge; that's okay, again, that's PicoCTF randomization. So we know that this difference is also going to be an impact; move will not do anything to it. So now we've got all the pieces that will change our esp and ebp difference.

Let's open this up in Python and say, okay, we know we're going to start with that 16 difference from all the push statements, and then we're going to subtract that value in hex. So we'll put those together, find the difference, and we have 264 in decimal. But now let's convert that to hex, because that's what the challenge wants it in: 0x108. Cool, go ahead and submit this. I've already solved this because I tried to record this earlier and realized my audio wasn't on, so I got really upset, but that was the correct answer for this one. And again, those numbers may be different in your case, but that is what I wanted to showcase: a little bit of that understanding of "a thing called the stack." I hope my Sublime Text demonstration was kind of okay, and that, sure, I'm going to be using this vertical line as our play-pretend stack. The stack frame that's created for a function may be anywhere in memory, but again, from what you see in pictures on Google, from your own reading and understanding, you can use ebp as a reference point to access other variables, like local variables for the function that are created in the function, or arguments or parameters passed to it, etc. It's all based off that base pointer in the stack. Cool.

All right, I want to give a special shout-out to the people that support me on Patreon. You guys are fantastic; I cannot thank you enough. That's why I do this. One dollar a month on Patreon will give you a special shout-out just like this at the end of every video; five dollars a month will give you early access to anything that I create and release on YouTube. Hey, if you did like this video, please press that like button, maybe leave a comment, let me know what I did wrong, let me know what is a better way to explain this, etc. I'm a little bit fuzzy on the stack explanation, so please, I would appreciate your constructive criticism. If you're willing, subscribe, and please hang out with us on the Discord server, link in the description, and if you're willing to check me out on Patreon I would really, really appreciate it. Thanks, see you next video.
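As an added example (my own code, not the challenge file and not anything shown in the video), here is a small Python ESP tracker that walks an AT&T-syntax prologue of the shape discussed above and computes how far below the saved return address ESP ends up, which is the number the challenge asks for in hex. The listing is constructed: the real file's sub constant is randomized per player, and 0xf8 is chosen here so the result reproduces the 0x108 the video arrives at. It goes a bit beyond the video by also handling add esp and pop, which move ESP back up.

```python
# Constructed AT&T-syntax prologue in the shape of the challenge file.
# The real file's constant is randomized per player; 0xf8 is chosen so
# that 4 pushes (16 bytes) + 0xf8 (248) = 264 = 0x108, matching the video.
SAMPLE_ASM = """
push %ebp
mov %esp,%ebp
push %ebx
push %esi
push %edi
sub $0xf8,%esp
"""

WORD = 4  # bytes per register / stack slot on a 32-bit system


def parse_imm(token):
    """Turn an AT&T immediate like '$0xf8' or '$16' into an int."""
    return int(token.lstrip("$"), 0)


def esp_offset_from_return_address(asm):
    """Walk the prologue and return how many bytes below the saved return
    address ESP ends up.  At function entry ESP points at the saved return
    address (offset 0); push and 'sub ..., %esp' move it down (the stack
    grows toward lower addresses), pop and 'add ..., %esp' move it back up,
    and mov does not touch ESP at all."""
    offset = 0
    for raw in asm.splitlines():
        line = raw.split("#")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        op = parts[0]
        args = [a.strip() for a in parts[1].split(",")] if len(parts) > 1 else []
        if op.startswith("push"):
            offset += WORD
        elif op.startswith("pop"):
            offset -= WORD
        elif op.startswith("sub") and args[-1] == "%esp":
            offset += parse_imm(args[0])
        elif op.startswith("add") and args[-1] == "%esp":
            offset -= parse_imm(args[0])
    return offset


def flag_for(asm):
    """The challenge wants the difference as a hexadecimal number."""
    return hex(esp_offset_from_return_address(asm))


if __name__ == "__main__":
    print(flag_for(SAMPLE_ASM))
```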