What's up YouTube? This is another video write-up, for the challenge assembly 2 in the reverse engineering category of picoCTF 2018. So the challenge problem here is: what does asm2 with these arguments return? Submit the flag as a hexadecimal value, etc. We've kind of seen this thing before, so we're given some source code. Let's go ahead and copy it, download it, and I'll just wget it into the current directory here. Looks like we have it there. I'm gonna open it up in Sublime Text. I'll zoom in a little bit so you can see this, and I'm gonna change the syntax highlighting to assembly.

So what I'm gonna do is actually create a new script that will kind of recreate this in Python. So let's do like recreation.py or something, or whatever we particularly want. I use the FileHeader plugin for Sublime Text to get that boilerplate stuff at the very top there. But okay, what we do is, analyzing the assembly, let's say this is function prologue. I'll keep zooming out; hopefully you can still see. Function prologue, and then we set EAX to the second argument, 0xc, right?
Because EBP plus four on the stack is just going to be our return address. I believe EBP plus 0x8 will be the first argument, plus 0xc is the second argument, again incrementing by four because that's the size of the data type there. Let's just include this as a comment. So we know that EAX will equal the second argument, 0x21. So let's say Python can do that as well, and let's do the next line, where we're setting EBP minus 0x4, so a local variable, set to EAX, which we know to be 0x21 still. And let's just say that can be EAX, and the Python code will do the same for the next argument. So EAX can equal just the first argument, and we give it 0x8, and not using this because that's the same value here, but using it because it's the first argument that we're passing this function: EBP, the base pointer, plus 0x8. So once we set EAX, we'll do the exact same thing just as we did previously with a new local variable. We can say EBP minus 0x8 will be equal to 0x8 in this case, and we'll do that just as we did earlier in Python. Set it equal to EAX; before we do that, we have to set EAX to equal this. So that's just creating these local variables for us in our stack, or from the stack, in the very start of the function.

And then we jump to part B. So go to part B. So part B, what it's doing is it's testing; it has a compare statement here, or compare instruction, and less than or equal to. So let's do if EBP plus 0x8, so our argument here. We actually don't have a variable for that yet, so let's go ahead and create one. Because underscores are going to be minus in this case.
Let's do minus here and minus. So now we can have EBP minus, or plus, sorry, for arguments. That can go ahead and equal the first argument that we give it, the second argument that we give it, 21, and in fact we could have just been setting these here rather than using the hard-coded values.

Okay, so now let's test if EBP plus 0x8 is less than or equal to this value. If it is, we are jumping to part A; otherwise we are setting EAX to equal EBP minus 0x4, and then we will just print out EAX to see what we actually need here, because that's the end of the function, right? There's our function epilogue down at the very bottom.

Okay, so part A we need to actually look at now. What it's doing is it's setting EBP minus 0x4, so that local variable, and it's adding one to it. So plus equals. So part A will take EBP minus 0x4 plus equals 1, and then EBP plus 0x8 will also be added with 0xa9, so it's just incrementing. It looks like it's trying to do some kind of loop. Looks like it's trying to do some kind of division, I think, because it's testing, okay, whether it's, factor this however many times, blah blah blah. But since our Python code should be able to handle it just fine, let's go ahead and run it after we set EBP plus 0x8 plus equals 0xa9.

So when I run this we get 8. Okay. Let's see what we look like here. Is EBP correctly being set here? Looks like, if we try and debug this here, no, it's not. So something is wrong in our code. Let's check out what EBP minus 0x4 is: 33, and that should be 0x21, so that works just fine for us. Now we do the same thing with minus 0x8 for the local variable, and that's 8, just as we would expect. So now we're taking if EBP plus 0x8, which we know is 8, is less than or equal to this thing. So let's print in the loop. Okay, that only happens once, so that must be why. Of course, it has to go back to part B once part A is done.
We just didn't have that procedural loop in there. So we can do a while 1 here, actually, just to loop it, because we know that that's good; it's just going to return back to that other part B test. So once we print EAX, or once we actually have that else be returned true, let's print EAX and then return. So now we'll break, actually, because we're not inside of a function. So we'll stop looping. So we have 120 as our final answer. Okay, let's see what that is in hex: 0x78. Perfect, sounds like a plausible answer. Let's go ahead and submit it, and we got it right.

Okay, cool. So all that we really did there was recreate this assembly code in Python, so it's something we can easily kind of understand and manage. We step through it just with our comments on the side, and we just try to recreate something that we can run very easily. Maybe we could do this with NASM if you just wanted to compile it and run it. If you are that much of an assembly guy, sweet, more power to you. But I just figured, okay, I'll step through it and try to understand a little bit. The while 1 thing, or the loop, is interesting, remember, because we immediately jump to part B, and then if it's less than or equal to, which for the first couple iterations we know it is, it'll move up here. And then after it runs through each of these commands, it continues back into part B, because it's assembly, it's spaghetti code, right? So you just dial back into it. Okay.

So before I go I want to give a quick shout out to the people that support me on Patreon. Thank you guys so much.
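An added example, not code from the video or its author: a Python re-creation of the routine as the transcript walks through it, with the loop back into part B made explicit. The compare constant is never spoken in the transcript, so `LIMIT` is a constructed stand-in, and `asm2_closed_form` and `limits_for_result` are hypothetical helpers that show which constants are consistent with the stated answer 0x78.

```python
"""Added example: the asm2 control flow described in the transcript.

Python integers do not wrap at 32 bits; that is fine for these inputs.
"""

ARG1 = 0x8       # [ebp+0x8], first argument (value from the transcript)
ARG2 = 0x21      # [ebp+0xc], second argument (value from the transcript)
STEP = 0xA9      # added to [ebp+0x8] on every pass through part A
LIMIT = 0x3900   # CONSTRUCTED: the compare constant is not in the transcript


def asm2(arg1, arg2, limit=LIMIT, step=STEP):
    """Step through the routine one instruction group at a time."""
    ebp_p8, ebp_pc = arg1, arg2   # arguments sit above the return address
    eax = ebp_pc                  # EAX = second argument
    ebp_m4 = eax                  # local [ebp-0x4] = EAX
    eax = ebp_p8                  # EAX = first argument
    ebp_m8 = eax                  # local [ebp-0x8] = EAX (never read again)
    while True:                   # part A falls through into part B again
        if ebp_p8 <= limit:       # part B: compare, branch to part A
            ebp_m4 += 1           # part A: bump the counter local
            ebp_p8 += step        # part A: grow the first argument
        else:
            eax = ebp_m4          # result is handed back in EAX
            return eax


def asm2_closed_form(arg1, arg2, limit=LIMIT, step=STEP):
    """Same result without looping: count the passes that fit under limit."""
    passes = 0 if arg1 > limit else (limit - arg1) // step + 1
    return arg2 + passes


def limits_for_result(arg1, arg2, result, step=STEP):
    """Inclusive range of compare constants that make asm2 return result."""
    passes = result - arg2        # part A must run exactly this many times
    if passes < 1:
        raise ValueError("result requires at least one pass through part A")
    return arg1 + (passes - 1) * step, arg1 + passes * step - 1


if __name__ == "__main__":
    print(hex(asm2(ARG1, ARG2)))                 # answer for the stand-in LIMIT
    print(limits_for_result(ARG1, ARG2, 0x78))   # constants consistent with 0x78
```

The first version in the video returned after a single pass because the branch back to part B was missing; the `while True` here is that fix.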