What's up YouTube, this is a video write-up for the challenge "A Tour of x86, Part 1" from CSAW CTF in the reversing category. It says "noobs only", and it gives us a netcat command to connect to a remote service and a lot of files to download. All we need for part one is the stage one ASM. If you wanted to, you can wget it, but I already have it downloaded in my current directory. So we could actually just go ahead and view it in a Sublime Text editor: stage one ASM. And I've got my Patreon supporters given here, but I also want to display it. I went ahead and downloaded a package to install, a package like NASM x86. And it's not displayed now in Package Control in Sublime Text, but if you wanted better x86 or assembly syntax highlighting, that's a cool package to download and kind of make these comments and the code a little bit more readable here.

So this challenge is, as it says, for people that are not used to reverse engineering, and that's okay, I fall in that category. So the netcat command that you actually end up running is essentially going to ask you questions about this code. And it takes a little bit for this connection timeout, stupid delay, and that's very annoying. So what I'm gonna end up doing actually is keeping track of the questions that were asked here in another text editor. So I'm just gonna say nano answers.txt, because these questions will remain the same, but maybe we'll time out of the connection. So we'll be able to just pump the answers into netcat as we learn them and as we explore.

So the first question is: what's the value of DH after line 129 executes?
And it's one answer with a one-byte hex value, prefixed with 0x, just as you would expect to see hexadecimal. So hopefully I will balance between this being beginner friendly, newbie oriented, and something that a little bit more seasoned person with assembly can understand. This goes through and explains how NASM is essentially, I don't want to say compiler, but that's probably the best word for it, for assembly, from, yes, the assembly code that we're looking at, .asm script files with opcodes and hexadecimal instructions, essentially to a compiled binary. So QEMU is what they would run the operating system they're making on, blah blah blah, at texas what they're working terminal, etc. So unnecessary stuff that you need to read through. If you wanted to just jump to the answer here, you straight up can't.

What it goes through and initially does in the start label here, that it tries to explain for you: it will set EAX, essentially the register, the extended A register for 32-bit, all of those to be zero, in that EAX is 32 bits. I'll try and draw this out. EAX is 32 bits, while AX is the last 16 of it, and then AL and AH are the high or low versions of, or the last eight bits of, whatever 16-bit components that we're working with. So EAX is 32-bit, AX is the lower, I believe, 16-bit, and then AH and AL are the higher bits, AH for higher and AL for lower, both of those being eight bits. They're all under that register, but they are just different components of it, different segments of it. You can see the split here between AH and AL. So all of these are being set with the move instruction, MOV, to zero in Intel syntax. So AH is going to be zero, AL is set to zero, so is AX, all of it in this case. Let's remove all that.
Hopefully that explains it a little bit better. They do the same thing with bx, bl, bh, and that is the register for ebx. It's another register that you'll see in 32-bit assembly. Same thing with ecx, etc., etc., and eventually we're getting to question one.

So question one. There are other ways to make a register be set to zero. I hope you know your binary operators: and, or, not, xor, and complements, etc. So in this case, when they are XORing a value with another value, if they XOR the same value on both ends of the operands... That XOR is an exclusive or. So the XOR operation, when it takes in inputs, it's going to be a, let's say a truth table here: if we had inputs zero zero and outputs on the other side, zero one, output on the other side, one and zero, output on the other side, and one and one, output on the other side here. It's an exclusive or, so that means that if these two are different, if one is not the other, this will return true. So in this case zero zero, both of them are the same value, so that's going to return zero. Zero and one, well, one is different from the other, it's exclusive or, that's going to return true. That's going to return true. But one and one, or no matter what the value is, if they are the same value it will return true. So, I'm sorry, it will return zero, return false in this case. So when you're doing this with an XOR, if you use it in assembly, if you XOR one register or one component with itself, it essentially sets that whole register to zero. So that answers our first question. When we have to display this in a hexadecimal format with one byte, that byte is, again, just two hexadecimal characters here.
So if we wanted to say zero as our answer, we would say 0x00, and that would be the bytes that we're working with. So we have lost connection and timed out, just like that. But if we wanted to keep track of this answer, we could say 0x00. Perfect. Now when we're asked this question, if I were to answer with something wrong... I'm going to give it the correct answer for this time, so it'll move on to the next question, but if I were to answer it something wrong, it would just crap out and we would lose our connection. So that's fine. Now we can move on to the next question, now that we know that we can use our answers that we're working with so far, and move on to the next question now that we know it.

What's the value of gs, what other variable or assembly notion here, after line 145 executes? Let's check out the code again. Moving down, moving on down. I don't know why I had an accent there, that was weird. Some other operands and other things going: jump not equal. We'll jump to another label. However, we're comparing if dx is equal to zero, which right now... We originally had dx set to hexadecimal 0xffffff, but once we've NOTed it, if you wanted to, that will go ahead and invert everything back to zero again. So since compare dx equal to zero, that is equal, we're not going to end up jumping to that death label, because the instruction is jump not equal to, but in our case we are equal to, so that's fine. Let's move on. We're not going to end up jump taking this jump. We'll keep moving along literally in a procedural fashion. Looks like it's setting more questions here.
It says question two: gs is going to equal dx. Well, we've just discussed dx is now being set to all zeros once we've set it to 0xffff and then we NOTed it. That register or that value again is just being set to the proper evaluation of this. So when we take 0xfff and we NOT it, all those proper bits, all those one bits, or all those things that are set to a value in a bit notion, so binary zero or one, once we've NOTed them they're all going to go to zero. So in this case gs is set equal to dx, and dx is already equal to zero. So the next answer is 0x00 again. Okay, cool. We can keep moving on now. Many of these registers actually have names, but they're mostly irrelevant and just legacy. So sp is a stack pointer, bp is the base pointer, si source index.

And what is this next question asking us? Let's get to the same answers we've had so far. What is the value of si after line 151 executes? Answer with a two-byte hex value prefixed with 0x. So we know that sp is set to cx. And where is cx set? Well, do we see it anywhere else? Oh, just at the very top here, before that code ran, cx was set to be zero, and then we set si to equal sp, and sp is set to cx. So that means that following through this, si is going to equal zero. But it wants it in two bytes, so we will have to answer 0x000, two bytes in this case. Perfect.

What's the value of ax after line 169 executes? Again, two-byte hex value prefixed with 0x. So now we're on line 169 and we're in a new function, a different label here. It's not really a new function, since whitespace and labels are effectively ignored in assembly, but we're labeling it so they can keep track of it as the original programmer. That's fine. So this function is supposed to print text. First things first, we need to set up the screen such that it will allow us to display text. So those are interesting things that would happen on the actual operating system or the QEMU. However, step two, a problem: we can only print one letter at a time.
So we're setting al to one character, 't', and move ah to 0x0e. Question four. Okay, we know that at 169 the value of ax is going to equal... as we saw in our description earlier, ax is 16 bits here, and al and ah are the smaller parts of it, so ah for higher bits and al, and al is set to 't' and ah is set to 0x0e. So what is the value of 't' in hexadecimal? Well, we can use Python to figure that out, or anything else that we'd like to here. Let's use Python and let's use 't' as a character. Let's take the ordinal value of that, so we know what it is in the ASCII table, and let's go ahead and convert that to hex. Looks like it's 74. So if we were to put these together, we now have 0x0e, again, that's ah, as we can see in the assembly here, and now 't' is going to be 0x74 as that character in hex. Since it's all put together, since it's ah as both ah, I'm sorry, ax as both ah and al, we're going to end up having 0x0e74. So let's go ahead and send that, and we'll keep track of that as our next answer.

What is the value of ax after line 199 executes for the first time? So let's scroll down. Coming down here, looks like we are setting ax to string to print, which we've defined just here as a database or some data here, acos, and we're printing out one character at a time when we call print string. So when we're getting to line 199, it's asking us, what's the value of ax after this line executes?
Well, we know that ax is being put in as our register, and that register is what's essentially being passed in as a parameter to this function here, print string, where we only, it says, "I'm going to just pass the first parameter as a function through ax". And what we do, since we're ending up just saying ax is going to equal string to print and we jump to print string, since string to print starts with an a and we're going one character at a time, we know that the very, very end of ax is going to be what it was just before, just before we've actually run to this function. And then we're going to end up having that last, or that least significant bit, or that least significant byte in this case, set to the first byte of what we're trying to print out. So if we had, let's say, 0e to begin with, and then we end up working with an a character, what's the value of a in hexadecimal? Again, let's get Python. Let's get the ordinal value of a lowercase a, convert that to hex, and we've got the value 61. So our nano answers now should be... the last question should be answered as 61. Let's go ahead and... oh, I totally removed my netcat connection, crap. Once we connect to it, let's go ahead and cat the answers right into it. So it should be able to just take everything that we've answered line by line and pump it through the actual socket and connection that we've made here. It'll be as if we entered the answers line by line and we're going through it manually.

So awesome, that is how we solve that challenge. That is just walking through the assembly, trying to read through a little bit of reverse engineering and learning a little bit more of the x86 architecture and instruction set. So if you didn't know everything this code was doing, that's okay. It was meant to be well commented and meant to talk you through it, and then obviously you can Google and research some things around. I probably sped through this a little bit and I hope it wasn't too hard to follow, but I wanted to focus on getting these questions answered and actually getting us the flag. So reverse engineering and assembly is a weird and hard thing, but don't ever be afraid to simply Google even the smallest, most minute thing, because that is important for actually solving reverse engineering challenges and understanding assembly. So super cool.

Quick shout out to the people that support me on Patreon. Thank you guys so much. It is incredible to see this list growing. Thank you, thank you, thank you, I cannot say it enough. $1 a month on Patreon will give you a special shout out just like this at the end of every video. $5 and more on Patreon will give you early access to everything that's released on YouTube before it goes live, because I like to record things in bulk. Hopefully, usually when I actually have motivation and time, that's kind of at a premium these days. That way you can get everything right when it's recorded, right when it's ready to go. You don't have to wait until YouTube will gradually upload them and release them. So just $5 a month. Hope it's not too much. Thanks.

Hey, if you did like this video, please do like, comment and subscribe. It helps grow the channel. If you're willing to support me on Patreon, link in the description, that'd be awesome. Please do join our Discord server. It's a cool community full of CTF players, programmers and hackers. You want to hang out with me or other cool people? That's the best place to do it. We like to form up when a CTF or competition is going on. I think we're going to have CSAW RED and picoCTF, and we've just got a really good CTF camp. Cool place to just jam with people that like war games and that whole scene, programming, cyber security, etc. Please do come on out. Hope to see you on Patreon. Hope to see you in the next video. Love you guys. Bye.
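
Added example, not part of the original video or the challenge files: a small Python model of the register aliasing (ax is ah:al) and of the mov/xor/not steps narrated above for questions one to four. The instruction list is constructed from the narration, and the names Regs, run and PROGRAM are illustrative assumptions.

```python
# Added illustration: 16-bit x86 registers with their 8-bit halves aliased on top.
HALVES = {p + h: (p + "x", s) for p in "abcd" for h, s in (("l", 0), ("h", 8))}
OPS = {"mov": lambda d, s: s, "xor": lambda d, s: d ^ s, "not": lambda d, s: ~d}

class Regs:
    def __init__(self):
        self.r = dict.fromkeys(("ax", "bx", "cx", "dx", "sp", "bp", "si", "gs"), 0)
    def where(self, name):          # -> (backing register, bit offset, mask)
        return (name, 0, 0xFFFF) if name in self.r else (*HALVES[name], 0xFF)
    def get(self, name):
        parent, shift, mask = self.where(name)
        return (self.r[parent] >> shift) & mask
    def set(self, name, value):
        parent, shift, mask = self.where(name)
        kept = self.r[parent] & ~(mask << shift) & 0xFFFF   # other half untouched
        self.r[parent] = kept | ((value & mask) << shift)

def operand(regs, tok):
    if tok in regs.r or tok in HALVES:
        return regs.get(tok)
    if len(tok) == 3 and tok[0] == tok[2] == "'":           # character literal
        return ord(tok[1])
    return int(tok, 0)                                      # 0x.. or decimal

def run(program):
    regs = Regs()
    for raw in program.splitlines():
        line = raw.split(";")[0].strip()                    # drop comments
        if not line:
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")]
        src = operand(regs, args[1]) if len(args) > 1 else 0
        regs.set(args[0], OPS[op](regs.get(args[0]), src))
    return regs

# Constructed from the steps narrated in the transcript, not the challenge file.
PROGRAM = """
mov cx, 0
mov dh, 0x7f    ; constructed non-zero value so the xor has something to clear
xor dh, dh      ; question 1: dh
mov dx, 0xffff
not dx
mov gs, dx      ; question 2: gs
mov sp, cx
mov si, sp      ; question 3: si
mov al, 't'
mov ah, 0x0e    ; question 4: ax = ah:al
"""
```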