Rating: 3.0

* **Category:** reversing
* **Points:** 50
* **Description:**

> ## Part 1:
>
> Newbs only!
>
> ```sh
> nc rev.chal.csaw.io 9003
> ```
>
> -Elyk
>
> [stage-1.asm](https://ctf.csaw.io/files/02721fabb0c817ff88eecba00c8af128/stage-1.asm)
> [Makefile](https://ctf.csaw.io/files/dc249873b66ed653d7db4572ce6ef07a/Makefile)
> [stage-2.bin](https://ctf.csaw.io/files/5e0f7fb0d9229a7f878bc388e9fe1b4f/stage-2.bin)

## Writeup

This is a challenge in multiple stages, each one having its own flag.
(Note: the original link contains all three stages)

The general theme is low-level x86 code and how it behaves after boot.
The difficulty is quite low, but it was fun.

### Stage 1

In the first stage we have the assembly source code available, but it is heavily
commented. (This actually makes the code LESS readable at times)
The code is running in 16-bit real-mode, with BIOS interrupts available.

When connecting to the provided address and port, we are asked a series of
questions about the values of registers in different parts of the program.

#### What is the value of `dh` after line 129 executes? (one byte)

Line 129 is `xor dh, dh`, which always leaves `dh` as 0x00.

#### What is the value of `gs` after line 145 executes? (one byte)

Line 145 is `mov gs, dx`. `dx` is compared to 0 on line 134, so `gx` must always
be 0x00.

#### What is the value of `si` after line 151 executes? (two bytes)

Line 151 is `mov si, sp`. `sp` is set on line 149 with `mov sp, cx`. `cx` is set
to 0 on line 107, so `si` must always be 0x0000

#### What is the value of ax after line 169 executes? (two bytes)

Line 168 and 169 are `mov al, 't'` and `mov ah, 0x0e`. The hex-value of 't' is
0x74, so the value is 0x0e74.

#### What is the value of ax after line 199 executes for the first time? (two bytes)

Lines 197 and 199 are `mov al, [si]` and `mov ah, 0x0e`, which are part of a
loop.

`si` is initialized as a pointer to the string `"acOS\n\r by Elyk"`, so
the first iteration should leave `ax` with 0x0e61 (hex-value of 'a' is 0x61).

After answering all the questions, we get the flag:

```
flag{rev_up_y0ur_3ng1nes_reeeeeeeeeeeeecruit5!}
```