=

GDB baby step 1 2 3 4 Picoctf writeup

Table of Contents

    Before solving these challenges, do some initial setup like: Install GDB tool, make the intel style persistent using .gdbinit file.

    GDB baby step 1

    Can you figure out what is in the eax register at the end of the main function? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}.

    Lets use the GDB tool to analyze the main function which is given in above description. Download the given executable file. And do following :

    1. gdb debugger0_a : To open the file in gdb
    2. info functions : To list out all the functions. You can see the main function there.
    3. disassemble main : To read the assembly code of main function.

    Now its time to analyze the assembly code and get the value stored in eax register at the end. The code looks similer like following :

    Code x86asm
       0x0000000000001129 <+0>:     endbr64
   0x000000000000112d <+4>:     push   rbp
   0x000000000000112e <+5>:     mov    rbp,rsp
   0x0000000000001131 <+8>:      mov    DWORD PTR [rbp-0x4],edi
   0x0000000000001134 <+11>:     mov    QWORD PTR [rbp-0x10],rsi
   0x0000000000001138 <+15>:    mov    eax,0x86342          ; the value 0x86342 copied into eax
   0x000000000000113d <+20>:   pop     rbp
   0x000000000000113e <+21>:     ret

    You can see that a value is stored inside into eax register. Which is in hex. You can use following command to convert it into decimal and wrap with flag. python -c "print(f'picoCTF{{{0x86342}}}')"

    Flag : picoCTF{549698}

    GDB baby step 2

    Can you figure out what is in the eax register at the end of the main function? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}.

    Now do the same steps for this binary to get the assembly code :

    1. gdb debugger0_a : To open the file in gdb
    2. info functions : To list out all the functions. You can see the main function there.
    3. disassemble main : To read the assembly code of main function. Which looks like following :
    Code x86asm
    0x0000000000401106 <+0>:     endbr64
0x000000000040110a <+4>:     push   rbp
0x000000000040110b <+5>:     mov    rbp,rsp
0x000000000040110e <+8>:     mov    DWORD PTR [rbp-0x14],edi
0x0000000000401111 <+11>:       mov    QWORD PTR [rbp-0x20],rsi
0x0000000000401115 <+15>:     mov    DWORD PTR [rbp-0x4],0x1e0da
0x000000000040111c <+22>:     mov    DWORD PTR [rbp-0xc],0x25f
0x0000000000401123 <+29>:    mov    DWORD PTR [rbp-0x8],0x0
0x000000000040112a <+36>:    jmp    0x401136 <main+48>
0x000000000040112c <+38>:    mov    eax,DWORD PTR [rbp-0x8]
0x000000000040112f <+41>:       add    DWORD PTR [rbp-0x4],eax
0x0000000000401132 <+44>:    add    DWORD PTR [rbp-0x8],0x1
0x0000000000401136 <+48>:    mov    eax,DWORD PTR [rbp-0x8]
0x0000000000401139 <+51>:    cmp    eax,DWORD PTR [rbp-0xc]
0x000000000040113c <+54>:    jl     0x40112c <main+38>
0x000000000040113e <+56>:    mov    eax,DWORD PTR [rbp-0x4]
0x0000000000401141 <+59>:    pop    rbp
0x0000000000401142 <+60>:    ret

    GDB baby step 3

    Now for something a little different. 0x2262c96b is loaded into memory in the main function. Examine byte-wise the memory that the constant is loaded in by using the GDB command x/4xb addr. The flag is the four bytes as they are stored in memory. If you find the bytes 0x11 0x22 0x33 0x44 in the memory location, your flag would be: picoCTF{0x11223344}.

    Now do the same steps for this binary to get the assembly code :

    1. gdb debugger0_a : To open the file in gdb
    2. info functions : To list out all the functions. You can see the main function there.
    3. disassemble main : To read the assembly code of main function. Which looks like following :
    Code x86asm
    0x0000000000401106 <+0>:     endbr64
0x000000000040110a <+4>:     push   rbp
0x000000000040110b <+5>:     mov    rbp,rsp
0x000000000040110e <+8>:     mov    DWORD PTR [rbp-0x14],edi
0x0000000000401111 <+11>:    mov    QWORD PTR [rbp-0x20],rsi
0x0000000000401115 <+15>:    mov    DWORD PTR [rbp-0x4],0x2262c96b
0x000000000040111c <+22>:    mov    eax,DWORD PTR [rbp-0x4]
0x000000000040111f <+25>:    pop    rbp
0x0000000000401120 <+26>:    ret

    Flag : picoCTF{0x6bc96222}

    GDB baby step 4

    main calls a function that multiplies eax by a constant. The flag for this challenge is that constant in decimal base. If the constant you find is 0x1000, the flag will be picoCTF{4096}.

    Now do the same steps for this binary to get the assembly code :

    1. gdb debugger0_a : To open the file in gdb
    2. info functions : To list out all the functions. You can see the main function there.
    3. disassemble main : To read the assembly code of main function. Which looks like following :
    Code x86asm
    0x000000000040111c <+0>:     endbr64
0x0000000000401120 <+4>:     push   rbp
0x0000000000401121 <+5>:     mov    rbp,rsp
0x0000000000401124 <+8>:     sub    rsp,0x20
0x0000000000401128 <+12>:    mov    DWORD PTR [rbp-0x14],edi
0x000000000040112b <+15>:    mov    QWORD PTR [rbp-0x20],rsi
0x000000000040112f <+19>:    mov    DWORD PTR [rbp-0x4],0x28e
0x0000000000401136 <+26>:    mov    DWORD PTR [rbp-0x8],0x0
0x000000000040113d <+33>:    mov    eax,DWORD PTR [rbp-0x4]
0x0000000000401140 <+36>:    mov    edi,eax
0x0000000000401142 <+38>:    call   0x401106 <func1>
0x0000000000401147 <+43>:    mov    DWORD PTR [rbp-0x8],eax
0x000000000040114a <+46>:    mov    eax,DWORD PTR [rbp-0x4]
0x000000000040114d <+49>:    leave
0x000000000040114e <+50>:    ret