In this task we need to find out which value is in the eax register at the end of the main function.

To do so we can just disassemble main in gdb and set a breakpoint at the last instruction of main.

Let’s go:

wget https://artifacts.picoctf.net/c/512/debugger0_a
chmod +x debugger0_a

I use this script for gdb.

I will use gdb-pwndbg

pwndbg> file debugger0_a
Reading symbols from debugger0_a...
(No debugging symbols found in debugger0_a)
pwndbg> disass main
Dump of assembler code for function main:
   0x0000000000001129 <+0>:     endbr64
   0x000000000000112d <+4>:     push   rbp
   0x000000000000112e <+5>:     mov    rbp,rsp
   0x0000000000001131 <+8>:     mov    DWORD PTR [rbp-0x4],edi
   0x0000000000001134 <+11>:    mov    QWORD PTR [rbp-0x10],rsi
   0x0000000000001138 <+15>:    mov    eax,0x86342
   0x000000000000113d <+20>:    pop    rbp
   0x000000000000113e <+21>:    ret
End of assembler dump.
pwndbg>

So we can just break at main+21, the ret instruction:

pwndbg> break *main+21
Breakpoint 1 at 0x113e
pwndbg> run
Starting program: /home/ch/ctf/debugger0_a
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
 
Breakpoint 1, 0x000055555555513e in main ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────
*RAX  0x86342
*RBX  0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_a'
*RCX  0x7ffff7fa5680 —▸ 0x7ffff7fa6fc0 ◂— 0
*RDX  0x7fffffffe638 —▸ 0x7fffffffe8bb ◂— 'PWD=/home/ch/ctf'
*RDI  1
*RSI  0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_a'
*R8   0x5555555551b0 (__libc_csu_fini) ◂— endbr64
*R9   0x7ffff7fcdf40 ◂— endbr64
*R10  0x7fffffffe230 ◂— 0x800000
*R11  0x203
*R12  1
 R13  0
*R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
 R15  0
*RBP  0x7fffffffe5a0 —▸ 0x7fffffffe600 ◂— 0
*RSP  0x7fffffffe508 —▸ 0x7ffff7de8c88 ◂— mov edi, eax
*RIP  0x55555555513e (main+21) ◂— ret
─────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────
 ► 0x55555555513e <main+21>    ret                                <0x7ffff7de8c88>

   0x7ffff7de8c88              mov    edi, eax     EDI => 0x86342
   0x7ffff7de8c8a              call   exit                        <exit>
 
   0x7ffff7de8c8f              call   0x7ffff7e52a60              <0x7ffff7e52a60>
 
   0x7ffff7de8c94              lock sub dword ptr [rip + 0x1bc434], 1
   0x7ffff7de8c9c              je     0x7ffff7de8cb0              <0x7ffff7de8cb0>
 
   0x7ffff7de8c9e              mov    edx, 0x3c                 EDX => 0x3c
   0x7ffff7de8ca3              nop    dword ptr [rax + rax]
   0x7ffff7de8ca8              xor    edi, edi                  EDI => 0
   0x7ffff7de8caa              mov    eax, edx
   0x7ffff7de8cac              syscall
──────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe508 —▸ 0x7ffff7de8c88 ◂— mov edi, eax
01:0008│-090 0x7fffffffe510 —▸ 0x7fffffffe550 —▸ 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— ...
02:0010│-088 0x7fffffffe518 —▸ 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_a'
03:0018│-080 0x7fffffffe520 ◂— 0x155554040
04:0020│-078 0x7fffffffe528 —▸ 0x555555555129 (main) ◂— endbr64
05:0028│-070 0x7fffffffe530 —▸ 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_a'
06:0030│-068 0x7fffffffe538 ◂— 0xb406d786e6f08b10
07:0038│-060 0x7fffffffe540 ◂— 1
────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────
 ► 0   0x55555555513e main+21
   1   0x7ffff7de8c88
   2   0x7ffff7de8d4c __libc_start_main+140
   3   0x55555555506e _start+46
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

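In this output we can already see the EAX value (shown as RAX because the binary is 64-bit; EAX is the lower 32 bits of RAX). We can also ask for the register directly: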

pwndbg> info reg rax
rax            0x86342             549698

So the flag is picoCTF{549698}
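
A static cross-check of the value seen in the debugger, added here as an example that is not part of the original write-up: it walks main's machine code and reports what eax holds when ret is reached, without running the binary. MAIN_BYTES is hand-assembled from the disass listing above (a constructed sample, not a dump of the file), and the function names are hypothetical.

```python
import struct

# main's machine code, hand-assembled from the disass listing in the write-up
# (constructed sample, not dumped from the challenge binary).
MAIN_BYTES = bytes.fromhex(
    "f30f1efa"    # +0   endbr64
    "55"          # +4   push rbp
    "4889e5"      # +5   mov rbp,rsp
    "897dfc"      # +8   mov DWORD PTR [rbp-0x4],edi
    "488975f0"    # +11  mov QWORD PTR [rbp-0x10],rsi
    "b842630800"  # +15  mov eax,0x86342
    "5d"          # +20  pop rbp
    "c3"          # +21  ret
)

def mov_store_len(code, pc):
    """Length of `mov r/m, r` (0x89, optional REX.W) that cannot write eax/rax."""
    i = pc + (code[pc] == 0x48)               # skip optional REX.W prefix
    if i + 1 >= len(code) or code[i] != 0x89:
        raise ValueError(f"unsupported instruction at +{pc}")
    mod, rm = code[i + 1] >> 6, code[i + 1] & 7
    if mod == 0b11 and rm != 0:               # register destination, not eax/rax
        return i + 2 - pc
    if mod == 0b01 and rm != 0b100:           # [reg+disp8] store, no SIB byte
        return i + 3 - pc
    raise ValueError(f"unsupported operand form at +{pc}")

def eax_at_ret(code):
    """Follow straight-line code and return eax's value when ret is reached."""
    eax, pc = None, 0
    while pc < len(code):
        op = code[pc]
        if op == 0xC3:                        # ret: eax is the return value
            if eax is None:
                raise ValueError("eax never written before ret")
            return eax
        if op == 0xB8:                        # mov eax, imm32 (little-endian)
            (eax,) = struct.unpack_from("<I", code, pc + 1)
            pc += 5
        elif code.startswith(b"\xf3\x0f\x1e\xfa", pc):  # endbr64
            pc += 4
        elif op in (0x55, 0x5D):              # push rbp / pop rbp
            pc += 1
        else:
            pc += mov_store_len(code, pc)
    raise ValueError("no ret found")

def flag(code):
    return "picoCTF{%d}" % eax_at_ret(code)   # the flag uses the decimal form
```

The decoder only knows the instruction forms that appear in this function and raises on anything else instead of guessing at lengths.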