We need the value of eax at the end of main, i.e. just before it returns. Let’s do that. wget https://artifacts.picoctf.net/c/520/debugger0_b chmod +x debugger0_b I use this script for gdb. Here I will use gdb-pwndbg pwndbg> file debugger0_b Reading symbols from debugger0_b... (No debugging symbols found in debugger0_b) pwndbg> disass main Dump of assembler code for function main: 0x0000000000401106 <+0>: endbr64 0x000000000040110a <+4>: push rbp 0x000000000040110b <+5>: mov rbp,rsp 0x000000000040110e <+8>: mov DWORD PTR [rbp-0x14],edi 0x0000000000401111 <+11>: mov QWORD PTR [rbp-0x20],rsi 0x0000000000401115 <+15>: mov DWORD PTR [rbp-0x4],0x1e0da 0x000000000040111c <+22>: mov DWORD PTR [rbp-0xc],0x25f 0x0000000000401123 <+29>: mov DWORD PTR [rbp-0x8],0x0 0x000000000040112a <+36>: jmp 0x401136 <main+48> 0x000000000040112c <+38>: mov eax,DWORD PTR [rbp-0x8] 0x000000000040112f <+41>: add DWORD PTR [rbp-0x4],eax 0x0000000000401132 <+44>: add DWORD PTR [rbp-0x8],0x1 0x0000000000401136 <+48>: mov eax,DWORD PTR [rbp-0x8] 0x0000000000401139 <+51>: cmp eax,DWORD PTR [rbp-0xc] 0x000000000040113c <+54>: jl 0x40112c <main+38> 0x000000000040113e <+56>: mov eax,DWORD PTR [rbp-0x4] 0x0000000000401141 <+59>: pop rbp 0x0000000000401142 <+60>: ret End of assembler dump. pwndbg> Let’s add a breakpoint at *main+60, the ret instruction, where eax already holds main’s return value: pwndbg> break *main+60 Breakpoint 1 at 0x401142 pwndbg> run Starting program: /home/ch/ctf/debugger0_b [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". 
Breakpoint 1, 0x0000000000401142 in main () LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────── *RAX 0x4af4b *RBX 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_b' *RCX 0x7ffff7fa5680 —▸ 0x7ffff7fa6fc0 ◂— 0 *RDX 0x7fffffffe638 —▸ 0x7fffffffe8bb ◂— 'PWD=/home/ch/ctf' *RDI 1 *RSI 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_b' *R8 0x4011c0 (__libc_csu_fini) ◂— endbr64 *R9 0x7ffff7fcdf40 ◂— endbr64 *R10 0x7fffffffe230 ◂— 0x800000 *R11 0x203 *R12 1 R13 0 *R14 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0 R15 0 *RBP 0x7fffffffe5a0 —▸ 0x7fffffffe600 ◂— 0 *RSP 0x7fffffffe508 —▸ 0x7ffff7de8c88 ◂— mov edi, eax *RIP 0x401142 (main+60) ◂— ret ─────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────── ► 0x401142 <main+60> ret <0x7ffff7de8c88> ↓ 0x7ffff7de8c88 mov edi, eax EDI => 0x4af4b 0x7ffff7de8c8a call exit <exit> 0x7ffff7de8c8f call 0x7ffff7e52a60 <0x7ffff7e52a60> 0x7ffff7de8c94 lock sub dword ptr [rip + 0x1bc434], 1 0x7ffff7de8c9c je 0x7ffff7de8cb0 <0x7ffff7de8cb0> 0x7ffff7de8c9e mov edx, 0x3c EDX => 0x3c 0x7ffff7de8ca3 nop dword ptr [rax + rax] 0x7ffff7de8ca8 xor edi, edi EDI => 0 0x7ffff7de8caa mov eax, edx 0x7ffff7de8cac syscall ──────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffe508 —▸ 0x7ffff7de8c88 ◂— mov edi, eax 01:0008│-090 0x7fffffffe510 —▸ 0x7fffffffe550 —▸ 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0 02:0010│-088 0x7fffffffe518 —▸ 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_b' 03:0018│-080 0x7fffffffe520 ◂— 0x100400040 /* '@' */ 04:0020│-078 0x7fffffffe528 —▸ 0x401106 (main) ◂— endbr64 05:0028│-070 0x7fffffffe530 —▸ 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— 
'/home/ch/ctf/debugger0_b' 06:0030│-068 0x7fffffffe538 ◂— 0x43963d184f5f5738 07:0038│-060 0x7fffffffe540 ◂— 1 ────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────── ► 0 0x401142 main+60 1 0x7ffff7de8c88 2 0x7ffff7de8d4c __libc_start_main+140 3 0x40104e _start+46 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg> info reg eax eax 0x4af4b 307019 pwndbg> The loop at main+38..main+54 adds every counter value from 0 up to 0x25e to the initial 0x1e0da in [rbp-0x4], and main+56 moves that sum into eax, so 0x4af4b = 307019 is main’s return value. So the flag is picoCTF{307019}