Description
Practice GDB: break at `main+99`, run, and jump to `main+104` to skip a delay and print the flag.
Setup
Make the binary executable (`chmod +x gdbme`).
Launch gdb, set the layout, breakpoint, and run the program.
Use `jump *(main+104)` to bypass the sleep and immediately print the flag.
chmod +x gdbme
gdb gdbme <<'GDB'
layout asm
break *(main+99)
run
jump *(main+104)
GDB
Solution
- Step 1: Set up the breakpoint
  The instructions provided in the challenge description are enough: break at `main+99`, run, then jump to `main+104`.
Learn more
GDB (GNU Debugger) is the standard debugger for Linux programs. It can pause execution at specific points (breakpoints), inspect registers and memory, modify values at runtime, and change the instruction pointer to jump to arbitrary locations in the code. These capabilities make it an essential tool for both software development and reverse engineering.
A breakpoint at `*(main+99)` tells GDB to pause execution 99 bytes into the `main` function. The `*` makes GDB treat the argument as a code address; without it, GDB would interpret the argument as a source line number. The `layout asm` command switches the TUI (text user interface) to show the assembly disassembly, which is useful for understanding exactly what instruction you're stopped at.

GDB supports scripting via here-documents (as shown in the command) or via `-x script.gdb` to run a file of GDB commands. Automating debugger sessions this way is powerful for CTF challenges that require repeatable interaction with a binary, and it is the foundation of tools like pwndbg and pwntools, which wrap GDB for exploit development.

- Step 2: Skip the wait
  Jumping to `main+104` avoids the sleep call and reveals `picoCTF{...}` immediately.
Learn more
The `jump` command in GDB changes the instruction pointer (`RIP` on x86-64) to a new address and resumes execution from there. This lets you skip over any instruction or block of code; in this case, a `sleep()` call that would otherwise make the program wait an impractically long time before printing the flag. Because the skipped instructions never execute, this only works cleanly when the code after the landing address does not depend on state they would have set up; a `sleep()` call returns nothing the program needs, so skipping it is safe here.

Anti-debugging tricks like deliberate sleep calls, infinite loops, or timing checks are common in CTF binaries and real malware to frustrate analysis. The sleep approach is the simplest: the program is correct and will eventually print the flag, but waiting would take too long. More sophisticated techniques include checking whether a debugger is attached via `ptrace(PTRACE_TRACEME)`, detecting breakpoints by looking for `0xCC` bytes in the code, or using timing side-channels.

Knowing how to patch around such checks, either by jumping past them in GDB or by binary patching the file with a hex editor, is a core reverse engineering skill. The `jump` command is the lightest-weight approach since it doesn't modify the binary on disk.
Flag
picoCTF{d3bugg3r_dr1v3_197c3...}
Great intro to gdb's `jump` command for skipping instructions.