picoCTF Solutions
PathPart of the Reverse Engineering path · Step 3 of 5: Debugging with GDB
picoGym ExclusiveReverse EngineeringMedium

GDB baby step 1

Published: March 5, 2024

Description

Disassemble debugger0_a and report the final value placed into EAX before main returns. Format the answer as picoCTF{...} where n is the decimal representation.

Setup

Static + GDBDownload debugger0_a

Make the binary executable and open it inside gdb with layout asm so you can watch instructions update EAX.

Alternatively, run objdump -D debugger0_a | less and search for main to read the assembly without a debugger.

wget https://artifacts.picoctf.net/c/512/debugger0_a
chmod +x debugger0_a
gdb --args ./debugger0_a

Solution

  1. Step 1Observe the assignment
    Stepping through main shows a MOV that loads 0x86342 into EAX right before the function returns. No further arithmetic occurs afterward.
    Learn more

    GDB (GNU Debugger) is the standard debugger for Linux programs written in C, C++, and assembly. It lets you pause execution at any point, inspect registers and memory, modify values, and step through instructions one at a time. The layout asm command switches GDB to a split-screen mode that shows the disassembly alongside the command prompt, making it easy to see which instruction is about to execute.

    Opening a binary in GDB without running it first allows pure static inspection: you can disassemble functions (disas main) and read the assembly without the program executing any code. This is useful when a binary has side effects you want to avoid (network connections, file writes, anti-debugging checks). Many CTF binaries are safe to run, but building the habit of inspecting before executing is important for real-world work.

    The two approaches shown - GDB and objdump - represent dynamic and static analysis respectively. Static analysis reads the binary without running it; dynamic analysis runs it under controlled conditions. Professional reverse engineers use both, switching between them depending on which provides more clarity. For this challenge, static analysis via objdump is sufficient and faster.

  2. Step 2Convert to decimal
    Use printf or python to convert 0x86342 to decimal, since the flag expects picoCTF{...} where n is decimal.
    python3 - <<'PY'
print(0x86342)
PY
    printf "picoCTF{...}\n" 0x86342
    Learn more

    0x86342 in decimal is 549,698. The conversion follows the standard positional notation for base 16: 8×16&sup4; + 6×16³ + 3×16² + 4×16 + 2. Both the printf and Python approaches handle this instantly, which is why learning a few reliable conversion tools matters more than memorizing the arithmetic.

    In GDB you can also print converted values directly: print/d $eax prints EAX in decimal, print/x $eax in hex, and print/t $eax in binary. The GDB print command is a full expression evaluator - you can even do arithmetic inside it: print 0x86342 immediately shows 549698.

    This challenge series is explicitly designed to build comfort with the GDB workflow: download a binary, make it executable, load it in the debugger, set breakpoints, run, inspect registers. These are the exact steps a vulnerability researcher takes when analyzing a real target. Mastering this flow on simple binaries makes the transition to complex targets much smoother.

Flag

picoCTF{...}

Every run produces the same deterministic constant, so any disassembly workflow that recovers 0x86342 works.

Want more picoGym Exclusive writeups?

Browse picoGym ExclusiveFull library

Useful tools for Reverse Engineering

Related reading

Do these first

What to try next