picoCTF Solutions
picoGym ExclusiveReverse EngineeringMedium

GDB baby step 3

Published: March 5, 2024Updated: December 9, 2025

Description

Debugger0_c stores 0x2262c96b on the stack. Examine the bytes exactly as they appear in memory and wrap them (in order) inside picoCTF{0x????????}.

Setup

Memory inspectionDownload debugger0_c

Launch the binary under gdb and switch to layout asm to see where the MOV that stores 0x2262c96b executes.

Set a breakpoint right afterward (main+25) so the stack contents can be inspected before anything is overwritten.

wget https://artifacts.picoctf.net/c/531/debugger0_c
chmod +x debugger0_c
gdb --args ./debugger0_c

Solution

  1. Step 1Break after the store
    Place b *(main+25) so execution halts immediately after the constant is written to the stack. Run the program to hit that breakpoint.
    b *(main+25)
    run
  2. Step 2Dump four bytes from the stack
    Use x/4xb $rbp-4 (little-endian, so subtract four bytes from RBP) to view the byte order as stored in memory. Concatenate those bytes, preserving order, to form the hexadecimal inside the flag.
    x/4xb $rbp-4

Flag

picoCTF{0x6b......22}

Your exact byte sequence may differ; always copy the four bytes exactly as x/4xb prints them.