GDB baby step 4

Published: March 5, 2024 | Updated: December 9, 2025

Description

Debugger0_d jumps into func1 where EAX is multiplied by a constant. Convert that constant to decimal for the final flag.

GDB control flow | Download debugger0_d

Launch the binary under gdb and examine main until it calls func1.

Inside func1, watch for the IMUL instruction that scales EAX; its immediate operand is the flag.

wget https://artifacts.picoctf.net/c/532/debugger0_d
chmod +x debugger0_d
gdb --args ./debugger0_d

Solution

  1. Step into func1
    From main, step or break inside func1 (main+38). Within func1 the IMUL at offset +14 multiplies EAX by 0x3269.
  2. Convert the constant
    Translate 0x3269 into decimal and wrap it with picoCTF{...}. Any method works: printf, python, or bc all give 12905.
    python3 - <<'PY'
    print(0x3269)
    PY
    printf "picoCTF{%d}\n" 0x3269

Flag

picoCTF{12905}

Only the multiplier matters; the rest of the function simply returns EAX after scaling.
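
The two solution steps can also be scripted. The following is an added example, not part of the original write-up: it reads gdb's `disassemble func1` output, pulls out the IMUL immediate, and formats the flag. The function names and the sample listing are assumptions made for illustration; only the imul at +14 with immediate 0x3269 comes from the write-up.

```bash
#!/usr/bin/env bash
# Added example: extract the IMUL immediate from gdb disassembly and
# format it as the flag. Function names here are hypothetical.

# Constructed sample of `disassemble func1` output (AT&T syntax, gdb's
# default). Addresses and the surrounding instructions are illustrative.
SAMPLE_DISAS='Dump of assembler code for function func1:
   0x0000000000401106 <+0>:	endbr64
   0x000000000040110a <+4>:	push   %rbp
   0x000000000040110b <+5>:	mov    %rsp,%rbp
   0x000000000040110e <+8>:	mov    %edi,-0x4(%rbp)
   0x0000000000401111 <+11>:	mov    -0x4(%rbp),%eax
   0x0000000000401114 <+14>:	imul   $0x3269,%eax,%eax
   0x000000000040111a <+20>:	pop    %rbp
   0x000000000040111b <+21>:	ret
End of assembler dump.'

# Print the immediate operand of every imul in a gdb listing on stdin.
# Works for AT&T ("imul $0x3269,%eax,%eax") and for Intel syntax
# ("imul eax,eax,0x3269"), with or without the "=>" current-line marker.
imul_immediates() {
    awk '/>:[ \t]+imul/ {
        if (match($0, /\$0x[0-9a-fA-F]+/)) {
            # AT&T: immediate is prefixed with "$"; drop the prefix
            print substr($0, RSTART + 1, RLENGTH - 1)
        } else if (match($0, /,0x[0-9a-fA-F]+[ \t]*$/)) {
            # Intel: immediate is the last operand; drop the comma
            imm = substr($0, RSTART + 1, RLENGTH - 1)
            sub(/[ \t]+$/, "", imm)
            print imm
        }
    }'
}

# Convert a hex immediate to decimal and wrap it in the flag format.
flag_from_imm() {
    printf 'picoCTF{%d}\n' "$1"
}

# Run against the constructed listing.
printf '%s\n' "$SAMPLE_DISAS" | imul_immediates | while read -r imm; do
    flag_from_imm "$imm"
done

# Against the real binary (needs debugger0_d in the current directory):
#   gdb -batch -ex 'disassemble func1' ./debugger0_d | imul_immediates
```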