Description
Debugger0_d jumps into func1 where EAX is multiplied by a constant. Convert that constant to decimal for the final flag.
Setup
Launch the binary under gdb and examine main until it calls func1.
Inside func1, watch for the IMUL instruction that scales EAX; its immediate operand is the flag.
wget https://artifacts.picoctf.net/c/532/debugger0_d
chmod +x debugger0_d
gdb --args ./debugger0_d
Solution
- Step 1: Step into func1
From main, step or break inside func1 (main+38). Within func1 the IMUL at offset +14 multiplies EAX by 0x3269.
Learn more
This challenge introduces control flow tracing across function boundaries. Main calls func1 using a CALL instruction, which pushes the return address onto the stack and transfers control to the called function. In GDB, stepi (step one instruction, entering calls) follows execution into func1, while nexti (step over) would execute the entire call and return as a single step.
In real reverse engineering, following call graphs is essential. Complex software can have hundreds of nested function calls, and understanding the data flow requires knowing which functions are called in what order and what they do to the arguments. GDB's backtrace command (alias bt) shows the current call stack, which helps you understand where you are in the call hierarchy at any breakpoint.
The IMUL instruction at func1+14 is the key. Setting a breakpoint at that exact offset (b *(func1+14)) would land execution right before the multiply, letting you inspect EAX before and after to observe the transformation. Alternatively, breaking after the IMUL and reading the assembly listing statically reveals the multiplier without needing to run anything.
- Step 2: Convert the constant
Translate 0x3269 into decimal and wrap it with picoCTF{...}. Any method works: printf, python, or bc all give 12905.
python3 - <<'PY'
print(0x3269)
PY
printf "picoCTF{...}\n" 0x3269
Learn more
0x3269 converts to decimal 12905. The challenge specifically asks for the multiplier - the immediate operand of the IMUL instruction - rather than the result of the multiplication. This distinction matters: the multiplier is a constant visible in the disassembly, while the result depends on whatever value EAX held before the IMUL, which could vary across runs.
This challenge wraps up the GDB Baby Step series by combining all the skills introduced in the previous three: disassembling a binary, tracing data flow across instructions, following a function call, and converting a constant from hex to decimal. Each step was simple in isolation, but combining them is the actual skill being assessed.
The real-world application is binary auditing for hardcoded constants. License keys, encryption round counts, magic numbers for validation, and protocol version numbers all appear as constants in binaries. Being able to locate and extract them using GDB or static disassembly tools is a core reverse engineering skill used in vulnerability research, malware analysis, and software interoperability work.
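The static route described above can be scripted. The following is an added example, not part of the original write-up: it scans a listing in the layout GDB's disassemble command prints and reports every IMUL that carries an immediate operand, in both AT&T and Intel syntax. The sample listing is constructed (addresses and neighbouring instructions are assumptions; only the IMUL at +14 with 0x3269 comes from the text), and find_imul_immediates is a hypothetical helper name.

```python
import re

# Constructed sample in the layout of GDB's `disassemble func1` (AT&T syntax).
# Addresses and surrounding instructions are illustrative assumptions; only
# the IMUL at +14 with immediate 0x3269 comes from the write-up.
SAMPLE_LISTING = """\
Dump of assembler code for function func1:
   0x0000000000401106 <+0>:\tendbr64
   0x000000000040110a <+4>:\tpush   %rbp
   0x000000000040110b <+5>:\tmov    %rsp,%rbp
   0x000000000040110e <+8>:\tmov    %edi,-0x4(%rbp)
   0x0000000000401111 <+11>:\tmov    -0x4(%rbp),%eax
   0x0000000000401114 <+14>:\timul   $0x3269,%eax,%eax
   0x000000000040111a <+20>:\tpop    %rbp
   0x000000000040111b <+21>:\tret
End of assembler dump.
"""

# One listing line: optional "=>" marker, address, <+offset>, mnemonic, operands.
LINE_RE = re.compile(r"^\s*(?:=>)?\s*0x[0-9a-fA-F]+\s+<\+(\d+)>:\s+(\S+)\s*(.*)$")
# AT&T marks immediates with "$"; Intel syntax puts the immediate last.
ATT_IMM = re.compile(r"\$(-?0x[0-9a-fA-F]+|-?\d+)")
INTEL_IMM = re.compile(r",\s*(-?0x[0-9a-fA-F]+|-?\d+)\s*$")


def find_imul_immediates(listing):
    """Return (offset, immediate) for every IMUL that has an immediate operand."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2).lower().startswith("imul"):
            continue
        operands = m.group(3)
        imm = ATT_IMM.search(operands) or INTEL_IMM.search(operands)
        if imm:  # register/memory-only forms carry no constant to report
            found.append((int(m.group(1)), int(imm.group(1), 0)))
    return found


if __name__ == "__main__":
    for offset, value in find_imul_immediates(SAMPLE_LISTING):
        print(f"func1+{offset}: imul immediate {hex(value)} = {value}")
```

To use it on the real binary, save the output of gdb's disassemble func1 to a file and pass the file contents to find_imul_immediates instead of the constructed sample.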
Flag
picoCTF{...}
Only the multiplier matters; the rest of the function simply returns EAX after scaling.