roaris / ctf-log


picoCTF: GDB baby step 2 (Reverse Engineering) #18

Open roaris opened 3 months ago

roaris commented 3 months ago

https://play.picoctf.org/practice/challenge/396

roaris commented 3 months ago

Check the address of main's ret with layout asm (it was 0x401142).
layout asm can be exited with Ctrl + x → Ctrl + a (https://stackoverflow.com/questions/8409540/how-to-close-layout-src-windows-in-gdb).
Set a breakpoint at 0x401142 and run.
RAX shows 0x4af4b; converting it to decimal gives the flag.

gdb-peda$ layout asm
gdb-peda$ b *0x401142
Breakpoint 1 at 0x401142
gdb-peda$ r
Starting program: /home/roaris/picoCTF/reversing/396/debugger0_b
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.
[----------------------------------registers-----------------------------------]
RAX: 0x4af4b
RBX: 0x7fffffffe068 --> 0x7fffffffe30a ("/home/roaris/picoCTF/reversing/396/debugger0_b")
RCX: 0x7ffff7f9e840 --> 0x7ffff7fa0300 --> 0x0
RDX: 0x7fffffffe078 --> 0x7fffffffe339 ("HOSTTYPE=x86_64")
RSI: 0x7fffffffe068 --> 0x7fffffffe30a ("/home/roaris/picoCTF/reversing/396/debugger0_b")
RDI: 0x1
RBP: 0x1
RSP: 0x7fffffffdf58 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:   mov    edi,eax)
RIP: 0x401142 (<main+60>:       ret)
R8 : 0x4011c0 (<__libc_csu_fini>:       endbr64)
R9 : 0x7ffff7fcfb10 (<_dl_fini>:        push   r15)
R10: 0x7ffff7fcb858 --> 0xa00120000000e
R11: 0x7ffff7fe1e30 (<_dl_audit_preinit>:       mov    eax,DWORD PTR [rip+0x1b022]        # 0x7ffff7ffce58 <_rtld_global_ro+888>)
R12: 0x0
R13: 0x7fffffffe078 --> 0x7fffffffe339 ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x40113c <main+54>:  jl     0x40112c <main+38>
   0x40113e <main+56>:  mov    eax,DWORD PTR [rbp-0x4]
   0x401141 <main+59>:  pop    rbp
=> 0x401142 <main+60>:  ret
   0x401143:    cs nop WORD PTR [rax+rax*1+0x0]
   0x40114d:    nop    DWORD PTR [rax]
   0x401150 <__libc_csu_init>:  endbr64
   0x401154 <__libc_csu_init+4>:        push   r15
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf58 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0008| 0x7fffffffdf60 --> 0x7fffffffe050 --> 0x7fffffffe058 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0016| 0x7fffffffdf68 --> 0x401106 (<main>:      endbr64)
0024| 0x7fffffffdf70 --> 0x100400040
0032| 0x7fffffffdf78 --> 0x7fffffffe068 --> 0x7fffffffe30a ("/home/roaris/picoCTF/reversing/396/debugger0_b")
0040| 0x7fffffffdf80 --> 0x7fffffffe068 --> 0x7fffffffe30a ("/home/roaris/picoCTF/reversing/396/debugger0_b")
0048| 0x7fffffffdf88 --> 0x85f5e3cc49fcb258
0056| 0x7fffffffdf90 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0000000000401142 in main ()
gdb-peda$ exit

┌──(roaris㉿DESKTOP-G3SGKDT)-[~/picoCTF/reversing/396]
└─$ python
Python 3.11.8 (main, Feb  7 2024, 21:52:08) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 4*16**4+10*16**3+15*16**2+4*16+11
307019

roaris commented 3 months ago

Since I'm at it, let's take a look at what the program actually does.

[image]

roaris commented 3 months ago

I'm guessing it is a C program like the following. rbp-0x4 is s, rbp-0x8 is i, and rbp-0xc is l.

int main(int argc, char *argv[]) {
    int s = 123098;                        /* [rbp-0x4] */
    int l = 607;                           /* [rbp-0xc] */
    for (int i = 0; i < l; i++) s += i;    /* i lives at [rbp-0x8] */
    return s;                              /* returned in eax: 0x4af4b == 307019 */
}

After compiling it and running layout asm:

[image]

It came out the same.
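The hex-to-decimal step from the gdb session and the reconstructed loop from the last comment, pulled together as an added Python example that is not part of the issue: it parses the PEDA register block, converts the RAX value the way the REPL line did, re-runs the loop with 32-bit wraparound, and shows why reading the process exit status alone would not have recovered the flag. The register excerpt is constructed from the dump above; function names are my own.

```python
import re

# Constructed excerpt of the gdb-peda register dump shown in the issue.
PEDA_DUMP = """\
[----------------------------------registers-----------------------------------]
RAX: 0x4af4b
RBX: 0x7fffffffe068 --> 0x7fffffffe30a ("/home/roaris/picoCTF/reversing/396/debugger0_b")
RDI: 0x1
RBP: 0x1
RIP: 0x401142 (<main+60>:       ret)
R8 : 0x4011c0 (<__libc_csu_fini>:       endbr64)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
"""

# Matches 'RAX: 0x...', 'R8 : 0x...' and 'EFLAGS: 0x...'; the first hex token only,
# the '-->' dereference chain and symbol annotations are ignored.
REG_LINE = re.compile(r"^(R[A-Z0-9]{1,2}|EFLAGS)\s*:\s*(0x[0-9a-fA-F]+)")


def parse_peda_registers(dump: str) -> dict[str, int]:
    """Return {register: value} for every register line in a PEDA dump."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def hex_to_decimal_by_hand(hex_digits: str) -> int:
    """The weighted sum typed into the REPL (4*16**4 + 10*16**3 + ...), for any length."""
    total = 0
    for position, digit in enumerate(reversed(hex_digits.lower())):
        total += "0123456789abcdef".index(digit) * 16 ** position
    return total


def simulate_main(s: int = 123098, l: int = 607) -> int:
    """Run the reconstructed loop with 32-bit signed int semantics, as eax holds it."""
    for i in range(l):
        s = (s + i) & 0xFFFFFFFF
    return s - (1 << 32) if s & 0x80000000 else s


def exit_status_of(return_value: int) -> int:
    """What the shell's $? would show: only the low 8 bits of main's return value survive."""
    return return_value & 0xFF
```

Because the exit status keeps only the low byte (75 here), the full return value has to be read from RAX at the ret, which is exactly why the breakpoint at 0x401142 is needed.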