roaris / ctf-log


picoCTF: GDB baby step 4 (Reverse Engineering) #20

Open roaris opened 6 months ago

roaris commented 6 months ago

https://play.picoctf.org/practice/challenge/398

roaris commented 6 months ago

Running layout asm shows that a function labelled func1 is being called. Set a breakpoint on func1 and run the program.

There is an instruction imul eax,eax,0x3269. When imul takes three operands, it stores the product of the second and third operands in the first operand.

gdb-peda$ layout asm
gdb-peda$ b func1
Breakpoint 1 at 0x40110e
gdb-peda$ r
Starting program: /home/roaris/picoCTF/reversing/398/debugger0_d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.
[----------------------------------registers-----------------------------------]
RAX: 0x28e
RBX: 0x7fffffffe068 --> 0x7fffffffe30a ("/home/roaris/picoCTF/reversing/398/debugger0_d")
RCX: 0x7ffff7f9e840 --> 0x7ffff7fa0300 --> 0x0
RDX: 0x7fffffffe078 --> 0x7fffffffe339 ("HOSTTYPE=x86_64")
RSI: 0x7fffffffe068 --> 0x7fffffffe30a ("/home/roaris/picoCTF/reversing/398/debugger0_d")
RDI: 0x28e
RBP: 0x7fffffffdf20 --> 0x7fffffffdf50 --> 0x1
RSP: 0x7fffffffdf20 --> 0x7fffffffdf50 --> 0x1
RIP: 0x40110e (<func1+8>:       mov    DWORD PTR [rbp-0x4],edi)
R8 : 0x4011c0 (<__libc_csu_fini>:       endbr64)
R9 : 0x7ffff7fcfb10 (<_dl_fini>:        push   r15)
R10: 0x7ffff7fcb858 --> 0xa00120000000e
R11: 0x7ffff7fe1e30 (<_dl_audit_preinit>:       mov    eax,DWORD PTR [rip+0x1b022]        # 0x7ffff7ffce58 <_rtld_global_ro+888>)
R12: 0x0
R13: 0x7fffffffe078 --> 0x7fffffffe339 ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x401106 <func1>:    endbr64
   0x40110a <func1+4>:  push   rbp
   0x40110b <func1+5>:  mov    rbp,rsp
=> 0x40110e <func1+8>:  mov    DWORD PTR [rbp-0x4],edi
   0x401111 <func1+11>: mov    eax,DWORD PTR [rbp-0x4]
   0x401114 <func1+14>: imul   eax,eax,0x3269
   0x40111a <func1+20>: pop    rbp
   0x40111b <func1+21>: ret
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf20 --> 0x7fffffffdf50 --> 0x1
0008| 0x7fffffffdf28 --> 0x401147 (<main+43>:   mov    DWORD PTR [rbp-0x8],eax)
0016| 0x7fffffffdf30 --> 0x7fffffffe068 --> 0x7fffffffe30a ("/home/roaris/picoCTF/reversing/398/debugger0_d")
0024| 0x7fffffffdf38 --> 0x1f7fe6780
0032| 0x7fffffffdf40 --> 0x0
0040| 0x7fffffffdf48 --> 0x28e00000000
0048| 0x7fffffffdf50 --> 0x1
0056| 0x7fffffffdf58 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x000000000040110e in func1 ()

Converting 0x3269 to decimal gives the flag.

$ python
Python 3.11.8 (main, Feb  7 2024, 21:52:08) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 3*16**3+2*16**2+6*16+9
12905
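As an added example (not part of the original writeup, and not code from the challenge), the script below does what the comment above does by hand: it pulls the immediate out of the three-operand imul in a gdb disassembly dump, converts it to decimal, and also models what func1 actually computes for a given edi (a signed 32-bit multiply truncated to 32 bits). The disassembly text is a copy of the listing shown above, embedded so the script runs offline; the function names find_imul_immediates, imul32 and func1 are this example's own.

```python
import re

# Disassembly of func1 as printed by gdb-peda in the session above
# (copied here as a constructed sample so the example runs offline).
FUNC1_DISASM = """\
   0x401106 <func1>:    endbr64
   0x40110a <func1+4>:  push   rbp
   0x40110b <func1+5>:  mov    rbp,rsp
=> 0x40110e <func1+8>:  mov    DWORD PTR [rbp-0x4],edi
   0x401111 <func1+11>: mov    eax,DWORD PTR [rbp-0x4]
   0x401114 <func1+14>: imul   eax,eax,0x3269
   0x40111a <func1+20>: pop    rbp
   0x40111b <func1+21>: ret
"""

# Matches the three-operand form "imul dst, src, imm" in Intel syntax,
# which is how gdb-peda prints it. The immediate may be hex or decimal.
IMUL3_RE = re.compile(r"\bimul\s+(\w+),\s*(\w+),\s*(0x[0-9a-fA-F]+|-?\d+)")


def find_imul_immediates(disasm: str) -> list[tuple[str, str, int]]:
    """Return (dst, src, imm) for every three-operand imul in a gdb disassembly dump."""
    found = []
    for line in disasm.splitlines():
        m = IMUL3_RE.search(line)
        if m:
            dst, src = m.group(1), m.group(2)
            imm = int(m.group(3), 0)  # base 0 accepts "0x3269" as well as "12905"
            found.append((dst, src, imm))
    return found


def imul32(a: int, b: int) -> int:
    """Emulate 'imul r32, r/m32, imm32': signed multiply, low 32 bits kept."""
    def to_signed32(x: int) -> int:
        x &= 0xFFFFFFFF
        return x - (1 << 32) if x & 0x80000000 else x
    return (to_signed32(a) * to_signed32(b)) & 0xFFFFFFFF


def func1(edi: int) -> int:
    """Model of func1 from the listing: eax = edi * <imul immediate> (mod 2^32)."""
    (_, _, imm), = find_imul_immediates(FUNC1_DISASM)  # exactly one imul expected
    return imul32(edi, imm)


if __name__ == "__main__":
    (dst, src, imm), = find_imul_immediates(FUNC1_DISASM)
    print(f"imul {dst},{src},{imm:#x} -> immediate in decimal: {imm}")
    # RDI was 0x28e at the breakpoint, so this is what func1 returns to main.
    print(f"func1(0x28e) = {func1(0x28e):#x} ({func1(0x28e)})")
```

Parsing the immediate with int(..., 0) avoids the manual 3*16**3+... arithmetic, and modelling the multiply with 32-bit truncation matters whenever the argument is large enough that eax wraps, which the REPL calculation above would not show.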