BabyGame01 PicoCTF 2023

babygame01

100 points

AUTHOR: PALASH OSWAL

Description
Get the flag and reach the exit.
Welcome to BabyGame! Navigate around the map and see what you can find! The game is available to download here. There is no source available, so you’ll have to figure your way around the map. You can connect with it using the port they give you.


This challenge wasn't solved by me; all the credit goes to @laundry.

In short, the game is to reach a specific square on the map using the wasd keys.

Let’s look at the code itself using IDA.

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+1h] [ebp-AA5h]
  int v5[2]; // [esp+2h] [ebp-AA4h] BYREF   -- player position: v5[0] = row, v5[1] = column
  char v6; // [esp+Ah] [ebp-A9Ch]           -- the byte win() depends on, 4 bytes below the map
  char v7[2700]; // [esp+Eh] [ebp-A98h] BYREF -- the map buffer (30 rows x 90 columns)
  unsigned int v8; // [esp+A9Ah] [ebp-Ch]
  int *p_argc; // [esp+A9Eh] [ebp-8h]

  p_argc = &argc;
  v8 = __readgsdword(0x14u);
  init_player(v5);
  init_map(v7, v5);
  print_map(v7, v5);
  signal(2, sigint_handler);
  do
  {
    do
    {
      v4 = getchar(p_argc);       // one key per iteration
      move_player(v5, v4, v7);
      print_map(v7, v5);
    }
    while ( v5[0] != 29 );        // loop until the player reaches row 29 ...
  }
  while ( v5[1] != 89 );          // ... and column 89 (the exit)
  puts("You win!");
  if ( v6 )                       // only a non-zero v6 yields the flag
  {
    puts("flage");
    win();
    fflush(stdout);
  }
  return 0;
}
```

To hit the win() path we need to make v6 non-zero.

Because it was placed so well, right above the variable v7, I tried for ages to perform a buffer overflow using the getchar() function itself. Dud.

The relevant piece of code to solve this is in the move_player function.

```c
_BYTE *__cdecl move_player(_DWORD *a1, char a2, int a3)
{
  _BYTE *result; // eax

  if ( a2 == 108 )                // 'l': the next input byte becomes the player tile
    player_tile = getchar();
  if ( a2 == 112 )                // 'p': auto-solve the round
    solve_round(a3, a1);
  *(_BYTE *)(a1[1] + a3 + 90 * *a1) = 46;   // clear the old cell with '.'
  switch ( a2 )                   // no bounds check on row or column
  {
    case 'w':
      --*a1;
      break;
    case 's':
      ++*a1;
      break;
    case 'a':
      --a1[1];
      break;
    case 'd':
      ++a1[1];
      break;
  }
  result = (_BYTE *)(a1[1] + a3 + 90 * *a1);   // a negative column lands below the map
  *result = player_tile;
  return result;
}
```

Two secret commands are now revealed: l (108) reads one more character and uses it as the player tile, and p (112) calls solve_round().

## Now time to solve



Before we begin, remember to first try all four moves (w, a, s, d) so that the game doesn't exit on you before you've finished.

  • Using w and a, move the player to Player position: 0 0, then keep pressing a to walk off the map to the left until you see the flag value change from 0 to 46 or 64.
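To see why walking off the left edge changes that byte, here is an added C model of the frame layout (my code, not the challenge binary): the map is 30x90 because v7 is 2700 bytes and the exit is (29, 89), the flag byte sits 4 bytes below the map as in the IDA listing, and the start cell (4, 4) and the guard padding are constructed assumptions. The unchecked move is the decompiled logic; the checked one shows the bounds test that would have prevented the write.

```c
#include <string.h>
#define ROWS 30  /* v7 is 2700 bytes and the exit is (29, 89): a 30x90 map */
#define COLS 90
#define GUARD 16 /* slack below the flag so this model never leaves its buffer */
#define FLAG_IDX GUARD       /* stands in for v6, the byte win() depends on */
#define MAP_IDX  (GUARD + 4) /* stands in for v7, 4 bytes above v6 as in IDA */

/* Same arithmetic as the decompiled move_player: no bounds check, so a
 * negative column indexes below map[0] and eventually reaches the flag byte. */
static void move_unchecked(int pos[2], char cmd, char *map)
{
    map[pos[1] + COLS * pos[0]] = '.';
    switch (cmd) {
    case 'w': --pos[0]; break;  case 's': ++pos[0]; break;
    case 'a': --pos[1]; break;  case 'd': ++pos[1]; break;
    }
    map[pos[1] + COLS * pos[0]] = '@';  /* player_tile, 64 */
}

/* Hardened variant: compute the target cell first and refuse to leave the map. */
static int move_checked(int pos[2], char cmd, char *map)
{
    int r = pos[0], c = pos[1];
    switch (cmd) {
    case 'w': --r; break;  case 's': ++r; break;
    case 'a': --c; break;  case 'd': ++c; break;
    }
    if (r < 0 || r >= ROWS || c < 0 || c >= COLS)
        return 0;  /* move rejected, nothing written */
    map[pos[1] + COLS * pos[0]] = '.';
    pos[0] = r; pos[1] = c;
    map[c + COLS * r] = '@';
    return 1;
}

/* Replays moves from a constructed start cell (4, 4); returns the modelled v6 byte. */
int flag_after(const char *moves, int checked)
{
    static char frame[MAP_IDX + ROWS * COLS];
    char *map = frame + MAP_IDX;
    int pos[2] = { 4, 4 };
    memset(frame, 0, sizeof frame);   /* v6 starts at 0, so win() is skipped */
    memset(map, '.', ROWS * COLS);
    for (; *moves; ++moves) {
        if (checked) move_checked(pos, *moves, map);
        else         move_unchecked(pos, *moves, map);
    }
    return (unsigned char)frame[FLAG_IDX];
}
```

With the unchecked logic, four a presses past column 0 leave the player tile (64) in the flag byte, and a fifth leaves the '.' (46) the next move writes over it, which is exactly the 46 or 64 the writeup tells you to watch for.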

Now move to the final position using l and then p to win, and there's your flag.

picoCTF{your flag}
