diff --git a/rev/picker_4/flag.txt b/rev/picker_4/flag.txt
new file mode 100644
index 0000000..e0c701d
--- /dev/null
+++ b/rev/picker_4/flag.txt
@@ -0,0 +1 @@
+picoCTF{dummy_flag}
diff --git a/rev/picker_4/picker-IV b/rev/picker_4/picker-IV
new file mode 100755
index 0000000..238a4da
Binary files /dev/null and b/rev/picker_4/picker-IV differ
diff --git a/rev/picker_4/picker-IV.c b/rev/picker_4/picker-IV.c
new file mode 100644
index 0000000..5f16afb
--- /dev/null
+++ b/rev/picker_4/picker-IV.c
@@ -0,0 +1,49 @@
+#include
+#include
+#include
+#include
+
+
+void print_segf_message(){
+ printf("Segfault triggered! Exiting.\n");
+ sleep(15);
+ exit(SIGSEGV);
+}
+
+int win() {
+ FILE *fptr;
+ char c;
+
+ printf("You won!\n");
+ // Open file
+ fptr = fopen("flag.txt", "r");
+ if (fptr == NULL)
+ {
+ printf("Cannot open file.\n");
+ exit(0);
+ }
+
+ // Read contents from file
+ c = fgetc(fptr);
+ while (c != EOF)
+ {
+ printf ("%c", c);
+ c = fgetc(fptr);
+ }
+
+ printf("\n");
+ fclose(fptr);
+}
+
+int main() {
+ signal(SIGSEGV, print_segf_message);
+ setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
+
+ unsigned int val;
+ printf("Enter the address in hex to jump to, excluding '0x': ");
+ scanf("%x", &val);
+ printf("You input 0x%x\n", val);
+
+ void (*foo)(void) = (void (*)())val;
+ foo();
+}
diff --git a/rev/picker_4/solve.sh b/rev/picker_4/solve.sh
new file mode 100755
index 0000000..dd9a2f5
--- /dev/null
+++ b/rev/picker_4/solve.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+NC_HOST="saturn.picoctf.net"
+NC_PORT="55490"
+
+WIN_ADDR="$(nm -g ./picker-IV | grep win | cut -d' ' -f1)"
+
+# ./picker-IV <<<"$WIN_ADDR"
+
+nc "$NC_HOST" "$NC_PORT" <<<"$WIN_ADDR"
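Review bot: In `win()`, `char c` receives the result of `fgetc()`, so the `c != EOF` test is unreliable: where `char` is unsigned the loop never terminates, and where it is signed a 0xFF byte in flag.txt ends the read early; declare it `int c;`. In `main()`, the return value of `scanf("%x", &val)` is not checked, so non-hex input leaves `val` indeterminate before it is cast and called; `if (scanf("%x", &val) != 1) return 1;` keeps the intended challenge behaviour while making the failure path defined. The handler installed with `signal()` is declared without the `int` parameter and calls `printf` and `exit`, neither of which is async-signal-safe; `void print_segf_message(int sig)` using `write()` and `_exit()` would be the conforming form. `win()` is also declared `int` but returns nothing, and `unsigned int val` can only hold the target address when the binary is linked non-PIE at a 32-bit address, which deserves a comment such as `// requires a non-PIE build: the address must fit in 32 bits`.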
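Review bot: `grep win` in the `WIN_ADDR` pipeline matches every global symbol whose name contains "win", so the variable can end up holding several addresses separated by newlines; match the symbol name exactly, e.g. `awk '$3 == "win" { print $1 }'`. The script also has no `set -euo pipefail` and no emptiness check, so a missing or stripped `./picker-IV` results in an empty line being sent to the remote service instead of a local failure; `[ -n "$WIN_ADDR" ] || exit 1` before the `nc` call would catch that. The host and port are hard-coded for one challenge instance and would be easier to reuse as `"${1:-saturn.picoctf.net}"` and `"${2:-55490}"`.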