From 83d5a7a8a8a8cdc1b521692556eff081726bb7fb Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 2 Jul 2026 00:19:16 +0900 Subject: [PATCH] rev/picker_4 --- rev/picker_4/flag.txt | 1 + rev/picker_4/picker-IV | Bin 0 -> 17272 bytes rev/picker_4/picker-IV.c | 49 +++++++++++++++++++++++++++++++++++++++ rev/picker_4/solve.sh | 10 ++++++++ 4 files changed, 60 insertions(+) create mode 100644 rev/picker_4/flag.txt create mode 100755 rev/picker_4/picker-IV create mode 100644 rev/picker_4/picker-IV.c create mode 100755 rev/picker_4/solve.sh diff --git a/rev/picker_4/flag.txt b/rev/picker_4/flag.txt new file mode 100644 index 0000000..e0c701d --- /dev/null +++ b/rev/picker_4/flag.txt @@ -0,0 +1 @@ +picoCTF{dummy_flag} diff --git a/rev/picker_4/picker-IV b/rev/picker_4/picker-IV new file mode 100755 index 0000000000000000000000000000000000000000..238a4da37598c2e1bb7ab27190ac727d42c85805 GIT binary patch literal 17272 zcmb<-^>JfjWMqH=CI&kO5O0E@16T+`GBE7026MrL1A_$vFM|VvJcAqq8v_Fa3j+fK zOq~Oi1*2~;fweHeXbuRMff=e#0>ofoV31&jm;j??pz2^W$W0(25Dl^q#D-vqK9~zK z*dd}Ynn3`<2kB!4F`;}00jNGG9SSuRMkDJ3ODTXfGcYhHK=nas1E~LCG_pQW*a+xB z^a*P<=4k1*#rKgX{na1wSoG0kKK7F951<4%9(&py3FkLqLWzFfhPqkR2eQ zz^5fCpl|`PiNUaF4uaZ;D;_>T!xKhBxeWR_nMr0Q`Z+1OIhlE-6}lA`X1Zo3dd2yA zMqukf?gH5XN>lEBp$tq63C>-iR;fBp#F&yf-afpM`88&m=7#J7? z8Kf8*96&x~fae#6oXn(TP%8T~j48Wl5!J z4Dsew5{pXWa}zW37~Fk4ot)#1^vvNbBRx}w`1thP{5+_-cu>$WF(5+*Fpn8b zGBGeRfG`8Bm|+ml%;W{7&JqTQSgBMdCrC#f$RGv=h7a}-e}mE-2t$P#ejtg%$`Fto zESy030hTsF;u6sC0~O1lbPf^&VFe^{P#On`fv^UWI4CcG#6Z{pNgR}KKw=lPs2GTfKoSR~A&?jdCm@OQfCQj814*10DmF@u zhQMeDjE2By2#kinXb6mkz+ei2&-`+~JeuEdcyzPA)MsGuXgyHE^#6iK^AV22U}yd} zeWcI8@aezmV|@k&et8Cv`V5fFrKE1pM=Ytw_pI#n>^Fa-{PcJvZ z`Je{er189F4{E@DdRYkPgBqTnUM9l%poZM1mw|9Tr~&us zr6Y|0>A$Kj*!3<9VE2Feud0g1mqp`?qVajr_^fFBzj~n1L74v)jsF&n{}hdX7nyJP z*0b|soJZ#)kLD*I0zy2GA8-(HVDLD8@PaUiI&LED!0=zxNRNTx3po4_r|I#_w}2vr zVZshjL)^m_M3xBe0EvO3lyg5w;QxcP35U}ViuvUo81{iAJR0ADsm>1`2jAIy9Q?uT z!FbH$;=d9>xC!h~6VUa8;=jSx7BpH>Dje$3`SeBA|NsAwv1;ovFfhg*#;^~h{&g3K z1S$6DwQc5QV0e-C@Bjb({0s~XFW!JypoaE~OaK1=hpTITBjC|%TLMyR_3!_Gk6zP4 zUIqq_UfUdyP&-Jd)AfT#bL|I)QZbKS+c=Q00LUy*5WHvuDd=|n;L&;fh1S3S|2tg& zzn0?P=lZ|%_={VA|Nr-Z%JD(u8fyRlFMY5dl#E{NMv^}N_y7M1Cl8~#%2faV|Nr~J zPQDLT%c`Nvz_1f!?=DbA*au>PEWQYm?X|td!@vLz))y1N0?I*)nu+WvrxpZNR# zf4A!wu;^2`XcAQPfJdk6507rwAOA0ajX8-F{b}Iz;27@HYiq2*?G+|)U)%e zV~AttpHPopT@@_`hF~Afzo0z-;{Wge|2+==WiF97yv;A)0CK2L=O>@ecP^dJ9si5m z_h>%M=wW%c^cAQ)h>mrPag240bBsq$1E8<~l@uTvWF|-@hz~Mr6px0$Xb6mkz-S1J zhQMeDjE2By2#kinXb23h5CF{!fm{@vnx2+enp2`sQk0pVo?4WeqNw0nky(F6c|)1z;b&Fyqtz{{oB*3?`rd|2JV|U|90`|Nk0B1_scaEXco%RY44l z6#|UXJnS437$I|Dpo!Fm5C8w`gA};13xMVr4Hy_0=6v}7A2dV(5>^4Z0n|}__y7L^ zkN}^68=r(1KX*At1B1Pkm6oxJ5=aS&pffhn<6g0W@U}va{ji|Nj$E-Lf>451O(CF{MBRXuUU7 z9@OUn3BlyQ{`;Q~;xB-%Lx%Oc3|JxNgZfDz`4doia7U4Wfng>{kb!{#G!F-2g8Eq? zS`7^%ztt&^j(*PR34p2G(N+&?+0w~=8r6)k? z1yFhels*8ZFF2p^CFIz|tkEI2!{jJ)(-UGr-aFZ7-0DwRa_9UKLSaDnL&sFw!R-pn1Pu=nBfC-{XeR>2m@@N1gf|wg9NnPKou8b zz?P1g8N}i1m{HYBFfc&#KdQJSLjhKC#5!xlnUp zs5!3^ga;C(rm?g!a}&0kBv<_I(BC_&0ckl8SdP5maYqzFblg4PT$GGNBz z8K`>n^l%?6j+w4Lf!%`{zo7D62o#>sdJ0yrNHAjGAEC>Lef|GQ(3ltlW;$^Mo5Rmg z28~DX*dAyf3s@ZNSQH`+Jmx6L09tp0ERl;ty%0#82{Yd{g2a&xfU>9J5MO~q{5aG- z=;{9o4)rg<;Q+M^iTVx-HzrAj3TXO-NwF}2!V^(GfR=!P5#<UW2oRgoITFek1pOPP+o|B)Hm=m8;l3!FD zpIBPKker`ekds=Hnxbc6U}lJ2QG8lvUS@n^QBh)Ld}>}vQ6)oKQDSatd`f928O1?eqDRTQ6^l30=m-M@n>1=gR2DhA&4 zgDQlv%LiQ=WC3Jz4|F>bx&oBlKk@M?#rg3WiFqkGsSNR+{_({nDVcfkrNyZ!unk3^ zpa4Y+LwRN%Lwrh3d{JsnesW?-D#(_S%;flj%v6T>_@v@ukU&uh19pjTW{1fervtW41KQUQZr zUVcfcUV2`sUO`cQL26M+C6Z85X=YA}Ze|Kp$kEADwXn46i*pqHLs0wzGlGw4AKODZmA&`ZwG z%}vb%?bkvrfym>5S}veE9oGMW?Yo8T$A$IFV5WoA!q^~MnSp@;)E9#3hqbR^`$0i- zRUmaR4C^Ps_-1JOVeN3(K2*>=8%!;ThSe7!HVAv7>4&w~YoHxGbo&g$xV~puQwbKde7-3aVcYsu1RWm^v5@+UE!Ao5J|8e#Z-_e$c!p z$Ov@zgTz3%7u-$+?HB~{7~uUA38;mz{xFma-#-cS|8%H+Cx~`FOrw34l$aB6R^-y8BevmvUPC@n0{FQ4z{lww67MX7DS`le+f-L ztRMIRYQF=>aUhLQjBfuO21wrtn%&_2Mc6)XboDSkjDEquzyMls4$}|oS4u$FF~HP8 zt%s*ynD`e4NZNzxhxI>U`}Se`^FjFsWClzhEFJuX`X8nrw%_&xw1Em!2ht0|F#Rx^ zi4n3V9Ht-MpM_@J0+1#o4ATdrxzY5)+WiGk{kZIh87asJ*%J-3AJ&g)AX2{=)PAUP zn6V5n{n~I52m_WJkZD-jgQ$Rz8=wX%Km%Tufq_An0peDW3Q$=BqB)`EFNlqdFMvAO j3=9m1(F}*#3sVcqrZB(5#6a|9D-g-RAdjX2jmrQ4pP&ZN literal 0 HcmV?d00001 diff --git a/rev/picker_4/picker-IV.c b/rev/picker_4/picker-IV.c new file mode 100644 index 0000000..5f16afb --- /dev/null +++ b/rev/picker_4/picker-IV.c @@ -0,0 +1,49 @@ +#include +#include +#include +#include + + +void print_segf_message(){ + printf("Segfault triggered! Exiting.\n"); + sleep(15); + exit(SIGSEGV); +} + +int win() { + FILE *fptr; + char c; + + printf("You won!\n"); + // Open file + fptr = fopen("flag.txt", "r"); + if (fptr == NULL) + { + printf("Cannot open file.\n"); + exit(0); + } + + // Read contents from file + c = fgetc(fptr); + while (c != EOF) + { + printf ("%c", c); + c = fgetc(fptr); + } + + printf("\n"); + fclose(fptr); +} + +int main() { + signal(SIGSEGV, print_segf_message); + setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered + + unsigned int val; + printf("Enter the address in hex to jump to, excluding '0x': "); + scanf("%x", &val); + printf("You input 0x%x\n", val); + + void (*foo)(void) = (void (*)())val; + foo(); +} diff --git a/rev/picker_4/solve.sh b/rev/picker_4/solve.sh new file mode 100755 index 0000000..dd9a2f5 --- /dev/null +++ b/rev/picker_4/solve.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +NC_HOST="saturn.picoctf.net" +NC_PORT="55490" + +WIN_ADDR="$(nm -g ./picker-IV | grep win | cut -d' ' -f1)" + +# ./picker-IV <<<"$WIN_ADDR" + +nc "$NC_HOST" "$NC_PORT" <<<"$WIN_ADDR"