Rating:
## Patches' Punches (RE, 50pts)
#### Challenge Description
That moment when you go for a body slam and you realize you jump too far. Adjust your aim, and you'll crush this challenge!
[patches](http://files.sunshinectf.org/pwn/patches)
Author: soaspro
#### Overview
The challenge provides us with a binary file that supposedly contains the flag. Given the name and the fact that the challenge is only worth 50 points, it's safe to assume we'll only need some simple patching to solve it.
#### Patching
If we take a look at the main function, we'll see some interesting disassembly. I've omitted the parts that involve constructing the flag as reversing that is not needed.
```assembly
mov dword ptr [ebp-10h], 1
cmp dword ptr [ebp-10h], 0
jnz short loc_5A3
mov [ebp+var_C], 0
jmp short loc_580
loc_5A3:
sub esp, 0Ch
lea edx, (aWoahThereYouJu - 1FD8h)[eax] ; "Woah there! you jumped over the flag."
push edx
mov ebx, eax
call _printf
loc_580:
sub esp, 8
lea edx, (string - 1FD8h)[eax] ; "zyq|Xu3Px~_{Uo}TmfUq2E3piVtJ2nf!}"
push edx
lea edx, (aHurrayTheFlagI - 1FD8h)[eax] ; "Hurray the flag is %s\n"
push edx ; format
mov ebx, eax
call _printf
```
Basically, you'll only be given the flag if the value at `ebp-0x10` is 0. But we can see in the disassembly that it directly moves 1 into `ebp-0x10`. This is the instruction we need to patch. If we take a look at the opcodes for this instruction, we'll get the following from REBot:
```assembly
mov dword ptr [ebp - 0x10], 0 ; +0 = c7 45 f0 01 00 00 00
```
The first byte is the opcode for the `mov` instruction and the next two are for the `[ebp - 0x10]` operation, which means the trailing 4 bytes are for the immediate. This means if we patch the 4th byte to a `0` / NULL byte, we'll get the flag. In the binary, this turns out to be at file offset 0x53D.
#### Flag
After patching this byte, we can run the binary again and this time we'll get the flag. Note that if you're running on a 64-bit system you'll need to install 32-bit libraries to run the binary as it is a 32-bit binary (x86), not 64-bit.
```
$ ./patches
Hurray the flag is sun{To0HotToHanDleTo0C0ldToH0ld!}
```
