## Description

Here's a program that plays rock, paper, scissors against you. I hear something good happens if you win 5 times in a row.
Connect to the program with netcat:
`$ nc saturn.picoctf.net 5252`
The program's source code with the flag redacted can be downloaded [here](https://artifacts.picoctf.net/c/446/game-redacted.c).

## Solution

Let's look at the source code. There are some specific things to notice:

```c
if (wins >= 5) // win 5 times in a row
{
    puts("Congrats, here's the flag!");
    puts(flag);
}
```

We could just spam the server until we get lucky (we have a (1/3)^5 × 100, or ~0.4%, chance of winning 5 times in a row), but that isn't exactly in the spirit of this challenge.

As this is a binary exploitation challenge, what immediately comes to mind is somehow tricking the program into thinking we won. After all, there is a buffer for our input, `char player_turn[100];`. Maybe we can overflow that?

Before we jump the gun, let's see how the program actually determines if we win a round.

```c
char* loses[3] = {"paper", "scissors", "rock"};
// ...
if (strstr(player_turn, loses[computer_turn]))
{
    puts("You win! Play again?");
    return true;
}
```

This seems kinda strange... We have a lookup array that maps the computer's move to the move that beats it, and the program checks if the player's move is a substring of the winning move... Wait no! It's the other way around: it checks if the winning move is a substring of the user's input. Therefore, we can just input the string "rockpaperscissors", and the winning move will always be a substring. Do this five times, and we get the flag.
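The flawed comparison next to an exact-match version, as an added example that is not part of the challenge source or the original writeup. The helper names `wins_substring` and `wins_exact` and the sample inputs are assumptions made here for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same table as the challenge source: loses[i] is the move that beats computer move i. */
static const char *loses[3] = {"paper", "scissors", "rock"};

/* The check as the challenge wrote it: true if the winning move appears
 * anywhere inside the player's input. */
bool wins_substring(const char *player_turn, int computer_turn)
{
    return strstr(player_turn, loses[computer_turn]) != NULL;
}

/* Hardened check (hypothetical helper): the input, minus any trailing line
 * ending, must be exactly the winning move and nothing else. */
bool wins_exact(const char *player_turn, int computer_turn)
{
    size_t len = strcspn(player_turn, "\r\n");   /* length up to a line ending */
    const char *want = loses[computer_turn];
    return len == strlen(want) && strncmp(player_turn, want, len) == 0;
}

int main(void)
{
    /* Constructed sample inputs: two honest moves and the catch-all string. */
    const char *inputs[] = {"rock", "paper\n", "rockpaperscissors"};

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int shown = (int)strcspn(inputs[i], "\r\n"); /* print without the newline */
        for (int c = 0; c < 3; c++) {
            printf("input=%-18.*s computer=%d substring=%d exact=%d\n",
                   shown, inputs[i], c,
                   wins_substring(inputs[i], c), wins_exact(inputs[i], c));
        }
    }
    return 0;
}
```

With the exact comparison, "rockpaperscissors" never counts as a win, while a single valid move still wins only against the computer move it actually beats.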

## Flag

*picoCTF{50M3_3X7R3M3_1UCK_32F730C2}*

Original writeup (https://github.com/FlyN-Nick/picoGymWriteups/blob/main/Binary%20Exploitation/RPS/RPS.md).