Baby Game

For this challenge we are given a game to play.

Moving to the X in the bottom right informs us that “You win!” and exits the program. This does not give us the flag, so let's have a poke around in Ghidra.

In the main function we can see that we get the flag if local_aa4 is != '\0'. This is a local variable placed on the stack right before a large buffer (local_aa0).

Let's have a closer look at the local variables; in particular, local_aac is used in init_player().

This function takes the address of local_aac and writes three ints, 4, 4 and 0, to consecutive local variables:

Top of stack 0x00000

$EBP - 0xAAC = local_aac = 4

$EBP - 0xAA8 = local_aa8 = 4

$EBP - 0xAA4 = local_aa4 = 0

4 and 4 happen to match our starting position.

So we know that the x, y and flag condition sit right before the giant buffer, which appears to be the map since it is passed in via print_map(). Let's pivot our attention to the move_player function, which takes a pointer to the first position, the pressed key and the map buffer.

Pressing p appears to call solve round, which is handy, and W, A, S and D perform some pointer arithmetic; the last line dereferences the result and writes our player tile to that location. Interestingly, there are no out-of-bounds checks, so if we move to 0,0 in the grid we write to the first byte of local_aa0:

   +----------+ +--------+  +-------+ +------+ +---------------+            
   | local_aa4| |        |  |       | |      | | local_aa0     |            
   +----------+ +--------+  +-------+ +------+ +---------------+            
                                                                            
       -4,0       -3,0        -2,0      -1,0          0,0                   

If we move our position into the negatives, we can write over other local variables such as the flag condition.
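To make the layout concrete, here is an added C model (not the challenge binary's code) of the locals the writeup describes: x, y and the win flag placed immediately before the map buffer, with the move handler given the bounds check the original lacks. Field names, map dimensions and the lowercase key letters are assumptions; the point is that offsetof shows map[-4] landing exactly on the flag field, and that a range check on the destination before the write stops that aliasing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout mirroring the writeup's locals: x (local_aac), y (local_aa8)
 * and the win flag (local_aa4) sit right before the map buffer (local_aa0).
 * Dimensions are constructed for this example. */
#define MAP_W 16
#define MAP_H 8

struct game_state {
    int x;                   /* local_aac, starts at 4 */
    int y;                   /* local_aa8, starts at 4 */
    int won;                 /* local_aa4, flag printed when != 0 */
    char map[MAP_W * MAP_H]; /* local_aa0, the map buffer */
};

/* Byte offset, from the start of the struct, that map[idx] would touch.
 * Negative idx values show which neighbouring field an unchecked write hits. */
long map_index_offset(long idx) {
    return (long)offsetof(struct game_state, map) + idx;
}

void init_player(struct game_state *g) {
    g->x = 4;
    g->y = 4;
    g->won = 0;
    memset(g->map, '.', sizeof g->map);
}

/* Hardened move handler: the destination is validated before the tile is
 * written, so the pointer arithmetic can never leave the map buffer.
 * Returns 1 if the move was applied, 0 if it was rejected. */
int move_player_checked(struct game_state *g, char key) {
    int nx = g->x, ny = g->y;
    switch (key) {
        case 'w': ny--; break;
        case 's': ny++; break;
        case 'a': nx--; break;
        case 'd': nx++; break;
        default:  return 0;
    }
    if (nx < 0 || nx >= MAP_W || ny < 0 || ny >= MAP_H)
        return 0; /* this is the check the original move_player is missing */
    g->map[ny * MAP_W + nx] = 'P';
    g->x = nx;
    g->y = ny;
    return 1;
}

int main(void) {
    struct game_state g;
    init_player(&g);
    printf("map[-4] would touch offset %ld; 'won' lives at offset %ld\n",
           map_index_offset(-4), (long)offsetof(struct game_state, won));
    /* Walk 8 steps left from x=4: only the 4 steps down to x=0 are accepted. */
    int accepted = 0;
    for (int i = 0; i < 8; i++)
        accepted += move_player_checked(&g, 'a');
    printf("accepted %d of 8 left moves, x=%d, won=%d\n", accepted, g.x, g.won);
    return 0;
}
```

With the check in place the eight leftward presses that reach -4,0 in the original are cut off at x=0, and the win flag stays untouched; the offset arithmetic is what tells you, before any write happens, that index -4 and the flag share an address.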

Moving to -4, 0 results in the value being written over and us getting the flag!