Write-up – lehack 2019 – Reverse 50 – Gladiator

This challenge started with downloading an executable file named gladiator. We first ran the program: it was a simple CLI RPG game where you choose between a berserker and a guardian and fight a bot.

gladiator_bin_execution

After a few rounds, we agreed that we couldn’t defeat the bot fairly, so we decided to patch the binary to boost the attack characteristic of our character’s class. To achieve this goal, we used IDA Pro. First, we used one of its coolest features: C code generation from a binary file. We focused on searching for the default integers representing the character’s attack, life points, etc.

LH19_gladiator_c_file

In the code above, we can see that a C struct is populated with all the characteristics of the berserker class. Let’s go back to IDA at 0x0000000000008DED to patch the bytes!

LH19_gladiator_asm

In this assembly code, we changed life points and attack to 255 to beat the bot in just one attack. Let’s patch the binary and win this game!

LH19_gladiator_win_no_flag

So… we won the game but got no flag? At this point we went back to the C code and found an interesting function that seemed to generate the flag. There was an if statement that checked that, before the game ends, the player’s life is set to the integer value 42.

LH19_gladiator_c_flag_function

Let’s go back to IDA and patch the player life! After that, we launched the game, attacked and… FLAG!

LH19_gladiator_win_with_flag
The Flag : LH{lUj?]T_VAR94$+N
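
The kind of patch described above can also be scripted instead of done by hand in IDA. This is an added example, not code from the original write-up: the instruction bytes, struct offsets and starting values are constructed (the real ones at 0x8DED are only visible in the screenshots), and it assumes the stats are written with `mov dword ptr [reg+disp8], imm32`.

```python
import struct

# Constructed sample, NOT bytes from the gladiator binary: three stores of the
# form `mov dword ptr [rax+disp8], imm32` (C7 40 disp8 imm32), as a compiler
# might emit to fill a stats struct. Field offsets and values are made up.
SAMPLE = bytes.fromhex(
    "c7400464000000"   # mov dword ptr [rax+0x4], 100  ; life (assumed field)
    "c740080f000000"   # mov dword ptr [rax+0x8], 15   ; attack (assumed field)
    "c7400c05000000"   # mov dword ptr [rax+0xc], 5    ; defense (assumed field)
)
STORE_LEN = 7  # opcode + ModRM + disp8 + imm32


def decode_store(code, off):
    """Return (disp8, imm32) for the store at off, or raise ValueError."""
    if off < 0 or off + STORE_LEN > len(code):
        raise ValueError("offset out of range")
    opcode, modrm, disp = code[off], code[off + 1], code[off + 2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    # C7 /0 with mod=01 (disp8) and no SIB byte (rm != 100b).
    if opcode != 0xC7 or mod != 1 or reg != 0 or rm == 4:
        raise ValueError(f"no mov [reg+disp8], imm32 at {off:#x}")
    return disp, struct.unpack_from("<I", code, off + 3)[0]


def list_stores(code, off=0):
    """Walk consecutive stores from off; return [(offset, disp8, imm32), ...]."""
    found = []
    while True:
        try:
            disp, imm = decode_store(code, off)
        except ValueError:
            return found
        found.append((off, disp, imm))
        off += STORE_LEN


def patch_store(code, off, expected_old, new):
    """Return a copy with the imm32 at off replaced, after checking the old value."""
    _, imm = decode_store(code, off)
    if imm != expected_old:
        raise ValueError(f"expected {expected_old} at {off:#x}, found {imm}")
    out = bytearray(code)
    struct.pack_into("<I", out, off + 3, new)  # little-endian, length unchanged
    return bytes(out)


if __name__ == "__main__":
    patched = patch_store(SAMPLE, 7, 15, 255)   # attack -> 255, one-hit win
    patched = patch_store(patched, 0, 100, 42)  # life -> 42, the flag check's value
    for off, disp, imm in list_stores(patched):
        print(f"{off:#04x}: [rax+{disp:#x}] = {imm}")
```

On a real file, the offset passed to `patch_store` is the file offset of the instruction, which is not necessarily the address IDA displays.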

Thank you to Wiserix, who worked with me on this one!

3 thoughts on “Write-up – lehack 2019 – Reverse 50 – Gladiator”

  1. nlegall

    Hello,

    I tried to reproduce the path to patch the binary, but I can’t figure out how you did it. I don’t see any difference in the assembly in the file and your screenshot. Can you give me some more explanation of how you modified the code with IDA?

    Thanks in advance 🙂

  2. nlegall

    Yeah, thanks for the help. Just stupid and too old memories with IDA to remember. I did it. Thanks again and maybe see you next year 🙂
