# flagshop

{% hint style="danger" %}
My blog has migrated to <https://wintertia.pages.dev/> ! This Gitbook will no longer be maintained.
{% endhint %}

{% file src="<https://2144351424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHiJQsVkdtykBvL3Cp8aS%2Fuploads%2FBtffcoI46GWS5GksIZnP%2Fflagshop?alt=media&token=774134d8-d389-430b-b418-45ec928cd68e>" %}

The challenge provides a binary that contains a simple flag shop program:

<figure><img src="https://2144351424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHiJQsVkdtykBvL3Cp8aS%2Fuploads%2FvUAHhl2YIciGfEelb9Ba%2Fimage.png?alt=media&#x26;token=657a0861-51a0-4dc7-8ca2-8c7cddd8cfba" alt=""><figcaption></figcaption></figure>

I decided to open Ghidra to analyze it further.

<figure><img src="https://2144351424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHiJQsVkdtykBvL3Cp8aS%2Fuploads%2Fxz8A3kbBeyKnDpEvo10J%2Fimage.png?alt=media&#x26;token=4cde6553-cbb5-4759-8dd4-748f82794a67" alt=""><figcaption></figcaption></figure>

The decompiled binary shows that the vulnerability in this challenge is a simple integer overflow: making the total cost negative adds to the balance, so I could buy the flag.

<figure><img src="https://2144351424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHiJQsVkdtykBvL3Cp8aS%2Fuploads%2Fyyh5KGdFoSPKvFARaxcC%2Fimage.png?alt=media&#x26;token=cd1e21c9-fed7-4ce6-a229-672183f05e8d" alt=""><figcaption></figcaption></figure>

Using a simple calculation to divide a number above the **32-bit signed integer limit** by the cost of the discounted flag, I was able to trigger an integer overflow to buy the flag!

<figure><img src="https://2144351424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHiJQsVkdtykBvL3Cp8aS%2Fuploads%2FjFQuQDfeA7kuq3cqsfkz%2FScreenshot%202024-11-08%20211526.png?alt=media&#x26;token=25141ca3-d1ee-460b-a8ec-c12bc2bd948f" alt=""><figcaption></figcaption></figure>
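The bug class described above, shown as an added example that is not the challenge's own code: a 32-bit `price * quantity` total that wraps negative passes a balance check, next to a hardened version that rejects it. The balance, the price and all function names are assumptions made for illustration, not values from the binary.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical values, not taken from the challenge binary. */
#define START_BALANCE 1100
#define FLAG_PRICE     900

/* Model of a 32-bit multiply on two's-complement hardware: keep the low
   32 bits. (Signed overflow is undefined in C, so compute in 64 bits.) */
int32_t total_wrapped(int32_t price, int32_t qty) {
    return (int32_t)(uint32_t)((int64_t)price * qty);
}

/* Vulnerable check: only compares the (possibly wrapped) total with the
   balance. A negative total passes, and balance - total then grows. */
bool accepts_unchecked(int32_t balance, int32_t price, int32_t qty) {
    return total_wrapped(price, qty) <= balance;
}

/* Hardened: positive quantity only, and the product must fit in 32 bits.
   __builtin_mul_overflow is a GCC/Clang builtin. */
bool checked_total(int32_t price, int32_t qty, int32_t *total) {
    if (price < 0 || qty <= 0) return false;
    return !__builtin_mul_overflow(price, qty, total);
}

int main(void) {
    int32_t qty = INT32_MAX / FLAG_PRICE + 1;  /* first quantity that wraps */
    int32_t total = 0;
    printf("qty=%d wrapped total=%d\n", qty, total_wrapped(FLAG_PRICE, qty));
    printf("unchecked accepts: %d\n",
           accepts_unchecked(START_BALANCE, FLAG_PRICE, qty));
    printf("checked accepts:   %d\n",
           checked_total(FLAG_PRICE, qty, &total));
    return 0;
}
```

The same check applies to any arithmetic on user-supplied counts: validate the sign and range of the input, then detect overflow before the result is compared or subtracted.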
