picoCTF Solutions
picoCTF 2023Reverse EngineeringMedium

Ready Gladiator 0 picoCTF 2023 Solution

Published: April 26, 2023

Description

CoreWars is back, and this time you must intentionally lose every battle against the Imp. Submit a warrior that self-terminates immediately.

Setup

Download imp.red

Edit the provided Redcode warrior so it contains nothing but a header and ends immediately.

Pipe the modified warrior into nc saturn.picoctf.net 62089 to fight the Imp.

bash
printf ';redcode\nDAT 0, 1\nend\n' > imp.red
bash
nc saturn.picoctf.net 62089 < imp.red

Solution

Walk me through it
The match runs across a netcat pipe, so the basics from the netcat for CTF guide apply: redirect a file as stdin and read the response.
  1. Step 1Strip the warrior
    A warrior that only contains a DAT instruction dies the moment it executes it. DAT is the data instruction and any process that attempts to execute it is immediately terminated. One DAT line is enough to lose every round.
    Learn more

    Core War is a programming game from 1984 (A.K. Dewdney) where two programs called warriors compete inside a virtual machine called the MARS (Memory Array Redcode Simulator). Warriors are written in Redcode, an assembly-like language: a few opcodes, addressing modes, and a circular memory of typically 8000 cells. The MARS interleaves instructions from each warrior. A warrior dies when it executes a DAT instruction; the last live warrior wins.

    The Imp is the simplest possible warrior: MOV 0, 1 copies the current instruction one cell forward, and execution follows it. The result is a self-replicating wave that sweeps memory forever.

    A warrior whose source is just ;redcode plus end loads with zero executable instructions, so the very first scheduled tick lands on DAT and dies. Across all 100 rounds the result is deterministic: 0 wins, 100 losses. With a normal scoring tiebreaker (more wins beats more ties beats more losses), this hits the requirement of losing every round.

    Want to test locally first? sudo apt install pmars installs pMARS, the standard MARS simulator. Run pmars -r 100 -b imp.red imp.red and confirm the empty warrior loses 100/100 before connecting. The pMARS reference covers the CLI in detail.

  2. Step 2Run the matches over netcat
    Send the file through nc and read the summary. The flag prints once 100 rounds finish.
    bash
    timeout 30 nc saturn.picoctf.net 62089 < imp.red
    Learn more

    The challenge server runs the matches synchronously, so the response is just stdin in, summary out. Wrap nc in timeout 30 if the connection seems to hang; that catches the case where the warrior is malformed and the server waits for more bytes. If the response complains about syntax, double-check the file has Unix line endings (run file imp.red; CRLF endings break some pMARS variants).

    For deeper Core War strategy the corewar.co.uk archive has decades of documented warriors and tournament results.

Flag

picoCTF{h3r0_...6d4cf}

Any warrior that terminates immediately will forfeit every round and yield the flag.

Want more picoCTF 2023 writeups?

Browse picoCTF 2023Full library

Useful tools for Reverse Engineering

Related reading

What to try next