Ready Gladiator 0 picoCTF 2023 Solution

Published: April 26, 2023

Description

CoreWars is back, and this time you must intentionally lose every battle against the Imp. Submit a warrior that self-terminates immediately.

Edit the provided Redcode warrior so it contains nothing but a header and ends immediately.

Pipe the modified warrior into nc saturn.picoctf.net 62089 to fight the Imp.

bash
printf ';redcode\nDAT 0, 1\nend\n' > imp.red
bash
nc saturn.picoctf.net 62089 < imp.red

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
The match runs across a netcat pipe, so the basics from the netcat for CTF guide apply: redirect a file as stdin and read the response.
  1. Step 1
    Strip the warrior
    Observation
    I noticed the challenge description explicitly required losing every battle against the Imp, which suggested I needed a warrior that self-terminates immediately rather than one that competes, pointing to a DAT-only Redcode program.
    A warrior that only contains a DAT instruction dies the moment it executes it. DAT is the data instruction and any process that attempts to execute it is immediately terminated. One DAT line is enough to lose every round.
    Learn more

    Core War is a programming game from 1984 (A.K. Dewdney) where two programs called warriors compete inside a virtual machine called the MARS (Memory Array Redcode Simulator). Warriors are written in Redcode, an assembly-like language: a few opcodes, addressing modes, and a circular memory of typically 8000 cells. The MARS interleaves instructions from each warrior. A warrior dies when it executes a DAT instruction; the last live warrior wins.

    The Imp is the simplest possible warrior: MOV 0, 1 copies the current instruction one cell forward, and execution follows it. The result is a self-replicating wave that sweeps memory forever.

    A warrior whose source is just ;redcode plus end loads with zero executable instructions, so the very first scheduled tick lands on DAT and dies. Across all 100 rounds the result is deterministic: 0 wins, 100 losses. With a normal scoring tiebreaker (more wins beats more ties beats more losses), this hits the requirement of losing every round.

    Want to test locally first? sudo apt install pmars installs pMARS, the standard MARS simulator. Run pmars -r 100 -b imp.red imp.red and confirm the empty warrior loses 100/100 before connecting. The pMARS reference covers the CLI in detail.

  2. Step 2
    Run the matches over netcat
    Observation
    I noticed the setup steps referenced piping to nc saturn.picoctf.net 62089 and the solutionIntro confirmed the match runs over a netcat pipe, which suggested redirecting the modified warrior file as stdin to receive the flag after 100 rounds complete.
    Send the file through nc and read the summary. The flag prints once 100 rounds finish.
    bash
    timeout 30 nc saturn.picoctf.net 62089 < imp.red

    Expected output

    picoCTF{h3r0_...6d4cf}
    What didn't work first

    Tried: Typing the nc command interactively without redirecting imp.red as stdin

    Without the < imp.red redirect, nc sends nothing to the server and the session just hangs waiting for keyboard input. The server expects the warrior source over stdin immediately; piping or redirecting the file is what delivers it. Add < imp.red to the command to feed the file automatically.

    Tried: Sending the original downloaded imp.red (the Imp warrior) unchanged to the server

    The original imp.red contains the Imp's MOV 0, 1 instruction, which is a winning warrior, not a losing one. The server will report wins or ties rather than 100 losses, and the flag will not appear. The file must be replaced with a DAT-only warrior before being sent.

    Learn more

    The challenge server runs the matches synchronously, so the response is just stdin in, summary out. Wrap nc in timeout 30 if the connection seems to hang; that catches the case where the warrior is malformed and the server waits for more bytes. If the response complains about syntax, double-check the file has Unix line endings (run file imp.red; CRLF endings break some pMARS variants).

    For deeper Core War strategy the corewar.co.uk archive has decades of documented warriors and tournament results.

Flag

Reveal flag

picoCTF{h3r0_...6d4cf}

Any warrior that terminates immediately will forfeit every round and yield the flag.

Key takeaway

Core War is a competitive programming game where two Redcode programs fight for control of a shared circular memory by overwriting each other with DAT instructions. Understanding the virtual machine model, specifically that executing a DAT cell kills the current process, lets you construct both the simplest winning warrior and the simplest losing one. The DAT-as-trap mechanic maps directly to concepts in real exploitation: code reuse attacks and shellcode work by controlling what instruction pointer executes next, and knowing which instructions terminate a process versus advance it is the foundation of both attack and defense.

Related reading

Want more picoCTF 2023 writeups?

Useful tools for Reverse Engineering

What to try next