picoCTF Solutions
picoCTF 2023Reverse EngineeringMedium

Ready Gladiator 2

Published: April 26, 2023

Description

For the final duel you must win every single round. Only elite CoreWars strategies such as Herem/Scimitar consistently stomp the Imp.

Setup

Craft or copy a warrior with a 100% win rate versus the Imp (Herem/Scimitar is a reliable bomber).

Pipe the warrior into nc saturn.picoctf.net 54217 and ensure it records 100 wins.

cat <<'RED' > imp.red
;redcode-94
;name Herem/Scimitar
;author aCa
;strategy bomber tuned versus the Imp
bomb       dat #4, #4
start      add.ab #4, bomb
           mov.i   bomb, @bomb
           jmp     start
end start
RED
nc saturn.picoctf.net 54217 < imp.red

Solution

  1. Step 1Use a bomber strategy
    Herem/Scimitar walks memory and overwrites the Imp's process every cycle, guaranteeing victory. Any equally dominant warrior is fine.
    Learn more

    Herem/Scimitar is a tuned bomber warrior written in the ICWS-94 Redcode standard (the modern standard, superseding the original 1988 spec). It uses the .ab modifier on add to update only the B-field of the bomb pointer, and .i on mov to copy the entire instruction (both A and B fields) to the target address. These modifiers make the bombing sweep more efficient than older Imp-killers.

    The key to achieving 100% wins against the Imp is understanding the Imp's deterministic behavior: it marches through memory at a fixed pace, one cell per turn. A bomber that writes DAT instructions in a regular stride pattern will inevitably cover every address the Imp will ever visit. The stride length (here #4) and the starting bomb position are tuned so that the bomber's sweep outpaces the Imp's advance in every possible starting-position configuration.

    This kind of mathematical analysis - proving that a strategy wins in 100% of cases rather than just "usually" - is related to formal verification and game-theoretic reasoning. Elite Core War warriors on public Hills are often analyzed with MARS simulators that exhaustively test all possible starting offsets to compute exact win/loss/tie statistics.

  2. Step 2Verify 100 wins
    Wait for the scoreboard to report 100/100 wins; the service then prints the final flag.
    Learn more

    A 100/100 win requirement is the most stringent possible test - it means the warrior must win regardless of starting position. In Core War, two warriors are placed at random positions in the circular memory array, so the starting offset between them varies. A warrior that wins 99% of offsets but fails at one specific configuration would fail this test.

    Testing locally before submitting saves time. Install a MARS simulator such as pMARS (sudo apt install pmars) and run: pmars -r 100 imp.red herem.red. This simulates 100 rounds and reports the result. Confirming a 100-0 score locally means the server submission will succeed on the first try.

    The progression across the three Ready Gladiator challenges mirrors a lesson in competitive strategy: understanding the rules (challenge 0), achieving partial success (challenge 1), and achieving perfection (challenge 2) each require different levels of analysis and increasingly sophisticated tools. This pattern appears in real security work: a penetration tester who can reliably exploit a vulnerability under all conditions is more valuable than one who can only do so sometimes.

Flag

picoCTF{d3m0n_3xpu...24e}

Consistency is key-choose a warrior with deterministic wins rather than probabilistic ones.

Want more picoCTF 2023 writeups?

Browse picoCTF 2023Full library

Useful tools for Reverse Engineering

Related reading

What to try next