The Viet Cong is transmitting a secret message. They built a password checker so that only a selected few can view the secret message. We've recovered the binary, we need you to find out what they're trying to say.
This is an interpreter for Hanoifuck (which I discovered after the CTF). I zoomed in on a few operators:
,: read a character and write it at *sa
.: write *sa at *str, then increment *str
[: if *sa is zero, jump to the next ]
]: if *sa is not zero, jump to the previous [
str is at 0x404078, while STR is at 0x404ca0.
We can make use of the 4 operators discussed to write the payload ,[,.].
This reads a character into *sa, then, while *sa is not zero, keeps reading characters and writing them to str. Eventually, we can write HELLO\n at STR, then terminate the write by sending in a null byte.
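The control flow of ,[,.] can be traced with a small model of the four operators listed above. This is an added example, not code from the challenge binary or the original write-up; the function name run, the tape and output buffer layout, their sizes, and the sample input are assumptions made for illustration.

```python
# Added illustration: a model of the four operators only (, . [ ]).
# Assumptions: *sa is one cell of a byte tape, str is a cursor into an output
# buffer, and end of input reads as a null byte. Sizes are arbitrary.

def run(program: str, stdin: bytes, out_size: int = 32) -> bytes:
    tape = bytearray(16)          # the cell *sa refers to lives here
    out = bytearray(out_size)     # stands in for the buffer that str walks
    sa = 0                        # these four operators never move sa
    str_pos = 0
    inp = iter(stdin)

    # Pre-compute matching bracket positions so jumps are O(1).
    stack, match = [], {}
    for i, op in enumerate(program):
        if op == "[":
            stack.append(i)
        elif op == "]":
            if not stack:
                raise ValueError("unbalanced ]")
            j = stack.pop()
            match[i], match[j] = j, i
    if stack:
        raise ValueError("unbalanced [")

    pc = 0
    while pc < len(program):
        op = program[pc]
        if op == ",":
            tape[sa] = next(inp, 0)           # read one byte into *sa
        elif op == ".":
            if str_pos >= len(out):           # bound check of this model only
                raise IndexError("write past end of output buffer")
            out[str_pos] = tape[sa]           # write *sa, then advance
            str_pos += 1
        elif op == "[" and tape[sa] == 0:
            pc = match[pc]                    # skip the loop body
        elif op == "]" and tape[sa] != 0:
            pc = match[pc]                    # go round the loop again
        pc += 1
    return bytes(out[:str_pos])


# Constructed input: one non-zero byte for the first ',', the text, then a null.
SAMPLE_INPUT = b"A" + b"HELLO\n" + b"\x00"
```

The first byte only has to be non-zero so that the loop is entered; it is never written. The number of bytes copied is decided entirely by where the input places its null byte, which is why the model carries its own bound check.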
from pwn import *
# r = process("./vietnam")
r = remote("chall.csivit.com", 30814)
# gdb.attach(r, """
# b *main+612
# """)
payload = ",[,.]" # loop, incrementing str until we send null