# I like to buy or smth

## Interacting with the program

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-Mgbkpggp3dcM-aJtj-u%2F-MgblDxGNuqvwFqGv4zE%2Fimage.png?alt=media\&token=a39cd7e0-3fd4-4689-977b-ed5aec02958c)

The remote program gives us a wallet, and the value changes if we sell something or when we buy something.

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-Mgbkpggp3dcM-aJtj-u%2F-MgblTJPxR3BVglSfzHE%2Fimage.png?alt=media\&token=27dc3462-1772-4f36-be4f-5b4076ea26a6)

We can buy the flag but we don't have that much money :/

The only thing it allows us to to sell is nullbytes, but it won't buy it for mor than $0.

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-Mgbkpggp3dcM-aJtj-u%2F-MgbltVjo-ddmThLyv-E%2Fimage.png?alt=media\&token=6fe8a6cf-d3a0-4dd7-930d-f94db35592a0)

## Int Underflow

What we could do where is appeal to a technique called integer Underflow. But first, let's understand what a int overflow is.

{% embed url="<https://en.wikipedia.org/wiki/Integer_overflow>" %}

The maxium number that can be represented in a int is 2147483647 and if we add 1 to it, this will cause the signal to invert and we would get -2147483648 as the result.

The opposite thing happens when we subtract 1 from -2147483647, which results in 2147483648, that's an int underflow.

If we sell a nullbyte for -2147483647, when the program tries to subtract the value of the flag the integer would underflow and our wallet's new amount would be over 2 billion dollars, which is way more than enough to buy the flag.

## Exploit

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-Mgbkpggp3dcM-aJtj-u%2F-Mgbp3f4AXOLZ1P5hocd%2Fimage.png?alt=media\&token=c39896f7-97ba-44bf-ae9a-ef2ceadb86db)