diff options
| author | Malfurious <m@lfurio.us> | 2022-03-23 07:30:39 -0400 |
|---|---|---|
| committer | Malfurious <m@lfurio.us> | 2022-03-23 07:30:39 -0400 |
| commit | ca5d9625ae9b1830153fa28d841d1cfd6d334846 (patch) | |
| tree | 9a518ce252ff58233a2b4f421a219ed1817b1700 | |
| parent | 6a617f6dea973862fc88fdbdbbf9c7afed44de62 (diff) | |
| download | lib-des-gnux-ca5d9625ae9b1830153fa28d841d1cfd6d334846.tar.gz lib-des-gnux-ca5d9625ae9b1830153fa28d841d1cfd6d334846.zip | |
Add writeup for picoCTF 2022 / Wizardlike
Signed-off-by: Malfurious <m@lfurio.us>
| -rw-r--r-- | docs/writeups/picoCTF_2022/Wizardlike.txt | 266 |
1 files changed, 266 insertions, 0 deletions
diff --git a/docs/writeups/picoCTF_2022/Wizardlike.txt b/docs/writeups/picoCTF_2022/Wizardlike.txt new file mode 100644 index 0000000..c69ea38 --- /dev/null +++ b/docs/writeups/picoCTF_2022/Wizardlike.txt @@ -0,0 +1,266 @@ +Do you seek your destiny in these deplorable dungeons? If so, you may want to +look elsewhere. Many have gone before you and honestly, they've cleared out the +place of all monsters, ne'erdowells, bandits and every other sort of evil foe. +The dungeons themselves have seen better days too. There's a lot of missing +floors and key passages blocked off. You'd have to be a real wizard to make any +progress in this sorry excuse for a dungeon! + +'w', 'a', 's', 'd' moves your character and 'Q' quits. You'll need to improvise +some wizardly abilities to find the flag in this dungeon crawl. '.' is floor, +'#' are walls, '<' are stairs up to previous level, and '>' are stairs down to +next level. + +Category: re (500 points) +Chall author: LT 'syreal' Jones +Writeup author: malfurious + + + +Setup +----- +A single 64-bit ELF is provided. As advertised, it plays a simple text-based +dungeon game. The user can move around, and travel between levels when touching +stairs. However, not all of the level is initially visible to the player. The +player must move around to reveal additional portions of the level, but is +blocked by walls ('#') and gaps (' '). + + + +RE +-- +RE of the binary reveals that the intended map dimensions are 100x100 chars. +See these relevant portions of reversed code: + + bool can_move(int x,int y) + { + bool _ret; + + /* Assert parameters are in [0, 100) */ + if ((((x < 100) && (y < 100)) && (-1 < x)) && (-1 < y)) { + /* If location is a wall ('#') or empty, block */ + if (((&_level_data)[(long)y * 100 + (long)x] == '#') || + ((&_level_data)[(long)y * 100 + (long)x] == ' ')) { + _ret = false; + } + else { + /* In-bounds floor, succeed */ + _ret = true; + } + } + else { + _ret = false; + } + return _ret; + } + + void set_level_data(char *data) + { + int y; + int x; + + for (y = 0; y < 100; y = y + 1) { + for (x = 0; x < 100; x = x + 1) { + (&_level_data)[(long)y * 100 + (long)x] = data[(long)x + (long)y * 100]; + } + } + return; + } + + [ and others ... ] + +This allows us to better inspect the level data stored in the binary. By +simply printing the data as-is, line-wrapping at 100 chars, we can see the +hidden portions of the levels, with the geometry preserved as intended. + +After doing this, the flag characters become visible as structures within the +game levels. Start with level 1, and proceed in order. + + + +Solution / Level data +--------------------- +Some extra level areas are omitted. Besides the first two, the reaining levels +contain only a single flag character each. + + picoCTF{ur_4_w1z4rd_2A05D7A8} + + +######### +#.......# ......#................................... +#.......# ....................####.#####.#####..###. +#........ .####.#..###..###..#.......#...#......#... +#.......# .# #.#.#....# #.#.......#...###...#.... +#.......# .####.#.#....# #.#.......#...#......#... +#.......# .#....#..###..###...####...#...#......###. +#.......# .#........................................ +#.......# .......................................... +#.......# +#.......# +#.......# +#.......# +#.......# +#......># +######### + + +#####. ............................................................. +#.<.#. ...............#..#.............##.......#..#........#....... +#...#. .#..#.###......#..#.......#...#..#.####..#..#.###....#....... +#...#. .#..#.#........####.......#.#.#..#...#...####.#...####....... +#...#. .####.#...####....#.#####..#.#..###.####....#.#...####.#####. + . ............................................................. + . ............................................................. + . ............................................................. +#.... +#...# +#...# +#...# +#...# +#...# +#.>.# +##### + + +################# ....... +#<..............#. ..###.. +#...............#.. .#...#. +#..............#........#.. +#...#.......#...#.. ...#... +#..###.....###..#. .#####. +#...#...#...#...# ....... +#......#>#......# ....... +#...............# +#...#.......#...# +#..###.....###..# +#...#.......#...# +#...............# +#...............# +#...............# +################# + + +... .. ....... +.<. ####. ..###.. +... ...#.. .#...#. +... ...#....#####. + ..>#.. .#...#. + ####. .#...#. + .. ....... + ....... + + +######################## +#<.............#.......# +#..............#..###..# +#..............#.#...#.# +#..............#.#...#.# +#..............#.#...#.# +#..............#..###..# +#..............#.......# +#..............#.......# +######################## + + +....... +.<..... +....... +....... +....... +....... +....... +....... +....... +....... +....... +.....>. +....... +####### +....... +.#####. +.#..... +.####.. +.....#. +.####.. +....... +....... + + +... +.<......... +........... +... .. + .. + .. + .. + .. + .. + .. + .............. + ..##########.. + .# #. + .# ....... #. + .# .####.. #. + .# .#...#. #. + .# .#...#. #. + .# .#...#. #. + .# .####.. #. + .# ....... #. + .# ....... #. + .# #. + ..##########.. + .............> + + +######################### +#<#......#.#.......###..# +#.#.###..#.#.......##..## +#.#.#.#..#.#.......#..### +#.#.#.#..#.#.......#...## +#...#....#..#......#....# +#.######.##..###.###....# +#.#.....................# +#.###.#################.# +#.......................# +#########.###.#########.# +#.......#.#.#.#.........# +#.#####.#.#...#.######### +#....#..#.#.#.#.........# +#...#...#.#.#.#########.# +#..#....#.#.#.#.........# +#..#....#.#.#.#.######### +#.......#.#.#.#.........# +#.......#.#.#.#########.# +#########.#.#.#...#...#.# +#...........#.#.#.#.#.#.# +#########...#.#.#.#.#.#.# +#.......#...#.#.#.#.#.#.# +####.####...#.#.#.#.#.#.# +##..........#.#.#.#.#.#.# +#.#..####...#.#.#.#.#.#.# +#..#....#####.#.#.#.#.#.# +#...#...#...#.#.#...#...# +#....#........#.######### +#...........#.#........># +########################. + + +... ....... +.<. ..###.. +... .#...#. +... .#####. + .#...#. + .#...#. + ....... + ....... + + +#################################################################################################### +#####################################################################################..............# +#####################################################################################..###..###....# +#####################################################################################.#...#...#....# +#####################################################################################..###.....#...# +#####################################################################################.#...#...#....# +#####################################################################################..###..###....# +#####################################################################################..............# +#####################################################################################..............# +#################################################################################################### |