Do you seek your destiny in these deplorable dungeons? If so, you may want to look elsewhere. Many have gone before you and honestly, they've cleared out the place of all monsters, ne'erdowells, bandits and every other sort of evil foe. The dungeons themselves have seen better days too. There's a lot of missing floors and key passages blocked off. You'd have to be a real wizard to make any progress in this sorry excuse for a dungeon! 'w', 'a', 's', 'd' moves your character and 'Q' quits. You'll need to improvise some wizardly abilities to find the flag in this dungeon crawl. '.' is floor, '#' are walls, '<' are stairs up to previous level, and '>' are stairs down to next level. Category: re (500 points) Chall author: LT 'syreal' Jones Writeup author: malfurious Setup ----- A single 64-bit ELF is provided. As advertised, it plays a simple text-based dungeon game. The user can move around, and travel between levels when touching stairs. However, not all of the level is initially visible to the player. The player must move around to reveal additional portions of the level, but is blocked by walls ('#') and gaps (' '). RE -- RE of the binary reveals that the intended map dimensions are 100x100 chars. See these relevant portions of reversed code: bool can_move(int x,int y) { bool _ret; /* Assert parameters are in [0, 100) */ if ((((x < 100) && (y < 100)) && (-1 < x)) && (-1 < y)) { /* If location is a wall ('#') or empty, block */ if (((&_level_data)[(long)y * 100 + (long)x] == '#') || ((&_level_data)[(long)y * 100 + (long)x] == ' ')) { _ret = false; } else { /* In-bounds floor, succeed */ _ret = true; } } else { _ret = false; } return _ret; } void set_level_data(char *data) { int y; int x; for (y = 0; y < 100; y = y + 1) { for (x = 0; x < 100; x = x + 1) { (&_level_data)[(long)y * 100 + (long)x] = data[(long)x + (long)y * 100]; } } return; } [ and others ... ] This allows us to better inspect the level data stored in the binary. By simply printing the data as-is, line-wrapping at 100 chars, we can see the hidden portions of the levels, with the geometry preserved as intended. After doing this, the flag characters become visible as structures within the game levels. Start with level 1, and proceed in order. Solution / Level data --------------------- Some extra level areas are omitted. Besides the first two, the reaining levels contain only a single flag character each. picoCTF{ur_4_w1z4rd_2A05D7A8} ######### #.......# ......#................................... #.......# ....................####.#####.#####..###. #........ .####.#..###..###..#.......#...#......#... #.......# .# #.#.#....# #.#.......#...###...#.... #.......# .####.#.#....# #.#.......#...#......#... #.......# .#....#..###..###...####...#...#......###. #.......# .#........................................ #.......# .......................................... #.......# #.......# #.......# #.......# #.......# #......># ######### #####. ............................................................. #.<.#. ...............#..#.............##.......#..#........#....... #...#. .#..#.###......#..#.......#...#..#.####..#..#.###....#....... #...#. .#..#.#........####.......#.#.#..#...#...####.#...####....... #...#. .####.#...####....#.#####..#.#..###.####....#.#...####.#####. . ............................................................. . ............................................................. . ............................................................. #.... #...# #...# #...# #...# #...# #.>.# ##### ################# ....... #<..............#. ..###.. #...............#.. .#...#. #..............#........#.. #...#.......#...#.. ...#... #..###.....###..#. .#####. #...#...#...#...# ....... #......#>#......# ....... #...............# #...#.......#...# #..###.....###..# #...#.......#...# #...............# #...............# #...............# ################# ... .. ....... .<. ####. ..###.. ... ...#.. .#...#. ... ...#....#####. ..>#.. .#...#. ####. .#...#. .. ....... ....... ######################## #<.............#.......# #..............#..###..# #..............#.#...#.# #..............#.#...#.# #..............#.#...#.# #..............#..###..# #..............#.......# #..............#.......# ######################## ....... .<..... ....... ....... ....... ....... ....... ....... ....... ....... ....... .....>. ....... ####### ....... .#####. .#..... .####.. .....#. .####.. ....... ....... ... .<......... ........... ... .. .. .. .. .. .. .. .............. ..##########.. .# #. .# ....... #. .# .####.. #. .# .#...#. #. .# .#...#. #. .# .#...#. #. .# .####.. #. .# ....... #. .# ....... #. .# #. ..##########.. .............> ######################### #<#......#.#.......###..# #.#.###..#.#.......##..## #.#.#.#..#.#.......#..### #.#.#.#..#.#.......#...## #...#....#..#......#....# #.######.##..###.###....# #.#.....................# #.###.#################.# #.......................# #########.###.#########.# #.......#.#.#.#.........# #.#####.#.#...#.######### #....#..#.#.#.#.........# #...#...#.#.#.#########.# #..#....#.#.#.#.........# #..#....#.#.#.#.######### #.......#.#.#.#.........# #.......#.#.#.#########.# #########.#.#.#...#...#.# #...........#.#.#.#.#.#.# #########...#.#.#.#.#.#.# #.......#...#.#.#.#.#.#.# ####.####...#.#.#.#.#.#.# ##..........#.#.#.#.#.#.# #.#..####...#.#.#.#.#.#.# #..#....#####.#.#.#.#.#.# #...#...#...#.#.#...#...# #....#........#.######### #...........#.#........># ########################. ... ....... .<. ..###.. ... .#...#. ... .#####. .#...#. .#...#. ....... ....... #################################################################################################### #####################################################################################..............# #####################################################################################..###..###....# #####################################################################################.#...#...#....# #####################################################################################..###.....#...# #####################################################################################.#...#...#....# #####################################################################################..###..###....# #####################################################################################..............# #####################################################################################..............# ####################################################################################################