path: root/docs/writeups/picoCTF_2022/Wizardlike.txt
Do you seek your destiny in these deplorable dungeons? If so, you may want to
look elsewhere. Many have gone before you and honestly, they've cleared out the
place of all monsters, ne'erdowells, bandits and every other sort of evil foe.
The dungeons themselves have seen better days too. There's a lot of missing
floors and key passages blocked off. You'd have to be a real wizard to make any
progress in this sorry excuse for a dungeon!

'w', 'a', 's', 'd' moves your character and 'Q' quits. You'll need to improvise
some wizardly abilities to find the flag in this dungeon crawl. '.' is floor,
'#' are walls, '<' are stairs up to previous level, and '>' are stairs down to
next level.

Category:       re (500 points)
Chall author:   LT 'syreal' Jones
Writeup author: malfurious



Setup
-----
A single 64-bit ELF is provided.  As advertised, it plays a simple text-based
dungeon game.  The user can move around, and travel between levels when touching
stairs.  However, not all of the level is initially visible to the player.  The
player must move around to reveal additional portions of the level, but is
blocked by walls ('#') and gaps (' ').



RE
--
RE of the binary reveals that the intended map dimensions are 100x100 chars.
See these relevant portions of reversed code:

    bool can_move(int x,int y)
    {
      bool _ret;
      
                        /* Assert parameters are in [0, 100) */
      if ((((x < 100) && (y < 100)) && (-1 < x)) && (-1 < y)) {
                        /* If location is a wall ('#') or empty, block */
        if (((&_level_data)[(long)y * 100 + (long)x] == '#') ||
           ((&_level_data)[(long)y * 100 + (long)x] == ' ')) {
          _ret = false;
        }
        else {
                        /* In-bounds floor, succeed */
          _ret = true;
        }
      }
      else {
        _ret = false;
      }
      return _ret;
    }

    void set_level_data(char *data)
    {
      int y;
      int x;
      
      for (y = 0; y < 100; y = y + 1) {
        for (x = 0; x < 100; x = x + 1) {
          (&_level_data)[(long)y * 100 + (long)x] = data[(long)x + (long)y * 100];
        }
      }
      return;
    }

    [ and others ... ]

This allows us to better inspect the level data stored in the binary.  By
simply printing the data as-is, line-wrapping at 100 chars, we can see the
hidden portions of the levels, with the geometry preserved as intended.

After doing this, the flag characters become visible as structures within the
game levels.  Start with level 1, and proceed in order.
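
The dump described above, as an added example (not the writeup author's script). It wraps a flat level buffer at 100 chars and, going one step further, flood-fills with the can_move() rule to list floor cells that are present in the data but cannot be walked to. The location of the level data in the ELF is not given here, so the input is a constructed sample; the function names and the start position are assumptions.

```python
from collections import deque

W = H = 100  # map dimensions recovered from can_move() / set_level_data()

def split_levels(blob):
    """Cut a flat dump into consecutive 100x100 level buffers."""
    size = W * H
    if len(blob) % size:
        raise ValueError("dump length is not a multiple of 100*100")
    return [blob[i:i + size] for i in range(0, len(blob), size)]

def render(level):
    """Line-wrap one level at 100 chars; trailing blanks are trimmed."""
    rows = [level[y * W:(y + 1) * W].decode("ascii", "replace").rstrip()
            for y in range(H)]
    while rows and not rows[-1]:
        rows.pop()
    return "\n".join(rows)

def can_move(level, x, y):
    """Same rule as the decompiled can_move(): in bounds, not '#' or ' '."""
    return 0 <= x < W and 0 <= y < H and level[y * W + x] not in b"# "

def reachable(level, start):
    """Cells the player can walk to from start with w/a/s/d moves."""
    seen, queue = set(), deque([start])
    while queue:
        x, y = queue.popleft()
        if (x, y) in seen or not can_move(level, x, y):
            continue
        seen.add((x, y))
        queue.extend([(x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1)])
    return seen

def hidden_cells(level, start):
    """Walkable cells that exist in the data but cannot be reached in-game."""
    walkable = {(x, y) for y in range(H) for x in range(W)
                if can_move(level, x, y)}
    return walkable - reachable(level, start)

def make_level(rows):
    """Pad a small drawing out to a full 100x100 buffer (constructed input)."""
    rows = list(rows) + [""] * (H - len(rows))
    return "".join(r.ljust(W) for r in rows).encode("ascii")

# Constructed sample, not data from the challenge binary: a room whose side
# exit faces a two-column gap, with more floor beyond it.
SAMPLE_ROWS = [
    "#####",
    "#...#  ....",
    "#....  .##.",
    "#...#  ....",
    "#####",
]

if __name__ == "__main__":
    level = make_level(SAMPLE_ROWS)
    print(render(level))
    cut_off = hidden_cells(level, start=(1, 1))  # start position is assumed
    print(f"{len(cut_off)} floor cells are present in the data but unreachable")
```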



Solution / Level data
---------------------
Some extra level areas are omitted.  Besides the first two, the remaining levels
contain only a single flag character each.

                      picoCTF{ur_4_w1z4rd_2A05D7A8}


#########                                                                                           
#.......#  ......#...................................                                               
#.......#  ....................####.#####.#####..###.                                               
#........  .####.#..###..###..#.......#...#......#...                                               
#.......#  .#  #.#.#....#   #.#.......#...###...#....                                               
#.......#  .####.#.#....#   #.#.......#...#......#...                                               
#.......#  .#....#..###..###...####...#...#......###.                                               
#.......#  .#........................................                                               
#.......#  ..........................................                                               
#.......#                                                                                           
#.......#                                                                                           
#.......#                                                                                           
#.......#                                                                                           
#.......#                                                                                           
#......>#                                                                                           
#########                                                                                           


#####. .............................................................                                
#.<.#. ...............#..#.............##.......#..#........#.......                                
#...#. .#..#.###......#..#.......#...#..#.####..#..#.###....#.......                                
#...#. .#..#.#........####.......#.#.#..#...#...####.#...####.......                                
#...#. .####.#...####....#.#####..#.#..###.####....#.#...####.#####.                                
  .    .............................................................                                
  .    .............................................................                                
  .    .............................................................                                
#....                                                                                               
#...#                                                                                               
#...#                                                                                               
#...#                                                                                               
#...#                                                                                               
#...#                                                                                               
#.>.#                                                                                               
#####                                                                                               


#################   .......                                                                         
#<..............#.  ..###..                                                                         
#...............#.. .#...#.                                                                         
#..............#........#..                                                                         
#...#.......#...#.. ...#...                                                                         
#..###.....###..#.  .#####.                                                                         
#...#...#...#...#   .......                                                                         
#......#>#......#   .......                                                                         
#...............#                                                                                   
#...#.......#...#                                                                                   
#..###.....###..#                                                                                   
#...#.......#...#                                                                                   
#...............#                                                                                   
#...............#                                                                                   
#...............#                                                                                   
#################                                                                                   


...             ..  .......                                                                         
.<.          ####.  ..###..                                                                         
...          ...#.. .#...#.                                                                         
...          ...#....#####.                                                                         
             ..>#.. .#...#.                                                                         
             ####.  .#...#.                                                                         
                ..  .......                                                                         
                    .......                                                                         


########################                                                                            
#<.............#.......#                                                                            
#..............#..###..#                                                                            
#..............#.#...#.#                                                                            
#..............#.#...#.#                                                                            
#..............#.#...#.#                                                                            
#..............#..###..#                                                                            
#..............#.......#                                                                            
#..............#.......#                                                                            
########################                                                                            


.......                                                                                             
.<.....                                                                                             
.......                                                                                             
.......                                                                                             
.......                                                                                             
.......                                                                                             
.......                                                                                             
.......                                                                                             
.......                                                                                             
.......                                                                                             
.......                                                                                             
.....>.                                                                                             
.......                                                                                             
#######                                                                                             
.......                                                                                             
.#####.                                                                                             
.#.....                                                                                             
.####..                                                                                             
.....#.                                                                                             
.####..                                                                                             
.......                                                                                             
.......                                                                                             


...                                                                                                 
.<.........                                                                                         
...........                                                                                         
...      ..                                                                                         
         ..                                                                                         
         ..                                                                                         
         ..                                                                                         
         ..                                                                                         
         ..                                                                                         
         ..                                                                                         
   ..............                                                                                   
   ..##########..                                                                                   
   .#          #.                                                                                   
   .#  ....... #.                                                                                   
   .#  .####.. #.                                                                                   
   .#  .#...#. #.                                                                                   
   .#  .#...#. #.                                                                                   
   .#  .#...#. #.                                                                                   
   .#  .####.. #.                                                                                   
   .#  ....... #.                                                                                   
   .#  ....... #.                                                                                   
   .#          #.                                                                                   
   ..##########..                                                                                   
   .............>                                                                                   


#########################                                                                           
#<#......#.#.......###..#                                                                           
#.#.###..#.#.......##..##                                                                           
#.#.#.#..#.#.......#..###                                                                           
#.#.#.#..#.#.......#...##                                                                           
#...#....#..#......#....#                                                                           
#.######.##..###.###....#                                                                           
#.#.....................#                                                                           
#.###.#################.#                                                                           
#.......................#                                                                           
#########.###.#########.#                                                                           
#.......#.#.#.#.........#                                                                           
#.#####.#.#...#.#########                                                                           
#....#..#.#.#.#.........#                                                                           
#...#...#.#.#.#########.#                                                                           
#..#....#.#.#.#.........#                                                                           
#..#....#.#.#.#.#########                                                                           
#.......#.#.#.#.........#                                                                           
#.......#.#.#.#########.#                                                                           
#########.#.#.#...#...#.#                                                                           
#...........#.#.#.#.#.#.#                                                                           
#########...#.#.#.#.#.#.#                                                                           
#.......#...#.#.#.#.#.#.#                                                                           
####.####...#.#.#.#.#.#.#                                                                           
##..........#.#.#.#.#.#.#                                                                           
#.#..####...#.#.#.#.#.#.#                                                                           
#..#....#####.#.#.#.#.#.#                                                                           
#...#...#...#.#.#...#...#                                                                           
#....#........#.#########                                                                           
#...........#.#........>#                                                                           
########################.                                                                           


...                                                                                          .......
.<.                                                                                          ..###..
...                                                                                          .#...#.
...                                                                                          .#####.
                                                                                             .#...#.
                                                                                             .#...#.
                                                                                             .......
                                                                                             .......


####################################################################################################
#####################################################################################..............#
#####################################################################################..###..###....#
#####################################################################################.#...#...#....#
#####################################################################################..###.....#...#
#####################################################################################.#...#...#....#
#####################################################################################..###..###....#
#####################################################################################..............#
#####################################################################################..............#
####################################################################################################