PicoCTF 2022: Wizardlike
TL;DR
- The challenge is a terminal-based dungeon game with artificial restrictions.
- Progress is blocked by hidden map data, collision checks, and UI annoyances.
- Static analysis reveals simple boolean checks controlling visibility and movement.
- Patch the binary to disable these checks and freely traverse the dungeon.
- Once restrictions are removed, the path to the flag is trivial.
Video Walkthrough
Description
Do you seek your destiny in these deplorable dungeons? If so, you may want to look elsewhere. Many have gone before you and honestly, they've cleared out the place of all monsters, ne'erdowells, bandits and every other sort of evil foe. The dungeons themselves have seen better days too. There's a lot of missing floors and key passages blocked off. You'd have to be a real wizard to make any progress in this sorry excuse for a dungeon!
Solution
from pwn import *

# Load our binary
exe = 'game'
elf = context.binary = ELF(exe, checksec=False)

# Make curs_set() return immediately: its cursor toggling is annoying.
# 'ret' is assembled over the first byte(s) of the function.
elf.asm(elf.symbols.curs_set, 'ret')

# Save the patched binary
elf.save('patched')

'''
Use these commands in the terminal to patch the other two bytes
(I'm not sure how to do this within pwntools; if you know, please tell me xD)

# Make map visible (start from the file the script just saved, so the curs_set patch is kept)
pwn elfpatch patched 1dba 00 > temp

# Walk through walls
pwn elfpatch temp 1657 01 > patched
'''
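The following is an added example, not code from the write-up or from the challenge itself. It does the whole job in one pass without pwntools: it checks that every byte it is about to overwrite has the value you expect (a wrong offset or a different build of the binary is then rejected instead of silently corrupting the file), applies all patches to a single buffer so no earlier patch is overwritten, and shows how a file offset (what `pwn elfpatch` takes) maps to a virtual address (what pwntools' `ELF.asm`/`ELF.write` take) by walking the ELF64 program headers. The offsets 0x1dba and 0x1657 are the write-up's; the expected original bytes, the `CURS_SET_OFFSET` placeholder and the in-memory ELF image are constructed for the example and would be replaced with values read from the real `game` binary.

```python
"""Added example (not the write-up's code): verified byte patching of an ELF64
image plus file-offset -> virtual-address mapping from the program headers.
Runs stand-alone on a constructed image instead of the real `game` binary."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1

# Placeholder for curs_set's file offset (constructed; the write-up patches it
# through the symbol address in pwntools instead).
CURS_SET_OFFSET = 0x1700

# (file offset, expected original bytes, replacement bytes)
# The two offsets are the write-up's; the "expected" bytes match the constructed
# sample image below and are NOT read from the real game binary.
PATCHES = [
    (0x1dba, b"\x01", b"\x00"),            # make map visible
    (0x1657, b"\x00", b"\x01"),            # walk through walls
    (CURS_SET_OFFSET, b"\xf3", b"\xc3"),   # first byte of curs_set -> x86 'ret'
]


def load_segments(image: bytes):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD in an ELF64 image."""
    if image[:4] != ELF_MAGIC or image[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    segs = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", image, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = fields
        if p_type == PT_LOAD:
            segs.append((p_offset, p_vaddr, p_filesz))
    return segs


def offset_to_vaddr(image: bytes, offset: int) -> int:
    """Map a file offset (pwn elfpatch) to the virtual address pwntools would use."""
    for p_offset, p_vaddr, p_filesz in load_segments(image):
        if p_offset <= offset < p_offset + p_filesz:
            return p_vaddr + (offset - p_offset)
    raise ValueError(f"offset {offset:#x} is not backed by any PT_LOAD segment")


def apply_patches(image: bytes, patches) -> bytes:
    """Apply all patches to one buffer, so none of them overwrites an earlier one.
    Nothing is modified unless every expected original byte matches."""
    buf = bytearray(image)
    for offset, expected, replacement in patches:
        if len(expected) != len(replacement):
            raise ValueError("a patch must not change length (it would shift later offsets)")
        actual = bytes(buf[offset:offset + len(expected)])
        if actual != expected:
            raise ValueError(f"offset {offset:#x}: found {actual.hex()}, expected {expected.hex()}")
    for offset, _expected, replacement in patches:
        buf[offset:offset + len(replacement)] = replacement
    return bytes(buf)


def build_sample_elf() -> bytes:
    """Constructed ELF64 image (not the real game): two PT_LOAD segments, the
    second mapped 0x1000 above its file offset like a typical PIE data segment."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9   # 64-bit, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 0x3e, 1,            # ET_DYN, EM_X86_64, EV_CURRENT
                               0x1000, 64, 0, 0,      # e_entry, e_phoff, e_shoff, e_flags
                               64, 56, 2, 0, 0, 0)    # ehsize, phentsize, phnum, sh*
    phdrs = (struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0x0000, 0x0000, 0x0000, 0x2000, 0x2000, 0x1000)
             + struct.pack("<IIQQQQQQ", PT_LOAD, 6, 0x2000, 0x3000, 0x3000, 0x100, 0x100, 0x1000))
    img = bytearray(0x2100)
    img[:len(ehdr) + len(phdrs)] = ehdr + phdrs
    img[0x1dba] = 0x01                                   # constructed "map hidden" flag
    img[0x1657] = 0x00                                   # constructed "collision on" flag
    img[CURS_SET_OFFSET:CURS_SET_OFFSET + 4] = b"\xf3\x0f\x1e\xfa"  # constructed endbr64 prologue
    return bytes(img)


if __name__ == "__main__":
    original = build_sample_elf()
    patched = apply_patches(original, PATCHES)
    for offset, _, new in PATCHES:
        print(f"file {offset:#06x} -> vaddr {offset_to_vaddr(patched, offset):#06x}: now {new.hex()}")
    # On a real target this would be: open("patched", "wb").write(patched)
```

Against the real binary you would replace `build_sample_elf()` with `open("game", "rb").read()` and fill the expected bytes in `PATCHES` from your disassembler, which turns the patch list into a record of exactly what was changed and from what.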
