PwnCollege - RE - Patching Data

Interoperability: Patching Data

Another goal of reverse engineering is for interoperability. Time is a harsh mistress, and many things can happen to or around software as time goes on. For example, source code can get lost, as it is typically secretive and internal to a company in question, but binary files tend to persist, as they are widely (e.g., commercially) distributed. When source code is lost, interoperability must be achieved by reverse engineering the binary file to either reconstruct or adapt them.

In this challenge, we’ve recovered the source code of the game The Epic Quest for the Flag (/challenge/quest.py), but its customized cIMG-based graphics engine is missing! We’ve provided you a close approximation (a normal cIMG parser in /challenge/cimg), but it does not work out of the box. You’ll need to binary-patch it for compatibility! Can you uncover the flag?

NOTE: Note, /challenge/quest.py uses cimg as a graphics engine, but it’s built for a custom version of cimg that you do not have. You run it with /challenge/quest.py NOFLAG | /challenge/cimg to run it in “compatibility mode”: no flag, but compatible with the standard cimg. If you want the flag, you’ll need to modify the cimg to work with the quest, and run it via /challenge/quest.py | /home/hacker/your-patched-cimg.

HINT: You can either patch using your reverse engineering tool of choice or figure out the file address of the bytes you want to patch and use hexedit.

int main(int argc, char **argv, char **envp)
{

    struct cimg cimg = { 0 };
    cimg.framebuffer = NULL;
    int won = 1;

    if (argc > 1)
    {
        if (strcmp(argv[1]+strlen(argv[1])-5, ".cimg"))
        {
            printf("ERROR: Invalid file extension!");
            exit(-1);
        }
        dup2(open(argv[1], O_RDONLY), 0);
    }

    read_exact(0, &cimg.header, sizeof(cimg.header), "ERROR: Failed to read header!", -1);

    if (strncmp(cimg.header.magic_number, "cIMG", sizeof(cimg.header.magic_number)))
    {
        puts("ERROR: Invalid magic number!");
        exit(-1);
    }

    if (cimg.header.version != 4)
    {
        puts("ERROR: Unsupported version!");
        exit(-1);
    }

    initialize_framebuffer(&cimg);

    while (cimg.header.remaining_directives--)
    {
        uint16_t directive_code;
        read_exact(0, &directive_code, sizeof(directive_code), "ERROR: Failed to read &directive_code!", -1);

        switch (directive_code)
        {
        case 1:
            handle_1(&cimg);
            break;
        case 2:
            handle_2(&cimg);
            break;
        case 3:
            handle_3(&cimg);
            break;
        case 4:
            handle_4(&cimg);
            break;
        case 5:
            handle_5(&cimg);
            break;
        case 6:
            handle_6(&cimg);
            break;
        case 7:
            handle_7(&cimg);
            break;
        default:
            fprintf(stderr, "ERROR: invalid directive_code %ux\n", directive_code);
            exit(-1);
        }
    }
    display(&cimg, NULL);
}

r2 -A -q -c “pdf @ sym.handle_1; pdf @ sym.handle_2; pdf @ sym.handle_3; pdf @ sym.handle_4; pdf @ sym.handle_5; pdf @ sym.handle_6; pdf @ sym.handle_7” /challenge/cimg

            ; CALL XREF from main @ 0x401408(x)
┌ 386: sym.handle_1 (int64_t arg1);
│ `- args(rdi) vars(3:sp[0x40..0x6c])
│           0x004015c6      f30f1efa       endbr64
│           0x004015ca      4157           push r15
│           0x004015cc      4156           push r14
│           0x004015ce      4155           push r13
│           0x004015d0      4154           push r12
│           0x004015d2      55             push rbp
│           0x004015d3      53             push rbx
│           0x004015d4      4889fb         mov rbx, rdi                ; arg1
│           0x004015d7      4883ec48       sub rsp, 0x48
│           0x004015db      0fb66f06       movzx ebp, byte [rdi + 6]   ; arg1
│           0x004015df      0fb65707       movzx edx, byte [rdi + 7]   ; arg1
│           0x004015e3      64488b0425..   mov rax, qword fs:[0x28]
│           0x004015ec      4889442438     mov qword [canary], rax
│           0x004015f1      31c0           xor eax, eax
│           0x004015f3      0fafea         imul ebp, edx
│           0x004015f6      4863ed         movsxd rbp, ebp
│           0x004015f9      48c1e502       shl rbp, 2
│           0x004015fd      4889ef         mov rdi, rbp                ; size_t size
│           0x00401600      e82bfcffff     call sym.imp.malloc         ;  void *malloc(size_t size)
│           0x00401605      4885c0         test rax, rax
│       ┌─< 0x00401608      750e           jne 0x401618
│       │   0x0040160a      488d3df319..   lea rdi, str.ERROR:_Failed_to_allocate_memory_for_the_image_data_ ; 0x403004 ; "ERROR: Failed to allocate memory for the image data!" ; const char *s
│       │   0x00401611      e87afbffff     call sym.imp.puts           ; int puts(const char *s)
│      ┌──< 0x00401616      eb57           jmp 0x40166f
│      ││   ; CODE XREF from sym.handle_1 @ 0x401608(x)
│      │└─> 0x00401618      89ea           mov edx, ebp                ; int64_t arg3
│      │    0x0040161a      4889c6         mov rsi, rax                ; void *buf
│      │    0x0040161d      4183c8ff       or r8d, 0xffffffff          ; -1
│      │    0x00401621      31ff           xor edi, edi                ; int fildes
│      │    0x00401623      488d0d0f1a..   lea rcx, str.ERROR:_Failed_to_read_data_ ; 0x403039 ; "ERROR: Failed to read data!" ; int64_t arg4
│      │    0x0040162a      4989c4         mov r12, rax
│      │    0x0040162d      e844ffffff     call sym.read_exact
│      │    0x00401632      0fb64307       movzx eax, byte [rbx + 7]
│      │    0x00401636      0fb65306       movzx edx, byte [rbx + 6]
│      │    0x0040163a      0fafd0         imul edx, eax
│      │    0x0040163d      31c0           xor eax, eax
│      │    ; CODE XREF from sym.handle_1 @ 0x401653(x)
│      │┌─> 0x0040163f      39c2           cmp edx, eax
│     ┌───< 0x00401641      7e34           jle 0x401677
│     ││╎   0x00401643      410fb64c8403   movzx ecx, byte [r12 + rax*4 + 3]
│     ││╎   0x00401649      48ffc0         inc rax
│     ││╎   0x0040164c      8d71e0         lea esi, [rcx - 0x20]
│     ││╎   0x0040164f      4080fe5e       cmp sil, 0x5e               ; '^' ; 94
│     ││└─< 0x00401653      76ea           jbe 0x40163f
│     ││    0x00401655      488b3de439..   mov rdi, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5
│     ││                                                               ; [0x405040:8]=0
│     ││    0x0040165c      488d15f219..   lea rdx, str.ERROR:_Invalid_character_0x_x_in_the_image_data__n ; str.ERROR:_Invalid_character_0x_x_in_the_image_data__n
│     ││                                                               ; 0x403055 ; "ERROR: Invalid character 0x%x in the image data!\n"
│     ││    0x00401663      be01000000     mov esi, 1
│     ││    0x00401668      31c0           xor eax, eax
│     ││    0x0040166a      e811fcffff     call sym.imp.__fprintf_chk
│     ││    ; CODE XREF from sym.handle_1 @ 0x401616(x)
│     │└──> 0x0040166f      83cfff         or edi, 0xffffffff          ; -1
│     │     0x00401672      e8f9fbffff     call sym.imp.exit           ; void exit(int status)
│     │     ; CODE XREF from sym.handle_1 @ 0x401641(x)
│     └───> 0x00401677      4531ed         xor r13d, r13d
│           0x0040167a      4c8d74241f     lea r14, [var_1fh]
│           ; CODE XREF from sym.handle_1 @ 0x40171f(x)
│       ┌─> 0x0040167f      0fb64307       movzx eax, byte [rbx + 7]
│       ╎   0x00401683      4439e8         cmp eax, r13d
│      ┌──< 0x00401686      0f8e98000000   jle 0x401724
│      │╎   0x0040168c      31ed           xor ebp, ebp
│      │╎   ; CODE XREF from sym.handle_1 @ 0x401717(x)
│     ┌───> 0x0040168e      440fb67b06     movzx r15d, byte [rbx + 6]
│     ╎│╎   0x00401693      4139ef         cmp r15d, ebp
│    ┌────< 0x00401696      0f8e80000000   jle 0x40171c
│    │╎│╎   0x0040169c      4589fa         mov r10d, r15d
│    │╎│╎   0x0040169f      b919000000     mov ecx, 0x19               ; 25
│    │╎│╎   0x004016a4      be19000000     mov esi, 0x19               ; 25
│    │╎│╎   0x004016a9      4c89f7         mov rdi, r14
│    │╎│╎   0x004016ac      450fafd5       imul r10d, r13d
│    │╎│╎   0x004016b0      4c8d05d019..   lea r8, str.e_38_2__03d__03d__03dm_ce_0m ; 0x403087
│    │╎│╎   0x004016b7      418d042a       lea eax, [r10 + rbp]
│    │╎│╎   0x004016bb      448954240c     mov dword [var_ch], r10d
│    │╎│╎   0x004016c0      4898           cdqe
│    │╎│╎   0x004016c2      52             push rdx
│    │╎│╎   0x004016c3      498d0484       lea rax, [r12 + rax*4]
│    │╎│╎   0x004016c7      0fb65003       movzx edx, byte [rax + 3]
│    │╎│╎   0x004016cb      52             push rdx
│    │╎│╎   0x004016cc      0fb65002       movzx edx, byte [rax + 2]
│    │╎│╎   0x004016d0      52             push rdx
│    │╎│╎   0x004016d1      0fb65001       movzx edx, byte [rax + 1]
│    │╎│╎   0x004016d5      52             push rdx
│    │╎│╎   0x004016d6      440fb608       movzx r9d, byte [rax]
│    │╎│╎   0x004016da      ba01000000     mov edx, 1
│    │╎│╎   0x004016df      31c0           xor eax, eax
│    │╎│╎   0x004016e1      e87afaffff     call sym.imp.__snprintf_chk
│    │╎│╎   0x004016e6      89e8           mov eax, ebp
│    │╎│╎   0x004016e8      448b54242c     mov r10d, dword [var_ch]
│    │╎│╎   0x004016ed      410f1006       movups xmm0, xmmword [r14]
│    │╎│╎   0x004016f1      99             cdq
│    │╎│╎   0x004016f2      4883c420       add rsp, 0x20
│    │╎│╎   0x004016f6      ffc5           inc ebp
│    │╎│╎   0x004016f8      41f7ff         idiv r15d
│    │╎│╎   0x004016fb      428d0412       lea eax, [rdx + r10]
│    │╎│╎   0x004016ff      31d2           xor edx, edx
│    │╎│╎   0x00401701      f7730c         div dword [rbx + 0xc]
│    │╎│╎   0x00401704      486bd218       imul rdx, rdx, 0x18
│    │╎│╎   0x00401708      48035310       add rdx, qword [rbx + 0x10]
│    │╎│╎   0x0040170c      0f1102         movups xmmword [rdx], xmm0
│    │╎│╎   0x0040170f      498b4610       mov rax, qword [r14 + 0x10]
│    │╎│╎   0x00401713      48894210       mov qword [rdx + 0x10], rax
│    │└───< 0x00401717      e972ffffff     jmp 0x40168e
│    │ │╎   ; CODE XREF from sym.handle_1 @ 0x401696(x)
│    └────> 0x0040171c      41ffc5         inc r13d
│      │└─< 0x0040171f      e95bffffff     jmp 0x40167f
│      │    ; CODE XREF from sym.handle_1 @ 0x401686(x)
│      └──> 0x00401724      488b442438     mov rax, qword [canary]
│           0x00401729      6448330425..   xor rax, qword fs:[0x28]
│       ┌─< 0x00401732      7405           je 0x401739
│       │   0x00401734      e877faffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.handle_1 @ 0x401732(x)
│       └─> 0x00401739      4883c448       add rsp, 0x48
│           0x0040173d      5b             pop rbx
│           0x0040173e      5d             pop rbp
│           0x0040173f      415c           pop r12
│           0x00401741      415d           pop r13
│           0x00401743      415e           pop r14
│           0x00401745      415f           pop r15
└           0x00401747      c3             ret
            ; CALL XREF from main @ 0x40140f(x)
┌ 517: sym.handle_2 (int64_t arg1, int64_t arg5, int64_t arg_3h);
│ `- args(rdi, r8, sp[0x3..0x3]) vars(6:sp[0x40..0x5d])
│           0x00401748      f30f1efa       endbr64
│           0x0040174c      4157           push r15
│           0x0040174e      4183c8ff       or r8d, 0xffffffff          ; -1 ; arg5
│           0x00401752      ba01000000     mov edx, 1                  ; int64_t arg3
│           0x00401757      488d0d4619..   lea rcx, str.ERROR:_Failed_to_read_base_x_ ; 0x4030a4 ; "ERROR: Failed to read &base_x!" ; int64_t arg4
│           0x0040175e      4156           push r14
│           0x00401760      4155           push r13
│           0x00401762      4154           push r12
│           0x00401764      4989fc         mov r12, rdi                ; arg1
│           0x00401767      31ff           xor edi, edi                ; int fildes
│           0x00401769      55             push rbp
│           0x0040176a      53             push rbx
│           0x0040176b      4883ec38       sub rsp, 0x38
│           0x0040176f      64488b0425..   mov rax, qword fs:[0x28]
│           0x00401778      4889442428     mov qword [canary], rax
│           0x0040177d      31c0           xor eax, eax
│           0x0040177f      488d74240d     lea rsi, [var_dh]           ; void *buf
│           0x00401784      e8edfdffff     call sym.read_exact
│           0x00401789      4183c8ff       or r8d, 0xffffffff          ; -1
│           0x0040178d      31ff           xor edi, edi                ; int fildes
│           0x0040178f      488d74240e     lea rsi, [var_eh]           ; void *buf
│           0x00401794      488d0d2819..   lea rcx, str.ERROR:_Failed_to_read_base_y_ ; 0x4030c3 ; "ERROR: Failed to read &base_y!" ; int64_t arg4
│           0x0040179b      ba01000000     mov edx, 1                  ; int64_t arg3
│           0x004017a0      e8d1fdffff     call sym.read_exact
│           0x004017a5      4183c8ff       or r8d, 0xffffffff          ; -1
│           0x004017a9      31ff           xor edi, edi                ; int fildes
│           0x004017ab      488d74240b     lea rsi, [var_bh]           ; void *buf
│           0x004017b0      488d0d2b19..   lea rcx, str.ERROR:_Failed_to_read_width_ ; 0x4030e2 ; "ERROR: Failed to read &width!" ; int64_t arg4
│           0x004017b7      ba01000000     mov edx, 1                  ; int64_t arg3
│           0x004017bc      e8b5fdffff     call sym.read_exact
│           0x004017c1      31ff           xor edi, edi                ; int fildes
│           0x004017c3      4183c8ff       or r8d, 0xffffffff          ; -1
│           0x004017c7      ba01000000     mov edx, 1                  ; int64_t arg3
│           0x004017cc      488d74240c     lea rsi, [var_ch]           ; void *buf
│           0x004017d1      488d0d2819..   lea rcx, str.ERROR:_Failed_to_read_height_ ; 0x403100 ; "ERROR: Failed to read &height!" ; int64_t arg4
│           0x004017d8      e899fdffff     call sym.read_exact
│           0x004017dd      0fb65c240b     movzx ebx, byte [var_bh]
│           0x004017e2      0fb654240c     movzx edx, byte [var_ch]
│           0x004017e7      0fafda         imul ebx, edx
│           0x004017ea      4863db         movsxd rbx, ebx
│           0x004017ed      48c1e302       shl rbx, 2
│           0x004017f1      4889df         mov rdi, rbx                ; size_t size
│           0x004017f4      e837faffff     call sym.imp.malloc         ;  void *malloc(size_t size)
│           0x004017f9      4885c0         test rax, rax
│       ┌─< 0x004017fc      750e           jne 0x40180c
│       │   0x004017fe      488d3dff17..   lea rdi, str.ERROR:_Failed_to_allocate_memory_for_the_image_data_ ; 0x403004 ; "ERROR: Failed to allocate memory for the image data!" ; const char *s
│       │   0x00401805      e886f9ffff     call sym.imp.puts           ; int puts(const char *s)
│      ┌──< 0x0040180a      eb58           jmp 0x401864
│      ││   ; CODE XREF from sym.handle_2 @ 0x4017fc(x)
│      │└─> 0x0040180c      89da           mov edx, ebx                ; int64_t arg3
│      │    0x0040180e      4889c6         mov rsi, rax                ; void *buf
│      │    0x00401811      4183c8ff       or r8d, 0xffffffff          ; -1
│      │    0x00401815      31ff           xor edi, edi                ; int fildes
│      │    0x00401817      488d0d1b18..   lea rcx, str.ERROR:_Failed_to_read_data_ ; 0x403039 ; "ERROR: Failed to read data!" ; int64_t arg4
│      │    0x0040181e      4889c5         mov rbp, rax
│      │    0x00401821      e850fdffff     call sym.read_exact
│      │    0x00401826      0fb644240c     movzx eax, byte [var_ch]
│      │    0x0040182b      0fb654240b     movzx edx, byte [var_bh]
│      │    0x00401830      0fafd0         imul edx, eax
│      │    0x00401833      31c0           xor eax, eax
│      │    ; CODE XREF from sym.handle_2 @ 0x401848(x)
│      │┌─> 0x00401835      39c2           cmp edx, eax
│     ┌───< 0x00401837      7e33           jle 0x40186c
│     ││╎   0x00401839      0fb64c8503     movzx ecx, byte [rbp + rax*4 + 3]
│     ││╎   0x0040183e      48ffc0         inc rax
│     ││╎   0x00401841      8d71e0         lea esi, [rcx - 0x20]
│     ││╎   0x00401844      4080fe5e       cmp sil, 0x5e               ; '^' ; 94
│     ││└─< 0x00401848      76eb           jbe 0x401835
│     ││    0x0040184a      488b3def37..   mov rdi, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5
│     ││                                                               ; [0x405040:8]=0
│     ││    0x00401851      488d15fd17..   lea rdx, str.ERROR:_Invalid_character_0x_x_in_the_image_data__n ; str.ERROR:_Invalid_character_0x_x_in_the_image_data__n
│     ││                                                               ; 0x403055 ; "ERROR: Invalid character 0x%x in the image data!\n"
│     ││    0x00401858      be01000000     mov esi, 1
│     ││    0x0040185d      31c0           xor eax, eax
│     ││    0x0040185f      e81cfaffff     call sym.imp.__fprintf_chk
│     ││    ; CODE XREF from sym.handle_2 @ 0x40180a(x)
│     │└──> 0x00401864      83cfff         or edi, 0xffffffff          ; -1
│     │     0x00401867      e804faffff     call sym.imp.exit           ; void exit(int status)
│     │     ; CODE XREF from sym.handle_2 @ 0x401837(x)
│     └───> 0x0040186c      4531ed         xor r13d, r13d
│           0x0040186f      4c8d7c240f     lea r15, [var_fh]
│           ; CODE XREF from sym.handle_2 @ 0x401924(x)
│       ┌─> 0x00401874      0fb644240c     movzx eax, byte [var_ch]
│       ╎   0x00401879      4439e8         cmp eax, r13d
│      ┌──< 0x0040187c      0f8ea7000000   jle 0x401929
│      │╎   0x00401882      4531f6         xor r14d, r14d
│      │╎   ; CODE XREF from sym.handle_2 @ 0x40191c(x)
│     ┌───> 0x00401885      0fb64c240b     movzx ecx, byte [var_bh]
│     ╎│╎   0x0040188a      4439f1         cmp ecx, r14d
│    ┌────< 0x0040188d      0f8e8e000000   jle 0x401921
│    │╎│╎   0x00401893      0fb644240d     movzx eax, byte [var_dh]
│    │╎│╎   0x00401898      0fb65c240e     movzx ebx, byte [var_eh]
│    │╎│╎   0x0040189d      410fafcd       imul ecx, r13d
│    │╎│╎   0x004018a1      4c89ff         mov rdi, r15
│    │╎│╎   0x004018a4      410fb6742406   movzx esi, byte [r12 + 6]
│    │╎│╎   0x004018aa      4c8d05d617..   lea r8, str.e_38_2__03d__03d__03dm_ce_0m ; 0x403087
│    │╎│╎   0x004018b1      4401f0         add eax, r14d
│    │╎│╎   0x004018b4      4401eb         add ebx, r13d
│    │╎│╎   0x004018b7      99             cdq
│    │╎│╎   0x004018b8      0fafde         imul ebx, esi
│    │╎│╎   0x004018bb      4401f1         add ecx, r14d
│    │╎│╎   0x004018be      41ffc6         inc r14d
│    │╎│╎   0x004018c1      f7fe           idiv esi
│    │╎│╎   0x004018c3      4863c9         movsxd rcx, ecx
│    │╎│╎   0x004018c6      be19000000     mov esi, 0x19               ; 25
│    │╎│╎   0x004018cb      488d448d00     lea rax, [rbp + rcx*4]
│    │╎│╎   0x004018d0      b919000000     mov ecx, 0x19               ; 25
│    │╎│╎   0x004018d5      01d3           add ebx, edx
│    │╎│╎   0x004018d7      52             push rdx
│    │╎│╎   0x004018d8      0fb65003       movzx edx, byte [rax + 3]
│    │╎│╎   0x004018dc      52             push rdx
│    │╎│╎   0x004018dd      0fb65002       movzx edx, byte [rax + 2]
│    │╎│╎   0x004018e1      52             push rdx
│    │╎│╎   0x004018e2      0fb65001       movzx edx, byte [rax + 1]
│    │╎│╎   0x004018e6      52             push rdx
│    │╎│╎   0x004018e7      440fb608       movzx r9d, byte [rax]
│    │╎│╎   0x004018eb      ba01000000     mov edx, 1
│    │╎│╎   0x004018f0      31c0           xor eax, eax
│    │╎│╎   0x004018f2      e869f8ffff     call sym.imp.__snprintf_chk
│    │╎│╎   0x004018f7      89d8           mov eax, ebx
│    │╎│╎   0x004018f9      31d2           xor edx, edx
│    │╎│╎   0x004018fb      410f1007       movups xmm0, xmmword [r15]
│    │╎│╎   0x004018ff      41f774240c     div dword [r12 + 0xc]
│    │╎│╎   0x00401904      4883c420       add rsp, 0x20
│    │╎│╎   0x00401908      486bd218       imul rdx, rdx, 0x18
│    │╎│╎   0x0040190c      4903542410     add rdx, qword [r12 + 0x10]
│    │╎│╎   0x00401911      0f1102         movups xmmword [rdx], xmm0
│    │╎│╎   0x00401914      498b4710       mov rax, qword [r15 + 0x10]
│    │╎│╎   0x00401918      48894210       mov qword [rdx + 0x10], rax
│    │└───< 0x0040191c      e964ffffff     jmp 0x401885
│    │ │╎   ; CODE XREF from sym.handle_2 @ 0x40188d(x)
│    └────> 0x00401921      41ffc5         inc r13d
│      │└─< 0x00401924      e94bffffff     jmp 0x401874
│      │    ; CODE XREF from sym.handle_2 @ 0x40187c(x)
│      └──> 0x00401929      488b442428     mov rax, qword [canary]
│           0x0040192e      6448330425..   xor rax, qword fs:[0x28]
│       ┌─< 0x00401937      7405           je 0x40193e
│       │   0x00401939      e872f8ffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.handle_2 @ 0x401937(x)
│       └─> 0x0040193e      4883c438       add rsp, 0x38
│           0x00401942      5b             pop rbx
│           0x00401943      5d             pop rbp
│           0x00401944      415c           pop r12
│           0x00401946      415d           pop r13
│           0x00401948      415e           pop r14
│           0x0040194a      415f           pop r15
└           0x0040194c      c3             ret
            ; CALL XREF from main @ 0x401416(x)
┌ 337: sym.handle_3 (int64_t arg1, int64_t arg5);
│ `- args(rdi, r8) vars(4:sp[0x20..0x23])
│           0x0040194d      f30f1efa       endbr64
│           0x00401951      4154           push r12
│           0x00401953      4183c8ff       or r8d, 0xffffffff          ; -1 ; arg5
│           0x00401957      ba01000000     mov edx, 1                  ; int64_t arg3
│           0x0040195c      488d0dbc17..   lea rcx, str.ERROR:_Failed_to_read_sprite_id_ ; 0x40311f ; "ERROR: Failed to read &sprite_id!" ; int64_t arg4
│           0x00401963      55             push rbp
│           0x00401964      4889fd         mov rbp, rdi                ; arg1
│           0x00401967      31ff           xor edi, edi                ; int fildes
│           0x00401969      53             push rbx
│           0x0040196a      4883ec10       sub rsp, 0x10
│           0x0040196e      64488b0425..   mov rax, qword fs:[0x28]
│           0x00401977      4889442408     mov qword [canary], rax
│           0x0040197c      31c0           xor eax, eax
│           0x0040197e      488d742405     lea rsi, [var_5h]           ; void *buf
│           0x00401983      e8eefbffff     call sym.read_exact
│           0x00401988      488d742406     lea rsi, [var_6h]           ; void *buf
│           0x0040198d      4183c8ff       or r8d, 0xffffffff          ; -1
│           0x00401991      31ff           xor edi, edi                ; int fildes
│           0x00401993      488d0d4817..   lea rcx, str.ERROR:_Failed_to_read_width_ ; 0x4030e2 ; "ERROR: Failed to read &width!" ; int64_t arg4
│           0x0040199a      ba01000000     mov edx, 1                  ; int64_t arg3
│           0x0040199f      e8d2fbffff     call sym.read_exact
│           0x004019a4      ba01000000     mov edx, 1                  ; int64_t arg3
│           0x004019a9      31ff           xor edi, edi                ; int fildes
│           0x004019ab      4183c8ff       or r8d, 0xffffffff          ; -1
│           0x004019af      488d742407     lea rsi, [var_7h]           ; void *buf
│           0x004019b4      488d0d4517..   lea rcx, str.ERROR:_Failed_to_read_height_ ; 0x403100 ; "ERROR: Failed to read &height!" ; int64_t arg4
│           0x004019bb      e8b6fbffff     call sym.read_exact
│           0x004019c0      0fb6442405     movzx eax, byte [var_5h]
│           0x004019c5      8a542406       mov dl, byte [var_6h]
│           0x004019c9      48c1e004       shl rax, 4
│           0x004019cd      4801e8         add rax, rbp
│           0x004019d0      885019         mov byte [rax + 0x19], dl
│           0x004019d3      488b7820       mov rdi, qword [rax + 0x20]
│           0x004019d7      8a542407       mov dl, byte [var_7h]
│           0x004019db      885018         mov byte [rax + 0x18], dl
│           0x004019de      4885ff         test rdi, rdi
│       ┌─< 0x004019e1      7405           je 0x4019e8
│       │   0x004019e3      e888f7ffff     call sym.imp.free           ; void free(void *ptr)
│       │   ; CODE XREF from sym.handle_3 @ 0x4019e1(x)
│       └─> 0x004019e8      440fb6642406   movzx r12d, byte [var_6h]
│           0x004019ee      0fb6542407     movzx edx, byte [var_7h]
│           0x004019f3      440fafe2       imul r12d, edx
│           0x004019f7      4963fc         movsxd rdi, r12d            ; size_t size
│           0x004019fa      e831f8ffff     call sym.imp.malloc         ;  void *malloc(size_t size)
│           0x004019ff      4889c3         mov rbx, rax
│           0x00401a02      4885c0         test rax, rax
│       ┌─< 0x00401a05      750e           jne 0x401a15
│       │   0x00401a07      488d3df615..   lea rdi, str.ERROR:_Failed_to_allocate_memory_for_the_image_data_ ; 0x403004 ; "ERROR: Failed to allocate memory for the image data!" ; const char *s
│       │   0x00401a0e      e87df7ffff     call sym.imp.puts           ; int puts(const char *s)
│      ┌──< 0x00401a13      eb55           jmp 0x401a6a
│      ││   ; CODE XREF from sym.handle_3 @ 0x401a05(x)
│      │└─> 0x00401a15      4489e2         mov edx, r12d               ; int64_t arg3
│      │    0x00401a18      4889c6         mov rsi, rax                ; void *buf
│      │    0x00401a1b      4183c8ff       or r8d, 0xffffffff          ; -1
│      │    0x00401a1f      31ff           xor edi, edi                ; int fildes
│      │    0x00401a21      488d0d1116..   lea rcx, str.ERROR:_Failed_to_read_data_ ; 0x403039 ; "ERROR: Failed to read data!" ; int64_t arg4
│      │    0x00401a28      e849fbffff     call sym.read_exact
│      │    0x00401a2d      0fb6442407     movzx eax, byte [var_7h]
│      │    0x00401a32      0fb6542406     movzx edx, byte [var_6h]
│      │    0x00401a37      0fafd0         imul edx, eax
│      │    0x00401a3a      31c0           xor eax, eax
│      │    ; CODE XREF from sym.handle_3 @ 0x401a4e(x)
│      │┌─> 0x00401a3c      39c2           cmp edx, eax
│     ┌───< 0x00401a3e      7e32           jle 0x401a72
│     ││╎   0x00401a40      0fb60c03       movzx ecx, byte [rbx + rax]
│     ││╎   0x00401a44      48ffc0         inc rax
│     ││╎   0x00401a47      8d71e0         lea esi, [rcx - 0x20]
│     ││╎   0x00401a4a      4080fe5e       cmp sil, 0x5e               ; '^' ; 94
│     ││└─< 0x00401a4e      76ec           jbe 0x401a3c
│     ││    0x00401a50      488b3de935..   mov rdi, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5
│     ││                                                               ; [0x405040:8]=0
│     ││    0x00401a57      488d15f715..   lea rdx, str.ERROR:_Invalid_character_0x_x_in_the_image_data__n ; str.ERROR:_Invalid_character_0x_x_in_the_image_data__n
│     ││                                                               ; 0x403055 ; "ERROR: Invalid character 0x%x in the image data!\n"
│     ││    0x00401a5e      be01000000     mov esi, 1
│     ││    0x00401a63      31c0           xor eax, eax
│     ││    0x00401a65      e816f8ffff     call sym.imp.__fprintf_chk
│     ││    ; CODE XREF from sym.handle_3 @ 0x401a13(x)
│     │└──> 0x00401a6a      83cfff         or edi, 0xffffffff          ; -1
│     │     0x00401a6d      e8fef7ffff     call sym.imp.exit           ; void exit(int status)
│     │     ; CODE XREF from sym.handle_3 @ 0x401a3e(x)
│     └───> 0x00401a72      0fb6442405     movzx eax, byte [var_5h]
│           0x00401a77      48c1e004       shl rax, 4
│           0x00401a7b      48895c2820     mov qword [rax + rbp + 0x20], rbx
│           0x00401a80      488b442408     mov rax, qword [canary]
│           0x00401a85      6448330425..   xor rax, qword fs:[0x28]
│       ┌─< 0x00401a8e      7405           je 0x401a95
│       │   0x00401a90      e81bf7ffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.handle_3 @ 0x401a8e(x)
│       └─> 0x00401a95      4883c410       add rsp, 0x10
│           0x00401a99      5b             pop rbx
│           0x00401a9a      5d             pop rbp
│           0x00401a9b      415c           pop r12
└           0x00401a9d      c3             ret
            ; CALL XREF from main @ 0x40141d(x)
┌ 603: sym.handle_4 (int64_t arg1, int64_t arg5);
│ `- args(rdi, r8) vars(16:sp[0x1056..0x1078])
│           0x00401c36      f30f1efa       endbr64
│           0x00401c3a      4157           push r15
│           0x00401c3c      4156           push r14
│           0x00401c3e      4155           push r13
│           0x00401c40      4154           push r12
│           0x00401c42      55             push rbp
│           0x00401c43      53             push rbx
│           0x00401c44      4c8d9c2400..   lea r11, [rsp - 0x40000]
│           ; CODE XREF from sym.handle_4 @ 0x401c5a(x)
│       ┌─> 0x00401c4c      4881ec0010..   sub rsp, 0x1000
│       ╎   0x00401c53      830c2400       or dword [rsp], 0
│       ╎   0x00401c57      4c39dc         cmp rsp, r11
│       └─< 0x00401c5a      75f0           jne 0x401c4c
│           0x00401c5c      4883ec48       sub rsp, 0x48
│           0x00401c60      488d0d5615..   lea rcx, str.ERROR:_Failed_to_read_sprite_render_record_ ; 0x4031bd ; "ERROR: Failed to read &sprite_render_record!" ; int64_t arg4
│           0x00401c67      ba09000000     mov edx, 9                  ; int64_t arg3
│           0x00401c6c      4183c8ff       or r8d, 0xffffffff          ; -1 ; arg5
│           0x00401c70      64488b0425..   mov rax, qword fs:[0x28]
│           0x00401c79      4889842438..   mov qword [rsp + 0x40038], rax ; [0x40038:8]=-1
│           0x00401c81      31c0           xor eax, eax
│           0x00401c83      4889fb         mov rbx, rdi                ; arg1
│           0x00401c86      488d742416     lea rsi, [var_16h]          ; void *buf
│           0x00401c8b      31ff           xor edi, edi                ; int fildes
│           0x00401c8d      e8e4f8ffff     call sym.read_exact
│           0x00401c92      488d7c241f     lea rdi, [var_1fh]
│           0x00401c97      b900000100     mov ecx, 0x10000
│           0x00401c9c      31c0           xor eax, eax
│           0x00401c9e      0fb6542416     movzx edx, byte [var_16h]
│           0x00401ca3      448a542417     mov r10b, byte [var_17h]
│           0x00401ca8      488d74241f     lea rsi, [var_1fh]
│           0x00401cad      f3ab           rep stosd dword [rdi], eax
│           0x00401caf      448a5c2418     mov r11b, byte [var_18h]
│           0x00401cb4      408a6c2419     mov bpl, byte [var_19h]
│           0x00401cb9      48c1e204       shl rdx, 4
│           0x00401cbd      4801da         add rdx, rbx
│           0x00401cc0      440fb66218     movzx r12d, byte [rdx + 0x18]
│           ; CODE XREF from sym.handle_4 @ 0x401d20(x)
│       ┌─> 0x00401cc5      4139cc         cmp r12d, ecx
│      ┌──< 0x00401cc8      7e58           jle 0x401d22
│      │╎   0x00401cca      440fb64219     movzx r8d, byte [rdx + 0x19]
│      │╎   0x00401ccf      31ff           xor edi, edi
│      │╎   0x00401cd1      4489c0         mov eax, r8d
│      │╎   0x00401cd4      0fafc1         imul eax, ecx
│      │╎   ; CODE XREF from sym.handle_4 @ 0x401d1c(x)
│     ┌───> 0x00401cd7      4139f8         cmp r8d, edi
│    ┌────< 0x00401cda      7e42           jle 0x401d1e
│    │╎│╎   0x00401cdc      4c8b4a20       mov r9, qword [rdx + 0x20]
│    │╎│╎   0x00401ce0      44881486       mov byte [rsi + rax*4], r10b
│    │╎│╎   0x00401ce4      44885c8601     mov byte [rsi + rax*4 + 1], r11b
│    │╎│╎   0x00401ce9      40886c8602     mov byte [rsi + rax*4 + 2], bpl
│    │╎│╎   0x00401cee      4d85c9         test r9, r9
│   ┌─────< 0x00401cf1      751b           jne 0x401d0e
│   ││╎│╎   0x00401cf3      488b354633..   mov rsi, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5
│   ││╎│╎                                                              ; [0x405040:8]=0 ; FILE *stream
│   ││╎│╎   0x00401cfa      488d3de914..   lea rdi, str.ERROR:_attempted_to_render_uninitialized_sprite__n ; 0x4031ea ; "ERROR: attempted to render uninitialized sprite!\n" ; const char *s
│   ││╎│╎   0x00401d01      e8daf4ffff     call sym.imp.fputs          ; int fputs(const char *s, FILE *stream)
│   ││╎│╎   0x00401d06      83cfff         or edi, 0xffffffff          ; -1
│   ││╎│╎   0x00401d09      e862f5ffff     call sym.imp.exit           ; void exit(int status)
│   ││╎│╎   ; CODE XREF from sym.handle_4 @ 0x401cf1(x)
│   └─────> 0x00401d0e      458a0c01       mov r9b, byte [r9 + rax]
│    │╎│╎   0x00401d12      ffc7           inc edi
│    │╎│╎   0x00401d14      44884c8603     mov byte [rsi + rax*4 + 3], r9b
│    │╎│╎   0x00401d19      48ffc0         inc rax
│    │└───< 0x00401d1c      ebb9           jmp 0x401cd7
│    │ │╎   ; CODE XREF from sym.handle_4 @ 0x401cda(x)
│    └────> 0x00401d1e      ffc1           inc ecx
│      │└─< 0x00401d20      eba3           jmp 0x401cc5
│      │    ; CODE XREF from sym.handle_4 @ 0x401cc8(x)
│      └──> 0x00401d22      4531ff         xor r15d, r15d
│           0x00401d25      488dbc241f..   lea rdi, [rsp + 0x4001f]
│           ; CODE XREF from sym.handle_4 @ 0x401e62(x)
│       ┌─> 0x00401d2d      0fb644241d     movzx eax, byte [var_1dh]
│       ╎   0x00401d32      4439f8         cmp eax, r15d
│      ┌──< 0x00401d35      0f8e2c010000   jle 0x401e67
│      │╎   0x00401d3b      4531d2         xor r10d, r10d
│      │╎   ; CODE XREF from sym.handle_4 @ 0x401e5a(x)
│     ┌───> 0x00401d3e      0fb644241c     movzx eax, byte [var_1ch]
│     ╎│╎   0x00401d43      4439d0         cmp eax, r10d
│    ┌────< 0x00401d46      0f8e13010000   jle 0x401e5f
│    │╎│╎   0x00401d4c      0fb6542416     movzx edx, byte [var_16h]
│    │╎│╎   0x00401d51      4531db         xor r11d, r11d
│    │╎│╎   0x00401d54      48c1e204       shl rdx, 4
│    │╎│╎   0x00401d58      4801da         add rdx, rbx
│    │╎│╎   0x00401d5b      8a4219         mov al, byte [rdx + 0x19]
│    │╎│╎   0x00401d5e      410fafc2       imul eax, r10d
│    │╎│╎   0x00401d62      0244241a       add al, byte [var_1ah]
│    │╎│╎   0x00401d66      440fb6e0       movzx r12d, al
│    │╎│╎   0x00401d6a      8a4218         mov al, byte [rdx + 0x18]
│    │╎│╎   0x00401d6d      410fafc7       imul eax, r15d
│    │╎│╎   0x00401d71      0244241b       add al, byte [var_1bh]
│    │╎│╎   0x00401d75      0fb6e8         movzx ebp, al
│    │╎│╎   ; CODE XREF from sym.handle_4 @ 0x401e52(x)
│   ┌─────> 0x00401d78      0fb6442416     movzx eax, byte [var_16h]
│   ╎│╎│╎   0x00401d7d      48c1e004       shl rax, 4
│   ╎│╎│╎   0x00401d81      0fb6441818     movzx eax, byte [rax + rbx + 0x18]
│   ╎│╎│╎   0x00401d86      4439d8         cmp eax, r11d
│  ┌──────< 0x00401d89      0f8ec8000000   jle 0x401e57
│  │╎│╎│╎   0x00401d8f      4531ed         xor r13d, r13d
│  │╎│╎│╎   ; CODE XREF from sym.handle_4 @ 0x401e48(x)
│ ┌───────> 0x00401d92      0fb6442416     movzx eax, byte [var_16h]
│ ╎│╎│╎│╎   0x00401d97      48c1e004       shl rax, 4
│ ╎│╎│╎│╎   0x00401d9b      0fb6441819     movzx eax, byte [rax + rbx + 0x19]
│ ╎│╎│╎│╎   0x00401da0      4439e8         cmp eax, r13d
│ ────────< 0x00401da3      0f8ea4000000   jle 0x401e4d
│ ╎│╎│╎│╎   0x00401da9      410fafc3       imul eax, r11d
│ ╎│╎│╎│╎   0x00401dad      4401e8         add eax, r13d
│ ╎│╎│╎│╎   0x00401db0      4898           cdqe
│ ╎│╎│╎│╎   0x00401db2      0fb6548422     movzx edx, byte [rsp + rax*4 + 0x22]
│ ╎│╎│╎│╎   0x00401db7      3a54241e       cmp dl, byte [var_1eh]
│ ────────< 0x00401dbb      0f8484000000   je 0x401e45
│ ╎│╎│╎│╎   0x00401dc1      44895c240c     mov dword [var_ch], r11d
│ ╎│╎│╎│╎   0x00401dc6      be19000000     mov esi, 0x19               ; 25
│ ╎│╎│╎│╎   0x00401dcb      440fb67306     movzx r14d, byte [rbx + 6]
│ ╎│╎│╎│╎   0x00401dd0      4c8d05b012..   lea r8, str.e_38_2__03d__03d__03dm_ce_0m ; 0x403087
│ ╎│╎│╎│╎   0x00401dd7      4489542408     mov dword [var_8h], r10d
│ ╎│╎│╎│╎   0x00401ddc      51             push rcx
│ ╎│╎│╎│╎   0x00401ddd      b919000000     mov ecx, 0x19               ; 25
│ ╎│╎│╎│╎   0x00401de2      52             push rdx
│ ╎│╎│╎│╎   0x00401de3      0fb6548431     movzx edx, byte [rsp + rax*4 + 0x31]
│ ╎│╎│╎│╎   0x00401de8      52             push rdx
│ ╎│╎│╎│╎   0x00401de9      0fb6548438     movzx edx, byte [rsp + rax*4 + 0x38]
│ ╎│╎│╎│╎   0x00401dee      52             push rdx
│ ╎│╎│╎│╎   0x00401def      440fb64c843f   movzx r9d, byte [rsp + rax*4 + 0x3f]
│ ╎│╎│╎│╎   0x00401df5      ba01000000     mov edx, 1
│ ╎│╎│╎│╎   0x00401dfa      31c0           xor eax, eax
│ ╎│╎│╎│╎   0x00401dfc      48897c2420     mov qword [var_20h], rdi
│ ╎│╎│╎│╎   0x00401e01      e85af3ffff     call sym.imp.__snprintf_chk
│ ╎│╎│╎│╎   0x00401e06      438d442500     lea eax, [r13 + r12]
│ ╎│╎│╎│╎   0x00401e0b      488b7c2420     mov rdi, qword [var_20h]
│ ╎│╎│╎│╎   0x00401e10      448b5c242c     mov r11d, dword [var_ch]
│ ╎│╎│╎│╎   0x00401e15      99             cdq
│ ╎│╎│╎│╎   0x00401e16      448b542428     mov r10d, dword [var_8h]
│ ╎│╎│╎│╎   0x00401e1b      4883c420       add rsp, 0x20
│ ╎│╎│╎│╎   0x00401e1f      41f7fe         idiv r14d
│ ╎│╎│╎│╎   0x00401e22      0f1007         movups xmm0, xmmword [rdi]
│ ╎│╎│╎│╎   0x00401e25      440faff5       imul r14d, ebp
│ ╎│╎│╎│╎   0x00401e29      428d0432       lea eax, [rdx + r14]
│ ╎│╎│╎│╎   0x00401e2d      31d2           xor edx, edx
│ ╎│╎│╎│╎   0x00401e2f      f7730c         div dword [rbx + 0xc]
│ ╎│╎│╎│╎   0x00401e32      486bd218       imul rdx, rdx, 0x18
│ ╎│╎│╎│╎   0x00401e36      48035310       add rdx, qword [rbx + 0x10]
│ ╎│╎│╎│╎   0x00401e3a      0f1102         movups xmmword [rdx], xmm0
│ ╎│╎│╎│╎   0x00401e3d      488b4710       mov rax, qword [rdi + 0x10]
│ ╎│╎│╎│╎   0x00401e41      48894210       mov qword [rdx + 0x10], rax
│ ╎│╎│╎│╎   ; CODE XREF from sym.handle_4 @ 0x401dbb(x)
│ ────────> 0x00401e45      41ffc5         inc r13d
│ └───────< 0x00401e48      e945ffffff     jmp 0x401d92
│  │╎│╎│╎   ; CODE XREF from sym.handle_4 @ 0x401da3(x)
│ ────────> 0x00401e4d      41ffc3         inc r11d
│  │╎│╎│╎   0x00401e50      ffc5           inc ebp
│  │└─────< 0x00401e52      e921ffffff     jmp 0x401d78
│  │ │╎│╎   ; CODE XREF from sym.handle_4 @ 0x401d89(x)
│  └──────> 0x00401e57      41ffc2         inc r10d
│    │└───< 0x00401e5a      e9dffeffff     jmp 0x401d3e
│    │ │╎   ; CODE XREF from sym.handle_4 @ 0x401d46(x)
│    └────> 0x00401e5f      41ffc7         inc r15d
│      │└─< 0x00401e62      e9c6feffff     jmp 0x401d2d
│      │    ; CODE XREF from sym.handle_4 @ 0x401d35(x)
│      └──> 0x00401e67      488b842438..   mov rax, qword [rsp + 0x40038]
│           0x00401e6f      6448330425..   xor rax, qword fs:[0x28]
│       ┌─< 0x00401e78      7405           je 0x401e7f
│       │   0x00401e7a      e831f3ffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.handle_4 @ 0x401e78(x)
│       └─> 0x00401e7f      4881c44800..   add rsp, 0x40048
│           0x00401e86      5b             pop rbx
│           0x00401e87      5d             pop rbp
│           0x00401e88      415c           pop r12
│           0x00401e8a      415d           pop r13
│           0x00401e8c      415e           pop r14
│           0x00401e8e      415f           pop r15
└           0x00401e90      c3             ret
            ; CALL XREF from main @ 0x401424(x)
┌ 408: sym.handle_5 (int64_t arg1, int64_t arg5);
│ `- args(rdi, r8) vars(5:sp[0x30..0x133])
│           0x00401a9e      f30f1efa       endbr64
│           0x00401aa2      4155           push r13
│           0x00401aa4      b903010000     mov ecx, 0x103              ; 259
│           0x00401aa9      4183c8ff       or r8d, 0xffffffff          ; -1 ; arg5
│           0x00401aad      ba02010000     mov edx, 0x102              ; 258 ; int64_t arg3
│           0x00401ab2      4154           push r12
│           0x00401ab4      4989fc         mov r12, rdi                ; arg1
│           0x00401ab7      55             push rbp
│           0x00401ab8      53             push rbx
│           0x00401ab9      4881ec1801..   sub rsp, 0x118
│           0x00401ac0      64488b0425..   mov rax, qword fs:[0x28]
│           0x00401ac9      4889842408..   mov qword [canary], rax
│           0x00401ad1      31c0           xor eax, eax
│           0x00401ad3      488d7c2405     lea rdi, [var_5h]
│           0x00401ad8      488d742405     lea rsi, [var_5h]           ; void *buf
│           0x00401add      f3aa           rep stosb byte [rdi], al
│           0x00401adf      488d0d5b16..   lea rcx, str.ERROR:_Failed_to_read_sprite_load_record_ ; 0x403141 ; "ERROR: Failed to read &sprite_load_record!" ; int64_t arg4
│           0x00401ae6      31ff           xor edi, edi                ; int fildes
│           0x00401ae8      e889faffff     call sym.read_exact
│           0x00401aed      668b542406     mov dx, word [var_6h]
│           0x00401af2      0fb6442405     movzx eax, byte [var_5h]
│           0x00401af7      31f6           xor esi, esi                ; int oflag
│           0x00401af9      488d7c2408     lea rdi, [path]             ; const char *path
│           0x00401afe      86f2           xchg dl, dh
│           0x00401b00      48c1e004       shl rax, 4
│           0x00401b04      664189540418   mov word [r12 + rax + 0x18], dx
│           0x00401b0a      31c0           xor eax, eax
│           0x00401b0c      e84ff7ffff     call sym.imp.open           ; int open(const char *path, int oflag)
│           0x00401b11      488b352835..   mov rsi, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5
│                                                                      ; [0x405040:8]=0
│           0x00401b18      488d3d4d16..   lea rdi, str.ERROR:_failed_to_open_sprite_file_n ; 0x40316c ; "ERROR: failed to open sprite file\n"
│           0x00401b1f      85c0           test eax, eax
│       ┌─< 0x00401b21      0f88ca000000   js 0x401bf1
│       │   0x00401b27      89c5           mov ebp, eax
│       │   0x00401b29      0fb6442405     movzx eax, byte [var_5h]
│       │   0x00401b2e      48c1e004       shl rax, 4
│       │   0x00401b32      4a8b7c2020     mov rdi, qword [rax + r12 + 0x20]
│       │   0x00401b37      4885ff         test rdi, rdi
│      ┌──< 0x00401b3a      7405           je 0x401b41
│      ││   0x00401b3c      e82ff6ffff     call sym.imp.free           ; void free(void *ptr)
│      ││   ; CODE XREF from sym.handle_5 @ 0x401b3a(x)
│      └──> 0x00401b41      440fb66c2406   movzx r13d, byte [var_6h]
│       │   0x00401b47      0fb6542407     movzx edx, byte [var_7h]
│       │   0x00401b4c      440fafea       imul r13d, edx
│       │   0x00401b50      4963fd         movsxd rdi, r13d            ; size_t size
│       │   0x00401b53      e8d8f6ffff     call sym.imp.malloc         ;  void *malloc(size_t size)
│       │   0x00401b58      4889c3         mov rbx, rax
│       │   0x00401b5b      4885c0         test rax, rax
│      ┌──< 0x00401b5e      7514           jne 0x401b74
│      ││   0x00401b60      488d3d9d14..   lea rdi, str.ERROR:_Failed_to_allocate_memory_for_the_image_data_ ; 0x403004 ; "ERROR: Failed to allocate memory for the image data!" ; const char *s
│      ││   0x00401b67      e824f6ffff     call sym.imp.puts           ; int puts(const char *s)
│      ││   ; CODE XREFS from sym.handle_5 @ 0x401bc9(x), 0x401bf6(x)
│    ┌┌───> 0x00401b6c      83cfff         or edi, 0xffffffff          ; -1
│    ╎╎││   0x00401b6f      e8fcf6ffff     call sym.imp.exit           ; void exit(int status)
│    ╎╎││   ; CODE XREF from sym.handle_5 @ 0x401b5e(x)
│    ╎╎└──> 0x00401b74      4489ea         mov edx, r13d               ; int64_t arg3
│    ╎╎ │   0x00401b77      4889c6         mov rsi, rax                ; void *buf
│    ╎╎ │   0x00401b7a      4183c8ff       or r8d, 0xffffffff          ; -1
│    ╎╎ │   0x00401b7e      89ef           mov edi, ebp                ; int fildes
│    ╎╎ │   0x00401b80      488d0db214..   lea rcx, str.ERROR:_Failed_to_read_data_ ; 0x403039 ; "ERROR: Failed to read data!" ; int64_t arg4
│    ╎╎ │   0x00401b87      e8eaf9ffff     call sym.read_exact
│    ╎╎ │   0x00401b8c      0fb6442407     movzx eax, byte [var_7h]
│    ╎╎ │   0x00401b91      0fb6542406     movzx edx, byte [var_6h]
│    ╎╎ │   0x00401b96      0fafd0         imul edx, eax
│    ╎╎ │   0x00401b99      31c0           xor eax, eax
│    ╎╎ │   ; CODE XREF from sym.handle_5 @ 0x401bad(x)
│    ╎╎┌──> 0x00401b9b      39c2           cmp edx, eax
│   ┌─────< 0x00401b9d      7e2c           jle 0x401bcb
│   │╎╎╎│   0x00401b9f      0fb60c03       movzx ecx, byte [rbx + rax]
│   │╎╎╎│   0x00401ba3      48ffc0         inc rax
│   │╎╎╎│   0x00401ba6      8d71e0         lea esi, [rcx - 0x20]
│   │╎╎╎│   0x00401ba9      4080fe5e       cmp sil, 0x5e               ; '^' ; 94
│   │╎╎└──< 0x00401bad      76ec           jbe 0x401b9b
│   │╎╎ │   0x00401baf      488b3d8a34..   mov rdi, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5
│   │╎╎ │                                                              ; [0x405040:8]=0
│   │╎╎ │   0x00401bb6      488d159814..   lea rdx, str.ERROR:_Invalid_character_0x_x_in_the_image_data__n ; str.ERROR:_Invalid_character_0x_x_in_the_image_data__n
│   │╎╎ │                                                              ; 0x403055 ; "ERROR: Invalid character 0x%x in the image data!\n"
│   │╎╎ │   0x00401bbd      be01000000     mov esi, 1
│   │╎╎ │   0x00401bc2      31c0           xor eax, eax
│   │╎╎ │   0x00401bc4      e8b7f6ffff     call sym.imp.__fprintf_chk
│   │└────< 0x00401bc9      eba1           jmp 0x401b6c
│   │ ╎ │   ; CODE XREF from sym.handle_5 @ 0x401b9d(x)
│   └─────> 0x00401bcb      ba0c000000     mov edx, 0xc                ; 12 ; size_t n
│     ╎ │   0x00401bd0      488d35b815..   lea rsi, str.pwn.college    ; 0x40318f ; "pwn.college{" ; const char *s2
│     ╎ │   0x00401bd7      4889df         mov rdi, rbx                ; const char *s1
│     ╎ │   0x00401bda      e8a1f5ffff     call sym.imp.strncmp        ; int strncmp(const char *s1, const char *s2, size_t n)
│     ╎ │   0x00401bdf      85c0           test eax, eax
│     ╎┌──< 0x00401be1      7518           jne 0x401bfb
│     ╎││   0x00401be3      488b355634..   mov rsi, qword [obj.stderr] ; obj.stderr__GLIBC_2.2.5
│     ╎││                                                              ; [0x405040:8]=0
│     ╎││   0x00401bea      488d3dab15..   lea rdi, str.ERROR:_shenanigans_detected_____ ; 0x40319c ; "ERROR: shenanigans detected!!!!!"
│     ╎││   ; CODE XREF from sym.handle_5 @ 0x401b21(x)
│     ╎│└─> 0x00401bf1      e8eaf5ffff     call sym.imp.fputs          ; int fputs(const char *s, FILE *stream)
│     └───< 0x00401bf6      e971ffffff     jmp 0x401b6c
│      │    ; CODE XREF from sym.handle_5 @ 0x401be1(x)
│      └──> 0x00401bfb      0fb6442405     movzx eax, byte [var_5h]
│           0x00401c00      89ef           mov edi, ebp                ; int fildes
│           0x00401c02      48c1e004       shl rax, 4
│           0x00401c06      4a895c2020     mov qword [rax + r12 + 0x20], rbx
│           0x00401c0b      e8e0f5ffff     call sym.imp.close          ; int close(int fildes)
│           0x00401c10      488b842408..   mov rax, qword [canary]
│           0x00401c18      6448330425..   xor rax, qword fs:[0x28]
│       ┌─< 0x00401c21      7405           je 0x401c28
│       │   0x00401c23      e888f5ffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.handle_5 @ 0x401c21(x)
│       └─> 0x00401c28      4881c41801..   add rsp, 0x118
│           0x00401c2f      5b             pop rbx
│           0x00401c30      5d             pop rbp
│           0x00401c31      415c           pop r12
│           0x00401c33      415d           pop r13
└           0x00401c35      c3             ret
            ; CALL XREF from main @ 0x40142b(x)
┌ 121: sym.handle_6 (int64_t arg1, int64_t arg5);
│ `- args(rdi, r8) vars(2:sp[0x10..0x11])
│           0x00401f6b      f30f1efa       endbr64
│           0x00401f6f      55             push rbp
│           0x00401f70      4183c8ff       or r8d, 0xffffffff          ; -1 ; arg5
│           0x00401f74      4889fd         mov rbp, rdi                ; arg1
│           0x00401f77      ba01000000     mov edx, 1                  ; int64_t arg3
│           0x00401f7c      31ff           xor edi, edi                ; int fildes
│           0x00401f7e      488d0dd512..   lea rcx, str.ERROR:_Failed_to_read_clear_ ; 0x40325a ; "ERROR: Failed to read &clear!" ; int64_t arg4
│           0x00401f85      4883ec10       sub rsp, 0x10
│           0x00401f89      64488b0425..   mov rax, qword fs:[0x28]
│           0x00401f92      4889442408     mov qword [canary], rax
│           0x00401f97      31c0           xor eax, eax
│           0x00401f99      488d742407     lea rsi, [var_7h]           ; void *buf
│           0x00401f9e      e8d3f5ffff     call sym.read_exact
│           0x00401fa3      807c240700     cmp byte [var_7h], 0
│       ┌─< 0x00401fa8      7413           je 0x401fbd
│       │   0x00401faa      488d35c712..   lea rsi, str.e_He_2J        ; 0x403278
│       │   0x00401fb1      bf01000000     mov edi, 1
│       │   0x00401fb6      31c0           xor eax, eax
│       │   0x00401fb8      e883f2ffff     call sym.imp.__printf_chk
│       │   ; CODE XREF from sym.handle_6 @ 0x401fa8(x)
│       └─> 0x00401fbd      31f6           xor esi, esi
│           0x00401fbf      31c0           xor eax, eax
│           0x00401fc1      4889ef         mov rdi, rbp                ; int64_t arg1
│           0x00401fc4      e841ffffff     call sym.display
│           0x00401fc9      488b442408     mov rax, qword [canary]
│           0x00401fce      6448330425..   xor rax, qword fs:[0x28]
│       ┌─< 0x00401fd7      7405           je 0x401fde
│       │   0x00401fd9      e8d2f1ffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.handle_6 @ 0x401fd7(x)
│       └─> 0x00401fde      4883c410       add rsp, 0x10
│           0x00401fe2      5d             pop rbp
└           0x00401fe3      c3             ret
            ; CALL XREF from main @ 0x401432(x)
┌ 121: sym.handle_7 (int64_t arg5);
│ `- args(r8) vars(4:sp[0x10..0x24])
│           0x00401e91      f30f1efa       endbr64
│           0x00401e95      4883ec28       sub rsp, 0x28
│           0x00401e99      4183c8ff       or r8d, 0xffffffff          ; -1 ; arg5
│           0x00401e9d      31ff           xor edi, edi                ; int fildes
│           0x00401e9f      ba04000000     mov edx, 4                  ; size_t nbyte
│           0x00401ea4      64488b0425..   mov rax, qword fs:[0x28]
│           0x00401ead      4889442418     mov qword [canary], rax
│           0x00401eb2      31c0           xor eax, eax
│           0x00401eb4      488d742404     lea rsi, [var_4h]           ; void *buf
│           0x00401eb9      488d0d5c13..   lea rcx, str.ERROR:_Failed_to_read_milliseconds_ ; 0x40321c ; "ERROR: Failed to read &milliseconds!" ; int64_t arg4
│           0x00401ec0      e8b1f6ffff     call sym.read_exact
│           0x00401ec5      8b442404       mov eax, dword [var_4h]
│           0x00401ec9      b9e8030000     mov ecx, 0x3e8              ; 1000
│           0x00401ece      31d2           xor edx, edx
│           0x00401ed0      31f6           xor esi, esi                ; struct timespec *rem
│           0x00401ed2      488d7c2408     lea rdi, [req]              ; const struct timespec *req
│           0x00401ed7      f7f1           div ecx
│           0x00401ed9      89c0           mov eax, eax
│           0x00401edb      4889442408     mov qword [req], rax
│           0x00401ee0      69c240420f00   imul eax, edx, 0xf4240
│           0x00401ee6      4889442410     mov qword [var_10h], rax
│           0x00401eeb      e8e0f2ffff     call sym.imp.nanosleep      ; int nanosleep(const struct timespec *req, struct timespec *rem)
│           0x00401ef0      488b442418     mov rax, qword [canary]
│           0x00401ef5      6448330425..   xor rax, qword fs:[0x28]
│       ┌─< 0x00401efe      7405           je 0x401f05
│       │   0x00401f00      e8abf2ffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.handle_7 @ 0x401efe(x)
│       └─> 0x00401f05      4883c428       add rsp, 0x28
└           0x00401f09      c3             ret

quest.py

class CIMG_NORMAL:
    MAGIC = b"cIMG"
    RENDER_FRAME =  struct.pack("<H", 1)
    RENDER_PATCH =  struct.pack("<H", 2)
    CREATE_SPRITE = struct.pack("<H", 3)
    RENDER_SPRITE = struct.pack("<H", 4)
    LOAD_SPRITE =   struct.pack("<H", 5)
    FLUSH =         struct.pack("<H", 6)
    SLEEP =         struct.pack("<H", 7)

class CIMG_1337(CIMG_NORMAL):
    MAGIC = b"CNNR"

class GraphicsEngine:
    def __init__(self, width, height, cimg_version=4, cimg_ops=CIMG_1337):
        self.num_sprites = 0
        self.ops = cimg_ops
        self.width = width
        self.height = height
        self.output = os.fdopen(1, 'wb', buffering=0)

        self.output.write(
            self.ops.MAGIC +
            struct.pack("<H", cimg_version) +
            bytes([width, height]) +
            b"\xff\xff\xff\xff"
        )

    def render_frame_monochrome(self, lines, r=0xff, g=0xc6, b=0x27):
        self.output.write(
            self.ops.RENDER_FRAME +
            b"".join(bytes([r, g, b, c]) for c in b"".join(lines))
        )

    def render_patch_monochrome(self, lines, x, y, r=0xff, g=0xc6, b=0x27):
        assert all(b >= 20 and b <= 0x7e for b in b"".join(lines))
        self.output.write(
            self.ops.RENDER_PATCH +
            bytes([x, y, len(lines[0]), len(lines)]) +
            b"".join(bytes([r, g, b, c]) for c in b"".join(lines))
        )

    def create_sprite(self, lines, num=None):
        if num is None:
            num = self.num_sprites
            self.num_sprites += 1

        self.output.write(
            self.ops.CREATE_SPRITE +
            bytes([num, len(lines[0]), len(lines)]) +
            b"".join(lines)
        )
        return num

    def render_sprite(self, num, x, y, tile_x=1, tile_y=1, r=0x8c, g=0x1d, b=0x40, t=" "):
        self.output.write(
            self.ops.RENDER_SPRITE + bytes([num, r, g, b, x, y, tile_x, tile_y, ord(t)])
        )

    def flush(self, clear=True):
        self.output.write(self.ops.FLUSH + bytes([clear]))

    def sleep(self, ms):
        self.output.write(self.ops.SLEEP + struct.pack("<I", ms))

    def blank(self):
        self.render_patch_monochrome([ b" "*self.width ]*self.height, 1, 1)
        self.flush()

    def animate_text(self, text, x, y, r=None, g=None, b=None, interval=20):
        for i,c in enumerate(text):
            self.render_patch_monochrome(
                [bytes([ord(c)])], x+i, y,
                r=random.randrange(128, 256) if r is None else r,
                g=random.randrange(128, 256) if g is None else g,
                b=random.randrange(128, 256) if b is None else b
            )
            self.flush()
            self.sleep(interval)

class InputEngine:
    # adapted from https://github.com/magmax/python-readchar/blob/master/readchar/_posix_read.py
    @staticmethod
    def readchar():
        fd = sys.stdin.fileno()
        old_settings = termios.tcgetattr(fd)
        term = termios.tcgetattr(fd)
        try:
            term[3] &= ~(termios.ICANON | termios.ECHO | termios.IGNBRK | termios.BRKINT)
            termios.tcsetattr(fd, termios.TCSAFLUSH, term)
            return sys.stdin.read(1)
        finally:
            termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)

def game():
    w = 70
    h = 20
    x = random.randrange(w)
    y = random.randrange(h)

    victory = False

    kb = InputEngine()
    screen = GraphicsEngine(w, h, cimg_ops=CIMG_NORMAL if "NOFLAG" in sys.argv else CIMG_1337)
    our_sprite = screen.create_sprite([ b"\\o/", b" ^ "])

    screen.render_frame_monochrome([ b"#"*(w) ]*(h), r=255, g=255, b=255)
    screen.render_patch_monochrome([ b" "*(w-2) ]*(h-2), 1, 1)
    screen.flush()

    screen.animate_text("WELCOME TO THE EPIC QUEST FOR THE FLAG", 4, 4)
    screen.animate_text("INSTRUCTIONS:", 4, 10)
    screen.animate_text("- w: UP", 4, 11)
    screen.animate_text("- a: LEFT", 4, 12)
    screen.animate_text("- s: DOWN", 4, 13)
    screen.animate_text("- d: RIGHT", 4, 14)
    screen.animate_text("- q: QUIT", 4, 15)
    screen.animate_text("- l: LOOK", 4, 16)
    screen.animate_text("YOUR GOAL: UNCOVER THE FLAG", 4, 17)
    screen.animate_text("PRESS ANY KEY TO BEGIN", 8, 18)
    if kb.readchar() in ("q", "\x03"):
        return

    screen.blank()

    try:
        if "NOFLAG" in sys.argv:
            flag = b"TEST"
        else:
            flag = open("/flag", "rb").read().strip()
    except FileNotFoundError:
        flag = b"ERROR: /flag NOT FOUND"
    except PermissionError:
        flag = b"ERROR: /flag permission denied"

    hidden_bytes = [ bytes([b]) for b in flag ][::-1]

    hidden_x = random.randrange(w)
    hidden_y = random.randrange(h)
    revealed_bytes = [ ]

    bomb_x = random.randrange(w)
    bomb_y = random.randrange(h)
    while bomb_x in (x, x+1, x+2) and bomb_y in (y, y+1):
        bomb_x = random.randrange(w)
        bomb_y = random.randrange(h)

    key = ""
    while True:
        # quit on q or ctrl-c
        if key == "q" or key == "\x03":
            break

        # move
        if key == "w": y = (y-1)%h
        if key == "a": x = (x-1)%w
        if key == "s": y = (y+1)%h
        if key == "d": x = (x+1)%w

        # check bomb
        if bomb_x in (x, x+1, x+2) and bomb_y in (y, y+1):
            screen.blank()
            screen.animate_text("~~~~~ BOOOOOOOOM ~~~~~~", x, y)
            break

        # uncover flag
        if hidden_bytes and key == "l" and hidden_x in (x, x+1, x+2) and hidden_y in (y, y+1):
            revealed_bytes.append([
                hidden_x, hidden_y,
                random.randrange(128, 256), random.randrange(128, 256), random.randrange(128, 256),
                hidden_bytes.pop()
            ])
            bomb_x = random.randrange(w)
            bomb_y = random.randrange(h)
            while bomb_x in (x, x+1, x+2) and bomb_y in (y, y+1):
                bomb_x = random.randrange(w)
                bomb_y = random.randrange(h)
            prev_hidden_x = hidden_x
            prev_hidden_y = hidden_y
            while hidden_x == prev_hidden_x and hidden_y == prev_hidden_y:
                hidden_x = (bomb_x+random.randrange(w-1))%w
                hidden_y = (bomb_y+random.randrange(h-1))%h

        # render everyone
        screen.blank()
        correct_bytes = ''
        for rx,ry,r,g,b,c in revealed_bytes:
            screen.render_patch_monochrome([c], rx, ry, r=r, g=g, b=b)
            correct_bytes += str(c.decode())
        if hidden_bytes:
            screen.render_patch_monochrome(
                [b"?"], hidden_x, hidden_y,
                r=random.randrange(256), g=random.randrange(256), b=random.randrange(256)
            )
        else:
            try:
                while True:
                    screen.animate_text("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!", 10, hidden_y)
                    screen.animate_text("!!! CONGRATULATIONS, YOU DID IT !!!", 10, hidden_y + 1)
                    screen.animate_text(correct_bytes, 10, hidden_y + 2)
                    screen.animate_text("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!", 10, hidden_y + 1)
            except KeyboardInterrupt:
                print(flag.decode(), file=sys.stderr)  # Print decoded flag to stderr
                break

        screen.render_patch_monochrome([b"B"], bomb_x, bomb_y)
        screen.render_sprite(our_sprite, x, y)
        screen.flush()

        key = kb.readchar()

if __name__ == "__main__":
    game()

in quest.py

class CIMG_NORMAL:
    MAGIC = b"cIMG"
    # ...

class CIMG_1337(CIMG_NORMAL):
    MAGIC = b"CNNR"

当不加 NOFLAG 参数运行游戏获取 Flag 时，程序使用的是 CIMG_1337 引擎。它生成的图像数据流，开头不再是标准的 "cIMG"，而是 "CNNR"。

而标准解析器 /challenge/cimg 里写死了这个判断：

if (strncmp(cimg.header.magic_number, "cIMG", sizeof(cimg.header.magic_number))) {
    puts("ERROR: Invalid magic number!");
    exit(-1);
}

patch the binary /challenge/cimg or

直接用 Python 的 pwntools 挂载 quest.py，接管它的 stdout 截获地图数据，运行 BFS（广度优先搜索）自动避开炸弹并寻找目标，然后向 stdin 注入最优按键。

1. 不去处理图形界面，直接用 struct 解析 CNNR 字节流中的 Opcode。
2. BFS 寻路计算出避开炸弹、走到 ? 旁边的最短路径序列。

Breadth-First Search（广度优先搜索）

import struct
import subprocess

from pwn import *


def solve(known_flag):
    try:
        # PTY 欺骗 termios，PIPE 保证二进制流纯净
        p = process(
            ["/challenge/quest.py"],
            stdin=process.PTY,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        )
    except Exception as e:
        return known_flag

    try:
        p.recvn(12)  # 魔数
    except EOFError:
        return known_flag

    state = {
        "px": -1,
        "py": -1,
        "hx": -1,
        "hy": -1,
        "bx": -1,
        "by": -1,
        "frame_flag": "",
    }

    def parse_frame():
        state["px"] = state["bx"] = state["hx"] = -1
        frame_chars = ""
        saw_player = False

        while True:
            try:
                # 超时阻断，防止卡在输入缓冲区死锁
                if not p.can_recv(timeout=0.2):
                    return "TIMEOUT"

                op_bytes = p.recvn(2)
                if not op_bytes:
                    return False
                op = struct.unpack("<H", op_bytes)[0]
            except EOFError:
                return False

            if op == 1:  # RENDER_FRAME
                p.recvn(70 * 20 * 4)
            elif op == 2:  # RENDER_PATCH
                px, py, pw, ph = struct.unpack("<BBBB", p.recvn(4))
                pixels = p.recvn(pw * ph * 4)
                if pw == 1 and ph == 1:
                    # 获取 RGB 和 字符
                    r_col, g_col, b_col, c = pixels[0], pixels[1], pixels[2], pixels[3]
                    if c == ord("?"):
                        state["hx"], state["hy"] = px, py
                    elif c == ord("B") and r_col == 0xff and g_col == 0xc6 and b_col == 0x27:
                        # 只有黄色 (255, 198, 39) 的 B 才是炸弹， Flag may be B
                        state["bx"], state["by"] = px, py
                    elif chr(c) not in (" ", "!", "#"):
                        frame_chars += chr(c)
            elif op == 3:  # CREATE_SPRITE
                s_id, sw, sh = struct.unpack("<BBB", p.recvn(3))
                p.recvn(sw * sh)
            elif op == 4:  # RENDER_SPRITE
                num, r, g, b, px, py, tx, ty, tc = struct.unpack(
                    "<BBBBBBBBB", p.recvn(9)
                )
                if num == 0:
                    state["px"], state["py"] = px, py
                    saw_player = True
            elif op == 6:  # FLUSH (当前帧渲染完毕)
                p.recvn(1)
                if saw_player or "pwn.college" in frame_chars:
                    state["frame_flag"] = frame_chars
                return True
            elif op == 7:  # SLEEP
                p.recvn(4)
            else:
                return False

    def get_best_move(px, py, hx, hy, bx, by):
        """BFS 最短路径寻路"""
        queue = [(px, py, [])]
        visited = set([(px, py)])
        while queue:
            cx, cy, path = queue.pop(0)

            # 3x2 bounding box
            if hx in (cx, cx + 1, cx + 2) and hy in (cy, cy + 1):
                return path[0] if path else "l"

            for key, dx, dy in [("w", 0, -1), ("s", 0, 1), ("a", -1, 0), ("d", 1, 0)]:
                # Toroidal Map Wrapping
                nx, ny = (cx + dx) % 70, (cy + dy) % 20
                # boom here
                if not (bx in (nx, nx + 1, nx + 2) and by in (ny, ny + 1)):
                    if (nx, ny) not in visited:
                        visited.add((nx, ny))
                        queue.append((nx, ny, path + [key]))
        return "SOFTLOCK"

    while True:
        res = parse_frame()

        if res == "TIMEOUT":
            p.send(b" ")
            continue

        if not res:
            p.close()
            break

        # 增量比对：只在提取进度超越已知记录时才打印
        if state["frame_flag"] and len(state["frame_flag"]) > len(known_flag):
            known_flag = state["frame_flag"]
            print(f"[+] Extracted so far: {known_flag}")
            if known_flag.endswith("}"):
                p.close()
                return known_flag

        if state["px"] != -1 and state["bx"] != -1 and state["hx"] != -1:
            move = get_best_move(
                state["px"],
                state["py"],
                state["hx"],
                state["hy"],
                state["bx"],
                state["by"],
            )
            if move == "SOFTLOCK":
                print(
                    f"[*] Soft-lock detected at Target ({state['hx']:02d},{state['hy']:02d}). "
                )
                p.close()
                return known_flag
            p.send(move.encode())
    return known_flag


if __name__ == "__main__":
    print("START")
    current_flag = ""
    while True:
        current_flag = solve(current_flag)