Today we will be taking a look at hacking a web app game by altering the contents of the game in memory, so while the box is starting up we’ll quickly go over the installation guide of Cetus for Chrome and get ready for some hacking.
Day 10
What is the Guard’s flag?
First things first, let’s load up Cetus by going to chrome://extensions, making sure Developer Mode is on and loading the unpacked extension. Once that’s done we can open the “Save Elf McSkidy” link on the desktop of the box to get to the game and use the Developer Tools menu to load up Cetus.
The game we’re dealing with here is a simple RPG type of game that allows us to walk around, talk with the NPCs and lose health, marked by the HP bar in the top right corner. Once we’ve gotten our bearings we can walk towards the nearby NPC and talk to them to proceed with the story. This guard gives us a chance to guess a random number, but given that we only get one guess this won’t be feasible.
However, after a wrong guess the guard will tell us the correct answer, and that hints at the possibility of looking up that value in the memory space. So let’s set up Cetus the following way:
- Value: the number the guard gives us
- Comparison Operator: EQ (equals)
- Value Type: i32, a 32-bit integer
- Only Aligned Addresses: No
Now when we do a search we’ll find one memory address whose value Cetus shows in hexadecimal. If we run that value through an online converter like https://www.rapidtables.com/convert/number/hex-to-decimal.html (or do it in your head if that’s more your jazz) we can see that the number matches the number the guard chose.
Using this information we can easily bypass the first part of this puzzle, so let’s bookmark the value and talk to the guard again. At some point you’ll notice that the value changes. Convert the new hexadecimal value to decimal and use that number to beat the guard, then talk to them again afterwards to get the flag.
What is the Yeti’s flag?
Moving on in the game we come across a bridge with snowball cannons on both sides. If we try to zerg rush it we’ll run out of HP very soon, so that’s obviously not the correct way forward. If you’ve ever played around with a Game Genie, GameShark or similar cheating device that lets you scan the memory for value changes, you’ll probably immediately know what the gist is here.
If you haven’t, this is a good learning opportunity. Essentially, since we’re losing HP each time we get hit, we want to either make our HP high enough that losing it doesn’t matter, or make it not decrease in the first place. But first we need to find out the memory address of the HP. For this we will use what’s called a Differential Search, basically a way to look for values that have changed since the last time we looked.
First we need to clear the search and find our baseline, so let’s just use the EQ Comparison Operator with an empty value to find all the values the game is storing. We’ll find a little under 500 000 values, so we definitely need to slim these down. In order to make the values change we need to get hit by a snowball, thus losing our HP. After that we can change the Comparison Operator to LT (Less Than) and run our search again. The number of results will go down dramatically, but we should do this a couple more times to narrow the possible values down even further.
Finally we arrive at just a few values, and figuring out which one we need to focus on becomes easy. Now we can bookmark the value and check the Freeze checkbox to make sure that the value will not change. This allows us to walk through the snowballs without getting hurt, and even the Yeti at the end of the bridge can’t touch us.
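As an added example (not part of the original post, and not Cetus’ own code), the following JavaScript reproduces both searches from this walkthrough, the EQ search for the guard’s number and the differential LT search for the HP address, over a constructed ArrayBuffer standing in for the game’s WebAssembly linear memory; the addresses, values and damage amount are all made up for the demonstration.

```javascript
// Constructed stand-in for the game's WebAssembly linear memory (one 64 KiB wasm page).
const memory = new ArrayBuffer(65536);
const view = new DataView(memory);
const HP_ADDR = 0x200; // constructed: where the game keeps the player's HP
// Constructed initial state: HP = 100, two decoys that also hold 100, and the
// guard's number 0x2a (42 decimal), all stored as little-endian i32 values.
view.setInt32(HP_ADDR, 100, true);
view.setInt32(0x300, 100, true);
view.setInt32(0x304, 100, true);
view.setInt32(0x100, 0x2a, true);

// Snapshot every i32 in memory. step = 4 scans aligned addresses only
// (Cetus' "Only Aligned Addresses: Yes"); step = 1 scans every byte offset.
function snapshot(step = 4) {
  const values = new Map();
  for (let addr = 0; addr + 4 <= view.byteLength; addr += step) {
    values.set(addr, view.getInt32(addr, true)); // wasm memory is little-endian
  }
  return values;
}

// EQ search: addresses whose current value equals `value` (the guard puzzle).
function searchEq(value, step = 4) {
  return [...snapshot(step)].filter(([, v]) => v === value).map(([addr]) => addr);
}

// Differential search: keep only candidates whose value moved the way `cmp`
// requires relative to the previous pass (LT = "less than last time").
const LT = (now, before) => now < before;
function differential(candidates, cmp) {
  const next = new Map();
  for (const [addr, before] of candidates) {
    const now = view.getInt32(addr, true);
    if (cmp(now, before)) next.set(addr, now);
  }
  return next;
}

// Simulated snowball hit: only the real HP cell decreases; the decoys stay put.
function takeHit(damage) {
  view.setInt32(HP_ADDR, view.getInt32(HP_ADDR, true) - damage, true);
}

// Bridge puzzle: baseline snapshot, take a hit, narrow with LT until one address remains.
function findHpAddress() {
  let candidates = snapshot(); // baseline: every aligned i32 in memory
  for (let round = 0; round < 5 && candidates.size > 1; round++) {
    takeHit(10);
    candidates = differential(candidates, LT);
  }
  return [...candidates.keys()];
}
```

In a real game many unrelated values change between passes, which is why the walkthrough repeats the LT search several times before the candidate list is short enough to pick from.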
Grab the flag and be victorious!