TRYHACKME

Advent of Cyber 2022 [Day 10] -Hack a game You’re a mean one, Mr. Yeti

Ali AK, published in System Weakness
3 min read · Dec 23, 2022

Scenario: The Bandit Yeti, unable to hack a thing, decided to go for eldritch magic as a last resort and trapped Elf McSkidy in a video game during her sleep. When the rest of the elves woke up, their leader was nowhere to be found until Elf Recon McRed noticed one of their screens, where Elf McSkidy’s pixelated figure could be seen. By the screen, an icy note read: “Only by winning the unwinnable game shall your dear Elf McSkidy be reclaimed”.

Day 10 Learning Objectives: Memory Manipulation.

  • Learn how data is stored in memory in games or other applications.
  • Use simple tools to find and alter data in memory.
  • Explore the effects of changing data in memory on a running game.

The Memory of a Program

Whenever we execute a program, all of its data passes through the computer’s RAM at some point.

For video games, all attributes are loaded into RAM while the game is running.

If you can modify the relevant memory positions, you could trick the game into thinking you have more HP than you should, or even a higher score! This sounds relatively easy, but a program’s memory space is vast and sparse, and finding the location where these variables are stored is nothing you’d want to do by hand. Fortunately, some tools will help us navigate memory and find where all the juicy information is.

The Mighty Cetus: a simple browser plugin that works for Firefox and Chrome, allowing you to explore the memory space of WebAssembly games that run in your browser. The main idea behind it is to provide you with the tools to easily find any piece of data stored in memory and modify it if needed. On top of that, it lets you modify a game’s compiled code and alter its behaviour if you want.

Answers to the Questions

What is the Guard’s flag?

THM{5_star_Fl4gzzz}

  • Play a round of the random number game so we can find the memory address where the guard’s random number is stored.
  • Take that random number and search for it in memory.
  • The search returns the memory address that holds that random number.
  • Data is shown in hexadecimal in memory, so convert the decimal value to hex.
  • Pick a new number and convert it to hex.
  • Write that hex value into the memory address found earlier (where the guard’s random number is stored).
  • Play the random number game with the guard again, and when it is time to guess, give the number (in decimal) that we wrote into memory.

What is the Yeti’s flag?

THM{yetiyetiyetiflagflagflag}

In this level, we need to find the memory address of the character’s HP so we can get past this snowball easily.

Sometimes we don’t know the value to search for in memory, as in this example: we have to find the memory address of the HP, but we don’t have the HP value to search for. In this kind of case we use a technique called “differential search”.

  • After a few iterations of the differential search technique, I found a value that looks like HP.
  • It starts at 100 every time at the start of the game.
  • This value keeps changing after I get hit, so it is surely the character’s HP.
  • Change that hex value to a higher one so the HP never runs out.
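To show what a memory tool like Cetus does behind the scenes for both levels, here is an added example (not code from the room or from Cetus) that runs the two search strategies over a constructed 64-byte buffer standing in for a game’s memory: an exact-value search for the guard’s number, a differential search across snapshots for the HP, and a patch of the address found. The offsets and values are made up for the demonstration.

```python
import struct

# Constructed stand-in for a game's linear memory: 64 bytes holding three
# 32-bit little-endian integers at hypothetical offsets (a real game differs).
def make_memory(hp: int, guard_number: int, score: int) -> bytearray:
    mem = bytearray(64)
    struct.pack_into("<I", mem, 8, score)
    struct.pack_into("<I", mem, 20, guard_number)
    struct.pack_into("<I", mem, 40, hp)
    return mem

def read_u32(mem: bytes, off: int) -> int:
    return struct.unpack_from("<I", mem, off)[0]

def scan_exact(mem: bytes, value: int) -> list:
    """Guard level: the value is known, so return every aligned
    4-byte address currently holding it."""
    return [off for off in range(0, len(mem) - 3, 4) if read_u32(mem, off) == value]

def scan_differential(before: bytes, after: bytes, candidates=None, changed=True) -> list:
    """Yeti level: the value is unknown. Compare two snapshots and keep
    only the addresses whose value changed (changed=True, e.g. after
    taking a hit) or stayed the same (changed=False, e.g. when nothing
    hit us), narrowing the candidate list on each iteration."""
    if candidates is None:
        candidates = range(0, len(before) - 3, 4)
    kept = []
    for off in candidates:
        moved = read_u32(before, off) != read_u32(after, off)
        if moved == changed:
            kept.append(off)
    return kept

def patch_u32(mem: bytearray, off: int, value: int) -> str:
    """Write the new value in place and return the hex form a memory
    editor would display for it (1000 -> 0x3e8)."""
    struct.pack_into("<I", mem, off, value)
    return f"0x{value:x}"

if __name__ == "__main__":
    start = make_memory(hp=100, guard_number=37, score=5)
    print("guard number lives at", scan_exact(start, 37))
    hit = make_memory(hp=90, guard_number=37, score=5)      # snapshot after a hit
    hp_addrs = scan_differential(start, hit)                 # what changed?
    scored = make_memory(hp=90, guard_number=37, score=6)    # score moved, HP did not
    hp_addrs = scan_differential(hit, scored, hp_addrs, changed=False)
    print("HP lives at", hp_addrs, "patched to", patch_u32(hit, hp_addrs[0], 1000))
```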


WHOAMI > Security Researcher | Red Teamer | Competitive CTF Player. Learning new things every day & Helping aspiring hackers. twitter.com/LE0_Hak