TRYHACKME
Advent of Cyber 2022 [Day 10] - Hack a game: You’re a mean one, Mr. Yeti
Scenario: The Bandit Yeti, unable to hack a thing, decided to go for eldritch magic as a last resort and trapped Elf McSkidy in a video game during her sleep. When the rest of the elves woke up, their leader was nowhere to be found until Elf Recon McRed noticed one of their screens, where Elf McSkidy’s pixelated figure could be seen. By the screen, an icy note read: “Only by winning the unwinnable game shall your dear Elf McSkidy be reclaimed”.
Day 10 Learning Objectives: Memory Manipulations.
- Learn how data is stored in memory in games or other applications.
- Use simple tools to find and alter data in memory.
- Explore the effects of changing data in memory on a running game.
The Memory of a Program
Whenever a program runs, the data it works on (health points, score, positions, timers) lives in the computer’s RAM while it executes.
If you can find and modify the right memory locations, you can make the game believe you have more HP than you should, or a higher score. That sounds simple, but a program’s memory space is large and sparsely populated, and locating the variables of interest by hand is impractical. Fortunately, there are tools that help you navigate memory and find where the interesting values are.
The Mighty Cetus: a browser extension for Firefox and Chrome that lets you explore the memory of WebAssembly games running in your browser. Its main purpose is to make it easy to find any piece of data stored in the game’s memory and modify it if needed. On top of that, it lets you patch the game’s compiled code and alter its behaviour.
Answers to Questions
What is the Guard’s flag?
THM{5_star_Fl4gzzz}
What is the Yeti’s flag?
THM{yetiyetiyetiflagflagflag}
Sometimes we do not know the value to search for. In this example we need the memory address of our HP, but we do not know the numeric HP value, so there is nothing to search for directly. In such cases we use a technique called “differential search”: take a snapshot of memory, do something that should change the unknown value (for example, take damage so HP goes down), then keep only the addresses whose value changed in the expected direction (decreased). Repeat with other actions (stand still so HP stays the same and filter for unchanged) until a single address is left, then write the value you want into it.
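The following is an added example written for this write-up; it is not Cetus source code and not the game’s code. It simulates one page of WebAssembly linear memory with an assumed layout (the offsets 0x100, 0x104, 0x200, 0x300, 0x400 and the starting values are made up for the demonstration) and implements both searches discussed above: the exact-value search you would use when the number is known, and the differential (snapshot-and-compare) search you use when it is not. It also shows why the exact search alone is ambiguous when several slots hold the same number.

```javascript
// Added example for this write-up (not Cetus source and not the game's code):
// a simulated WebAssembly linear memory plus the two searches the text
// describes, an exact-value search and a differential (snapshot) search.
// All offsets and values below are assumptions chosen for the demonstration.

const PAGE_SIZE = 65536; // one WebAssembly memory page (64 KiB)

// Hypothetical layout of the game's state inside linear memory.
const HP_OFF = 0x100;     // current HP (pretend we do not know its value)
const MAXHP_OFF = 0x104;  // max HP, never changes
const SCORE_OFF = 0x200;  // score
const DECOY_OFF = 0x300;  // unrelated counter that happens to equal HP at start
const TIMER_OFF = 0x400;  // countdown timer that drops every tick

// Build a fresh memory page. WebAssembly stores i32 values little-endian,
// so every read/write below passes `true` as the littleEndian flag.
function makeMemory() {
  const view = new DataView(new ArrayBuffer(PAGE_SIZE));
  view.setInt32(HP_OFF, 100, true);
  view.setInt32(MAXHP_OFF, 100, true);
  view.setInt32(SCORE_OFF, 0, true);
  view.setInt32(DECOY_OFF, 100, true);
  view.setInt32(TIMER_OFF, 600, true);
  return view;
}

// Simulated game tick: the timer always decreases; HP decreases only when hit.
function tick(view, damage) {
  view.setInt32(TIMER_OFF, view.getInt32(TIMER_OFF, true) - 1, true);
  if (damage > 0) {
    view.setInt32(HP_OFF, view.getInt32(HP_OFF, true) - damage, true);
  }
}

// Every 4-byte aligned slot in memory: the starting candidate set.
function allSlots(view) {
  const slots = [];
  for (let off = 0; off + 4 <= view.byteLength; off += 4) slots.push(off);
  return slots;
}

// Exact-value search: offsets of every aligned i32 equal to `value`.
// Works when the value is known (a score shown on screen), but is ambiguous
// when several slots hold the same number.
function searchExact(view, value) {
  return allSlots(view).filter((off) => view.getInt32(off, true) === value);
}

// Snapshot of every aligned i32 so later states can be compared against it.
function snapshot(view) {
  const out = new Int32Array(view.byteLength / 4);
  for (let i = 0; i < out.length; i++) out[i] = view.getInt32(i * 4, true);
  return out;
}

// Differential search step: keep candidates whose value moved from `prev`
// to the current memory in the direction `relation` names.
function refine(candidates, prev, view, relation) {
  return candidates.filter((off) => {
    const before = prev[off / 4];
    const now = view.getInt32(off, true);
    switch (relation) {
      case 'decreased': return now < before;
      case 'increased': return now > before;
      case 'unchanged': return now === before;
      default: throw new Error(`unknown relation: ${relation}`);
    }
  });
}

// Locate HP without knowing its value: take a hit (HP and timer both drop),
// filter for 'decreased'; then stand still (only the timer drops), filter for
// 'unchanged'. What survives both filters is the HP slot.
function findHpOffset(view) {
  let candidates = allSlots(view);
  let prev = snapshot(view);
  tick(view, 13);                                          // get hit
  candidates = refine(candidates, prev, view, 'decreased');
  prev = snapshot(view);
  tick(view, 0);                                           // no hit
  candidates = refine(candidates, prev, view, 'unchanged');
  return candidates;
}

// Write a new value into the slot found and read it back (what editing a
// search result in a memory tool does).
function setI32(view, off, value) {
  view.setInt32(off, value, true);
  return view.getInt32(off, true);
}

// Stand-alone demo.
const demoMem = makeMemory();
const hex = (o) => '0x' + o.toString(16);
console.log('exact search for 100:', searchExact(demoMem, 100).map(hex));
const demoHp = findHpOffset(demoMem);
console.log('differential search result:', demoHp.map(hex));
console.log('HP after patch:', setI32(demoMem, demoHp[0], 9999));
```

The exact search for 100 returns three slots (HP, max HP and the decoy), which is the ambiguity you hit when a common number appears in many places. The differential search starts from every aligned slot, and two filters are enough here because only one slot both decreases when hit and stays constant when idle. In a real game you repeat the snapshot/filter cycle until one candidate remains, then overwrite it.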