We used .NET Reflector with the Reflexil plugin for the occasional patching.
Cave of Nope and Moon Boots
After solving Ad Subtract, Cave of Nope was the second task we solved. We discovered what to do pretty easily after exploring the area called "Creepy Cave". Here is a picture of the huge gap that we needed to get through in order to fight the Spider Queen.
|Mind the gap|
We started exploring the .NET assembly and soon found something very promising.
We also updated the constants in UpdateMovement to make the running speed much faster. This allowed us to get past the gap and two of us successfully defeated the evil Spider Queen.
The final solution was to create a negative gravity and jump out of bounds on a normal map. This teleported us to the moon.
|Changing -9.81 to 0.5 did the trick|
Unbearable
For this task we had to crack a chest in a map full of bears. The chest took 5 minutes to crack and the less time we had, the more dangerous it was. In the last 90 seconds, bears actually start shooting at you with machine guns. It was clear that we needed to be invincible to solve this. We tried patching the client in many different ways, but nothing seemed to take effect on the server side. Then, by reading the code, we found out about drinking wine. This solved our problems. We also needed to jump on top of the chest to avoid other attacks, but we already had high jumps patched.
A Boaring Quest
For this task, we needed to take down 9800 boars. This seemed too tedious, so we decided to cheat. We came up with a rather ugly solution, but it worked. In GameServerConnection we found a QuestKill method, which had the following anonymous method inside:
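    // Compiler-generated anonymous method, as shown by the decompiler
    internal void <>m__51()
    {
        // Build the quest-kill command message
        GameServerMessage message = new GameServerMessage(GameServerMessage.Command.QuestKillCommand);
        // Add the message size to the connection's sent-bytes counter
        this.$this.bytesSent += message.length;
    }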
Instead of returning from the function at the end, we just jumped to the beginning again. This is not an elegant solution at all.
Rabbit of Caerbannog
To solve this task, we needed to defeat a rabbit, which seemed invincible at first. After reading parts of the code, we realized that we needed a "Holy Hand Grenade" to kill it. To get the grenade, we needed 89 gears, which were supposed to be purchased using real money as an in-game purchase (this part wasn't implemented, just suggested). Here is the relevant code:
    "IAP", -this.quantity * this.itemPrice))
    this.result = false;
    this.error = "Not enough Gears for this purchase.";
    // Get the item
If -this.quantity * this.itemPrice is a negative value (as intended), we will never have enough gears to buy anything, since there is no mechanism in the game to get gears. However, if we trigger an integer overflow, the sign of the expression changes and we get not only a lot of grenades, but a lot of gears too.
Entering 999,999,999 for the number of grenades to buy did the trick.
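The sign flip described above, next to a hardened version of the same check, as an added example that is not code from the game or from the original writeup. The Wallet and Shop classes, their method names and the item price of 3 are assumptions made for illustration; with that price, (-999,999,999) × 3 wraps in 32-bit arithmetic to +1,294,967,299.

```csharp
using System;

// Hypothetical stand-in for the game's currency store (not the game's class).
class Wallet
{
    public int Gears;

    // Applies delta only if the balance would stay non-negative.
    public bool TryAdjust(int delta)
    {
        if (Gears + delta < 0) return false;
        Gears += delta;
        return true;
    }
}

static class Shop
{
    // Same shape as the expression on the page: C# int arithmetic is
    // unchecked by default, so the product silently wraps around.
    public static bool BuyUnchecked(Wallet w, int quantity, int itemPrice)
    {
        return w.TryAdjust(-quantity * itemPrice);
    }

    // Hardened: reject out-of-range input, then compute the cost in a
    // checked context so that an overflow fails the purchase.
    public static bool BuyChecked(Wallet w, int quantity, int itemPrice)
    {
        if (quantity <= 0 || itemPrice < 0) return false;
        try
        {
            int cost = checked(quantity * itemPrice);
            return w.TryAdjust(-cost);
        }
        catch (OverflowException) { return false; }
    }
}

static class Program
{
    static void Main()
    {
        const int price = 3; // assumed price; the page does not give one
        var a = new Wallet();
        Console.WriteLine(Shop.BuyUnchecked(a, 999999999, price) + " gears=" + a.Gears);
        var b = new Wallet();
        Console.WriteLine(Shop.BuyChecked(b, 999999999, price) + " gears=" + b.Gears);
    }
}
```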
Pwn Adventure 2 was the most impressive CTF task (well, set of tasks) I have seen. Thanks again to the Ghost in the Shellcode team.