Monday, January 20, 2014

Ghost in the Shellcode 2014 - Pwn Adventure 2 writeups

Pwn Adventure 2 is a full MMO-like game designed by the creators of the CTF, with some pwning in mind. It is built on Unity, and on Windows the game logic lives in a separate DLL, which the rules allowed us to reverse and patch.

We used .NET Reflector with the Reflexil plugin for the occasional patching.

Cave of Nope and Moon Boots

After solving Ad Subtract, Cave of Nope was the second task we solved. We discovered what to do fairly easily after exploring the area called "Creepy Cave". Here is a picture of the huge gap that we needed to get across in order to fight the Spider Queen.

Mind the gap

Exploring the .NET assembly, we soon found something very promising.


We also changed the constants in UpdateMovement to make the running speed much faster. Since movement is evaluated on the client, this was enough to get past the gap, and two of us successfully defeated the evil Spider Queen.

Reenactment
Even though Moon Boots relies on something very similar, we ended up solving it last. It took us a while to figure out how to enter the Moon level; we only worked it out from the IRC logs. Initially we tried to enter the level by swapping level files locally, but that did not let us take the items from the chest. In hindsight this makes sense: if it had worked, every task could have been solved that way.

The final solution was to invert gravity, so that the character rises instead of falls, and jump out of bounds on a normal map. This teleported us to the moon.

Changing the gravity constant from -9.81 to 0.5 did the trick

Unbearable

For this task we had to crack a chest in a map full of bears. The chest took 5 minutes to crack, and the less time remained, the more dangerous it got. In the last 90 seconds the bears actually start shooting at you with machine guns. It was clear that we needed to be invincible to solve this. We tried patching the client in many different ways, but nothing seemed to take effect on the server side: damage and health are evidently decided by the server, not the client. Then, reading the code, we found out about drinking wine, which solved our problem. We also needed to jump on top of the chest to avoid other attacks, but we already had high jumps patched in.




A Boaring Quest

For this task, we needed to take down 9800 boars. This seemed far too tedious, so we decided to cheat. We came up with a rather ugly solution, but it worked. In GameServerConnection we found a QuestKill method, which had the following anonymous method inside:
internal void <>m__51()
{
    try
    {
        // One QuestKillCommand per call, carrying only the enemy name.
        GameServerMessage message = new GameServerMessage(GameServerMessage.Command.QuestKillCommand);
        message.GetWriter().Write(this.enemyName);
        // Written straight to the server stream; the server counts the kill from this.
        message.Serialize(this.$this.stream);
        this.$this.bytesSent += message.length;
    }
    catch (Exception)
    {
        this.$this.Stop();
    }
}
Instead of returning at the end of the function, we patched the IL to jump back to the beginning, so the client sends QuestKillCommand messages in a loop. It is not an elegant solution at all, but the server accepted every client-reported kill and the quest completed.
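The trust problem behind this task, modelled as an added example (not code from the game or the writeup): a server that counts client-reported kills next to one that only counts kills its own combat code resolved. The command name, the enemy-name payload and the 9800-boar target are from the page; the opcode value, the message layout and every server-side class and method name are assumptions. The name is serialized the way .NET's BinaryWriter.Write(string) does it, as a 7-bit-encoded length prefix followed by UTF-8 bytes.

```python
"""Model of the QuestKillCommand trust problem behind "A Boaring Quest".

Added example, not the game's code. Assumptions: the opcode value, the
message layout (opcode, then the BinaryWriter-style name) and all the
server-side names below.
"""

QUEST_KILL_COMMAND = 0x10  # assumed opcode; the real enum value is not on the page
BOAR_QUEST_TARGET = 9800


def write_7bit_int(value: int) -> bytes:
    """Encode a non-negative int like BinaryWriter.Write7BitEncodedInt."""
    out = bytearray()
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def read_7bit_int(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a 7-bit-encoded int at pos; return (value, new_pos)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7
        if shift > 35:
            raise ValueError("7-bit int too long")


def encode_quest_kill(enemy_name: str) -> bytes:
    """Build one QuestKillCommand message: opcode + length-prefixed name."""
    name = enemy_name.encode("utf-8")
    return bytes([QUEST_KILL_COMMAND]) + write_7bit_int(len(name)) + name


def decode_quest_kill(msg: bytes) -> str:
    """Parse a QuestKillCommand and return the reported enemy name."""
    if not msg or msg[0] != QUEST_KILL_COMMAND:
        raise ValueError("not a QuestKillCommand")
    length, pos = read_7bit_int(msg, 1)
    if len(msg) != pos + length:
        raise ValueError("bad name length")
    return msg[pos:].decode("utf-8")


def client_report_kills(enemy_name: str, count: int) -> list[bytes]:
    """What the patched client does: emit QuestKillCommand in a loop
    instead of once per real kill."""
    return [encode_quest_kill(enemy_name) for _ in range(count)]


class TrustingQuestServer:
    """Advances quest progress on every client-reported kill. This is the
    behaviour the IL patch above exploits."""

    def __init__(self) -> None:
        self.progress: dict[str, int] = {}

    def handle(self, msg: bytes) -> None:
        name = decode_quest_kill(msg)
        self.progress[name] = self.progress.get(name, 0) + 1

    def quest_complete(self, enemy_name: str) -> bool:
        return self.progress.get(enemy_name, 0) >= BOAR_QUEST_TARGET


class AuthoritativeQuestServer(TrustingQuestServer):
    """Hardened variant: progress only moves when the server's own combat
    resolution kills an enemy. The client's QuestKillCommand is still
    parsed (malformed messages are rejected) but never trusted for counting."""

    def __init__(self) -> None:
        super().__init__()
        self.ignored_reports = 0

    def handle(self, msg: bytes) -> None:
        decode_quest_kill(msg)
        self.ignored_reports += 1

    def on_enemy_died(self, enemy_name: str) -> None:
        """Called from server-side combat code, never from a network message."""
        self.progress[enemy_name] = self.progress.get(enemy_name, 0) + 1
```

Feeding 9800 looped messages to TrustingQuestServer completes the quest without a single boar dying; AuthoritativeQuestServer ignores all of them and only completes once its own on_enemy_died has fired 9800 times.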

Rabbit of Caerbannog

To solve this task, we needed to defeat a rabbit, which seemed invincible at first. After reading parts of the code, we realized that we needed a "Holy Hand Grenade" to kill it. A grenade cost 89 gears, and gears were meant to be bought with real money as an in-app purchase (this part was not implemented, only hinted at). Here is the relevant code:
// The cost is computed with default (unchecked) C# integer arithmetic,
// so a large quantity makes the product wrap around.
if (!this.$this.player.inventory.AdjustQuantityForItem(
    "IAP", -this.quantity * this.itemPrice))
{
    this.result = false;
    this.error = "Not enough Gears for this purchase.";
    this.doneEvent.Set();
}
else
{
    // Get the item
}
As long as -this.quantity * this.itemPrice is negative (as intended), we can never afford anything, because there is no way to earn gears in the game. But the multiplication is done in unchecked 32-bit integer arithmetic, so a large enough quantity wraps the product: the sign flips, AdjustQuantityForItem adds gears instead of subtracting them, and we end up with not only a lot of grenades but a lot of gears too.



Entering 999,999,999 for the number of grenades to buy did the trick: 999,999,999 × 89 does not fit in 32 bits, and the wrapped, negated value is positive.
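The same arithmetic as an added example (not the game's code): a model of the purchase handler with C#'s unchecked 32-bit int emulated explicitly, next to a hardened version that bounds-checks the cost before touching the inventory. The price of 89 gears and the quantity 999,999,999 are from the writeup; the Inventory class, the function names and the assumed semantics of AdjustQuantityForItem (apply the delta unless the count would go negative) are assumptions.

```python
"""Model of the gear-purchase integer overflow behind "Rabbit of Caerbannog".

Added example, not the game's code. It emulates C#'s default unchecked
32-bit int arithmetic and shows why buying 999,999,999 grenades at 89
gears each leaves the player with more gears than before. Inventory,
the function names and the AdjustQuantityForItem semantics are assumed.
"""

INT32_MAX = (1 << 31) - 1


def to_int32(value: int) -> int:
    """Wrap an arbitrary Python int to a C# unchecked int (two's complement)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value > INT32_MAX else value


def purchase_delta(quantity: int, item_price: int) -> int:
    """Value of -this.quantity * this.itemPrice as the game computes it:
    unary minus binds first, then the product wraps at 32 bits."""
    return to_int32(to_int32(-quantity) * item_price)


class Inventory:
    def __init__(self, gears: int = 0) -> None:
        self.items = {"IAP": gears, "Holy Hand Grenade": 0}

    def adjust_quantity_for_item(self, name: str, delta: int) -> bool:
        """Assumed semantics of AdjustQuantityForItem: apply the delta
        unless the resulting count would be negative."""
        new_count = self.items.get(name, 0) + delta
        if new_count < 0:
            return False
        self.items[name] = new_count
        return True


def buy_grenades_unchecked(inv: Inventory, quantity: int, item_price: int) -> bool:
    """Mirror of the decompiled handler. With a large quantity the wrapped
    delta is positive, so the 'payment' credits gears instead of debiting."""
    if not inv.adjust_quantity_for_item("IAP", purchase_delta(quantity, item_price)):
        return False  # "Not enough Gears for this purchase."
    inv.items["Holy Hand Grenade"] += quantity
    return True


def buy_grenades_checked(inv: Inventory, quantity: int, item_price: int) -> bool:
    """Hardened handler: positive quantity only, cost computed without
    wrapping and range-checked before the inventory is touched. In C#,
    wrapping the same expression in checked(...) would throw
    OverflowException at this point instead."""
    if quantity <= 0 or item_price <= 0:
        return False
    total = quantity * item_price  # Python ints do not wrap
    if total > INT32_MAX:
        return False
    if not inv.adjust_quantity_for_item("IAP", -total):
        return False
    inv.items["Holy Hand Grenade"] += quantity
    return True
```

purchase_delta(999_999_999, 89) evaluates to +1,194,313,305, so the unchecked handler starting from zero gears ends with that many gears and 999,999,999 grenades, while the checked handler rejects the order and leaves the inventory untouched.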

Pwn Adventure 2 was the most impressive CTF task (well, set of tasks) I have seen. Thanks again to the Ghost in the Shellcode team.

1 comment:

  1. Excellent write up! I used similar techniques but a different tool for patching, would love if you could check and comment my methods at: http://lockboxx.blogspot.com/2014/01/ghost-in-shellcode-2014-ctf-writeup.html
