|
| 1 | +# No way out |
| 2 | + |
| 3 | +I will be completing this challenge on windows using game cheat techniques because they are fun. |
| 4 | + |
| 5 | +## Looking at what was given |
| 6 | + |
| 7 | +Upon downloading the zip file from the site, we get a folder with an executable inside. The screenshot below shows the first thing I was presented with upon running it (aside from windows telling me it was a virus lol). |
| 8 | + |
| 9 | + |
| 10 | + |
| 11 | +It is pretty apparent where I'm supposed to go, however I am not immediately able to climb the ladder. The name of the challenge is beginning to make sense: |
| 12 | + |
| 13 | + |
| 14 | + |
| 15 | +## The approach |
| 16 | + |
| 17 | +Despite this being a reverse engineering challenge, I believe I can do this without even opening a decompiler or trying to understand the binary. Instead, I decided to use my knowledge of cheating in games to attempt a very primitive teleportation cheat. |
| 18 | + |
| 19 | +### Cheat-engine |
| 20 | + |
| 21 | +Cheat engine does a bunch of stuff, but for this challenge I will be using it to search for the player's position values in memory and modify them during runtime allowing me to, ideally, teleport straight through the wall. |
| 22 | + |
| 23 | +I've never used Cheat engine on Mac, but there is supposedly Mac support: https://www.cheatengine.org/downloads.php |
| 24 | + |
| 25 | +Attaching the process to cheat engine is very simple. Once we do this we will be able to gather a set of memory addresses and narrow down on them as they change. Here is a screenshot of me attaching the game to Cheat-engine: |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +## The exploitation begins |
| 30 | + |
| 31 | +As mentioned earlier, I want to find some sort of position value in memory and change it to achieve teleportation. However, I do not know what the exact values are of the players position or what types they are. However, I can make a reasonable assumption that the X, Y and Z values of my player are likely implemented as floats. I can begin my memory scanning without knowing the starting value. Here is my configuration for the first scan: |
| 32 | + |
| 33 | + |
| 34 | + |
| 35 | +After hitting the first scan button, you can see the set of addresses it's gathered is quite large. But there are things I can do to narrow my search. |
| 36 | + |
| 37 | + |
| 38 | + |
| 39 | +I can make a reasonable assumption that the map most likely wasn't massive and that the player was probably placed somewhere near the center: |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +But this didn't really help much. The way I can really start narrowing down on the search is by incrementing one of my positional values by a small amount and then searching for values that incremented. When I cannot walk forward anymore, I will do the same but walking backwards and scanning for decreasing values. Which way is positive? Your guess is as good as mine as this approach is all about guess work. My first assumption was that posative was straight forward, because I could imagine the author of the game didn't really have a reason to rotate the character in any particular direction unless they wanted to throw people making this assumption off. I begin by will walking to the position you can see in the screenshot below, scanning for changed values, and then scanning for increased values every time I walk a little bit forward: |
| 44 | + |
| 45 | +NOTE: An occasional moment of standing still and scanning for unchanged values can also help a bit as well. |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | +My first step forward followed by an increased value scan already brought it down to just over seven million: |
| 50 | + |
| 51 | + |
| 52 | + |
| 53 | +## After walking back and forth for a while ... |
| 54 | + |
| 55 | +I was able to narrow down the search to 304 results. Not bad: |
| 56 | + |
| 57 | + |
| 58 | + |
| 59 | +Still, 304 is a lot and I don't want to test each one individually, so instead I can bring all of these addresses down into the table below where I can control them. What I typically like doing is locking half |
| 60 | +the results I find and trying to move around (locking a value will prevent it from changing). If I locked the correct value, I won't be able to walk. With this method you can sort of perform a binary search to narrow down the results pretty quickly. I ended getting this effect when locking the first half of the results I gathered. Here is what that looked like: |
| 61 | + |
| 62 | +https://user-images.githubusercontent.com/96510931/228140333-4bd5dc38-b8f6-41df-a0c3-042fe81a22cf.mp4 |
| 63 | + |
| 64 | +You have to be careful tinkering with some of these values. It will require some trial and error, as I ended up clipping myself through the map at one point: |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | +There is not really any recovering from this, if this happens you get to start over. If you are REALLY not careful you could easily crash the entire game (yes, it's quite frustrating). |
| 69 | + |
| 70 | +## After some trial and error ... |
| 71 | + |
| 72 | +I was finally able to determine that the wall behind me in the video was in between -12 and -5, and I used those values to greatly narrow down my search. I ended up with 38 values, and locking them and setting them to -13 teleported me outside of the wall. Once you are out, you can unlock the values and move around freely: |
| 73 | + |
| 74 | + |
| 75 | + |
| 76 | +You can get the flag by walking closer to the large while flag pole: |
| 77 | + |
| 78 | + |
| 79 | + |
| 80 | +gg2ez |
0 commit comments