Writeup: FlareOn 2020: 003 - wednesday
1. TLDR
2. Input data
The challenge file is here. Password: flare.
The subject of the task is the platform game mydude.exe:
Following the task description, I first read the README.txt file:
██╗ ██╗███████╗██████╗ ███╗ ██╗███████╗███████╗██████╗ █████╗ ██╗ ██╗
██║ ██║██╔════╝██╔══██╗████╗ ██║██╔════╝██╔════╝██╔══██╗██╔══██╗╚██╗ ██╔╝
██║ █╗ ██║█████╗ ██║ ██║██╔██╗ ██║█████╗ ███████╗██║ ██║███████║ ╚████╔╝
██║███╗██║██╔══╝ ██║ ██║██║╚██╗██║██╔══╝ ╚════██║██║ ██║██╔══██║ ╚██╔╝
╚███╔███╔╝███████╗██████╔╝██║ ╚████║███████╗███████║██████╔╝██║ ██║ ██║
╚══╝╚══╝ ╚══════╝╚═════╝ ╚═╝ ╚═══╝╚══════╝╚══════╝╚═════╝ ╚═╝ ╚═╝ ╚═╝
--- BE THE WEDNESDAY ---
S
M
T
DUDE
T
F
S
--- Enable accelerated graphics in VM ---
--- Attach sound card device to VM ---
--- Only reverse mydude.exe ---
--- Enjoy it my dudes ---
I did not find any important hints here, apart from the ones that make it easier to run the game in a virtual machine.
3. Inspecting mydude.exe file
I checked the file with the file tool:
$ file mydude.exe
mydude.exe: PE32 executable (console) Intel 80386, for MS Windows
The game consists of collecting points, which are awarded each time the frog successfully passes an obstacle. The player can make the frog jump up or crouch:
The player loses when the frog collides with an obstacle. At the start of the game and after each defeat, an animation of a shrinking circle is played:
4. Static analysis
Since the player's defeat was caused by a collision with an object in the game world, I started by looking for the code responsible for collision detection. Analysing the disassembly, I identified the @play__ekc9cEXgy7z9cRAqIYID39ccg@8
function, which plays the circle animation. Why was this function interesting? The circle animation appeared every time the game restarted after the player's defeat, and the defeat was always the result of a collision.
The @play__ekc9cEXgy7z9cRAqIYID39ccg@8 function was called in three places:
Two of those calls were in the @onCollide__9byAjE9cSmbSbow3F9cTFQfLg@8 function, which handles collisions:
- @onCollide__9byAjE9cSmbSbow3F9cTFQfLg@8+137
The marked conditional jump decides whether execution reaches the block that calls the play function:
- @onCollide__9byAjE9cSmbSbow3F9cTFQfLg@8+260
The marked conditional jump decides whether execution reaches the block that calls the play function:
5. Code modification
To make the frog immortal, I modified the two fragments of the @onCollide__9byAjE9cSmbSbow3F9cTFQfLg@8 function described above:
5.1 Modification near @onCollide__9byAjE9cSmbSbow3F9cTFQfLg@8+137
I replaced the instruction:
.text:00432232 js loc_4321A2
which is encoded as a 6-byte near conditional jump (0F 88 rel32; loc_4321A2 is too far back for the 2-byte short form), with two instructions:
.text:00432232 nop
.text:00432233 jmp loc_4321A2
a 1-byte nop followed by a 5-byte jmp rel32 (E9 rel32). The pair fills exactly the original 6 bytes, and the branch that bypasses the play call is now taken unconditionally. The bytes were modified as follows:
5.2 Modification near @onCollide__9byAjE9cSmbSbow3F9cTFQfLg@8+260
I replaced the instruction:
.text:00432358 jz loc_432261
which is likewise a 6-byte near conditional jump (0F 84 rel32; loc_432261 is out of short-jump range), with two instructions:
.text:00432358 nop
.text:00432359 jmp loc_432261
again a 1-byte nop followed by a 5-byte jmp rel32, so that this branch is also always taken and the second call to play is never reached. The bytes were modified as follows:
5.3 Applying changes
Below are the patched bytes as shown in the executable:
Then I applied the patches to the file on disk:
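To make the patch reproducible outside a disassembler, here is an added example (my own code, not the author's tooling) that performs the same two rewrites on a copy of mydude.exe. The addresses and jump targets are the ones listed above; the byte values are not taken from the page but follow from the x86 encoding rules (a near Jcc is 0F 8x rel32, a near JMP is E9 rel32), and the script refuses to patch unless the original bytes match the expected Jcc. The image base and the .text section are read from the PE header; the input and output file names are assumptions.

```python
"""Patch the two conditional jumps in onCollide into unconditional jumps.

Added example; not the author's tooling. Addresses and targets come from
the writeup. The byte values are derived from the x86 encoding rules:
a near Jcc is 0F 8x rel32 (6 bytes) and a near JMP is E9 rel32 (5 bytes),
so NOP + JMP rel32 occupies exactly the original 6-byte slot.
"""
import struct
import sys
from dataclasses import dataclass

# Second opcode byte of the near (rel32) form of each Jcc; the first is 0F.
JCC_NEAR = {
    "jo": 0x80, "jno": 0x81, "jb": 0x82, "jae": 0x83,
    "jz": 0x84, "jnz": 0x85, "jbe": 0x86, "ja": 0x87,
    "js": 0x88, "jns": 0x89, "jp": 0x8A, "jnp": 0x8B,
    "jl": 0x8C, "jge": 0x8D, "jle": 0x8E, "jg": 0x8F,
}

# (address of the conditional jump, mnemonic, jump target), from the writeup
PATCHES = [
    (0x432232, "js", 0x4321A2),  # near @onCollide...+137
    (0x432358, "jz", 0x432261),  # near @onCollide...+260
]


def rel32(next_ip: int, target: int) -> bytes:
    """Displacement relative to the end of the jump instruction."""
    disp = target - next_ip
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return struct.pack("<i", disp)


def encode_jcc_near(mnemonic: str, va: int, target: int) -> bytes:
    """0F 8x rel32: the original 6-byte conditional jump at va."""
    return bytes([0x0F, JCC_NEAR[mnemonic]]) + rel32(va + 6, target)


def encode_nop_jmp(va: int, target: int) -> bytes:
    """90 E9 rel32: NOP at va, JMP rel32 at va+1; both forms end at va+6."""
    return b"\x90\xE9" + rel32(va + 6, target)


@dataclass
class Section:
    virtual_address: int      # RVA of the section
    pointer_to_raw_data: int  # file offset of the section


def va_to_offset(va: int, image_base: int, sec: Section) -> int:
    return va - image_base - sec.virtual_address + sec.pointer_to_raw_data


def find_section(data: bytes, name: bytes = b".text"):
    """Minimal PE32 header walk: returns (image_base, Section) for `name`."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("expected a PE32 (32-bit) image")
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        _vsize, vaddr, _rawsize, rawptr = struct.unpack_from("<4I", data, hdr + 8)
        if data[hdr:hdr + 8].rstrip(b"\0") == name:
            return image_base, Section(vaddr, rawptr)
    raise ValueError(f"section {name!r} not found")


def patch_jcc_to_jmp(data: bytearray, va: int, mnemonic: str, target: int,
                     image_base: int, sec: Section) -> int:
    """Overwrite one Jcc with NOP+JMP after checking the original bytes."""
    off = va_to_offset(va, image_base, sec)
    expected = encode_jcc_near(mnemonic, va, target)
    actual = bytes(data[off:off + 6])
    if actual != expected:
        raise ValueError(f"{va:#x}: found {actual.hex()}, expected {expected.hex()}")
    data[off:off + 6] = encode_nop_jmp(va, target)
    return off


def apply_patches(data: bytearray, image_base: int, sec: Section) -> list:
    """Apply both rewrites; returns the file offsets that were patched."""
    return [patch_jcc_to_jmp(data, va, m, t, image_base, sec) for va, m, t in PATCHES]


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "mydude.exe"          # assumed name
    dst = sys.argv[2] if len(sys.argv) > 2 else "mydude_patched.exe"  # assumed name
    image = bytearray(open(src, "rb").read())
    base, text = find_section(image)
    for off in apply_patches(image, base, text):
        print(f"patched 6 bytes at file offset {off:#x}")
    open(dst, "wb").write(image)
```

Because the original Jcc and the nop/jmp pair both end at the same address, the rel32 displacement is unchanged and only the first two bytes differ (0F 88 becomes 90 E9, 0F 84 becomes 90 E9), which is why the nop goes first. The pre-check is what you want when repeating the patch on a re-extracted file: if the bytes at the address are not the expected conditional jump, the script stops instead of silently corrupting something else.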
6. Reading the flag
All that remains is to start the program, make a coffee or tea and, in the meantime, let the frog pass every obstacle without colliding and collect 296 points: