Flare-On 7 2020 Challenge #3: wednesday

Tools to use:

  • IDA
  • x64dbg

When start the program, we received a game menu:

When pressing “DUDE” we have frog that needs to pass obstacles. It can do it by jumping or ducking:

When jumping or ducking successfully over an obstacle, we receive 1 point. We don’t know yet what is the limit of the score. The first thing I was interested in is, what score I need to finish this game? Can I just find the place where it compare the score to the winning score and bypass it? It sounds too easy but I thought it worth checking it.

After searching statically and dynamically I found interesting function named _winScene_eVaCVkG1QBiYVChMxpMGBQ:

After searching for its references I found that before this function, there is a comparing of some value to 0x128 (296):

I confirmed it, this is the score needed to win the game. Well, why not put breakpoint and just change our score (i.e. 1) to 297? turns out it didn’t help and we just received a winner window without any flag:

Next vector was to hack the obstacles, find the obstacles functions and change it so it will pass it and receive a score. I also had another thought, when it pass one obstacle give it 296 points instead of 1 but it also didn’t work so I won’t describe this way here.

There were lots of functions that contains the word collide, collision, onCollision, etc..

After checking number of them, I found the function checkCollisions that looked interesting for me. After checking this function I found that it leads a deeper onCollide_9byAjE9cSmbSbow3F9cTFQfLg@8 function that checks the scenario when you jump or duck:

I wanted to compare this function when I collide and when I jump or duck. I compare between a trace of colliding to ducking:

We can see that when duck, it call to jmp 0x00432172, so the first change I did is to change the code at 0x43215C to jump to 0x432172. But it wasn’t enough because it only bypass the case when the obstacle if for ducking but not for the one who intends for jumping.

The last change was at 0x432358:

I needed to route it to the program to 0x432261, like previously, I changed it to always jump to this address.

I did these changes in x32dbg because it easier to do such changes instead of IDA.

After these two changes it bypass everything:

After couple of minutes I got the flag:

flag: 1t_i5_wEdn3sd4y_mY_Dud3s@flare-on.com

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)