AoC 2022 Day 10: Hack a game – You’re a mean one, Mr. Yeti

The Memory of a Program

Every time we run a program, the computer's RAM (Random Access Memory) holds the data that the program is working on. Think of a video game where your health points (HP), location, movement speed, and direction are all stored in memory and updated as the game progresses.


Game memory layout
You could trick the game into thinking you have more HP than you actually do, or even a higher score, if you can change the relevant memory locations. Although it may sound simple, a program's memory space is enormous and sparse, so manually locating where these variables are kept is impractical. With the aid of the right tools, however, we can navigate memory and locate all the important information.
Cetus Logo

The Mighty Cetus

Cetus is a straightforward browser add-on, compatible with Firefox and Chrome, that lets you look into the memory of WebAssembly games running in your browser. Its main goal is to give you the tools you need to quickly locate and edit any piece of data stored in memory. Additionally, if you choose, you can patch the game's compiled code to change how it behaves.

Accessing Cetus

To open the game, go to your deployed machine and click the “Save Elf McSkidy” icon on the desktop. This will open Google Chrome with Cetus already loaded for you.

Game Icon in Machine

To find Cetus, you need to open the Developer tools by clicking the button on the upper-right corner of Chrome, as shown in the figure below:

Developer Tools

Cetus is located in one of the tabs there:

Finding Cetus

With Cetus open, hit the refresh button to reload the game. If you installed Cetus on your machine, you can find the game at https://MACHINE_IP/. Cetus should detect the web assembly game running and show you the available tools:

Cetus Interface

Note: If Cetus shows the “Waiting for WASM” message, just reload the game, and the tools should load.

Guess the Guard’s Number

If you walk around the game, you will find that the guard won’t let you leave unless you guess a randomly generated number. At some point, the game must store this number in memory. Cetus will allow us to pinpoint the random number’s memory address quickly.

As a first step, talk to the guard and try to guess the number randomly. You probably won't guess it on your first try, but take note of the guard's number.

Guard random number

You can use Cetus to find all the memory addresses used by the game that match the given value. In this case, the guard’s number is probably a regular integer, so we choose i32 (32-bit integer) in Value Type.

Cetus also allows you to search for numbers with decimals (usually called floats), represented by the f32 and f64 types, and for strings encoded as ASCII, UTF-8, or raw bytes. You need to specify the data type as part of your search because, for your computer, the values 32 (integer) and 32.0 (float) are stored in different formats in memory.

We will use the EQ comparison operator, which searches for memory addresses whose content is equal to the value we input. Note that you can also search for values using any of the other available operators. For reference, this is what the other operators do:

Operator Description
EQ Find all memory addresses with contents that are equal to our inputted value.
NE Find all memory addresses with contents that are not equal to our inputted value.
LT Find all memory addresses with contents that are lower than our inputted value.
GT Find all memory addresses with contents that are greater than our inputted value.
LTE Find all memory addresses with contents that are lower than or equal to our inputted value.
GTE Find all memory addresses with contents that are greater than or equal to our inputted value.

Since the guard uses a random number, you will likely find the memory address on the first try. Once you do, click the bookmark button on the right of the memory address:

Searching the guard's number

You can then go to bookmarks to see your memory addresses:

Cetus Bookmarks

Note that Cetus uses hexadecimal notation to show you the numbers. If you need to convert the shown numbers to decimal, you can use this website.

With Cetus on the bookmarks tab, talk to the guard again and notice how the random number changes immediately. You can now guess the number:

Guessing the number

Convert the number from hexadecimal to get the guard’s number (0x005c9d35 = 6069557). You defeated the guard (sort of)!

Note: You can also modify the memory address containing the random number from the bookmarks tab. Try restarting the game and changing the guard’s number right before the guard asks you for your number. You should now be able to change the guard’s number at will!

Getting through the bridge

You are now out of your cell, but you still have to overcome some obstacles. Can you figure out how?

The Bridge

While you are wondering what other data in memory could be changed to survive the bridge, Elf Recon McRed tells you that he read about differential search. Differential Search, he said, allows you to run successive searches in tandem, where each search will be scoped over the results of the last search only instead of the whole memory space. Elf Recon thinks this might be of help somehow.

To help you better understand, he used the following example: suppose you want to find an address in memory, but you are not sure of the exact value it contains. You can, however, manipulate that value by doing some actions in the game (you could change the value of your position by moving, for example). Instead of doing a direct search by value as before, you can use differential search to look for memory positions based on specific variations of the value, rather than the value itself.

To start the differential search mode, your first search needs to be done with an empty value.

Differential Search 1

This will return the total number of memory addresses mapped by the game, which is 458753 in the image above. Now, suppose you want to know which memory addresses have decreased since the last search. You can run a second search using the LT operator without setting a value to search:

ElfRecon2

The result above tells us that only 44 memory positions of the total of 458753 have decreased in value since the last search. You can, of course, continue to do successive searches. For example, if you now wanted to know which of the 44 memory addresses resulting from the previous search have increased in value, you could simply do another search with the GT operator, again with no value.

ElfRecon3

The result tells us that of the 44 memory addresses from the last search, only 26 have increased in value. If you are searching for a particular value, you can continue to do more searches until you find the memory address you are trying to get.
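As an added example (not Cetus's own code, nor part of the original room), here is a small Python model of the two search modes described above: the typed, operator-based direct search used to find the guard's number, and the differential search Elf Recon describes. It assumes WebAssembly linear memory can be scanned as a little-endian byte buffer at type-aligned offsets; the memory contents in demo() are constructed.

```python
import struct

# Comparison operators offered by the Cetus search UI (see the table above).
OPERATORS = {
    "EQ": lambda cur, ref: cur == ref,
    "NE": lambda cur, ref: cur != ref,
    "LT": lambda cur, ref: cur < ref,
    "GT": lambda cur, ref: cur > ref,
    "LTE": lambda cur, ref: cur <= ref,
    "GTE": lambda cur, ref: cur >= ref,
}

# struct format per value type; WebAssembly linear memory is little-endian.
TYPE_FORMATS = {"i32": "<i", "f32": "<f", "f64": "<d"}


class MemoryScanner:
    """Scan a linear-memory snapshot (bytes/bytearray) the way Cetus does."""

    def __init__(self, value_type="i32"):
        self.fmt = TYPE_FORMATS[value_type]
        self.size = struct.calcsize(self.fmt)
        self.candidates = None   # None: no search yet, so scan all of memory
        self.previous = {}       # value seen at each candidate on the last search

    def search(self, memory, operator=None, value=None):
        """Run one search and return the list of matching addresses.

        value=None selects differential mode: each candidate is compared with
        the value it had at the previous search. The first search with no
        operator and no value just snapshots every (type-aligned) address."""
        addrs = (range(0, len(memory) - self.size + 1, self.size)
                 if self.candidates is None else self.candidates)
        hits, snapshot = [], {}
        for addr in addrs:
            cur = struct.unpack_from(self.fmt, memory, addr)[0]
            ref = value if value is not None else self.previous.get(addr)
            if operator is None or (ref is not None and OPERATORS[operator](cur, ref)):
                hits.append(addr)
                snapshot[addr] = cur
        self.candidates, self.previous = hits, snapshot
        return hits


def demo():
    # Constructed 32-byte memory: the guard's number lives at offset 8 and a
    # hypothetical player counter at offset 20 (both values are made up).
    mem = bytearray(32)
    struct.pack_into("<i", mem, 8, 0x005C9D35)
    struct.pack_into("<i", mem, 20, 100)
    direct = MemoryScanner("i32").search(mem, "EQ", 0x005C9D35)  # direct EQ search
    diff = MemoryScanner("i32")
    diff.search(mem)                           # empty first search: snapshot everything
    struct.pack_into("<i", mem, 20, 90)        # counter goes down (player acted)
    struct.pack_into("<i", mem, 8, 1)          # guard regenerates a smaller number
    decreased = diff.search(mem, "LT")         # addresses that went down since snapshot
    struct.pack_into("<i", mem, 20, 95)        # counter goes back up
    increased = diff.search(mem, "GT")         # of those, which went up since last search
    return direct, decreased, increased
```

Each differential search narrows the candidate set further, exactly as the 458753 → 44 → 26 sequence above shows.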

~ Source: Tryhackme.

Challenge Solution