Ghost in the ShellCode 2015 CTF WriteUp: Pwn Adventure 3: Until the Cows Come Home (radare2 Intro)
This year was another great Ghost in the ShellCode CTF. Like last year, it included a Pwn Adventure client you could download and hack. This year I pulled the game down on OS X, and reading the app's main Info.plist quickly revealed it's another Unity game:
Pwn Adventure 3.app/Contents/Info.plist: Unity Player version 4.5.4f1 (e036f44c54c9)
Start by running the game and pulling down all of the updates.
Next, we locate the file we are going to hack:
Pwn Adventure 3.app/Contents/PwnAdventure3/PwnAdventure3.app/Contents/MacOS/GameLogic.dylib
However, this time our file is a Mach-O 64-bit dynamically linked shared library (x86_64) running on OS X, so we can't just decompile .NET source like last time. We are going to have to disassemble it for our super powers. Enter radare2.
For OS X, I pulled it down using: brew install radare2
When analyzing w/ radare2, load file first as read only (no -w):
r2 GameLogic.dylib
(Later we can also run it as a web server with a visual call graph and links using the flags: r2 -n=H [file])
Let's run radare2's analysis for color and context in the code.
Run analyze all: aa
Let's also analyze the functions: af
Next, let's list the functions and copy out interesting offsets.
List all functions: afl*
Also show info on all symbols: is
Finally, we can search through these too by issuing: is | grep -i [keyword]
Let's search for the player run speed: is | grep -i run
Let's jump to that location: s 0x00221950
Go visual mode: V
Go Disasm: p
Now we can see the constant value we want to patch:
0x00221954 mov rax, 0x3
Let's leave r2: q [enter] q [enter]
# Patching
First make a backup of your file: cp [file] [file].bkup
Re-enter radare2 with write mode: r2 -w GameLogic.dylib
Jump to the instruction's offset (press : for the command prompt): s 0x00221954
Double tap enter.
Go visual: V
In Visual, go cursor mode: c
Replace Byte: i
up the SprintMultiplier: 48b809999
Woot woot! Now we have super speed.
The following are the edits that were made to get super jump:
To get specific assembly instructions, check out rasm2:
rasm2 -b 64 "mov rax, 4;ret"
We can also see the totality of our patches by running radiff2:
radiff2 GameLogic.dylib GameLogic.dylib.bkup
0x00221956 099990 => 030000 0x00221956
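As an added example (not part of the write-up), here is a small Python script that does what radiff2 is doing above: it walks two same-sized byte buffers and reports each run of differing bytes in radiff2's `0xOFFSET first => second` layout, which is also a handy way to audit exactly what a patch (or someone else's tampering) changed against a known-good backup. The sample buffers are constructed to mirror the patch at 0x00221956; they are not the real GameLogic.dylib bytes.

```python
"""Minimal radiff2-style byte diff: reports each run of differing bytes
as (offset, bytes_in_first, bytes_in_second), matching the
"0xOFFSET aabbcc => ddeeff" layout radiff2 prints."""


def byte_diff(first: bytes, second: bytes, base: int = 0):
    """Return a list of (offset, hex_first, hex_second) for every
    contiguous run where the two buffers differ. Offsets are reported
    relative to `base` so they line up with the addresses shown in r2
    rather than plain file positions."""
    if len(first) != len(second):
        raise ValueError("buffers differ in length; not a byte-for-byte patch")
    runs = []
    start = None
    for i, (x, y) in enumerate(zip(first, second)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            runs.append((base + start, first[start:i].hex(), second[start:i].hex()))
            start = None
    if start is not None:
        runs.append((base + start, first[start:].hex(), second[start:].hex()))
    return runs


def format_diff(runs):
    """Render runs the way the write-up's radiff2 output reads."""
    return [f"0x{off:08x} {a} => {b}" for off, a, b in runs]


# Constructed sample (not real GameLogic.dylib bytes): 32 bytes of NOP
# filler around the instruction at 0x00221954. The original encodes
# `mov rax, 3` as 48 b8 followed by an 8-byte immediate (the 48b8 prefix
# the write-up's patch keeps); the patched copy changes the three bytes
# at 0x00221956, as the write-up's radiff2 line shows.
BASE = 0x00221950
ORIGINAL = bytes.fromhex("90" * 4 + "48b8" + "0300000000000000" + "90" * 18)
PATCHED = bytes.fromhex("90" * 4 + "48b8" + "0999900000000000" + "90" * 18)

if __name__ == "__main__":
    # Same argument order as the write-up: patched file first, backup second.
    for line in format_diff(byte_diff(PATCHED, ORIGINAL, BASE)):
        print(line)  # 0x00221956 099990 => 030000
```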
That's the general intro to patching w/ radare2, more to come later!
To solve 'Until the Cows Come Home', you really only need to find Cow Island. The best way to do this is with a compass, so I look up and follow the Sun out into the ocean until I arrive at Cow Island.
Next, talk to Michael Angelo, he will give you the Rubik's Cube:
Use the Rubik's Cube on the Cow King to get the power Static Link. You can then use Static Link to kill the Cow King and get the flag:
That's all for now! The game is still live, so you can join the fun and leave your patches in the comments!
Want more radare2 awesomeness? Check out the following cheat sheet: