TUM CTF 2016 WriteUp: hack_or_play

This past weekend was TUM CTF 2016, and I found some really fun challenges that aligned well with my recent game hacking. In hack_or_play and hack_or_hack you were given a set of old Windows DOS game files for a German version of a game called "Tony and Friends in Kellogg's Land". Further, in hack_or_play you are given the following hint, which implies you can beat the game to get the flag: "You will find the flag if you finish the game. How to get there? The choice is entirely yours." I got the game running across OS X, Linux, and Windows using DOSBox. Looking at the strings in the main program file, I noticed something called "Kellogg's Cheat-Mode", which prompted me to look online for built-in secrets and hacks.
This revealed a few: one that provided extra lives, one that enabled Cheat-Mode (which allowed you to jump levels), and a third that took you to a sound menu (a good test code). Using these I was able to grab extra lives and jump to the final boss, grabbing the flag for hack_or_play.



But this isn't really the end... This game comes back in another challenge called hack_or_hack. In hack_or_hack the flag is spread across the end of each level, and you are truly prompted to extract and visualize the .map and .are files in order to rebuild the flag, forcing one to go deeper. I found and used these Python scripts to extract the .map and other media files from the PCKELL.DAT file. I could also use these scripts to parse the .map files into objects. I also found this extremely helpful article, where a hacker reverses a game similar to Kellogg's. He also released tools, but the links have been removed so the files are pretty hidden on the site, although you could still reach them: extract.c, pack.c, levelex.c, ico2bmp.c, and finally QuikyLevelEditor.zip (which also works for Kelloggs TLE1 maps :). Using these tools we can quickly visualize the final level in hack_or_play, and see the flag that way too.
However, doing this to look at the hack_or_hack game does not reveal the flags. Doing some hashing and diff'ing reveals the modifications aren't in the .map files, but rather the decorator .are files. Alas, I was unable to map the .are files to the visualizations and thus unable to solve hack_or_hack during the CTF, but maybe later :D
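The hashing and diffing step above can be scripted as follows. This is an added example, not code from the original write-up or from the extraction tools it mentions. It assumes both games' assets have already been extracted into two directories, and the file names and bytes in `demo()` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def digest_tree(root):
    """Map relative path (lowercased: DOS names are case-insensitive) to SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def changed_by_extension(dir_a, dir_b):
    """Group files that differ, or exist on one side only, by file extension."""
    a, b = digest_tree(dir_a), digest_tree(dir_b)
    groups = {}
    for name in sorted(a.keys() | b.keys()):
        if a.get(name) != b.get(name):
            groups.setdefault(Path(name).suffix, []).append(name)
    return groups

def diff_ranges(data_a, data_b):
    """Return [start, end) byte ranges where two blobs differ (length mismatch included)."""
    ranges, start = [], None
    n = max(len(data_a), len(data_b))
    for i in range(n):
        same = i < min(len(data_a), len(data_b)) and data_a[i] == data_b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges

def demo():
    """Constructed sample trees standing in for two extracted game directories."""
    with tempfile.TemporaryDirectory() as tmp:
        play, hack = Path(tmp, "play"), Path(tmp, "hack")
        for d in (play, hack):
            d.mkdir()
            (d / "LEVEL1.MAP").write_bytes(bytes(range(32)))  # identical on both sides
        (play / "LEVEL1.ARE").write_bytes(b"\x00" * 16)
        (hack / "LEVEL1.ARE").write_bytes(b"\x00" * 4 + b"\x07\x07" + b"\x00" * 10)
        changed = changed_by_extension(play, hack)
        ranges = diff_ranges((play / "LEVEL1.ARE").read_bytes(),
                             (hack / "LEVEL1.ARE").read_bytes())
    return changed, ranges

if __name__ == "__main__":
    print(demo())
```

Grouping the changed files by extension shows at a glance which asset type was modified, and the byte ranges narrow down where in each file to start looking.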