Day 19

I merely noticed that you’re improperly stored, my dear secret!

Welcome to Day 19 of Advent of Cyber

In today's challenge we use Frida to analyze and manipulate a game's behavior in real time.

Frida is a dynamic instrumentation toolkit that lets you inject code into running applications to monitor and manipulate them in real time, which is useful for application security, penetration testing, reverse engineering, and malware analysis.

Let's hack the game:

  • Start the machine and wait for it to deploy

  • Access the machine to complete the challenge

Launch the game:

cd /home/ubuntu/Desktop/TryUnlockMe  
./TryUnlockMe

Just explore the game and see how it goes.

Level 1 - Hacking OTP

Run Frida with:

frida-trace ./TryUnlockMe -i 'libaocgame.so!*'

If you revisit the NPC, you trigger the OTP function, which frida-trace shows on the console as _Z7set_otpi.

Open a new terminal, go to the /home/ubuntu/Desktop/TryUnlockMe/__handlers__/libaocgame.so/ folder (where frida-trace generated its handler scripts), and open it in Visual Studio Code.

Edit the JavaScript file set_otp.js:

defineHandler({
    onEnter(log, args, state) {
        log('_Z7set_otpi()');
        // The OTP is passed as the first integer argument; log it
        log("Parameter:" + args[0].toInt32());
    },
    onLeave(log, retval, state) {}
});

Restart Frida, trigger the NPC again, and the OTP is printed in the trace output.

Level 2 - Buying the flag

For the second level the game lets you earn coins by using the old PC on the field, but earning 1,000,000 coins that way sounds tedious.

Use frida-trace to find the purchase function (shown as _Z17validate_purchaseiii, which takes three integer parameters), then:

  • Edit the corresponding handler script:

    defineHandler({
        onEnter(log, args, state) {
            log('_Z17validate_purchaseiii()');
            // Log the three integer arguments (item, price, coins)
            log('PARAMETER 1: '+ args[0].toInt32());
            log('PARAMETER 2: '+ args[1].toInt32());
            log('PARAMETER 3: '+ args[2].toInt32());
            // Set price to zero
            args[1] = ptr(0);
        },
        onLeave(log, retval, state) {}
    });
  • Restart the game and purchase the item without spending coins.

Level 3 - Passing the Biometric Check

We need to bypass the biometric check by manipulating the return value.

Observe the function _Z16check_biometricsPKc() in the frida-trace output.

  • Edit the handler:

    defineHandler({
        onEnter(log, args, state) {
            log('_Z16check_biometricsPKc()');
            // The argument is a C string pointer; read and log it
            log("PARAMETER: " + Memory.readCString(args[0]));
        },
        onLeave(log, retval, state) {
            log("The return value is: " + retval);
            // Set the return value to True
            retval.replace(ptr(1));
        }
    });
  • Restart the game and pass the biometric check.
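The three frida-trace handlers above can be combined into one standalone Frida script; this is an added example, not the room's or TryHackMe's code. It assumes the three symbols are exports of libaocgame.so (as frida-trace listed them) and the invocation `frida -l tryunlockme.js ./TryUnlockMe`; the hook logic is kept separate from Frida's globals so it can be checked outside the game.

```javascript
// Added example: one Interceptor-based Frida script replacing the three
// frida-trace handlers. Assumed usage: frida -l tryunlockme.js ./TryUnlockMe
// Assumption: the three symbols are exports of libaocgame.so (frida-trace listed them).
const LIB = 'libaocgame.so';

// ptr() is a Frida global; outside Frida (e.g. a unit test) use a minimal stand-in.
const makePtr = (v) => (typeof ptr === 'function' ? ptr(v) : { toInt32: () => v });

// Hook logic kept free of Frida globals. `args` mimics InvocationArguments
// (elements expose toInt32()/readCString()), `retval` mimics InvocationReturnValue.
const hooks = {
  // set_otp(int otp): the one-time password is handed to the game in the clear.
  '_Z7set_otpi': {
    onEnter(args) { return { otp: args[0].toInt32() }; },
  },
  // validate_purchase(int item, int price, int coins): rewrite the price argument to 0.
  '_Z17validate_purchaseiii': {
    onEnter(args) {
      const seen = { item: args[0].toInt32(), price: args[1].toInt32(), coins: args[2].toInt32() };
      args[1] = makePtr(0);
      return seen;
    },
  },
  // check_biometrics(const char *sample): force the return value to 1 (true).
  '_Z16check_biometricsPKc': {
    onEnter(args) { return { sample: args[0].readCString() }; },
    onLeave(retval) {
      const original = retval.toInt32();
      retval.replace(makePtr(1));
      return original;
    },
  },
};

// Attach every hook, logging what each call received and what it originally returned.
function install() {
  const mod = Process.getModuleByName(LIB);
  for (const [name, h] of Object.entries(hooks)) {
    Interceptor.attach(mod.getExportByName(name), {
      onEnter(args) { console.log(name + ' ' + JSON.stringify(h.onEnter(args))); },
      onLeave(retval) {
        if (h.onLeave) console.log(name + ' originally returned ' + h.onLeave(retval));
      },
    });
  }
}

// Only attach when running inside Frida; in plain Node the hooks are just testable objects.
if (typeof Interceptor !== 'undefined') install();
```

The same three checks the page walks through are all client-side, which is why a hook on the game's own functions is enough to read the OTP, change the price and force the biometric result.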

That's all for Day 19!

Questions:

1. What is the OTP flag?

A: THM{one_tough_password}

2. What is the billionaire item flag?

A: THM{credit_card_undeclined}

3. What is the biometric flag?

A: THM{dont_smash_your_keyboard}

Stay tuned for Day 20 and Happy Hacking 🎄

Thank you!
