(Challenge 2) Clicker
We are given a program to run, in either Windows or Linux flavours.
From quick inspection, it's a simple coin clicker game, where each click increases the number of points we have by one. We need to get 13371337 points, which is far too many to click manually, and even simulating the clicks might not complete in time.
For analysing a program like this, we can try two techniques, static analysis or dynamic analysis. I've done a solution for both, see below.
First we'll try some static analysis (analysing the binary without actually running it).
Since we know that one of the previous challenges did some encoding using Base64, we could try looking for things that look like Base64 strings. We list all the strings that appear in the file using strings, and filter them using grep to only show things that use the characters from Base64 and have an = in them, which is quite common in Base64 strings.
$ strings clicker | grep -P "[a-zA-Z0-9+/]+="
=s_af=0&M
_9V='
=n=yF
O/H?rc.B=
.7s=
FSEAr3pjq183nQD3K1p0AI9ZZQp1KmOTK2AfZJALsD==
to compile. Use runtime option --DRT-oncycle=print to see the cycle details.
That long FSEAr3pjq183nQD3K1p0AI9ZZQp1KmOTK2AfZJALsD== looks quite interesting, so we can try decoding it, but it gives us garbage...
With a bit of playing around we can run it through ROT13 first, and then a Base64 decode to reveal our flag, HTM{w0w_7h47_W45_L075_0F_cl1cX}. See a demo here.
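The "playing around" step can be automated. The following is an added example, not part of the original write-up: it takes the grep output shown above, tries every letter rotation (a generalisation of ROT13) before Base64-decoding, and keeps only results that are printable ASCII. The function names rotate, decode_candidates and scan are made up for this example.

```python
import base64
import binascii
import re
import string

# Lines printed by the page's `strings clicker | grep` command.
GREP_HITS = """\
=s_af=0&M
_9V='
=n=yF
O/H?rc.B=
.7s=
FSEAr3pjq183nQD3K1p0AI9ZZQp1KmOTK2AfZJALsD==
to compile. Use runtime option --DRT-oncycle=print to see the cycle details.
""".splitlines()

# Whole line must be Base64 alphabet only; padding is checked by the decoder.
B64_LINE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def rotate(text, shift):
    """Caesar-rotate letters only; digits, '+', '/' and '=' are unchanged."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up, lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


def decode_candidates(line):
    """Map each rotation (0-25) that Base64-decodes to printable ASCII to its text."""
    found = {}
    for shift in range(26):
        try:
            raw = base64.b64decode(rotate(line, shift), validate=True)
        except binascii.Error:
            continue
        if raw and all(0x20 <= b <= 0x7E for b in raw):
            found[shift] = raw.decode("ascii")
    return found


def scan(lines):
    """Return {line: {shift: plaintext}} for Base64-looking lines that decode."""
    hits = {line: decode_candidates(line) for line in lines if B64_LINE.fullmatch(line)}
    return {line: found for line, found in hits.items() if found}


if __name__ == "__main__":
    for line, found in scan(GREP_HITS).items():
        for shift, text in found.items():
            print(f"ROT{shift} + Base64: {line} -> {text}")
```

Shift 0 (plain Base64) is rejected because it decodes to non-printable bytes, which is the "garbage" described above.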
Next we'll try doing some dynamic analysis by inspecting and modifying the program while it's running.
There are many, many tools for this kind of thing, but we'll be using Cheat Engine on Windows and Game Conqueror on Linux. Using these tools, we can scan and modify memory that contains specific values, in our case, the current value of the score.
Essentially, we follow this process:
- Change the score by clicking
- Scan for the new value of the score
- Repeat until there is only one variable left
The single variable left should be the score. We can then manually modify this value to 13371336, click one last time to get to 13371337 and reveal the flag:
And once again we get HTM{w0w_7h47_W45_L075_0F_cl1cX}.