
(Challenge 2) Clicker

Justin Chadwell edited this page Oct 27, 2019 · 2 revisions

We are given a program to run, in either Windows or Linux flavours.

From quick inspection, it's a simple coin clicker game, where each click increases the number of points we have by one. We need to get 13371337 points, which is quite a few, so we're not going to be able to do it manually - even simulating the clicks might not complete in time.

Game Screenshot

For analysing a program like this, we can try two techniques: static analysis or dynamic analysis. I've done a solution for both; see below.

Static analysis

First we'll try some static analysis (analysing the binary without actually running it).

Since we know that one of the previous challenges did some encoding using Base64, we could try looking for things that look like Base64 strings. We list all the strings that appear in the file using strings, and filter them using grep to only show things that use the characters from Base64 and have an = in them, which is quite common in Base64 strings because of padding.

$ strings clicker | grep -P "[a-zA-Z0-9+/]+="
=s_af=0&M
_9V='
=n=yF
O/H?rc.B=
.7s=
FSEAr3pjq183nQD3K1p0AI9ZZQp1KmOTK2AfZJALsD==
to compile. Use runtime option --DRT-oncycle=print to see the cycle details.

That long FSEAr3pjq183nQD3K1p0AI9ZZQp1KmOTK2AfZJALsD== looks quite interesting, so we can try decoding it, but it gives us garbage...

With a bit of playing around we can run it through ROT13 first, and then a Base64 decode to reveal our flag, HTM{w0w_7h47_W45_L075_0F_cl1cX}. See a demo here.
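The strings-and-grep search and the ROT13-then-Base64 step can be combined into one triage script. This is an added example, not code from the original write-up; it goes slightly further than the text by trying all 26 letter rotations instead of only ROT13. The names `rotate`, `find_encoded_strings` and `SAMPLE` are hypothetical, and the minimum candidate length of 8 is an assumption.

```python
import base64
import binascii
import re
import string

# Base64-alphabet runs ending in '=' padding, like the grep above. The minimum
# length of 8 is an added assumption to drop short noise such as "=n=yF".
CANDIDATE = re.compile(rb"[A-Za-z0-9+/]{8,}={1,2}")
PRINTABLE = set(string.printable.encode())


def rotate(token: bytes, shift: int) -> bytes:
    """Caesar-rotate ASCII letters by `shift`; digits, '+', '/' and '=' are untouched."""
    out = bytearray()
    for b in token:
        if 65 <= b <= 90:
            b = (b - 65 + shift) % 26 + 65
        elif 97 <= b <= 122:
            b = (b - 97 + shift) % 26 + 97
        out.append(b)
    return bytes(out)


def find_encoded_strings(blob: bytes):
    """Return (token, shift, plaintext) for every candidate that decodes to printable text."""
    hits = []
    for match in CANDIDATE.finditer(blob):
        token = match.group()
        token = token[len(token) % 4:]  # padding anchors the end; realign the start
        for shift in range(26):
            try:
                decoded = base64.b64decode(rotate(token, shift), validate=True)
            except binascii.Error:
                continue
            if decoded and all(b in PRINTABLE for b in decoded):
                hits.append((token.decode(), shift, decoded.decode()))
    return hits


# Constructed sample: the string from the strings output above, surrounded by
# made-up binary noise. On a real file, use open("clicker", "rb").read() instead.
SAMPLE = (b"\x7fELF\x02\x01\x00=n=yF\x00O/H?rc.B=\x00"
          b"FSEAr3pjq183nQD3K1p0AI9ZZQp1KmOTK2AfZJALsD==\x00to compile.\x00")

if __name__ == "__main__":
    for token, shift, text in find_encoded_strings(SAMPLE):
        print(f"rot{shift:<2} {token} -> {text}")
```

Rotation 0 is the plain Base64 decode, which is rejected here because it yields non-printable bytes, matching the "garbage" result described above.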

Dynamic analysis

Next we'll try doing some dynamic analysis by inspecting and modifying the program while it's running.

There are many, many tools for this kind of thing, but we'll be using Cheat Engine on Windows and Game Conqueror on Linux. Using these tools, we can scan and modify memory that contains specific values, in our case, the current value of the score.

Cheat Engine

Essentially, we follow this process:

  • Change the score by clicking
  • Scan for the new value of the score
  • Repeat until there is only one variable left

The single variable left should be the score. We can then manually modify this value to 13371336, click one last time to get to 13371337 and reveal the flag:

Game Completed Screenshot

And once again we get HTM{w0w_7h47_W45_L075_0F_cl1cX}.
