Hacking WebAssembly Games

TJCTF organized an online Capture the Flag competition from Fri, May 22, 2020 08:00 to Tue, May 26, 2020 08:00 PHT. One of the challenges in the Web category is about hacking a WebAssembly game created by boomo.

Challenge Details

Title: Gamer W
Author: boomo
Description: Can you figure out how to cheat the system? Grab his hat to prove your victory!
Link: http://gamer_w.tjctf.org/

Reconnaissance

Opening the given link brings me to a web page with an embedded game built with Unity WebGL.

In one of the in-game messages, the author asks us to download a Chrome extension called Cetus.

The author also gave a tip to use the extension to manipulate the game's values stored in memory.

Before manipulating the game, I decided to search for the Cetus Chrome extension and found a GitHub repository created by Jack Baker.

Qwokka/Cetus: Browser extension for hacking WebAssembly games a la Cheat Engine

According to its creator, Cetus is similar to Cheat Engine. It lets the user perform the following:

  • Memory searching
  • Watchpoints (Implemented via binary instrumentation using WAIL)
  • Memory freezing
  • Code disassembly
  • Code patching

Memory Searching Process

The first thing to do is to find the memory addresses of the following values:

  • Health Points (HP)
  • Gold (Game Coins)
  • Range Damage
  • Swing Damage
  • Main Boss' Health Points

Follow the three (3) steps below to find the exact memory address of a value.

  1. Search memory for all values equal to the number shown in the game, using the float 32 type.
  2. Change the value in the game: take a hit (to decrease HP), buy some items (to decrease gold and increase damage), and fire some bullets or slash enemies with the sword (to decrease an enemy's HP).
  3. Enter the new value in the memory search tab to narrow down the list of candidate memory addresses.
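As an added illustration (my own example, not code from the write-up or from Cetus), here is a minimal JavaScript memory search over a WebAssembly linear memory that carries out the three steps above. The offsets, the decoy value and the "take a hit" change are constructed for the example.

```javascript
// Added example: a Cheat Engine style f32 search over WebAssembly linear memory.
// Constructed sample: one 64 KiB page of linear memory, all zeros to start.
const memory = new WebAssembly.Memory({ initial: 1 });
const view = new DataView(memory.buffer);

// WebAssembly linear memory is little-endian; read/write an f32 at a byte offset.
function readF32(offset) { return view.getFloat32(offset, true); }
function writeF32(offset, value) { view.setFloat32(offset, value, true); }

// Step 1: scan every 4-byte-aligned slot for an f32 equal to `value`.
// Returns the byte offsets of all matches (the initial candidate list).
function searchF32(value) {
  const hits = [];
  for (let off = 0; off + 4 <= view.byteLength; off += 4) {
    if (readF32(off) === value) hits.push(off);
  }
  return hits;
}

// Step 3: keep only the candidates that now hold `newValue`.
function narrow(candidates, newValue) {
  return candidates.filter((off) => readF32(off) === newValue);
}

// Constructed game state (offsets are arbitrary, not the challenge's addresses).
const HP = 0x1f1c;     // player HP, starts at 100
const DECOY = 0x0f00;  // an unrelated float that also happens to be 100
const GOLD = 0x1f3c;   // gold, also 100 at the start
writeF32(HP, 100);
writeF32(DECOY, 100);
writeF32(GOLD, 100);

// Full procedure: search for 100, take a hit (HP drops to 80), re-filter.
function findHpAddress() {
  let candidates = searchF32(100);      // step 1: every slot holding 100.0
  writeF32(HP, 80);                     // step 2: only the real HP slot changes
  candidates = narrow(candidates, 80);  // step 3: filter with the new value
  return candidates;
}
```

Running `findHpAddress()` leaves a single candidate, the HP offset; the decoy and gold slots are eliminated because they did not change with the hit.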

Memory Addresses

  • Health Points (HP) = 0x02111f1c
  • Gold (Game Coins) = 0x02111f3c
  • Range Damage = 0x02111f4c
  • Swing Damage = 0x02111f68
  • Main Boss' Health Points = 0x02111e4c

Exploitation

Tick the checkbox in the Freeze column for 0x02111f3c to freeze the value of Gold, then buy items in the shop.

Tick the checkbox in the Freeze column for 0x02111f1c to freeze the HP, then kill the enemies.

Yes, kill them all, until you reach the main boss.

(If you will not use Cetus, you'll be dead when the main boss fires a bunch of bullets. Seriously, no one can survive that haha!)

I was able to fight back, though, but wasn't able to kill the boss, because he has an effin' magical potion that automatically regenerates his health points.

Look at that red magical potion. LOL!

After he drank the potion, his HP automatically went back to full and he told us this:

He's a CH34TER! But I'm a hacker so you know...

Based on the Bookmarks tab of Cetus, the main enemy's HP is now 300. I tried to kill him using the Speed Hack, but the potion let him quickly regenerate his HP.

Luckily, there's a Write Watch feature in the Bookmarks tab of Cetus that lets us see which function writes to the selected memory address when we do something in the game.

To find the function that increases the swing damage, I selected Write Watch on the memory address of Swing (Sword) damage.

The function is 34985.

To exploit the function, go to the Patch tab and modify its code. I also noticed that the damage increases by 4 every time you buy the upgrade.

I looked for a set of instructions that adds 4 to the damage and found it on line #185.

I edited it from 4 to 100.

Getting the Flag

With the increased damage and the speed hack, I quickly defeated the enemies.

Oh, I also bypassed the "Teleportation" stage, which is the last stage before getting the flag. I have no idea how I did it and I couldn't replicate it, but the time in the screenshot shows that I finished the game in 79 seconds.

I think it may be because my damage was too high and I was too close to the hat or the enemy before the teleportation.