Blog Memes GitHub About

Wargames.MY 2023: Defeat the boss!

Defeat the boss and you get the flag, probably, maybe, I think, hmmm

TL;DR

Game state/data is saved locally on a .RMMZSAVE file. Manipulate game variables using an Online Save Editor to buff our player stats, get unlimited money and teleport to out-of-bounds location.

Challenge Overview

Defeat the boss! is an RPG game that runs on NW.JS.

Game Hacking

There are 4 different challenges we have to overcome in the game to receive the flag. Our character starts with 1000 gold and base stats of Level 1.

Stage 1: Boss Fight (Damage Multiplier)

The 1st challenge is to defeat an overpowered evil boss.

The boss deals over a million damage and takes essentially no damage from our attacks since we are Level 1 with minimal stats.

After saving the game, the save data is saved into a .RMMZSave file locally on our machine. Using this RMMZSave Editor, we can buff our character to have overpowered stats.

Load the save file manually and the spoofed values are now reflected in game!

Since our character would always start with an action first, we can now one-shot the evil boss in just 1 hit.

First part of the flag obtained!

Stage 2: Merchant Item (Unlimited Money)

The 2nd part of the challenge is to earn enough money to buy a Dead Sea Scroll from the merchant. There is a dummy NPC available that we can farm to win 1G on each victory, but that would take a long time to reach 500k in gold.

Using the Save Editor from Stage 1, we can also spoof our money to afford the scroll.

Second part of the flag obtained!

Stage 3: Unreachable Chest (Player Teleportation)

The third part of the challenge is to loot this chest that seems impossible to reach based on the given route.

Using a different Save Editor Online, we can manipulate our character's coordinates on the map. This is the exact location where our player is standing when the game is saved.

Changing the X and Y values to coordinates that are not populated by the map allows us to travel freely out-of-bounds.

Third part of the flag obtained!

Stage 4: Guessing Game

The last part of the challenge is a 7-digit number guessing game. We can technically brute force this until the right combination appears, but that would be a pain in the ass.

There are no signs of attributes that control the right combination, so I tried to identify the NPC's name through the save editor.

Then, I tried grepping the NPC's name from the binary to see if anything interesting was there and found the last piece of the flag unexpectedly.

Getting the Flag

Putting everything together gives us the base64-encoded flag.

Flag: wgmy{9dedace597929c5316d6443d2783d291}

PreviousReverse EngineeringNextACS 2023: Licrackense Pt I

Last updated