Casual McDonald's Employee Scriptorium
Wargames.MY 2023: Defeat the boss!

Defeat the boss and you get the flag, probably, maybe, I think, hmmm


Last updated 5 months ago

TL;DR

Game state/data is saved locally in a .RMMZSAVE file. Manipulate game variables using an Online Save Editor to buff our player stats, get unlimited money and teleport to an out-of-bounds location.

Challenge Overview

Defeat the boss! is an RPG game that runs on NW.js.

Game Hacking

There are 4 different challenges we have to overcome in the game to receive the flag. Our character starts with 1000 gold and base stats of Level 1.

Stage 1: Boss Fight (Damage Multiplier)

The 1st challenge is to defeat an overpowered evil boss.

The boss deals over a million damage and takes essentially no damage from our attacks since we are Level 1 with minimal stats.

Load the save file manually and the spoofed values are now reflected in game!

Since our character would always start with an action first, we can now one-shot the evil boss in just 1 hit.

First part of the flag obtained!

Stage 2: Merchant Item (Unlimited Money)

The 2nd part of the challenge is to earn enough money to buy a Dead Sea Scroll from the merchant. There is a dummy NPC available that we can farm to win 1G on each victory, but that would take a long time to reach 500k in gold.

Using the Save Editor from Stage 1, we can also spoof our money to afford the scroll.

Second part of the flag obtained!

Stage 3: Unreachable Chest (Player Teleportation)

The third part of the challenge is to loot this chest that seems impossible to reach based on the given route.

Changing the X and Y values to coordinates that are not populated by the map allows us to travel freely out-of-bounds.

Third part of the flag obtained!
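
The save edits in Stages 1 to 3 all succeed because the game accepts whatever its local save file contains. As an added example (not from the original writeup or the game's code), these are plausibility checks a save loader could run over a decoded save. The container layout (zlib-deflated JSON stored one character per byte and written as UTF-8), the field names `_paramPlus`, `_gold`, `_winCount`, `_x`, `_y`, and the limits in `RULES` are assumptions.

```javascript
const zlib = require("zlib");

// Assumed container: JSON -> zlib deflate -> one character per byte -> written as UTF-8.
function encodeSave(obj) {
  const deflated = zlib.deflateSync(Buffer.from(JSON.stringify(obj), "utf8"));
  return Buffer.from(deflated.toString("latin1"), "utf8");
}

function decodeSave(fileBytes) {
  const deflated = Buffer.from(fileBytes.toString("utf8"), "latin1");
  return JSON.parse(zlib.inflateSync(deflated).toString("utf8"));
}

// Constructed limits; the 1000 starting gold and 1G per win come from the writeup.
const RULES = { startGold: 1000, goldPerWin: 1, maxParamPlus: 50, mapWidth: 17, mapHeight: 13 };

// Returns the list of fields whose values the game rules cannot explain.
function auditSave(save, rules = RULES) {
  const findings = [];
  const actor = save.actors._data[1];
  if (actor._paramPlus.some((bonus) => bonus > rules.maxParamPlus)) {
    findings.push("actor stats");
  }
  const earnable = rules.startGold + save.system._winCount * rules.goldPerWin;
  if (save.party._gold > earnable) findings.push("gold");
  const { _x: x, _y: y } = save.player;
  if (x < 0 || y < 0 || x >= rules.mapWidth || y >= rules.mapHeight) {
    findings.push("player position");
  }
  return findings;
}

// Constructed sample saves (not taken from the challenge).
const cleanSave = {
  system: { _winCount: 3 },
  party: { _gold: 1003 },
  actors: { _data: [null, { _level: 1, _paramPlus: [0, 0, 0, 0, 0, 0, 0, 0] }] },
  player: { _x: 8, _y: 6 },
};
const editedSave = JSON.parse(JSON.stringify(cleanSave));
editedSave.party._gold = 500000;
editedSave.actors._data[1]._paramPlus[2] = 999999;
editedSave.player._x = 40;

console.log(auditSave(decodeSave(encodeSave(cleanSave))));
console.log(auditSave(decodeSave(encodeSave(editedSave))));
```

Because the player controls the whole file, including `_winCount`, checks like these only raise the cost of tampering; state that matters has to be validated somewhere the player cannot edit.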

Stage 4: Guessing Game

The last part of the challenge is a 7-digit number guessing game. We can technically brute force this until the right combination appears, but that would be a pain in the ass.

There are no signs of attributes that control the right combination, so I tried to identify the NPC's name through the save editor.

Then, I tried grepping the NPC's name from the binary to see if anything interesting was there and found the last piece of the flag unexpectedly.

Getting the Flag

Putting everything together gives us the base64-encoded flag.

Flag: wgmy{9dedace597929c5316d6443d2783d291}

For Stage 1: after saving the game, the save data is written to a .RMMZSave file locally on our machine. Using this RMMZSave Editor, we can buff our character to have overpowered stats.

For Stage 3: using a different Save Editor Online, we can manipulate our character's coordinates on the map. This is the exact location where our player is standing when the game is saved.