BSidesCBR 2017 CTF Write-Up: Let’s Play a Game!

This is a write-up of “Let’s play a game” (275 points) from the BSides Canberra CTF.

You can find the challenge here: https://github.com/OJ/bsides-2017-ctf-docker/tree/master/rev-letsplayagame.

Now that’s out of the way, let’s get to the challenge:

(Screenshot: the landing screen, made in RPG Maker)

This was the second Windows application we attempted in the BSides CTF. A standard RPG Maker VX game. Upon beginning play, we were presented with an island, and a helpful message:

(Screenshot: a very helpful message)

Taking this message at face value, we began to think about how we could move off the map. There was nowhere on the map without collision, so we immediately figured we’d have to manipulate the game’s memory directly.

The most obvious way to do this was CheatEngine. We moved the character to the top-left corner of the screen, knowing that most coordinate systems in tile-based games put (0,0) in the top left and (maxX,maxY) in the bottom right.

We started a scan over all addresses with an unknown initial value. We then moved one tile to the right and one tile down, scanning for increased values each time. By the sixth scan, there were around 120 candidate addresses left.

We repeated the process and were soon left with only the X and Y values.

We moved around a bit and noticed that these values were never even: they always increased by two with each tile moved. We ignored the first Y value, as it was located in a completely separate region of memory from the X value and the second Y value. We then began to manipulate the numbers, looking for the flag, taking care to avoid even numbers, as these crash the game.
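To make the scan-narrowing workflow concrete, here is an added simulation of what CheatEngine does during the steps above. It is not code from the write-up or from the game: the memory layout (addresses, the `2*tile+1` encoding, the frame counter and other distractor values) is constructed for illustration. It starts with every address as a candidate ("unknown initial value"), keeps only addresses that increased after each diagonal move, and then shows why a single move in the opposite direction is worth doing: a value that always climbs, such as a frame counter, survives any number of "increased" scans and is only eliminated by a "decreased" scan.

```python
"""Simulated CheatEngine-style scan narrowing (constructed example)."""
from typing import Callable, Dict, Set

Snapshot = Dict[int, int]            # address -> 4-byte value
Predicate = Callable[[int, int], bool]  # (old value, new value) -> keep?

# Hypothetical memory layout. Tile coordinates are stored as 2*t + 1, which
# reproduces the "always odd, steps by two" behaviour the write-up observed.
X_ADDR, Y_ADDR, Y_ADDR_2 = 0x1000, 0x1004, 0x2000
FRAME_COUNTER = 0x3000   # climbs on every snapshot regardless of player input
GOLD = 0x3004            # constant
FLICKER = 0x3008         # alternates between two values every snapshot


def take_snapshot(x: int, y: int, tick: int) -> Snapshot:
    """Return the constructed process memory for a player at tile (x, y)."""
    return {
        X_ADDR: 2 * x + 1,
        Y_ADDR: 2 * y + 1,
        Y_ADDR_2: 2 * y + 1,
        FRAME_COUNTER: 1000 + 60 * tick,
        GOLD: 150,
        FLICKER: 7 if tick % 2 else 3,
    }


# The three comparison scans CheatEngine offers after the initial scan.
def increased(old: int, new: int) -> bool:
    return new > old


def decreased(old: int, new: int) -> bool:
    return new < old


def unchanged(old: int, new: int) -> bool:
    return new == old


class Scanner:
    """Holds the player position, the last snapshot and the surviving candidates."""

    def __init__(self) -> None:
        self.x = self.y = self.tick = 0
        self.prev = take_snapshot(0, 0, 0)
        # "Unknown initial value": every address starts as a candidate.
        self.candidates: Set[int] = set(self.prev)

    def move(self, dx: int, dy: int, predicate: Predicate) -> Set[int]:
        """Move the player, re-snapshot memory, keep addresses matching predicate."""
        self.tick += 1
        self.x += dx
        self.y += dy
        cur = take_snapshot(self.x, self.y, self.tick)
        self.candidates = {a for a in self.candidates
                           if predicate(self.prev[a], cur[a])}
        self.prev = cur
        return set(self.candidates)


def value_to_tile(value: int) -> int:
    """Invert the constructed 2*t + 1 encoding (only odd values are valid)."""
    if value % 2 == 0:
        raise ValueError("even value is not a valid tile encoding here")
    return (value - 1) // 2


def run_scan(diagonal_steps: int = 6):
    """Mirror the write-up: move right+down repeatedly with 'increased' scans,
    then take one step left with a 'decreased' scan to isolate X."""
    s = Scanner()
    for _ in range(diagonal_steps):
        s.move(1, 1, increased)
    after_diagonal = set(s.candidates)   # X, both Y copies, and the frame counter
    s.move(-1, 0, decreased)             # only X goes down when stepping left
    return after_diagonal, set(s.candidates), s.prev[X_ADDR]


if __name__ == "__main__":
    survivors, x_only, x_value = run_scan()
    print("after diagonal moves:", sorted(hex(a) for a in survivors))
    print("after one step left: ", sorted(hex(a) for a in x_only))
    print("X value", x_value, "-> tile", value_to_tile(x_value))
```

Each "increased" scan removes the constant and the flickering value quickly, but the frame counter is never removed by that filter alone. Moving in the opposite direction for one scan is the cheap way to separate a real coordinate from any value that merely happens to grow over time.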

And after a while of simply looking around, we stumbled across the flag: BSIDES_CTF{RPG_FTW}.