Dear readers,
Today’s reading is on HackyBird, a game-based Reverse Engineering challenge. It was created on 19th December 2020. Let’s get started!

Files given
- HackyBird.exe (32-bit)
You may also download the IDA database, in which I renamed some of the functions during reverse engineering, here.
Tools required
- Cheat Engine
- IDA Pro (or any other Windows-compatible disassembler)
Overview of the game


This is basically a clone of the famous mobile game Flappy Bird.
Analysis
If we open the file in IDA, the binary is large, and reversing the whole file would take a long time. To save time, we can use Cheat Engine to quickly find the condition that wins the game.
Judging from the game, the flag is probably awarded once a certain number of obstacles have been cleared. Therefore, we first search for the score counter variable with Cheat Engine.
1. Find the counter variable
First, launch Cheat Engine, launch HackyBird, and attach Cheat Engine to HackyBird’s process.
For the first scan, search for addresses that contain the value 2. Remember to tick the “Pause the game while scanning” checkbox.
Start the game and try to reach 2 points. As soon as you hit two points, press the “New Scan” button in Cheat Engine before you fail at 2 points.

Based on Fig 5a, there are far too many addresses holding the value 2 to tell which one is the counter. So we try again: restart the game so the score is back to 0, set the scan value to 0, and press the “Next Scan” button once the game starts. End the game before clearing even the first obstacle. This narrows the list down to a few addresses.
Among the few addresses left, play the game and watch whether any of them changes whenever you clear an obstacle and the score increases. I played until I cleared the 2nd obstacle and immediately identified the address shown in Fig 5b.

2. Verify the address is the variable of the counter
Next, double-click the address we suspect. It should appear in the list at the bottom of Cheat Engine. Change its value to any number and tick the Active checkbox.
Play the game again. The score should immediately show the value you set. If it doesn’t, you have identified the wrong address, so repeat step 1.
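To make steps 1 and 2 concrete, here is an added Python example (my own, not code from the original post or from the challenge) that simulates Cheat Engine’s “first scan / next scan” narrowing over a constructed memory region and then performs the write-and-check verification of step 2. The base address 0x00400000, the counter offset, the snapshot contents and the tiny stand-in “game” are all made up for illustration; nothing here touches a real process.

```python
import struct

BASE = 0x00400000          # constructed base address of the fake memory region
TRUE_COUNTER = BASE + 0x8  # where the simulated game keeps its score (the scanner does not know this)


def make_region(dwords):
    """Pack 32-bit values into a little-endian buffer that stands in for process memory."""
    return bytearray(struct.pack("<%dI" % len(dwords), *dwords))


def read_dword(region, addr):
    return struct.unpack_from("<I", region, addr - BASE)[0]


def write_dword(region, addr, value):
    struct.pack_into("<I", region, addr - BASE, value)


def first_scan(region, value):
    """Like Cheat Engine's first scan: every 4-byte-aligned address holding `value`."""
    needle = struct.pack("<I", value)
    return [BASE + off for off in range(0, len(region) - 3, 4)
            if region[off:off + 4] == needle]


def next_scan(region, candidates, value):
    """Like Cheat Engine's 'Next Scan': keep only candidates that now hold `value`."""
    return [addr for addr in candidates if read_dword(region, addr) == value]


# --- a minimal stand-in for the game itself (constructed) --------------------
def game_clear_obstacle(region):
    """The game's own increment when the bird passes an obstacle."""
    write_dword(region, TRUE_COUNTER, read_dword(region, TRUE_COUNTER) + 1)


def game_render_score(region):
    """What the game draws on screen: it reads the score from its own counter."""
    return read_dword(region, TRUE_COUNTER)


# --- step 1: narrow the candidate list across several snapshots -------------
def locate_counter(snapshots):
    """`snapshots` is a list of (region, score_at_that_moment) pairs, oldest first."""
    region, score = snapshots[0]
    candidates = first_scan(region, score)          # first scan
    for region, score in snapshots[1:]:
        candidates = next_scan(region, candidates, score)  # successive next scans
    return candidates


# --- step 2: write a value and check that the game really uses it -----------
def verify_candidate(region, addr, probe=1000):
    write_dword(region, addr, probe)
    return game_render_score(region) == probe


# Constructed snapshots taken at the moments the write-up scans:
# index 2 is the real counter; several other cells happen to collide with it.
SNAP_SCORE_2 = make_region([2, 5, 2, 2, 0, 2, 99, 2])   # score is 2
SNAP_SCORE_0 = make_region([2, 5, 0, 0, 0, 2, 99, 0])   # restarted, score back to 0
SNAP_SCORE_1 = make_region([2, 5, 1, 0, 0, 2, 99, 3])   # one obstacle cleared, score 1

if __name__ == "__main__":
    hits = locate_counter([(SNAP_SCORE_2, 2), (SNAP_SCORE_0, 0), (SNAP_SCORE_1, 1)])
    print("candidates after narrowing:", [hex(a) for a in hits])
    live = bytearray(SNAP_SCORE_1)
    print("candidate verified:", verify_candidate(live, hits[0]))
    # Mirror the end of the write-up: set 999, clear one obstacle, counter becomes 1000.
    write_dword(live, hits[0], 999)
    game_clear_obstacle(live)
    print("score after clearing an obstacle:", game_render_score(live))
```

Each extra snapshot removes the addresses whose value merely coincided with the score once, which is why the write-up restarts the game (score 0) and then clears an obstacle (score 1) before trusting a candidate. The write-and-check in `verify_candidate` is the same test as ticking Active with a custom value: only the real counter makes the rendered score follow the write.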
3. Identify the winning instruction in IDA
Right-click the address in the list and choose “Find out what accesses this address” (see Fig 5c). A debugger window should appear.

Play the game. Two instructions should appear in the debugger. Play until you clear the 1st obstacle; two more instructions will appear. Choose the instruction with the “cmp” opcode (see Fig 5d).

Open HackyBird.exe in IDA Pro, press G, enter the address “403133”, and press ENTER. IDA Pro will jump to that location (see Fig 5e).

Based on the assembly code, we can guess that it means:
if (counter <= 999) { ..Do something.. } else { ..Do something else.. }
Since our score so far is below 0x3E7 (999), the flag presumably requires at least 1000 points. Let’s set our counter to 1000 and clear the 1st obstacle.
However, when we clear the 1st obstacle, some weird string appears (see Fig 5f).

This issue persists even when we set other high scores, so the check may require a score of exactly 1000. Therefore, set the counter to 999 and try to clear the 1st obstacle, so that the counter reaches 1000 at the moment the obstacle is cleared.
Flag obtained
True enough, we obtained the flag once the bird cleared the 1st obstacle.

Flag: HTB{game_h3kk1n_is_funsies!}
I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more content like this. Funds will mostly go towards my milk tea addiction. The link is here.