HackTheBox – HackyBird Write-up

Dear readers,

Today’s reading is on HackyBird, a game-based Reverse Engineering challenge. It was created on 19th December 2020. Let’s get started!

Fig 1. HackyBird game-based reverse engineering challenge on HackTheBox

Files given

You may also download the IDA database where I renamed some of the functions during reverse engineering here.

Tools required

Outlook of the game

Fig 4a. The main page of the game
Fig 4b. Replication of the game Flappybird

This is basically a replication of the famous mobile game, Flappybird.

Analysis

If we open the file in IDA, the file is very big which will probably take takes to reverse engineer the whole file. To save time, we can use Cheat Engine to help us find the condition to win quickly.

Based on the game, the way to get the flag is probably a certain amount obstacle successfully bypassed to win. Therefore, we can first search for the counter variable on Cheat Engine.

1. Find the counter variable

Firstly, launch Cheat Engine, launch HackyBird, and attach Cheat Engine to HackyBird’s process

For the 1st time, we try to search for the address than contains the value 2. Remember to check the checkbox “Pause the game while scanning”.

Start the game and try to hit 2 points. When you hit two points, immediately press the “New Scan” button on Cheat Engine before failing at 2 points.

Fig 5a. Finding the address that has the counter based on value 2

Based on Fig 5a, there are tons of addresses with value 2. It is still too hard for us to determine the value. Therefore, We can try again but this time around, zero the value to 0 and press the “Next Scan” button once the game starts. End the game before even clearing the 1st round. We would have narrowed it down to a few addresses left.

Based on the few address left, try to play the game and see if any of the addresses chang whenever you clear an obstacle and the points tally. I played until I clear the 2nd obstacle and immediately, I identified the address as shown in Fig 5b.

Fig 5b. Found the address that contains the counter value

2. Verify the address is the variable of the counter

Next, double click on the address we suspected. It should appear on the list that is at the bottom of Cheat Engine. Change its value to any value and check the Active checkbox.

Play the game again. The score should immediately appear as the value you set. If it doesn’t it means you have identified the wrong address, thus repeat step 1.

3. Identify the winning instruction in IDA

Right-click on the address in the list and choose “Find out what access this address” (see Fig 5c). A debugger should appear.

Fig 5c. To open a debugger to trace the address that uses the counter

Play the game. There should be two instructions that appear in the debugger. Play until you cross the 1st obstacle. Two more instructions will appear. Choose the instruction that has the “cmp” opcode (see Fig 5d).

Fig 5d. Found instruction that uses the counter and compare with a value

Open up HackyBird.exe in IDA pro, press key G, input address “403133”, and press ENTER. IDA pro will bring you to that location (see Fig 5e).

Fig 5e. Counter being checked once clearing an obstacle

Based on the assembly code, we can guess it means:

if (counter <= 999)
{
    ..Do something..
}
else
{
    ..Do something else..
}

Since we know that our score so far is below 0x3E7 (999), it means it means it needs at least 1000 to get the flag. Let’s set our counter to 1000 and clear the 1st obstacle.

However, when we clear the 1st obstacle, some weird string appears (see Fig 5f).

Fig 5f. Weird strings appear after 1000 score

This issue still persists even if we set other high scores. Therefore, it could exactly be score 1000 is needed. Therefore, we can see the counter to value 999 and try to clear the 1st obstacle.

Flag obtained

True enough, we obtained the flag once the bird clears the 1st obstacle.

Fig 6. Flag obtained when the score hits 1000 after clearing the 1st obstacle

Flag: HTB{game_h3kk1n_is_funsies!}

I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my milk tea addiction. The link is here. 🙂

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.