The challenge was an RPG, Pokemon-like, client-only game.
The objectives are:
- Kill all the Mortys (but sadly every Morty is stronger than you)
- Find the flag
The first thing you notice is the save function, which creates a
After a few saves you can see that it stores the player position, which Mortys you have caught, and the helpers and objects you have collected.
But at the end of the file there is a 256-bit signature that changes on every save.
We started reversing the challenge binary to understand how the signature was generated, but then we stumbled upon the
Apparently the function is never called, so we decided to call it ourselves.
We patched the binary.
Apparently every "level"/"stage" has a dedicated function that is called once you enter it, so the game can draw the "scene" and place the "sprites".
The last time we saved we were in level 7, so we decided to swap the call to
pausegame (the function that is called when you press ‘P’) with a call to
winFunc inside the
As simple as swapping
5CBC0000 at offset
PS: Those two values are the relative offset (rel32) operand of the CALL opcode, in little-endian form. Note that a near CALL's rel32 is measured from the address of the instruction that follows the CALL (the CALL itself is 5 bytes: E8 plus the 4-byte operand), not from the CALL's own address.
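The patch described above, as an added example that is not part of the original writeup: a small helper that computes the rel32 operand of a near CALL, decodes the little-endian operand string the writeup quotes, and rewrites a CALL in a binary image so it targets a different function. The layout of the image (a level function at 0x10 calling a "pausegame" stub at 0x40, a "winFunc" stub at 0x80) is constructed for the demo and has nothing to do with the real challenge binary. It also handles the case the writeup does not hit, a target that lies before the CALL, where rel32 wraps to a negative value. One caveat: rel32 is relative to virtual addresses, so when you patch at a file offset both the CALL and the target must be converted to (or both be in a section with the same) file-to-VA delta.

```python
import struct

CALL_OPCODE = 0xE8   # near relative CALL
CALL_LEN = 5         # E8 + rel32


def call_rel32(call_addr: int, target_addr: int) -> int:
    """rel32 for a near CALL at call_addr that should land on target_addr.

    The displacement is measured from the end of the CALL instruction
    (call_addr + 5), and is stored as a 32-bit two's complement value.
    """
    return (target_addr - (call_addr + CALL_LEN)) & 0xFFFFFFFF


def call_target(call_addr: int, operand: bytes) -> int:
    """Inverse of call_rel32: resolve where an existing CALL jumps to."""
    (rel,) = struct.unpack("<i", operand)      # signed, little-endian
    return call_addr + CALL_LEN + rel


def decode_rel32(hex_le: str) -> int:
    """Turn an operand written as little-endian hex (e.g. '5CBC0000') into
    the signed displacement it encodes."""
    (rel,) = struct.unpack("<i", bytes.fromhex(hex_le))
    return rel


def patch_call(code: bytearray, call_addr: int, new_target: int) -> bytes:
    """Retarget the CALL at call_addr to new_target in place.

    Returns the original 5 bytes so the patch can be reverted. Refuses to
    touch anything that is not an E8 CALL, so a wrong offset fails loudly
    instead of silently corrupting the instruction stream.
    """
    if code[call_addr] != CALL_OPCODE:
        raise ValueError(f"no CALL (E8) at 0x{call_addr:x}: found 0x{code[call_addr]:02x}")
    old = bytes(code[call_addr:call_addr + CALL_LEN])
    code[call_addr + 1:call_addr + CALL_LEN] = struct.pack("<I", call_rel32(call_addr, new_target))
    return old


# Constructed demo image (hypothetical layout, not the challenge binary):
#   0x20: CALL pausegame   (inside the level function)
#   0x40: pausegame  -> RET
#   0x80: winFunc    -> RET
PAUSEGAME = 0x40
WINFUNC = 0x80
LEVEL_CALL = 0x20


def build_image() -> bytearray:
    img = bytearray(b"\x90" * 0x100)            # NOP sled as filler
    img[PAUSEGAME] = 0xC3                        # RET
    img[WINFUNC] = 0xC3                          # RET
    img[LEVEL_CALL] = CALL_OPCODE
    img[LEVEL_CALL + 1:LEVEL_CALL + CALL_LEN] = struct.pack("<I", call_rel32(LEVEL_CALL, PAUSEGAME))
    img[LEVEL_CALL + CALL_LEN] = 0xC3            # RET after the call
    return img


def demo() -> tuple:
    """Swap the pausegame call for a winFunc call and report before/after."""
    img = build_image()
    before = call_target(LEVEL_CALL, bytes(img[LEVEL_CALL + 1:LEVEL_CALL + CALL_LEN]))
    patch_call(img, LEVEL_CALL, WINFUNC)
    after = call_target(LEVEL_CALL, bytes(img[LEVEL_CALL + 1:LEVEL_CALL + CALL_LEN]))
    return before, after, bytes(img[LEVEL_CALL:LEVEL_CALL + CALL_LEN])


if __name__ == "__main__":
    before, after, patched = demo()
    print(f"before: call -> 0x{before:x}, after: call -> 0x{after:x}, bytes: {patched.hex()}")
    print(f"'5CBC0000' encodes rel32 = 0x{decode_rel32('5CBC0000'):x}")
    # backward target: CALL at 0x90 to 0x40 gives a negative displacement
    print(f"0x90 -> 0x40 encodes as {call_rel32(0x90, 0x40):08x}")
```

When you apply this to a real file, use a disassembler (or at least the E8 check above) to confirm you are overwriting the operand of the CALL to pausegame and not some unrelated bytes, and remember that the game will still run pausegame's caller with winFunc's return value and stack effects, which is fine here only because the two take no arguments.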
Then we started our patched binary, loaded the save file and pressed 'P'.