Wednesday, June 29, 2011

Solutions: The Hex Factor v2010 (Level B100)

For the easiest Pwned level we chose the old classic Snake game. The challenge is straightforward: just get into the top 10. (Yes, you can do this the manual way, but it would take you at least 200 blocks :p)

There are two ways to solve this challenge. The first one is the easiest.

Using the program Cheat Engine (www.cheatengine.org), we scan the memory for the location of the Snake score and alter it before submitting.

Step 1: Start Cheat Engine and select the Internet Explorer process.

Step 2: Do an initial scan for memory addresses that contain the value 80 (10 points x 8).

Step 3: Take a second block in order to change the score to 20.

Step 4: Do a new scan on the initial list of addresses for a location that now contains the value 160 (20 points x 8).

Step 5: If there are still multiple memory addresses in the list, repeat steps 3 and 4. As we only have one memory address left, we have found the address containing the score. Set its value to a new high score.

Step 6: Take a new block and abracadabra, you'll notice that the score is set to the value that was set in the previous step.

Here is a short video showing the solution:

Solutions: The Hex Factor v2010 - Level B100 from KVB on Vimeo.


The second solution is to use a local proxy (Burp, WebScarab, Paros, ...) and intercept the HTTP request when submitting the score. Of course, our application is protected with a checksum that checks whether the score has been tampered with. However, after capturing several requests, you should be able to tell that the checksum is calculated as follows:
(score)² + 1337
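
Why this checksum gives no integrity, shown as an added example that is not part of the original post or the challenge's code: the first verifier uses the formula above, the second binds the score to a session with an HMAC. The function names, the session id and the assumption that the score is computed by server-side game logic with a key that never reaches the browser are all hypothetical.

```python
import hashlib
import hmac
import secrets


def weak_checksum(score: int) -> int:
    # Formula from the post: (score)^2 + 1337, derived from the score alone.
    return score ** 2 + 1337


def weak_accept(score: int, checksum: int) -> bool:
    # No secret is involved, so any score paired with its recomputed
    # checksum passes; the check only catches accidental corruption.
    return checksum == weak_checksum(score)


# Hardened variant (assumption): the key lives only on the server and the
# score is produced by server-side game logic, not reported by the client.
SERVER_KEY = secrets.token_bytes(32)


def issue_receipt(session_id: str, score: int) -> str:
    # The tag covers both the session and the score, so a receipt cannot be
    # reused for another score or replayed from another session.
    msg = f"{session_id}|{score}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_receipt(session_id: str, score: int, tag: str) -> bool:
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(issue_receipt(session_id, score), tag)


def compare_verifiers() -> dict:
    # Constructed sample values: a genuine score of 20 and an altered one.
    session, genuine, altered = "sess-constructed-01", 20, 999999
    tag = issue_receipt(session, genuine)
    return {
        "weak_accepts_altered": weak_accept(altered, weak_checksum(altered)),
        "hmac_accepts_genuine": verify_receipt(session, genuine, tag),
        "hmac_accepts_altered": verify_receipt(session, altered, tag),
        "hmac_accepts_other_session": verify_receipt("sess-other", genuine, tag),
    }


if __name__ == "__main__":
    for check, result in compare_verifiers().items():
        print(f"{check}: {result}")
```

The keyed check only holds if the browser never sees the key and never chooses the score; a key shipped inside the client is no stronger than the original formula.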