Pwn Adventure 3: Pwnie Island

Pwn Adventure 3 Playlist


Part 1: Pwn Adventure 3 is a game with CTF challenges - it was created to be hacked. This is the first part of a longer series where we will have a look at all challenges from the game and just have fun hacking it.

Part 2: Before we can start with the hacks we have to setup a private server. I used this project to learn more about Docker myself and share my result so you can set it up easily.

Part 3: We start to get technical by gathering some information. This is a crucial step in order to get a better understanding about the game in order to hack it.

Part 4: We start reverse engineering! Luckily the game comes with not-stripped binaries which means all the class names are included. We can use the debug information to dump class definitions with gdb. This will be incredible useful when we create our first hack next video!

Part 5: Finally our first hack! We use the LD_PRELOAD feature to overwrite functions of the dynamic library libGameLogic.so. This allows us to change a lot of behaviour in the client.

Part 6: We continue with our LD_PRELOAD method and implement flying. We also discover our first secret where we get our first flag!

Part 7: We use chat messages to implement teleport commands and try to get access to more chests. But it's not that easy and we have to implement hovering.

Part 8: We are combining what we learned to find the hidden Golden Eggs. But the last egg has a little twist to it, so we had to reverse engineer a bit more.

Part 9: To analyse the game traffic, we are developing a simple proof of concept TCP network proxy. Then we can start to reverse engineer the protocol.

Part 10: With our TCP Proxy we can now parse the packets and analyse the protocol.

Part 11: We reverse engineer more network packets and then also add functionality to inject packets. With that we build a remote autoloot for easy farming.

Part 12: Killing the boss Magmarok in the Fire & Ice Dungeon with an integer overflow.

Part 12.2: Binary data can be interpreted in different ways. This is a bonus video along the integer overflow we exploit to provide a bit more context.

Part 13: We start looking into another challenge, Blocky's Revenge. I failed to reverse engineer this in the client, but had some success with the network packets.

Part 14: Totally failed at building a neural network or using other machine learning algorithms and in the end just used bruteforce.

Part 15: We start reversing VerifyKey for the "Pirate's Treasure" challenge. This will take us several videos. In this first part we look at the input validation.

Part 16: We reverse engineer more of the VerifyKey function and find a custom Base32 encoding.

Part 17: This video might be a bit more boring reversing, and I even failed to recognise the implemented algorithm.

Part 18: We are looking at how RSA is implemented in assembler for arbitrary large integers. Specifically modular exponentiation.

Part 19: I implemented the KeyGen in JavaScript based on the algorithms we reversed from the assembler code. The used the dlc unlock code to solve the last challenge - Pirate's Treasure.

Part 20: The End.

Search Tags