Tryhackme
Advent of Cyber 2024 — Day 19: Game Hacking - Breaking Game Mechanics with Frida
Today’s challenge revolved around hacking a game with Frida, a dynamic instrumentation toolkit for intercepting and modifying function calls inside a running process. By hooking the game’s library functions, we bypassed game logic and changed function behaviour to reach outcomes that would otherwise be tedious or impossible.
Learning Objectives
1. Understanding Executables and Libraries:
- Applications often rely on shared libraries (e.g., .so files on Linux) for modular functionality. These libraries expose functions that the main executable calls.
- Intercepting and modifying those function calls lets an attacker alter the application’s behaviour without touching the binary on disk.
2. Using Frida for Game Hacking:
- Frida injects a JavaScript runtime into the target process; the script attaches hooks that can change a function’s input, output, or both.
- Key functionalities:
- onEnter: runs before the hooked function executes and exposes its arguments (args[0], args[1], ...), which can be read or overwritten.
- onLeave: runs after the function returns and exposes the return value (retval), which can be replaced.
3. Practical Application with Frida:
- Trace and hook library functions to manipulate game logic.
- Understand how arguments and return values are passed (in Frida, args is zero-indexed and every value is a NativePointer) and modify them effectively.
Steps Taken
1. Unlocking the Door (OTP Flag)
Objective: Identify and use the correct OTP to unlock the door.
Process:
- Intercepted the _Z7set_otpi function, which is responsible for setting the OTP. The name is a C++ mangled symbol; c++filt decodes it to set_otp(int), confirming that the function takes a single integer.
- Logged the first parameter (args[0], the OTP value) passed to the function.
- Used the logged OTP to access the next game level.
- Result: Successfully unlocked the door using the OTP.
- Flag: THM{one_tough_password}
2. Purchasing the Billionaire Item
Objective: Bypass the coin requirement to purchase the “Right of Pass.”
Process:
- Intercepted the _Z17validate_purchaseiii function (validate_purchase(int, int, int) once demangled), which handles item purchases.
- Logged its three parameters:
- Parameter 1 (args[0]): Item ID
- Parameter 2 (args[1]): Price
- Parameter 3 (args[2]): Player’s current coins
- Set the price parameter to 0 with args[1] = ptr(0) in onEnter, so the purchase logic sees a price of zero.
- Successfully purchased the item without spending coins.
- Result: Acquired the item effortlessly.
- Flag: THM{credit_card_undeclined}
3. Bypassing Biometric Authentication
Objective: Trick the game into accepting biometric authentication.
Process:
- Intercepted the _Z16check_biometricsPKc function (check_biometrics(const char*) once demangled), which takes a string as input.
- Logged the function’s input (the biometric key) and found it was not useful on its own.
- Examined the function’s return value in onLeave and found it was 0 (false).
- Replaced the return value with 1 (true) using retval.replace(ptr(1)).
- Result: Passed the biometric check and advanced to the final stage.
- Flag: THM{dont_smash_your_keyboard}
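The three hooks from the steps above, together with the onEnter/onLeave mechanism described under Learning Objectives, as one Frida script. This is an added example written for this page, not the challenge’s own solution script; it assumes the three mangled symbol names quoted in the write-up are exported by a module the game has loaded. The Frida globals (Interceptor, Module, ptr) exist only inside an instrumented process, so the block also carries a small stand-in pointer class (an assumption for offline use, not part of Frida’s API) that lets the handler logic run in plain Node with constructed values; under Frida the real globals are used.

```javascript
// Added example: Frida hooks for the three checks in the Day 19 game.
// Assumption (from the write-up): the game library exports these C++ mangled symbols:
//   _Z7set_otpi              -> set_otp(int)
//   _Z17validate_purchaseiii -> validate_purchase(int, int, int)
//   _Z16check_biometricsPKc  -> check_biometrics(const char *)
// Inside a process instrumented by Frida, Interceptor, Module and ptr are globals.
// Outside Frida (plain Node) they do not exist, so the stand-in pointer class below
// lets the handlers be exercised offline; it is NOT part of Frida's API.

const IN_FRIDA = typeof Interceptor !== 'undefined';

// Stand-in for Frida's NativePointer / InvocationReturnValue, offline only.
class FakePtr {
  constructor(v) { this.v = v; }
  toInt32() { return typeof this.v === 'number' ? this.v | 0 : 0; }
  readUtf8String() { return String(this.v); }
  replace(p) { this.v = p.toInt32(); }   // same effect as retval.replace(ptr(x))
}
// ptr(x) in Frida wraps x in a NativePointer; offline we wrap it in FakePtr.
const makePtr = IN_FRIDA ? ptr : (v) => new FakePtr(v);

// Everything the hooks observe, so the operator (or a harness) can inspect it.
const captured = { otp: null, purchases: [], biometrics: [] };

const hooks = {
  // set_otp(int otp): only log the value; the player types it in afterwards.
  '_Z7set_otpi': {
    onEnter(args) {
      captured.otp = args[0].toInt32();
      console.log('[set_otp] OTP = ' + captured.otp);
    },
  },

  // validate_purchase(int item_id, int price, int coins): zero the price.
  // args is zero-indexed, so the write-up's "parameter 2" is args[1].
  '_Z17validate_purchaseiii': {
    onEnter(args) {
      const seen = { item: args[0].toInt32(), price: args[1].toInt32(), coins: args[2].toInt32() };
      captured.purchases.push(seen);
      args[1] = makePtr(0);
      console.log(`[validate_purchase] item=${seen.item} price ${seen.price} -> 0 (coins=${seen.coins})`);
    },
  },

  // check_biometrics(const char *key): keep the key for the log, force a true result.
  // Frida gives onEnter/onLeave of one call a shared `this`, used here to carry the key.
  '_Z16check_biometricsPKc': {
    onEnter(args) {
      this.key = args[0].readUtf8String();
    },
    onLeave(retval) {
      const original = retval.toInt32();
      captured.biometrics.push({ key: this.key, original });
      retval.replace(makePtr(1));
      console.log(`[check_biometrics] key=${this.key} rc ${original} -> 1`);
    },
  },
};

if (IN_FRIDA) {
  for (const [symbol, handler] of Object.entries(hooks)) {
    // null = search every loaded module. Frida 17 renamed this form to
    // Module.getGlobalExportByName(symbol); adjust for your version.
    Interceptor.attach(Module.getExportByName(null, symbol), handler);
  }
}

// Offline run with constructed values (no game process involved).
function runOffline() {
  hooks['_Z7set_otpi'].onEnter([makePtr(4242)]);

  const purchaseArgs = [makePtr(7), makePtr(1000000), makePtr(12)];
  hooks['_Z17validate_purchaseiii'].onEnter(purchaseArgs);

  const call = {};                              // stands in for Frida's per-call `this`
  const bio = hooks['_Z16check_biometricsPKc'];
  bio.onEnter.call(call, [makePtr('constructed-key')]);
  const retval = makePtr(0);                    // the game said "false"
  bio.onLeave.call(call, retval);

  return {
    otp: captured.otp,
    priceSeenByGame: purchaseArgs[1].toInt32(),
    biometricResult: retval.toInt32(),
    biometricOriginal: captured.biometrics[captured.biometrics.length - 1].original,
  };
}

if (!IN_FRIDA) {
  console.log(runOffline());
}
```

Against the real target the script is loaded with frida -l hooks.js <process name or PID> (the target name is whatever the game process is called on your machine); the offline branch never runs there. The console output and the captured object are what you would read the OTP from in step 1.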
Key Takeaways
- Game Logic Vulnerabilities: Games are susceptible to logic manipulation when critical checks (pricing, authentication) run on the client, especially in a shared library whose exported symbols are easy to locate and hook.
- Frida’s Power: Frida simplifies intercepting, analysing, and modifying function calls at runtime, making it an invaluable tool for reverse engineering and security testing.
- Importance of Secure Design: Validation inside the client cannot stop an attacker who controls the process; checks that matter (purchases, authentication) must be enforced server-side, with client-side anti-tampering treated only as a speed bump.
This task highlighted how games and applications relying on external libraries can be exploited if not securely designed. With Frida, we unlocked doors, acquired expensive items, and bypassed security checks — all by manipulating internal logic. These insights are invaluable for understanding potential vulnerabilities in software and strengthening defenses against such attacks.