WPICTF - Remy's Epic Adventure
14 Apr 2019

description: A tribute to the former God Emperor of CSC and Mankind, Ultimate Protector of the CS Department, and Executor of Lord Craig Shue’s Divine will.
category: Miscellaneous - 150
You want some gameplay?
Yeah I know I’m pretty good but not enough to win the game tho.
As you can see, it looks like the boss has infinite health (that’s not true, it’s a huge number…).
Okay, let’s launch Cheat Engine.exe
What are we looking for? Anything displayed on the screen that can make me win:
- `HP`? I can put it to 200 and never lose life, but that won't make me kill the boss faster.
- `Death`? Hum, I can identify the `die` function, so I won't die, or maybe I can force the boss to die?
- `level`? Why not try to find the level in memory and change it to the level after the boss (boss should be level 6 if the level on the image is truly 1).
Modifying the `level` seems interesting. This is how I find the correct value:
So the `level` is stored at 0x6ff82c.
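The exact-value "first scan / next scan" narrowing that a memory scanner performs to arrive at such an address can be sketched as follows. This is an added example, not part of the original write-up: it runs on constructed byte buffers rather than a live process, and the base address, decoy values and function names are assumptions made for illustration.

```python
import struct

BASE = 0x6FF000  # constructed base address of the sample memory region


def first_scan(snapshot: bytes, value: int, base: int = BASE) -> set[int]:
    """Return every 4-byte-aligned address holding `value` (little-endian int32)."""
    needle = struct.pack("<i", value)
    return {
        base + off
        for off in range(0, len(snapshot) - 3, 4)
        if snapshot[off:off + 4] == needle
    }


def next_scan(candidates: set[int], snapshot: bytes, value: int,
              base: int = BASE) -> set[int]:
    """Keep only the candidates that hold `value` in the newer snapshot."""
    needle = struct.pack("<i", value)
    return {a for a in candidates if snapshot[a - base:a - base + 4] == needle}


def make_snapshot(level: int, decoys: dict[int, int]) -> bytes:
    """Build a constructed 4 KiB region: level at offset 0x82C plus decoy ints."""
    mem = bytearray(0x1000)
    struct.pack_into("<i", mem, 0x82C, level)
    for off, val in decoys.items():
        struct.pack_into("<i", mem, off, val)
    return bytes(mem)


def find_level_address() -> set[int]:
    # Constructed snapshots taken while the displayed level is 1, then 2, then 3.
    # Decoys match the displayed value in some snapshots but never in all three.
    snap1 = make_snapshot(1, {0x010: 1, 0x204: 1, 0x900: 1})
    snap2 = make_snapshot(2, {0x010: 1, 0x204: 2, 0x900: 2})
    snap3 = make_snapshot(3, {0x010: 1, 0x204: 2, 0x900: 2, 0xA00: 3})
    hits = first_scan(snap1, 1)        # many addresses contain 1
    hits = next_scan(hits, snap2, 2)   # drop those that did not follow the level
    hits = next_scan(hits, snap3, 3)   # only the real level field survives
    return hits


if __name__ == "__main__":
    print([hex(a) for a in sorted(find_level_address())])
```

Each rescan only looks at the surviving candidates, which is why a handful of level changes is enough to isolate a single address.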
Let’s see what is accessing this value: right click -> Find out what accesses the address
then finish the level to see what code is writing the next level:
The instruction is at 0xb50201.
cmon do it IDA (in debug mode of course):
```asm
.text:00B501E5 loc_B501E5:
.text:00B501E5                 call    sub_B717B0
.text:00B501EA                 mov     edx, dword_C13BE4
.text:00B501F0                 movzx   ecx, di
.text:00B501F3                 shl     ecx, 10h
.text:00B501F6                 movzx   eax, si
.text:00B501F9                 or      ecx, eax
.text:00B501FB                 mov     eax, [edx+1F0h]
.text:00B50201                 mov     [ebp-4], eax
.text:00B50204                 mov     eax, [edx+0D8h]
.text:00B5020A                 mov     [ebp-8], ecx
.text:00B5020D                 test    eax, eax
.text:00B5020F                 jz      short loc_B5024E
```
The level is stored in `[edx+1F0h]`. All we have to do is set this value to 7 (one more gif =) ):
Well, that was fast! I recorded it with VLC, so I can go frame by frame:
The flag is WPI{j0in_th3_illumin@ti_w1th_m3}
PS1: I’m good @ gaming right ? You can find me on Twitch here =)
PS2: Best WPI challenge in my opinion, well done to the author ;)