Cracker Cavern Reborn 2
Hacking Ⅱ: Going places
Fine. Client-side hacking is easy, but that was obviously just warming up. Next, it’s time to get your hands a little dirty: we must load the map with ID 0x1337. The server now won’t let us load further floors until we do.
Out of all the ways to go about this, I initially went with the most complicated one: since I know the map has to be loaded at some point, put a write breakpoint on the map data, and trace back to the save file code.
I’ll be short: this didn’t really turn up anything. I was hoping that it might give a head start into disassembling the save file and that might prove useful for later challenges, but progress was kind of slow.
No, instead, Kirby703 noted that the map IDs were unchanged[1] from the 2018 edition.
Armed with this knowledge and the wiki, it’s actually possible to use a cheat search to find the “current map ID” variable’s address:
…then, we can set a write breakpoint on it when changing maps…
…and override the destination map ID with 0x1337:
Success![2] Resetting the game showed that the rock barrier was now open, granting access to the third floor.
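To make the cheat-search step concrete, here is an added Python example (not the post's or the challenge's code) of the narrowing logic: take RAM snapshots while standing on maps whose IDs are already known, keep only the addresses whose 16-bit little-endian value matches at every snapshot, and then patch the surviving address the way the write breakpoint lets you do by hand. The RAM contents, the decoy counter, the map IDs other than 0x1337 and the addresses are all constructed for the example; the real variable's width and location are whatever the cheat search in the post turned up.

```python
import struct

def scan(ram, expected, width=2, stride=1):
    """Addresses in `ram` where `width` little-endian bytes equal `expected`."""
    fmt = "<" + {1: "B", 2: "H", 4: "I"}[width]
    return {a for a in range(0, len(ram) - width + 1, stride)
            if struct.unpack_from(fmt, ram, a)[0] == expected}

def cheat_search(snapshots, width=2, stride=1):
    """Cheat search: intersect the matches of every (ram_bytes, known_value) pair.

    Each extra snapshot taken on a different known map throws out addresses
    that only coincidentally held the right value the first time.
    """
    hits = None
    for ram, value in snapshots:
        found = scan(ram, value, width, stride)
        hits = found if hits is None else hits & found
    return sorted(hits or [])

def read_u16(ram, addr):
    return struct.unpack_from("<H", ram, addr)[0]

def write_u16(ram, addr, value):
    buf = bytearray(ram)
    struct.pack_into("<H", buf, addr, value)
    return bytes(buf)

# Constructed 256-byte "RAM": the map ID lives at MAP_ID_ADDR and a decoy
# counter at COUNTER_ADDR (neither address is the game's real layout).
MAP_ID_ADDR = 0x40
COUNTER_ADDR = 0x80

def make_ram(map_id, counter):
    buf = bytearray(0x100)
    struct.pack_into("<H", buf, MAP_ID_ADDR, map_id)
    struct.pack_into("<H", buf, COUNTER_ADDR, counter)
    return bytes(buf)

# Three snapshots on maps with known IDs (IDs constructed, not the real ones).
# In the first snapshot the decoy counter happens to equal the map ID, so a
# single-snapshot search cannot tell the two addresses apart.
SNAPSHOTS = [
    (make_ram(0x0012, 0x0012), 0x0012),
    (make_ram(0x0007, 0x0013), 0x0007),
    (make_ram(0x0021, 0x0014), 0x0021),
]

def find_map_id_address():
    return cheat_search(SNAPSHOTS)

def override_destination(ram, addr, new_map=0x1337):
    """Replace the value the game is about to use as its transition target,
    which is what you do by hand once the write breakpoint fires."""
    return write_u16(ram, addr, new_map)

if __name__ == "__main__":
    addrs = find_map_id_address()
    print("candidates:", [hex(a) for a in addrs])
    patched = override_destination(SNAPSHOTS[-1][0], addrs[0])
    print("map id now:", hex(read_u16(patched, addrs[0])))
```

With only the first snapshot the search returns both 0x40 and 0x80; the second snapshot is what eliminates the decoy, which is why a cheat search is usually repeated across several known states before trusting a hit.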
[1] Well, most map IDs are unchanged. At least Central Square's was changed, but you can also notice that the map is very different. pfero found an unused map which looks a lot more like the original.
[2] As it turns out, the "Mysterious" map has terrain at the location you'd spawn at if you went through the bottom-right ladder in CCR2. Ah. Oh well, the check still passes.
pfero’s setup
I should mention at this point that pfero was working on a custom client.
TODO: MITM setup.
Anyway, this is entirely irrelevant to what will happen in the third challenge. Totally.