CrackMe Challenge [Part 7] - Realistic Game (C#)

TheDoctor · May 26, 2016, 6:34am

Hey Mates,
in the last days I announced a realistic challenge for you. I worked hard, so here is a real challenge for you. If you stuck at some point you can search in the hints section for some help .

Description of the RE Challenge

This time you have a step-by-step challenge, which can’t be solved that easy. It’s a little Connect Four game with a good protection (But not that good; shouldn’t be too hard ;)) which has to be hacked. Ok, there are different difficultys. I recommend to take the hard way: In a realistic scenario you have the obfuscated client and no chance to touch the server, so try it first that way. Maybe you could have a look at the server if you stuck. Also you can find help in the hints section.

Difficulty 7/10

Requirements

Time
C# knowledge
Fun at Reversing
And if you don’t want to use the hints a knowledge of secure programming could be valuable

Download

This time I packed it into a .rar archieve because it’s way easier.
Obfuscated: https://mega.nz/#!6lIlBQRR!LFgB9DCKz_OUrJFP_qnIHopVrk30erdu7bhMIfKnOkU
Unobfuscated: https://mega.nz/#!CsZ20ahB!RBlTFgppXtaFsasbYe1wjrgqQ551nNOl8xm9Sh7J1Ac

Exercise

This time you have to find a vulnerability which can be used to win the game. Imagine Player 2 plays not on the same computer but via internet and you (player 1) want to win against him. It is not allowed to change the server. You didn’t won just because your client says you had; the server has to print out that you’ve won. Don’t touch any files in the server folder. Ok, I had to forbid much . I hope I didn’t forget anything…
Your exercise is to write a patched client which can be used for winning the game easily.

Hints

What is Heartbeat?

Heartbeat is a protection technique which sends every few seconds a hash of the client file to the server, that it can validate if it’s not patched.

How can I beat heartbeat in this case?

In this game it is not validated if the hash is really from the client. Just copy the unpatched client and rename it to “heartbeat.exe”. Now change the String in the client representing the file which has to be hashed to “heartbeat.exe”. Everything now works fluentless ;).

You got lost in the Code and have no idea where to look at?

Just think of it. Where can you change the server without changing the source? Yes, the input you give to the server. Have a straight look where you send input to your server and try to understand what you are sending. Maybe you then get an idea what could be bad validated…

You can’t find the vulnerability but want to go on hacking it. So where is it?

As I said before it’s a validation mistake of the server. Maybe you even tried to send the server two times in a row a position from player 1 and he said “No, that’s not true!”. That was a good start! But not the player is the vulnerability, it is the position itself. The server doesn’t validate if it’s already taken by a player, so you can put a coin in a place where player 2 already placed one ;).

Any other hints needed?
Just PM me or ask in the comments if you stuck at a particular thing and the hints above would help you too much or didn’t help you.

Conclusion

If you did that challenge without having a look at the server source and you used the obfuscated version you’re really an 1337 h4xx0r . This is a realistic example how a vulnerabilty could be exploited. As always I’m already working on the next part, but what do you want: More tutorials in C# and should they be harder or easier than this one? Or do you want a new language, maybe Java/Android reversing or C/C++?

|-TheDoctor-|

oaktree · May 26, 2016, 1:03pm

C or C++ would be great!

TheDoctor · May 26, 2016, 4:04pm

Ok, I’ll see what I can do. It could take some days to prepare everything because I’m a bit rusty with Binary reversing ;). As always I’ll try to not only publish a challenge but also a little guide how it can be done.

0x00pf · May 26, 2016, 5:10pm

Anything that does not require a Windows Box would be fine!

TheDoctor · May 26, 2016, 5:13pm

Yes, I’ll respect that . Would be interesting to know how much use Win and how much use Linux here on the board…

0x00pf · May 26, 2016, 5:16pm

Thanks … I would suggest to start a topic with a poll: Windows, Linux, Both, ??

TheDoctor · May 26, 2016, 5:19pm

Yep, thought the same but didn’t found the poll function… You know how it works?

0x00pf · May 26, 2016, 5:25pm

I think is

[poll]
- Windows
- Linux
- Both
[/poll]

JaCube · May 27, 2016, 8:49pm

I’m finished with this. I’m not sure that correctly understand how works heartbeat, so maybe my hack is not according to challenge rules Please, let me know if there is any mistake in workflow with server.
My steps to create solution:

[spoiler]How I say, I’m not sure that I’m correctly use the server and heartbeat. So I just run server and run client. Without touching heartbeat. If it’s not correct please let me know how it should be launched.

0.Preparing:
0.0) Google for game rules.
0.1) Run server and client to see how it works.
0.2) Use first hint to know what it is “heartbeat” (I don’t knew before what is it).
0.3) Deobfuscate and run it in linux (just because I don’t like Win ).
0.4) Move to Win because in linux client crashed
0.5) Learn deobfuscated code.
0.6) Just comment line with running thread heartbeat and test it. No kicking - is good.

Now my idea is to be able to place my markers in each cell of the board, even if cell already has “Player 2” marker.

1.Write code in ‘game’ class, to be able input my “hack” string.
Hack string has format: “hy:x”. Where h is just flag to enable cheat/hack; y, x it is row and column in the board.
2.Write code for sending to the server selected position, when “hack” string detected.

So now I can write in each cell of the board and even rewrite “Player 2” positions. Also I’m able to playing without hacking, just writing number (without ‘h’ flag), like in original client.[/spoiler]

P.S. I have many troubles with Windows, so I would be glad to solve next challenges without additional VM :). It’s can be C/C++ or Java or whatever running in linux without any issues

TheDoctor · May 29, 2016, 2:54pm

Sry for my late response; had some issues… The solution to send an already chosen position was exactly the one I wanted. Great work! In the hearbeat thing you’re right, it wasn’t allowed to change the server ;). [quote]It is not allowed to change the server. You didn’t won just because your
client says you had; the server has to print out that you’ve won. Don’t
touch any files in the server folder.
~TheDoctor[/quote]
Maybe you want to try beating the hearbeat system without changing the server? Anyway, I think you will be a very good reverser .

JaCube · May 29, 2016, 4:11pm

I think we didn’t understand each other, because I’m not touch any files in server directory. I just disabled (add comment) line in the client where new thread with heartbeat function starts. After that, server never kicks me. So, it was easy solution and I’m not believed that it’s will be work. This is reason for what I’m asked you about how to correctly start the server

TheDoctor · May 30, 2016, 1:36pm

And it worked? Mmh… tested it and it should kill the connection when the client doesn’t send a heartbeat . I made some minor changes after that test, so I think I broke it then ;). I’ll take a look at it .