ctfwriteup
  • ✅/home/ret2basic.eth
  • Web3 CTF
    • 👑Damn Vulnerable DeFi V4
      • ✅Unstoppable
      • ✅Naive Receiver
      • ✅Truster
      • ✅Side Entrance
      • ✅The Rewarder
      • ✅Selfie
      • ✅Compromised
      • ✅Puppet
      • ✅Puppet V2
      • ✅Free Rider
      • Backdoor
      • Climber
      • Wallet Mining (Todo)
      • Puppet V3 (Todo)
      • ABI Smuggling (Todo)
    • 👑Milotruck Challs
      • ✅1. Greyhats Dollar
      • ✅2. Escrow
      • ✅3. Simple AMM Vault
      • 4. Voting Vault
      • ✅5. Meta Staking
      • ✅6. Gnosis Unsafe
      • ✅7. Rational
      • 8. Launchpad
    • Secureum AMAZEX DSS Paris
      • ✅Operation magic redemption
      • Mission Modern WETH: Rescue the Ether
      • LendEx pool hack
      • Operation Rescue POSI Token!
      • Balloon Vault
      • Safe Yield?
      • ✅Crystal DAO
      • ✅Liquidatoooor
    • ✅Ethernaut
      • ✅Hello Ethernaut
      • ✅Fallback
      • ✅Fallout
      • ✅Coin Flip
      • ✅Telephone
      • ✅Token
      • ✅Delegation
      • ✅Force
      • ✅Vault
      • ✅King
      • ✅Re-entrancy
      • ✅Elevator
      • ✅Privacy
      • ✅Gatekeeper One
      • ✅Gatekeeper Two
      • ✅Naught Coin
      • ✅Preservation
      • ✅Recovery
      • ✅MagicNumber
      • ✅Alien Codex
      • ✅Denial
      • ✅Shop
      • ✅DEX
      • ✅DEX Two
      • ✅Puzzle Wallet
      • Motorbike
      • DoubleEntryPoint
      • ✅Good Samaritan
      • Gatekeeper Three
      • Switch
    • ✅Flashbots MEV-Share CTF
    • ✅Capture the Ether
      • ✅Lotteries
      • ✅Math
      • ✅Miscellaneous
    • ✅EVM Puzzles
      • ✅Puzzle 1
      • ✅Puzzle 2
      • ✅Puzzle 3
      • ✅Puzzle 4
      • ✅Puzzle 5
      • ✅Puzzle 6
      • ✅Puzzle 7
      • ✅Puzzle 8
      • ✅Puzzle 9
      • ✅Puzzle 10
    • ✅More EVM Puzzles
      • ✅Puzzle 1
      • ✅Puzzle 2
      • ✅Puzzle 3
      • ✅Puzzle 4
      • ✅Puzzle 5
      • ✅Puzzle 6
      • ✅Puzzle 7
      • ✅Puzzle 8
      • ✅Puzzle 9
      • ✅Puzzle 10
    • ✅QuillCTF
      • ✅MetaToken
      • ✅Temporary Variable
      • KeyCraft
      • ✅Lottery
      • ✅Private Club
      • Voting Machine
      • ✅Predictable NFT
      • ✅Invest Pool
      • PseudoRandom
      • ✅Gold NFT
      • Slot Puzzle
      • Moloch's Vault
      • ✅Donate
      • ✅WETH-11
      • Panda Token
      • Gate
      • ✅WETH10
      • ✅Pelusa
      • ✅True XOR
      • ✅Collatz Puzzle
      • ✅D31eg4t3
      • ✅Safe NFT
      • ✅VIP Bank
      • ✅Confidential Hash
      • ✅Road Closed
    • ✅unhacked
      • ✅reaper
  • Paradigm CTF 2023 (Todo)
    • Oven
    • Dragon Tyrant
  • Remedy CTF 2025 (Todo)
    • Diamond Heist
    • R vs Q
    • Rich Man's Bet
    • Casino Avengers
    • Frozen Voting
    • Lockdown
    • Proof of Thought
    • Maybe it's unnecessary?
    • Et tu, Permit2?
    • Not a very LUCKY TOKEN
    • risc4
    • HealthCheck as a Service
    • Restricted Proxy
    • Unstable Pool
    • Opaze Whisperer
    • "memorable" onlyOwner
    • World of Memecraft
    • Copy/Paste/Deploy
    • Peer-to-peer-to-me
    • Joe's Lending Mirage
    • Tokemak
    • OFAC Executive Order 13337
  • Game Hacking
    • 👑Pwn Adventure 3: Pwnie Island
      • ✅Prep: Speed Hack
      • ✅Prep: Infinite Health and Mana (Offline)
      • ✅Prep: Analyze Network Packets with Wireshark
      • Prep: Build a Proxy in Python
      • ✅Until the Cows Come Home
      • Unbearable Revenge
      • Pirate's Treasure
    • Cheat Engine Tutorial
      • ✅Step 1: Setup
      • ✅Step 2: Scan for "Exact Value"
      • ✅Step 3: Scan for "Unknown initial value"
      • ✅Step 4: Scan for float and double
      • ✅Step 5: Replace instruction
      • Step 6: Pointer scanning
      • Step 7: Code injection
      • Step 8: Multilevel pointers
      • Step 9: Shared code
  • RareSkills Puzzles
    • Solidity Exercises
    • Solidity Riddles
    • Yul Puzzles
      • ✅01 - ReturnBool
      • ✅02 - SimpleRevert
      • ✅03 - Return42
      • ✅04 - RevertWithError
      • ✅05 - RevertWithSelectorPlusArgs
      • 06 - RevertWithPanic
    • Huff Puzzles
    • Uniswap V2 Puzzles
    • Zero Knowledge Puzzles
  • Web2 CTF
    • Grey Cat CTF 2024 (web challs)
    • pwn.college
      • Introduction
        • What is Computer Systems Security?
      • Program Interaction
        • Linux Command Line
        • 🚩embryoio
      • Program Misuse
        • Privilege Escalation
        • Mitigations
        • 🚩babysuid
      • Assembly Refresher
        • x86 Assembly
        • 🚩embryoasm
      • Shellcoding
        • Introduction
        • Common Challenges
        • Data Execution Prevention
        • 🚩babyshell
      • Sandboxing
        • chroot
        • seccomp
        • Escaping seccomp
        • 🚩babyjail
      • Debugging Refresher
        • x86 Assembly
        • 🚩embryogdb
      • Binary Reverse Engineering
        • Functions and Frames
        • Data Access
        • Static Tools
        • Dynamic Tools
        • Real-world Applications
        • 🚩babyrev
      • Memory Errors
        • High-Level Problems
        • Smashing the Stack
        • Causes of Corruption
        • Canary
        • ASLR
        • Causes of Disclosure
        • 🚩babymem
      • Exploitation
        • Introduction
        • Hijacking to Shellcode
        • Side Effects
        • JIT Spray
        • 🚩toddler1
      • Return Oriented Programming
        • Binary Lego
        • Techniques
        • Complications
        • 🚩babyrop
      • Dynamic Allocator Misuse
        • What is the Heap?
        • Dangers of the Heap
        • tcache
        • Chunks and Metadata
        • Metadata Corruption
        • 🚩babyheap
      • Race Conditions
        • Introduction
        • Races in the Filesystem
        • 🚩babyrace
      • Kernel Security
        • Environment Setup
        • Kernel Modules
        • Privilege Escalation
        • 🚩babykernel
      • Advanced Exploitation
        • toddler2
    • pwnable.kr
      • fd
      • collision
      • bof
      • flag
      • passcode
      • random
      • input
      • leg
      • mistake
      • shellshock
      • coin1
      • blackjack
      • lotto
      • cmd1
      • cmd2
      • uaf
      • memcpy
      • asm
      • unlink
      • blukat
      • horcruxes
    • ROP Emporium
      • ret2win
      • split
      • callme
      • write4
      • pivot
    • ✅Jarvis OJ Pwn Xman Series
    • ✅Jarvis OJ Crypto RSA Series
    • ✅picoMini by redpwn
      • Binary Exploitation
      • Reverse Engineering
      • Cryptography
      • Web Exploitation
      • Forensics
    • ✅picoCTF 2021
      • Reverse Engineering
      • Web Exploitation
      • Forensics
    • ✅picoCTF 2020 Mini-Competition
  • Red Teaming
    • vulnlab
      • Active Directory Chains
        • ✅Trusted (Easy)
        • Hybrid (Easy)
        • Lustrous (Medium)
        • Reflection (Medium)
        • Intercept (Hard)
      • Red Team Labs
        • Wutai (Medium)
        • Shinra (Hard)
    • Hack The Box
      • AD
        • Intelligence
        • Pivotapi
        • Sharp
        • Monteverde
        • Resolute
        • Endgame: P.O.O.
        • Forest
        • Sauna
        • Active
        • Blackfield
      • ✅Linux
        • ✅Safe (Easy)
        • ✅Delivery (Easy)
        • ✅TheNotebook (Medium)
        • ✅Brainfuck (Insane)
    • TCM Windows Privilege Escalation Course
      • ✅Hack The Box - Chatterbox (Medium)
      • Hack The Box - SecNotes (Medium)
    • ✅TCM Linux Privilege Escalation Course
      • ✅TryHackMe - Simple CTF (Easy)
      • ✅TryHackMe - Vulnversity (Easy)
      • ✅TryHackMe - CMesS (Medium)
      • ✅TryHackMe - UltraTech (Medium)
      • ✅TryHackMe - LazyAdmin (Easy)
      • ✅TryHackMe - Anonymous (Medium)
      • ✅TryHackMe - tomghost (Easy)
      • ✅TryHackMe - ConvertMyVideo (Medium)
      • ✅TryHackMe - Brainpan 1 (Hard)
Powered by GitBook
On this page
  • Motivation
  • Infinite Mana Hack
  • Infinite Health Hack (failed attempt)
  • Infinite Health Hack (success)
  • Appendix: Cheat Engine edition
  1. Game Hacking
  2. Pwn Adventure 3: Pwnie Island

Prep: Infinite Health and Mana (Offline)

PreviousPrep: Speed HackNextPrep: Analyze Network Packets with Wireshark

Last updated 4 months ago

Motivation

After the speed hack we do a quick infinite health and mana hack. Beware that this hack only works locally because we will only modify GameLogic.dll instead of tampering the messages between client and server. The game server performs checks on the value of health and mana, therefore this simple hack only works in offline mode.

Infinite Mana Hack

Search "Mana" in symbols and we find a function named Player::UseMana(int):

WTF is this->m_inventory._Myhead??? Rename the vars a bit:

char __thiscall Player::UseMana(Player *this, int manaUsed)
{
  World *gameWorld; // ecx
  std::_Tree_node<std::pair<IItem * const,ItemAndCount>,void *> *oldMana; // eax
  std::_Tree_node<std::pair<IItem * const,ItemAndCount>,void *> *newMana; // eax

  gameWorld = GameWorld;
  if ( GameWorld )
  {
    if ( !GameWorld->IsAuthority(GameWorld) )
      return 0;
    gameWorld = GameWorld;
  }
  oldMana = this->m_inventory.mana;
  if ( (int)oldMana < manaUsed )
    return 0;
  newMana = (std::_Tree_node<std::pair<IItem * const,ItemAndCount>,void *> *)((char *)oldMana - manaUsed);
  this->m_inventory.mana = newMana;
  gameWorld->SendManaUpdateEvent(gameWorld, (Player *)((char *)this - 112), (int)newMana);
  return 1;
}

The mana deduction happens at:

newMana = (std::_Tree_node<std::pair<IItem * const,ItemAndCount>,void *> *)((char *)oldMana - manaUsed);

We can "NOP" out the mana subtraction:

Save the patch and go back to the game. Click "Offline Play" and test if mana is infinite now. It should work.

Infinite Health Hack (failed attempt)

Similarly, we can search for "Damage" in symbols and find this Player::Damage() function:

Pseudocode:

void __thiscall Player::Damage(Player *this, Player *instigator, IItem *item, int dmg, DamageType type)
{
  int v6; // eax
  int m_health; // esi
  World *v8; // ecx
  int dmga; // [esp+14h] [ebp+10h]

  if ( (!GameWorld || GameWorld->IsAuthority(GameWorld)) && !this->m_changingServerRegion )
  {
    if ( instigator == this )
    {
      v6 = (int)(float)((float)dmg * 0.25);
    }
    else
    {
      if ( instigator
        && instigator->IsPlayer(instigator)
        && (!this->m_pvpEnabled || !instigator->IsPvPEnabled(instigator)) )
      {
        return;
      }
      v6 = dmg;
    }
    m_health = this->m_health;
    dmga = v6;
    Actor::Damage(this, instigator, item, v6, type);
    if ( this->m_health < m_health )
      this->m_healthRegenCooldown = 20.0;
    if ( item )
    {
      if ( dmga > 0 )
      {
        v8 = GameWorld;
        this->m_lastHitByItem = item;
        this->m_lastHitItemTimeLeft = 5.0;
        v8->SendLastHitByItemEvent(v8, this, item);
      }
    }
  }
}

If we set v6 to 0 we should be free from damage. So here we can patch the binary to mov eax, 0:

Press space key and hover your mouse on this line. Go to "Edit -> Patch program -> Assemble":

Well, the game crashes. We will try patching something else.

Infinite Health Hack (success)

Note that there is a "respawn" functionality in the game. Search "Respawn" in symbols and we can find a function named Player::PerformRespawn():

Pseudocode:

void __thiscall Player::PerformRespawn(Player *this)
{
  IUE4Actor *m_target; // ecx
  LocationAndRotation choice; // [esp+Ch] [ebp-18h] BYREF

  if ( this->GetHealth(this) <= 0 )
  {
    this->m_health = 100;
    this->m_mana = 100;
    Player::GetSpawnLocation(this, &choice);
    GameWorld->SendRespawnEvent(GameWorld, this, (const Vector3 *)&choice, &choice.rotation);
    m_target = this->m_target;
    if ( m_target )
      m_target->LocalRespawn(m_target, &choice.location, &choice.rotation);
  }
}

Basically this code says the character can be respawned with 100 health and 100 mana. If we set this->m_health to something like max Int32 (0x7fffffff), we could gain an insane amount of health when we respawn. This is the relevant assembly:

Patch 0x00000064 to 0x7fffffff:

Appendix: Cheat Engine edition

Go back to the game. Find a rat and get killed, respawn, now we have max Int32 amount of health

👑
✅
😎