Zelda Adventures (Nullcon CTF 2020)

0tkaz
Feb 16, 2020


This year Nullcon CTF had some amazing challenges, and one of them was Zelda Adventures. To complete the whole challenge you had to get four flags. Three flags were hidden in the first game; the last one was hidden in another game (Zelda Space Adventure).

When it comes to game hacking, my first thought is always Cheat Engine. So I downloaded Cheat Engine and attached it to the Zelda game process.

The first flag was simple. There are five NPC characters, called “zombies” inside the game, and each of them had 100 000 health points. You have to kill one of the zombies to get the flag. Those 5 characters constantly chase you and block you from moving around the map, because when you collide with them they push you back (in the opposite direction). They couldn’t kill you, but they were really annoying. If you decided to slash them with your sword, you would be playing the game for a long time.

The best way to kill one of them is to find the address of its HP in memory and change the value to zero. Every NPC has its HP displayed in the top left corner:

I decided to kill the second one, so I chose the float value type, entered 999927 and clicked “First Scan”. As you can see, Cheat Engine successfully found the address.

The only thing left to do was to click the red arrow and add the address to the “Address List” so I could modify the value and change it to 0. Right after I did that, the zombie died and I got my first flag.
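The scan-and-patch procedure above, reproduced as an added Python example (this is not code from the write-up or from Cheat Engine): a constructed byte buffer stands in for the game's memory, the exact-value scan walks 4-byte aligned cells looking for a float32, a next-scan pass narrows the candidate list after an in-game value changes, and the patch writes 0 into the located cell. The buffer layout and the HP values other than the scanned 999927 are constructed sample data.

```python
import struct


def build_snapshot(hp_values):
    """Constructed stand-in for a region of process memory: each HP value is a
    little-endian float32 cell followed by unrelated bytes, with padding in front.
    This is sample data, not a dump of the real game."""
    mem = bytearray(16)                      # leading padding
    for hp in hp_values:
        mem += struct.pack("<f", hp)         # the HP cell itself
        mem += b"\xAA" * 12                  # unrelated neighbouring data
    return mem


def first_scan(mem, value, alignment=4):
    """Exact-value scan over aligned 4-byte cells, like 'First Scan' on a float."""
    hits = []
    for off in range(0, len(mem) - 3, alignment):
        (f,) = struct.unpack_from("<f", mem, off)
        if f == value:
            hits.append(off)
    return hits


def next_scan(mem, candidates, value):
    """Keep only the candidate addresses that still hold the expected value.
    This is the 'Next Scan' step used to narrow a result list after the
    value in the game has changed (for example after taking one hit)."""
    return [off for off in candidates
            if struct.unpack_from("<f", mem, off)[0] == value]


def read_float(mem, off):
    return struct.unpack_from("<f", mem, off)[0]


def write_float(mem, off, value):
    """Overwrite one cell, as editing the value in the Address List does."""
    struct.pack_into("<f", mem, off, value)


def kill_zombie(mem, current_hp):
    """Locate the single cell holding current_hp and set it to 0.
    Returns the patched offset, or None when the scan is empty or ambiguous
    (several cells share the value, so a next scan is needed first)."""
    hits = first_scan(mem, current_hp)
    if len(hits) != 1:
        return None
    write_float(mem, hits[0], 0.0)
    return hits[0]


if __name__ == "__main__":
    # Second zombie at 999927 HP (the value scanned for in the write-up); the
    # other four at a constructed 999999 so the exact scan has one unique hit.
    snapshot = build_snapshot([999999.0, 999927.0, 999999.0, 999999.0, 999999.0])
    print(first_scan(snapshot, 999999.0))    # four cells share this value
    print(kill_zombie(snapshot, 999927.0))   # exactly one cell matches, patched
```

Both values are exactly representable as float32 (they are below 2^24), which is why an exact comparison works; for values with a fractional part a tolerance-based comparison would be needed instead.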

For the second and third flags, you had to somehow disable collision or find a way to break through it. My idea was to use the “Speedhack” that comes with Cheat Engine.

The second flag was in the middle of a pond, and by default your character cannot walk on water. Set the speed to 5 and you are good to go:

After I collected the flag (an object in the game), it transported me to the part of the map where the real flag was written on the ground:

For the third flag, you had to break out of the map and find it somewhere outside. After running around with the speed hack on and exploring the outer parts of the map, I finally found it in the top right corner of the map (written on the ground):

The fourth flag was hidden in a separate game named “Zelda Space Adventure”. You didn’t even have to play the game to get the flag. Because it was made with the Unity game engine, I used a tool called “dnSpy” to reverse engineer it and read the code. The task was to find 6 keys around the map and somehow combine them to get the flag. After I had opened the game in dnSpy, I found a class “RoomMove” with all 6 keys: pepper, salt, chilly, pickles, oregano and masala.

By looking around in dnSpy I found a class that was very important: PlayerAttrs. That class contained a strange embedded string and also a function named “Decrypt”. My first thought was that I had found the flag and just needed a key to decrypt it.

The text argument is the combination of the 6 keys in one word, used to decrypt the flag

Those 6 keys that I had found earlier had to be combined somehow into one word and used as the second argument of the Decrypt function, where the first argument was the encrypted string. I wrote a separate C# program that brute forced all possible orderings of the 6 keys (6! = 720 combinations) and ran each of them through the Decrypt function against the string. I found the flag quickly: hackim20{z31da_s01ved_the_sp4ce_puzzl3}.
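The permutation search described above, as an added Python example that is not the author's C# program: the six key words and the flag come from the write-up, while the flag-format check and the keystream cipher standing in for PlayerAttrs.Decrypt are assumptions, since the game's real Decrypt routine and the key order that worked are not shown on the page.

```python
import hashlib
import itertools
import re

# The six key words recovered from the RoomMove class in the write-up.
KEYS = ["pepper", "salt", "chilly", "pickles", "oregano", "masala"]

# CTF flag format (hackim20{...}); restricting the body to word characters is
# an assumption that keeps near-miss decryptions from passing as a flag.
FLAG_RE = re.compile(r"^hackim20\{[A-Za-z0-9_]+\}$")


def keystream(key: str, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def decrypt(ciphertext: bytes, key: str) -> bytes:
    """Stand-in for PlayerAttrs.Decrypt (assumption: the real routine is not
    shown in the write-up). XOR with a key-derived keystream, so a wrong key
    yields pseudo-random bytes instead of a near-miss of the plaintext."""
    ks = keystream(key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def encrypt(plaintext: bytes, key: str) -> bytes:
    return decrypt(plaintext, key)   # XOR stream ciphers are symmetric


def brute_force(ciphertext: bytes, keys=KEYS):
    """Try every ordering of the key words (6! = 720) as the decryption key
    and return (key, flag) for the first output that looks like a flag,
    or None when no ordering produces one."""
    for order in itertools.permutations(keys):
        candidate = "".join(order)
        plain = decrypt(ciphertext, candidate)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue                     # non-ASCII output cannot be the flag
        if FLAG_RE.fullmatch(text):
            return candidate, text
    return None


# Constructed ciphertext: the flag from the write-up encrypted under one
# arbitrary ordering of the keys (the ordering used in the real challenge
# is not given on the page).
SAMPLE_ORDER = "saltpeppermasalachillyoreganopickles"
SAMPLE_CIPHERTEXT = encrypt(b"hackim20{z31da_s01ved_the_sp4ce_puzzl3}", SAMPLE_ORDER)


if __name__ == "__main__":
    print(brute_force(SAMPLE_CIPHERTEXT))
```

The search loop is separated from the cipher on purpose: against the real game, `decrypt` would be replaced by a call into the extracted PlayerAttrs.Decrypt routine and `SAMPLE_CIPHERTEXT` by the embedded string, while the permutation walk and the flag-format filter stay the same.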

Thank you for reading, and see you in the next write up :)


0tkaz

C++ engineer interested in Reverse Engineering, Malware Analysis and Computer Forensics.