Helping Zelda Capture Flags - Nullcon HackIM 2020

Writeup for all the Zelda Challenges in Nullcon’s HackIM 2020

Note: Everyone must have solved this differently; I am describing my method here.

1. Zelda and the Zombies

The binary/game for the first three challenges was the same, so we had to find the first three flags in the same game.

Task: Kill any NPC to get the flag.

Initially the game has 5 zombies attacking you, whose life is shown at the top-left corner. Their life decreases in two cases:

  1. When they come in contact with Zelda
  2. When Zelda fires using the sword

Solution:

Step 1: Open Cheat Engine. As soon as the game starts, scan for an unknown initial value.

Step 2: Now let a zombie come near you, or attack any zombie.

Step 3: Go to a safe place where they can't touch you, scan for a decreased value, and then repeatedly scan for an unchanged value, since they have no contact with you.

Step 4: Go to Step 2 until the number of values you get in Cheat Engine is less than or equal to 5 (since there are 5 zombies).

Step 5: Now you have the life of the zombies. Just edit it to 1100000000, which would make the life of the zombie 18.8.

Now go and kill a zombie, and you get the flag.

Fig 1. Flag 1


2. Zelda at the Swamp

Task: Make Zelda reach the flag in a restricted area, which is a pond. I tried too many things for this challenge but wasn't able to get the flag; one was changing Zelda's Y axis when we get near the pond.

It led me to this:

Fig 2. Failed Attempt

Solution: This was an ingenious solution suggested by my brother after observing the game, since we get thrown away when we come in contact with a zombie.

Go near the pond where it looks like land, and make sure a zombie is following you. Approach the zombie in such a way that you get thrown back toward the entry area of the pond, so the zombie throws you into the pool. You get thrown to the flag location, and thus we get the flag.

Fig 3. Flag 2


3. Zelda crossing the land’s end

Task: Make Zelda cross the land's end, i.e. again make him explore the unrestricted area that the character usually can't explore. Here the X and Y axis values of the player come in handy.

Solution:

Step 1: Open Cheat Engine. As soon as the game starts, scan for an unknown initial value.

Step 2: Move up and scan for an increased value, then move down and scan for a decreased value. Don't move, and repeatedly scan for an unchanged value. Repeat this step until fewer than 40–50 values are left.

Step 3: The number used for the player's position looks something like 1120391929; try changing the 203 part by increasing and decreasing it. If the player's position changes, we have the exact Y axis value. Save it. Similarly, find the X axis value by moving left and right.

Step 4: Go to the castle walls and increase the Y axis value, and you're out of the land. Go to the extreme top and follow a trail, and you reach the final flag.

Fig 4. Flag 3
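The unknown-value / decreased / unchanged scanning used for the zombie health (challenge 1) and the player position (challenge 3) is a set-intersection over memory snapshots. The following is an added example, not code from the original write-up or from Cheat Engine: it runs the same narrowing loop against a constructed, simulated memory map (`ToyProcess`, its addresses and its noise model are all assumptions).

```python
import random

# Relations a "next scan" can test between two snapshots.
RELATIONS = {
    "decreased": lambda old, new: new < old,
    "increased": lambda old, new: new > old,
    "unchanged": lambda old, new: new == old,
}

def next_scan(candidates, before, after, relation):
    """Keep only the addresses whose value moved the way `relation` says."""
    test = RELATIONS[relation]
    return {a for a in candidates if test(before[a], after[a])}

class ToyProcess:
    """Constructed stand-in for the game's memory: address -> integer value."""
    def __init__(self, seed=2020, size=20000, zombies=5):
        self.rng = random.Random(seed)
        self.mem = {0x1000 + 4 * i: self.rng.randrange(1000) for i in range(size)}
        self.health = set(self.rng.sample(sorted(self.mem), zombies))
        for addr in self.health:
            self.mem[addr] = 100

    def tick(self, zombies_hit):
        """Advance one step and return a snapshot of all memory."""
        for addr in self.mem:
            if addr in self.health:
                if zombies_hit:  # simplification: every zombie takes damage
                    self.mem[addr] -= self.rng.randint(1, 3)
            else:  # unrelated values drift at random
                self.mem[addr] += self.rng.choice((-1, 0, 0, 1))
        return dict(self.mem)

def isolate_health(proc, wanted=5, max_rounds=50):
    snap = dict(proc.mem)      # "unknown initial value": every address is a candidate
    candidates = set(snap)
    for _ in range(max_rounds):
        # Steps 2-3 of the write-up: take damage, then stand still.
        for hit, relation in ((True, "decreased"), (False, "unchanged")):
            new = proc.tick(zombies_hit=hit)
            candidates = next_scan(candidates, snap, new, relation)
            snap = new
        if len(candidates) <= wanted:   # Step 4: stop at <= 5 values
            break
    return candidates

if __name__ == "__main__":
    print(sorted(hex(a) for a in isolate_health(ToyProcess())))
```

Each damage-then-idle round keeps only about one in eight of the unrelated addresses in this model, which is why a handful of rounds is enough to isolate five values out of thousands.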


4. Zelda in space

Task: Now that all the land challenges are over, Zelda is sent to space, where there are 6 buttons. Going through each button generates a keyword in the top-left corner, such as pepper, salt, etc. We have to generate the correct sequence and reach the final destination to get the flag.

Solution: For this challenge I used dnSpy. It is a .NET debugger utility.

Open dnSpy and open all the Managed>Data files of the game.

Search for pepper or salt in all files and, boom, you get the code used in the checkpoints.

Fig 5. Checkpoint Check code

Looking at it, we can see that not just the sequence of pepper/masala etc. but also the string “final” gets added to the proper sequence.

Just above it in the Project Explorer of dnSpy is the PlayerAttrs class. Clicking on it, we get the whole code for decryption, as follows:

Fig 6. Decrypt Code
Fig 7. Additional Data

So the Cipher Text is pI0gDg911A3Qcf++L3rvfkwIEkXsg4jq6pwOHMgG1VlpPuE9t4eljr4fQvXUa9bMJN4TL+DzQoj8aHTe1sNt+y5FND+gqn04OOltMhv/sms=

Fig 8. Additional “0” String

Moreover, the above block tells you one more thing: the string “0” is also added to the key.

So now we have all the ingredients, along with the start and end tokens of the key used in the decrypt function.

One thing you can do is copy the whole code, make some changes, and write a Main method where you try all permutations of


Append every permutation between “0” and “final”, give it as the key to the Decrypt function, and watch what output comes.

Following is the code with correct permutation.

This way we are able to find the flag

Flag : hackim20{z3lda_s0lved_the_sp4ce_puzzl3}
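The key search described above, as an added example that is not the author's code or the game's: six checkpoint words give only 6! = 720 candidate keys, so key material split across a client-side assembly is recovered almost instantly. The game's real decrypt routine is only visible in the screenshots, so `toy_decrypt` is a labelled stand-in; the three `wordN` names, the plain concatenation of words, and the sample key and ciphertext are constructed assumptions.

```python
import base64
import hashlib
from itertools import permutations

FLAG_PREFIX = b"hackim20{"  # flag format of this CTF, used to recognise a hit

def toy_decrypt(key: str, data: bytes) -> bytes:
    """Stand-in cipher (assumption, NOT the game's routine): XOR with a
    SHA-256 counter keystream. XOR is symmetric, so it also encrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(f"{key}|{offset}".encode()).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def candidate_keys(words):
    """Yield '0' + one ordering of the words + 'final' (concatenation assumed)."""
    for order in permutations(words):
        yield "0" + "".join(order) + "final"

def search(ciphertext_b64, words, decrypt=toy_decrypt):
    """Try every candidate key; return the (key, plaintext) pairs that decode to a flag."""
    data = base64.b64decode(ciphertext_b64)
    hits = []
    for key in candidate_keys(words):
        try:
            plain = decrypt(key, data)
        except ValueError:  # e.g. a padding error from a real block cipher
            continue
        if plain.startswith(FLAG_PREFIX):  # no need to eyeball 720 outputs
            hits.append((key, plain.decode("ascii")))
    return hits

# Constructed sample: three words named on the page plus three placeholders.
WORDS = ["pepper", "salt", "masala", "word4", "word5", "word6"]
SAMPLE_KEY = "0" + "word5saltmasalapepperword6word4" + "final"
SAMPLE_CT = base64.b64encode(toy_decrypt(SAMPLE_KEY, b"hackim20{constructed_sample}"))

if __name__ == "__main__":
    print(sum(1 for _ in candidate_keys(WORDS)), "candidate keys")
    print(search(SAMPLE_CT, WORDS))
```

To use it against the real ciphertext, pass a function that ports the decompiled Decrypt method as the `decrypt` argument.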

That's it!

Shout out to Aneesh Dogra for all the challenges.

Challenges can be found here:

Thanks for reading :)
