TryHackMe: Advent of Cyber ’23 Side Quest 2 — Snowy ARMageddon — QR Code

Sanem Elif Yaylacam
4 min read · Dec 31, 2023

Hello everyone! 🤶🎄❄

In this article I will show you how to find the QR code of the second side quest room for AoC’23.

On day 6 we get a hint that the QR code of side quest two is hidden in the memory corruption game.

Let’s go to the PC and get 16 coins. This is enough to fill the name and coin buffers (player_name[12], coin[4]). When you are working with buffer overflows or memory corruption, a table like this or a converter is really handy.

ASCII and Hex table

Enter your name as A * 12 + ~ * 4.

Now we change our name again with:

A * 12 + ~ * 4 + A * 12 + B * 12 + C * 4 + a.

(player_name[12], coin[4], shopk_name[12], namer_name[12], empty[4], inv_items[16]. We just filled the first cell of inventory.)

Lowercase ‘a’ represents a Yeti Token. Go to the shopkeeper and the dialog changes, telling us that the Yeti Token is not original and that they can sell it to us for a price. Type ‘a’ in the shop and press Enter.

Enter name
Shopkeeper dialog
Ghost spawns👻

Now let’s go and ask the ghost what they want.

The ghost asks for three conditions:

  1. A cat named Snowball
  2. A greedy merchant named Midas and a switcher named Ted
  3. Exactly 31337 coins

and when all the conditions are met, input the 30 lives secret code.

When I saw the 30 lives secret code I was like — wt@#?! — but after googling it I came across the Konami Code.

Konami Code

Now we know what to do so let’s get back to work!

Midas and Ted

To change their names to Midas and Ted, we have to place a null character at the end of each name. If there is no null character, the read runs past the end of the buffer into the next one.

First we change namer_name because it’s at the bottom.

A * 12 + ~ * 4 + A * 12 + Ted

Then the shopk_name.

A * 12 + ~ * 4 + Midas

Coin

To get exactly 31337 coins we have to find the hex value of the amount. We should also consider that we will change our character’s name to Snowball, which will cost us 8 coins. 31337 + 8 = 31345.

https://www.rapidtables.com/convert/number/decimal-to-hex.html

31345 in hex is 7A71. If we look at the ASCII table above:

7A → z (lowercase) and 71 → q (lowercase)

Because the value is stored in little-endian order, we should type it as 'qz'.

First we should fill the last two indexes of the coin buffer with null characters, because a ‘space’ also has a hex value and would change the amount. The way we do this is:

  1. Go to the name changer
  2. A * 12 + B * 3 (The first null char lands in the last index of the coin buffer.)
  3. A * 12 + qz (The second null char is in place and the amount is ready!)

Snowball and getting the QR code

Finally, change the player_name to Snowball. Input the Konami Code above using your keyboard and the screen will start glitching. Go to the house and you will see the Yeti there. He will reveal the secret! 🔐
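To see why each input lands where it does, here is a small model of the layout listed above. It is an added example, not the game's code or part of the original write-up. The zeroed starting memory, the function names and the unchecked copy standing in for the name changer are assumptions. A length-checked rename is included for comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field order and sizes as listed in the article; everything else is assumed. */
struct game_mem {
    char    player_name[12];
    uint8_t coin[4];        /* read as a little-endian 32-bit counter */
    char    shopk_name[12];
    char    namer_name[12];
    char    empty[4];
    char    inv_items[16];
};

/* Flawed rename (assumed): copies the input and its NUL with no length check. */
void rename_unchecked(struct game_mem *m, const char *in) {
    memcpy((char *)m, in, strlen(in) + 1);
}

/* Bounded rename: truncates to the 12-byte field and always terminates. */
void rename_bounded(struct game_mem *m, const char *in) {
    size_t n = strlen(in);
    if (n > sizeof m->player_name - 1) n = sizeof m->player_name - 1;
    memcpy(m->player_name, in, n);
    m->player_name[n] = '\0';
}

uint32_t coins(const struct game_mem *m) {
    return (uint32_t)m->coin[0] | (uint32_t)m->coin[1] << 8 |
           (uint32_t)m->coin[2] << 16 | (uint32_t)m->coin[3] << 24;
}

/* Replays the article's rename inputs on zeroed memory (assumed start state). */
uint32_t replay_article_inputs(struct game_mem *m) {
    memset(m, 0, sizeof *m);
    rename_unchecked(m, "AAAAAAAAAAAA~~~~AAAAAAAAAAAATed"); /* NUL ends namer_name */
    rename_unchecked(m, "AAAAAAAAAAAA~~~~Midas");           /* NUL ends shopk_name */
    rename_unchecked(m, "AAAAAAAAAAAABBB");                 /* NUL lands in coin[3] */
    rename_unchecked(m, "AAAAAAAAAAAAqz");                  /* NUL lands in coin[2] */
    rename_unchecked(m, "Snowball");                        /* stays inside the field */
    return coins(m);
}

int main(void) {
    struct game_mem m;
    uint32_t c = replay_article_inputs(&m);
    printf("%s / %s / %s, coins=%u\n", m.player_name, m.shopk_name, m.namer_name, (unsigned)c);
    rename_bounded(&m, "AAAAAAAAAAAAAAAA"); /* 16 bytes in: coin stays untouched */
    printf("after bounded rename: coins=%u\n", (unsigned)coins(&m));
}
```

The replay ends with 31345 in the counter, which is 31337 once the 8-coin cost of the Snowball rename is deducted as described above.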

If you have any questions, please don’t hesitate to ask me. I am always eager to meet new people and learn more about cybersecurity!

HAPPY NEW YEAR!!!🥳🎄🎁
