Initial Exploration
In this challenge, you’re given a game along with its source code. Basically you can move the baby to the left or right to find his lost bears by drilling up or down, but you need to be careful not to hit the boulders.
It’s the first challenge, so it should be easy I guess… Without further ado, let’s open the source code file to see what’s inside!
Analyzing The Code
At first glance, one thing that caught my eye was the function GenerateFlagText.
This function takes a number and shifts it right by 8 bits to make a key. It then XOR-decodes a hardcoded byte string, XORing each byte with that key plus the character’s position, and returns the decoded text.

    def GenerateFlagText(sum):
        key = sum >> 8
        encoded = "\xd0\xc7\xdf\xdb\xd4\xd0\xd4\xdc\xe3\xdb\xd1\xcd\x9f\xb5\xa7\xa7\xa0\xac\xa3\xb4\x88\xaf\xa6\xaa\xbe\xa8\xe3\xa0\xbe\xff\xb1\xbc\xb9"
        plaintext = []
        for i in range(0, len(encoded)):
            plaintext.append(chr(ord(encoded[i]) ^ (key+i)))
        return ''.join(plaintext)

How can we get that sum number to get the flag?
Further down, GenerateFlagText gets called when the baby hits the last bear on the last game level. It is passed the bear_sum variable, which is multiplied by the player’s x position every time the baby’s drill hits a bear.

    ...
    def main():
        ...
        bear_sum = 1
        ...
        if player.hitBear():
            player.drill.retract()
            bear_sum *= player.x
            bear_mode = True
        if bear_mode:
            screen.blit(bearimage, (player.rect.x, screen_height - tile_size))
            if current_level == len(LevelNames) - 1 and not victory_mode:
                victory_mode = True
                flag_text = GenerateFlagText(bear_sum)
                print("Your Flag: " + flag_text)
        ...

Okay, how are those bears and boulders placed? Let’s look at the implementation of player.hitBear() and player.hitBoulder():

    def hitBoulder(self):
        global boulder_layout
        boulder_level = boulder_layout[self.x]
        return boulder_level == self.drill.drill_level

    def hitBear(self):
        return self.drill.drill_level == max_drill_level

Apparently, the bears are all placed on the bottom-most tile of the game, while the boulders are placed according to some predefined layout at each x-position.
There should be an x-position without a boulder at each game level, right? We need to find the code that is responsible for placing the boulders.
If we follow the boulder_layout array, we find that it is populated at the start of main():

    background_tiles = BuildBackground()
    player = DrillBaby(7, 2, max_drill_level)
    boulder_layout = []
    for i in range(0, tiles_width):
        if (i != len(LevelNames[current_level])):
            boulder_layout.append(random.randint(2, max_drill_level))
        else:
            boulder_layout.append(-1)

With this, we can easily tell that no boulder is placed at the position where the x-index equals the length of the current level’s name! That column gets -1, which hitBoulder() can never match against a drill level. For all other positions, boulders are placed at random depths. So all we need to do is calculate the product of all level names’ lengths and feed it to the GenerateFlagText function:

    def GenerateFlagText(sum):
        # Only the bits above the low byte of the product are used as the key.
        key = sum >> 8
        encoded = "\xd0\xc7\xdf\xdb\xd4\xd0\xd4\xdc\xe3\xdb\xd1\xcd\x9f\xb5\xa7\xa7\xa0\xac\xa3\xb4\x88\xaf\xa6\xaa\xbe\xa8\xe3\xa0\xbe\xff\xb1\xbc\xb9"
        plaintext = []
        for i in range(0, len(encoded)):
            plaintext.append(chr(ord(encoded[i]) ^ (key+i)))
        return ''.join(plaintext)

    LevelNames = [
        'California',
        'Ohio',
        'Death Valley',
        'Mexico',
        'The Grand Canyon'
    ]

    # The safe column on each level is x == len(level name), so the game's
    # bear_sum ends up as the product of those lengths.
    bear_sum = 1
    for level in LevelNames:
        bear_sum *= len(level)
    print(GenerateFlagText(bear_sum))

Your Flag: drilling_for_teddies@flare-on.com

Thoughts
I solved this challenge in about 5 minutes. In my opinion this is an easy start for Flare-On 12. I know there are way better solutions out there, but this is my first time doing a CTF and being able to find the flag is super satisfying.
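
As a cross-check of the key derivation above, here is an added example (not part of the original write-up or the challenge source) that computes the key two independent ways: from the level names, and from the ciphertext itself using the "@flare-on.com" ending seen in the decoded flag. The function names are my own; the ciphertext bytes and level names are copied from the code quoted above.

```python
from math import prod

# Ciphertext and level names copied from the challenge source quoted above.
ENCODED = bytes.fromhex(
    "d0c7dfdbd4d0d4dce3dbd1cd9fb5a7a7a0aca3b4"
    "88afa6aabea8e3a0beffb1bcb9"
)
LEVEL_NAMES = ["California", "Ohio", "Death Valley", "Mexico", "The Grand Canyon"]


def decode(key):
    """Same transform as GenerateFlagText, applied to an already-shifted key."""
    return "".join(chr(c ^ (key + i)) for i, c in enumerate(ENCODED))


def key_from_levels(names):
    """Route 1: replay the game logic. Only bear_sum >> 8 reaches the cipher."""
    return prod(len(n) for n in names) >> 8


def key_from_suffix(suffix):
    """Route 2: known plaintext. Since p = c ^ (key + i), key = (c ^ p) - i.

    Returns the key if every suffix byte implies the same value, else None.
    """
    start = len(ENCODED) - len(suffix)
    implied = {
        (ENCODED[start + j] ^ ord(ch)) - (start + j)
        for j, ch in enumerate(suffix)
    }
    return implied.pop() if len(implied) == 1 else None


def sums_for_key(key):
    """All bear_sum values that shift down to this key (low 8 bits are dropped)."""
    return range(key << 8, (key + 1) << 8)


if __name__ == "__main__":
    k1 = key_from_levels(LEVEL_NAMES)
    k2 = key_from_suffix("@flare-on.com")
    print("key from level names :", k1)
    print("key from known suffix:", k2)
    print("bear_sum values accepted:", sums_for_key(k1))
    print("decoded:", decode(k1))
```

Both routes agree on the key, and because of the right shift any of 256 consecutive bear_sum values decodes to the same text.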

