redpwnCTF 2020: i-wanna-find-the-flag (Rev)

Little Brother: Help! I can’t beat this game. It’s too hard. You’re a pro gamer, right?

You: SURE :)

i-wanna-find-the-flag.exe

In this challenge, we’re given a windows binary which seems to be a game. So let’s run it to see what happens.

Well, all it does is display some platforms which are arranged to form the word Redpwn. It was only after the CTF when I saw some discussions and realized this was supposed to be a fully functional spin-off of IWBTG. As of the time of writing this writeup, I have yet to get it to get past the Redpwn screen :*(.

Since this challenge was a game, I figured that analyzing it in Resource Hacker might provide some useful insight.

I then noticed that there was a Cabinet archive in the resources, and it contained some strings which included some .ogg audio files, a ini file for options, a binary named YoYoYo_Engine.exe, and a file called data.win. YoYoYo_Engine.exe looks interesting enough, let’s attempt to extract it out. I decided to just run the game once more and use task manager to dump the process memory to extract YoYoYo_Engine.exe.

As seen above, opening the memory dump in Visual Studio shows us that YoYoYo_Engine.exe was actually unpacked into the Temp directory in the AppData folder. Let’s copy out the binary and analyze it with Resource Hacker once again.

Ah, looks like this game might have been made with a software called Gamemaker:Studio. After looking up some reverse engineering tutorials for games made with Gamemaker, I realized that the data.win would contain most of the game data that we would need to solve this challenge. Additionally, we can just extract data.win from the original binary given to us by opening it in WinRAR.

Alright, looks like I could have just extracted YoYoYo_Engine.exe by using WinRAR instead of using my roundabout method. Oh well, live and learn I guess. After extracting data.win, I opened it in UndertaleModTool as suggested by a really helpful reddit post.

Oh what do we have here? A room called rWinner? I like the sound of that! Let’s take a look at the room data.

Awesome, looks like we got our flag!

Flag: flag{gms_succs_kiddo}