
CTF Writeup: Log 'em All

BSidesSF · 2021 · 25:11 · 320 views · Published 2021-03 · Watch on YouTube
About this talk
Ron Bowes walks through Log 'em All, a CTF challenge that recreates a classic bug from Pokémon Red (the MissingNo. encounter-table bug) as a use-after-free in a networked game server. Players must capture or at least encounter all 151 ASCIImon; the intended route is to trigger the use-after-free so that the player's nickname is reused as an encounter-table entry, then script the resulting fake encounters, demonstrating a real exploitation technique through a Pokémon-themed challenge.
Original YouTube description
This is a video walkthrough of Log 'em All, a difficult Hacking / Reverse Engineering challenge based on a classic bug in Pokemon Red. If you want to run this yourself, from a Linux computer with Docker (and a user in the appropriate group), run:

$ git clone https://github.com/BSidesSF/ctf-2021-...
$ cd ctf-2021-release/logemall/challenge
$ docker build . -t test
$ docker run -p666:666 --rm -ti test

(Then in another window)

$ nc -v localhost 666
Transcript [en]

Hello, my name is Ron Bowes and I'm one of the CTF organizers for BSides San Francisco 2021. This is going to be a video walkthrough of one of my challenges called Log 'em All, which is a Pokémon-style collect-them-all challenge where your goal is to collect, or at least see, all 151 ASCIImon characters. If you were playing the CTF about 20 days ago when we ran it, you would see our scoreboard like this, with a Log 'em All challenge. Log 'em All was solved by three different teams: Knock-Knock Goose, Perfect Blue and Fungible Tokens, so congratulations to those teams. If you were playing while the server was still up, this is the netcat command you would use to connect, but because the game's been over for a while we've shut down the servers. So instead, if you want to run the server, you can just use our Dockerfile. BSidesSF/ctf-2021-release is our source code for all of our challenges, and the ones that have server-side components do have Dockerfiles. So if you find Log 'em All specifically and then go into the challenge directory, you will see a Dockerfile. This is all you need, obviously along with the code, to run the challenge yourself. I've already checked out the code, and as I said, the Dockerfile will let you run it yourself, so I'll just run docker build and docker run. docker build obviously will build the Docker container and docker run will run it, with port 666, which is the port the game uses. If you aren't sure which port is used by a specific challenge, just check out the README file that's in each directory, or the metadata file. Once it's running, you should be able to netcat to localhost on that port and get a copy of the game. This is exactly what you would see if you were playing against a real server.

So the first thing is, let's do a quick walkthrough of the game. "What would you like to be known as?" Ron. "And which starting ASCIImon would you like: Plant Frog, Fire Lizard or Water Turtle?" So which is your favorite? Let's try Fire Lizard. Wow, that looks not at all familiar. We could also try Water Turtle, or we could try Plant Frog. Now, a bit of an easter egg I didn't mention here is that I don't actually validate which one you choose, so if you know the names of others you can choose them if you like. Let's take a look at that by first of all going into the game, moving over to the PC over here, and seeing a list of all the names. So there's, you know, Water Turtle and stuff that we just saw; there's Butterfly, there's Bee, there's Pigeon, Fancier Pigeon, and so on. One of my favorites is Fire, who's one of the legendaries. So let's just get through this and quit the game for a second. We're going to be Ron and we're going to try Fire. Fire is one of the legendary birds. You can also use MissingNo., which you might recognize from other exploits; that doesn't actually help you any, it's just a little easter egg that's there. All right, so let's use Fire because it's easier.

Now we're in the game world. You're at Professor Jack's lab, you see a PC, which you've already seen, and you see the professor. If we talk to the professor we get a little bit of dialogue: he says hi to you, he introduces himself, and he asks you to log all the ASCIImon and then come back and talk to him. So that's exactly what we're going to do eventually. If we go out the door, we're going to see a little town. This is the town of Color, a nod to Pallet. We can move around and we can go through various areas. I forgot what this is called... in combat. I'm going to expand this window a little bit so you can see the combat better. We are fighting a Caterpillar. "What would you like to do?" Let's attack it. You attack for 8 damage, it hits you for 2 damage, and so on. You can just keep pressing enter to repeat the command over and over again. Eventually we kill it. "Would you like to replace it?" No, we like ours. So we can move around; there's a whole bunch of different areas. I don't want to go through the whole game, but I will go through Viridian Forest to Gray City. This is one of my favorite areas. In the other game this is based on, there's a museum in the city, so I thought I'd put an ASCIImon museum here, but the museum is just the ASCII table. This is not meaningful for the game, it's just a fun little bit of flavor. There's lots of flavor in this game; I tried to make it really interesting. So that's basically the game in a nutshell.

My goal for this bug was to kind of recreate a popular bug, the MissingNo. bug, as I already mentioned. I have here the Bulbapedia entry for the MissingNo. bug. What happens in the real game is that when you're first doing the tutorial, there's a little battle that's done between the old man and a wild Weedle. Now, for this little battle (this is the old days of memory management), what they would do is have the fight where they take your name in memory and replace it with the old man's name, then do the fight, and then restore it. The problem is your name needs to be temporarily stored somewhere, and since these are the days before alloc and stuff, or malloc rather, they would do things like copy your name to the encounter table, then do the fight, and then copy your name back from the encounter table to your name and then carry on. Then when you enter the next zone it just loads that zone's encounter table, replaces your name, and everything's fine. The problem is there's one area, on Cinnabar Island, where there's no encounter table; they forgot to load one. That means that if you start wandering through there after the old man fights for you, it will use your name as the encounter table, and because your name is not a valid encounter table it will cause strange bugs. So I tried to recreate that as a CTF challenge.

Before we actually exploit this, let's take a quick look at the binary. In the distfiles folder I gave logemall and I gave a sample of data. I'm just going to ignore the sample data since I have the real data here, but if you were actually playing, you would need to use this to run a local server. Instead I'm going to take the logemall binary and run strings on it. If you run strings on the binary, you're going to see a lot of the system functions it uses, nothing too exciting or out of the ordinary. As you scroll down you're going to see some of the directories. These are kind of cut off because of how I opened the files; it's not a big deal. What you're eventually going to see is "available commands", "help" and "quit". If you were playing the game and ran help, this is what you would see, but you're also going to see some other commands like flying to various cities, "encounters on/off", "encounters show/hide". These are all hidden quality-of-life commands. You don't necessarily need these to solve the challenge, but reversing it just enough, like I just did, to see these is really helpful. I'm going to move these to my other monitor but keep them visible because I might actually need them.

So let's start the game again. I'm going to be Ron, I'm going to play with Fire, I'm going to say "I'm sure". First off, I'm going to go and have an encounter. It appears that this encounter is necessary to get things to work right in memory. I should mention this is a use-after-free bug. Use-after-frees are notoriously difficult to actually exploit; I tried to make this as simple as possible for the purpose of the challenge. So I'm going to fight the Caterpillar. I'm not going to replace my Pokémon, I mean my ASCIImon, but I will finish the fight.

Now, from here you would have to explore, obviously, to find these things, but I know from experience I need to fly to Deep Blue. Deep Blue is a town that has, on the right-hand side, what in the original game would be Bill's house, but I made this Ron's house; that's me. These various circles are all Rons who will give you a little bit of hints. In particular they mention, once again, that you have to collect all 151 ASCIImons to get the flag. They also mention the PC, and they mention the secret fight command, which is one of the other hidden commands I have, and they mention there are also other quality-of-life commands. So I really wanted to make this hinty, give you lots of hints. Speaking of hidden commands, let's actually turn "encounters show" on. You'll see a new UI element, "encounters", here. If you walk into an area that has encounters, we're going to see "chance of encounter 4%" and the three encounters, and their numbers, that we might encounter. The last thing I should mention is this R here. This is the Renamer character; his official name is Renamer. He'll read your nickname and let you change your nickname. Remember that I was trying to make a vulnerability involving your name, so keep that in mind.

So here we're going to trigger a fight. We're going to fight an enraged Siamese cat. We're going to attack, attack, attack until it's dead, and then we're going to replace our Fire legendary with this cat. Now we have a companion, which is a Siamese cat; he's number 53, or she. And the encounter table still has Pony, number 77, a wild Siamese cat, 53, and a Pitcher Plant, number 69. So now we're going to do a second encounter. This is where the bug is going to get triggered. We're going to fight a Pitcher Plant, we're going to attack, attack, attack, attack, attack, and eventually we're going to defeat it. "You're victorious! Would you like to replace it?" Yes. Now when I replace it, it's going to free the cat that I had as my companion, and in doing so it's also going to incorrectly free the cat that was in the encounter table. Now the second encounter on the encounter table is pointing to memory that's been freed. The memory that's been freed just happens to have 3, 7, 1, etc. as part of it. Now if I do the encounter, or leave this area and the encounter triggers, it's going to have some weird behavior, probably crash with the use-after-free bug or a double-free bug or something. However, what we can do is talk to the Renamer. He's going to read the nickname and say that we're Ron. "What would you like it to be?" I'm going to send a bunch of A's. "So you want to change Ron to AAAA...?" Yes. And now suddenly we have an encounter table entry that is my nickname. The first field is a bunch of A's; the number field, if you convert this from decimal to hex, is going to be 41 41 41, which is also "AAA"; and these are all zeros because they're past the A's, the A's aren't enough to hit those. If we talk to the Renamer again and change it into something else, every second one is not going to do anything, because it allocates and frees, allocates and frees. For each given name change it allocates a second block and frees the first. This was done mostly to make it more easily exploitable. So this one is going to be the second one allocated and we're going to end up with freed memory again; this is again free garbage memory. But if we rename again, let's change our name this time to just a single A. Yes. Now the name of it is blank, but the number is 65, which represents "A". Now if we do a fight: "An enraged blank draws near. Wow, you haven't seen a blank before! You make a note." And of course we immediately are victorious, because it has zero hit points, and we're not going to replace it. If we actually captured the blank, I'm not sure what would happen, but it probably wouldn't be good.

So now that we've seen one, let's turn encounters off, because I don't want to accidentally encounter something, and go back to Ron's house. Ron's house has a PC in it. We're going to go talk to the PC, and we're going to see: now we've encountered a Siamese cat, which we legitimately encountered in the wild; we encountered Harry Houdini, number 65, which we've never seen, that was our fake encounter we did; and then number 69, Pitcher Plant, we have logged; and, oh yeah, Fire, of course, our starter, which we logged. So we've now encountered an ASCIImon in the wild that doesn't actually exist anywhere in the game, except of course in the PC and in memory. So that's the basic vulnerability. The solution is to do that 151 times, essentially, which is obviously a little bit long.

I have a window over here; let's go back to this one with the solution. My solution file is just a simple solve.rb. Let me open it over here and bring it back. After it loads, what we're going to see is that it connects a socket. I have a bunch of code that just does receives and fighting. This is all pretty bad code; it's just enough to make it work, as an exploit often is, but I'm not super proud of it. So here's what you're actually going to see: it connects to the server, it runs the command "Ron", it selects the Fire starter, it confirms, it turns on the encounter table, it flies to Color, it does a bunch of moving. This fight-attack is kind of a macro that will fight the Caterpillar. As I also mentioned, there's no RNG in this game; it uses a static seed of 1337, so no matter what you do it's always going to be the exact same encounters in the exact same order. Technically I could have made it random, but it wouldn't have really added anything. Then it's going to fly to Deep Blue, it's going to move, it's going to capture a Pony, it's going to capture a Siamese cat, and that second capture, just like before, is going to trigger the actual vulnerability. Then, 151 times, it's going to capture everything except for number 10. Number 10 is a Caterpillar (Caterpie is obviously from the other game that we don't talk about). And then it's going to skip number 146, because that's Fire. After each time it's going to change our name to the character that it wants to capture, and then it's going to name it "hi", just so we see something happening. It's going to fight and run, and repeat. That's pretty much it for the exploit.

Let me run it over here. Here we go: solve, we're going to solve against localhost 666, and that's going to run very quickly, but we don't want to be that quick. I gave it a parameter that lets me adjust the speed, so let's just do speed 1, one second delay per move, right now. So it's going to choose, it's going to turn the capture table on, it's going to fly to the closest place to a Caterpillar, it's going to very slowly move up. Now let's adjust that speed down just a little bit, 0.5. Turn the encounter table on, move around, it's going to do the fight, it's going to win the fight. I don't think I actually have to beat this fight, I just have to see it, but it doesn't really matter, it was just as easy to fight it. Then it's going to move around, it's going to go to the Renamer. This is all done hands-free, of course. It's going to fight the Pony, and so on and so on. I don't want to stay here for 20 minutes while it does this, so I'm going to set this delay to, I think, 0.1, which is still enough that it'll work, very quickly. I'm going to shrink that down and let that run over here and let it do its thing. In the meantime... yep, we got catch number one, we capture number two, we catch number three, and so on. Let's let that keep going; I'll let it stay in the corner there.

While this is running, I'll show you a couple of the easter eggs that I added, because I think they're kind of cool. So there's a town called Indigo. "fly indigo"... oh, you can't fly there, that's right. Fly... oh, what did I call it? This is where I did my strings tutorial. It is called... ah, let's just walk there. We'll fly to the Color area, then we're going to walk to the plateau. We have lots of time while the exploit runs in the background. We're going to go to the cave. Oh yeah, I think I have to turn encounters off too, which is going to make this extra easy. Hey, here we are: the Teal Plateau. Of course, Indigo becomes Teal. From the Teal Plateau we see the Elite Four: 1, 3, 3, 7. Each one has its own little dialogue: some kid came by, we weren't prepared; useful strategies in our day, we could work hard and get ahead, these days you've got to be born lucky; I wish the world revolved around us the way we're all down on Red and Blue. You're obviously breaking the fourth wall just a little bit. However, if you try to actually go through the doors into the final fight from the original game, there's a barricade. Uh-oh, there's exciting fighting. This is kind of a last-minute change. I used to just have the barricade here, and if you went through the door you would just run back to the starting area because it's invalid, but I decided it would be fun to add a little bit of flavor. So let's remember it's called Teal. We'll fly to Deep Blue; inside Deep Blue we'll move up one and then fly back to Teal. Now we're on the barricade and we can walk through the door. If we do walk through the door, we're going to see the Red versus Blue fight. If we try to talk to Red, he says "Can't you see I'm busy fighting Blue?" Press enter. If you talk to Blue, it's going to say "Can't you see I'm busy fighting Red?" All right. If we talk to the "versus" sign it says: watching Red and Blue fight is all fun and games, but you have a feeling you're in the wrong place; but since you made it here, have you found all the hidden quality-of-life commands? They aren't required, but they're helpful. This is, once again, just me making sure I'm constantly hinting to the players: maybe you came here thinking this was a solution, but this is just an easter egg. The solution is actually to capture them all and then talk to Jack. I tried to mention, if you talk to NPCs throughout the game, there will be other hints and mentions of the quality-of-life commands and of what you need to do.

We're up to number 58 on our exploit. While that's running, let's just kill that... do I have another window? I don't want to kill the server. Let's just cd to projects, ctf-2021-release, and then logemall, logemall/challenge. Here, this is stuff we did not give away when we were actually running the game, but it's things I think you might enjoy as you're learning how the game works. If you look at the data directory, you'll see all the various artwork. Let's cat data/100.txt; this is just the artwork. 101, 102 and so on. You can also cat data/ the CSV, whatever I called it, to see all the stats, so you can make your own mods to this game if you really want. And then the maps directory is just all the names of the maps. If you cat them, let's cat color, you'll see the first line is the name, the second line is a one-line description that you'll see, then the next four lines are the up, down, left and right map names, and then the rest of it is just the map, literally as ASCII. I actually designed these maps using a spreadsheet on Google Maps... this is what the maps look like when I actually made them. I took all these maps, exported them to a CSV file, then I cleaned it up a little bit to make it work better. So all of this was designed in Google Sheets, of all places. That's what the maps look like. What else do I have? I have encounters. Let's see the encounter table: these are the encounters for each of the areas that has encounters. If you cat them, let's just cat route3, all you see is the odds of having an encounter. I'm not really sure why I made this configurable, but the odds are at least 4, and then you can have up to eight different encounters in that section. So the three encounters are Sparrow, Snake and Rat. I don't think there's any particular area that has more than three or four encounters. So that's the data for it.

Let's take a look at the source. I'm just going to open this up in vi, in nvim actually. I see we're up to number 101 here, so we're two-thirds of the way there. If you look at the source you'll see a whole lot of C code, and a lot of really, you know, so-so C code; some of it's good, some is bad. Here's the hidden commands, the drawing functions, and so on. You'll see lots and lots of code that is repeated. What I think is the most interesting is encounters.c, because the capturing code has the vulnerability. This is the encounter handler; this is how it handles input, the attack, defend, run, etc. I should also mention the attack, defend and run formulas are actually the exact ones from the original Pokémon games; I don't know if anybody reverse engineered them. The descriptions are all my stuff, just to make it more interesting, but the actual formulas I use for the encounters, calculate damage for example, this is just from the Pokémon wiki, from Pokémon Red and Blue. The run chance, the chance of running... oh yeah, this is kind of funny: there's a 1/256 chance that you just miss. There's no missing in this game; the accuracy of your attack move is 100, except for the 1 in 2^8 chance of missing, which is loyal to the original game, which always had a 1 in 2^8 chance of missing just due to a programming bug. The damage calculations are original; the chances of running, this line here, this is from the original game as well. So I thought I'd be loyal as much as I could to the original games; I thought it'd be kind of fun.

Then here, when you actually finish the encounter: "The enemy's blank fades. You're victorious! Would you like to replace yours? Yes or no." If you say yes, it assigns character companion to the enemy directly. Note that it doesn't clone the enemy or anything like that. If this was a high-level language you would expect to see clone in Ruby, Python, Rust, Go, etc., but in C you would expect at least to see a memcpy or something along those lines. It doesn't do that; it just directly references it. And then, since you always already have a companion (you can never have a blank companion without exploiting a bug), it frees your current companion. That means if you capture a second enemy and then it frees your current enemy, that will also free it from the encounter table, and that's exactly what we saw: it frees it while it's being used and creates a use-after-free bug. So that's pretty much the main source code. If you look at the rest, it's going to be a lot of just making the game work; there's probably off-by-one bugs and stuff like that. I think in logemall.c you're going to see the bug where you can choose any... yeah, "here's your starting ASCIImon, which one would you like?" and then it loads it; it does no checks whatsoever to make sure it's one of the three.

And I see that this just finished. It went back to Professor Jack and talked to him, and now that you've seen all 151 wild ASCIImons, he will now say "Wow, you've logged them all!" and he gives you the flag. I just keep repeating this; I'm going to kill this as soon as it shows the flag. "Wow, that's all of them!" he exclaims, and reaches into his pack. "This is for you," and the flag. And this is the solution. So this game, largely, you could solve by hand; you could go through and do all 151 yourself, but my intention was that you would probably stumble on this bug at some point accidentally, just by capturing things, and then exploit it by writing a little script like this. So that's pretty much all I have. Thank you for watching this video, and feel free to play this game. I think it's a really fun one to work on and to solve yourself. Have a good day.
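The aliasing bug the talk describes in its source tour (on "replace", the companion becomes a pointer to the encounter-table entry itself, so the next replacement frees a creature the table still references), as an added worked example in C beside the fix. This is not the challenge's own code: the types, function names, and the three-creature Deep Blue table are constructed for this illustration, and every free goes through a small logging wrapper so the dangling table entry can be detected by comparing recorded addresses rather than by reading freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the bug; all identifiers here are invented for
   this example and are not taken from the challenge's source. */

#define TABLE_SIZE 3
#define FREED_LOG_MAX 16

typedef struct {
    char name[16];
    int number;
    int hp;
} creature_t;

typedef struct {
    creature_t *encounters[TABLE_SIZE]; /* the area's wild encounter table */
    uintptr_t table_addr[TABLE_SIZE];   /* addresses recorded at load time */
    creature_t *companion;              /* the player's current creature */
} game_t;

typedef struct {
    int dangling;         /* table entries whose address has been freed */
    int companion_number; /* number of the creature the player ends with */
} result_t;

/* Freed addresses are logged as integers so dangling pointers can be
   detected without ever dereferencing (or even reading) a freed pointer. */
static uintptr_t freed_log[FREED_LOG_MAX];
static int freed_count;

static void tracked_free(creature_t *p) {
    if (freed_count < FREED_LOG_MAX) freed_log[freed_count++] = (uintptr_t)p;
    free(p);
}

static int was_freed(uintptr_t addr) {
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == addr) return 1;
    return 0;
}

static creature_t *make_creature(const char *name, int number, int hp) {
    creature_t *c = calloc(1, sizeof *c);
    if (!c) abort();
    snprintf(c->name, sizeof c->name, "%s", name);
    c->number = number;
    c->hp = hp;
    return c;
}

/* Constructed sample data mirroring the Deep Blue table from the talk. */
static void load_area(game_t *g) {
    g->encounters[0] = make_creature("Pony", 77, 30);
    g->encounters[1] = make_creature("Siamese cat", 53, 25);
    g->encounters[2] = make_creature("Pitcher plant", 69, 20);
    for (int i = 0; i < TABLE_SIZE; i++)
        g->table_addr[i] = (uintptr_t)g->encounters[i];
    g->companion = make_creature("Fire", 146, 90); /* the starter */
}

/* Buggy replace, as described in the talk: the companion aliases the table
   entry, so freeing the old companion also frees a live table entry. */
static void replace_buggy(game_t *g, creature_t *enemy) {
    tracked_free(g->companion);
    g->companion = enemy;
}

/* Fixed replace: copy the enemy out first, so companion and table never share
   an allocation and freeing one cannot invalidate the other. */
static void replace_fixed(game_t *g, creature_t *enemy) {
    creature_t *copy = malloc(sizeof *copy);
    if (!copy) abort();
    memcpy(copy, enemy, sizeof *copy);
    tracked_free(g->companion);
    g->companion = copy;
}

static int count_dangling(const game_t *g) {
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (was_freed(g->table_addr[i])) n++;
    return n;
}

/* Frees only what is still live (checked against the log) to avoid a double free. */
static void release(game_t *g) {
    if (!was_freed((uintptr_t)g->companion)) tracked_free(g->companion);
    for (int i = 0; i < TABLE_SIZE; i++)
        if (!was_freed(g->table_addr[i])) tracked_free(g->encounters[i]);
}

/* Plays the walkthrough's two captures: the cat, then the pitcher plant. */
result_t run_sequence(int fixed) {
    game_t g;
    result_t r;
    freed_count = 0;
    load_area(&g);
    void (*replace)(game_t *, creature_t *) = fixed ? replace_fixed : replace_buggy;
    replace(&g, g.encounters[1]); /* first capture: companion becomes the cat */
    replace(&g, g.encounters[2]); /* second capture frees the old companion */
    r.dangling = count_dangling(&g);
    r.companion_number = g.companion->number; /* companion itself is live */
    release(&g);
    return r;
}

int main(void) {
    result_t buggy = run_sequence(0), fixed = run_sequence(1);
    printf("buggy: %d dangling table entries, companion #%d\n", buggy.dangling, buggy.companion_number);
    printf("fixed: %d dangling table entries, companion #%d\n", fixed.dangling, fixed.companion_number);
    return 0;
}
```

The buggy path reports one dangling encounter-table entry after the second capture (the cat's slot), which is the state the talk reaches just before visiting the Renamer; the fixed path, which copies the enemy out before freeing the old companion, reports none. The Renamer step itself (a new name buffer landing in the freed chunk so the table entry's name reads as A's and its number as 0x414141) is deliberately not reproduced here, since reading it back through the stale pointer is undefined behaviour and a sanitizer build would abort at that point.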