AoCyber: Side Quest 2 Part 0

TL;DR: Buy the real yeti charm from the vendor, and null terminate the values to match what the ghost NPC tells you about the legend. Finish it off with the konami code to get your QR.


If you found this post, you probably already found https://tryhackme.com/room/armageddon2r

See this year's other rooms as well:

SQ 1: Day 0
SQ 2: Day 6
SQ 3: Day 11
SQ 4: Day 20

Index of this challenge:

SQ2-0
SQ2-1
SQ2-2
SQ2-3

This one was a doozy. Finding it was pretty simple in Day 6's challenge with a hint about a ghost.

The task itself is spelled out pretty well in the prompt: Modify your memory buffer to override stored variables. The answers to the questions are out of scope for this article, but let me give a quick breakdown of the path to find the quest room:

1) Overwrite the buffer at the name changer to give yourself as much money as you can; an ASCII table would probably be useful here:

2) Talk to the merchant to buy a missing item from her inventory. If you hack item "a" into your inventory, it's revealed that it's actually a fake and that she's willing to sell you the real one:

3) Talk to the glitch and learn the requirements for the puzzle:

  • Have exactly 31337 coins
  • Be named Snowball
  • Have a merchant named Midas
  • Have a shop keep named Ted
  • Have the blue yeti coin in your inventory
  • Play the "30 lives" konami code

The big trick was to look back at the prompt to see what's storing the variables: the C++ program stores its values little-endian (so the bytes of each number are reversed), and the strings are null-terminated.

So simply keep talking to the name changer to fill these values in backwards, one at a time from bottom to top. (Note that you need to modify the coins to leave yourself enough cash to change your name one last time.)
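To make the mechanics above concrete, here is an added Python model (not code from the room or its author) of a fixed-size save buffer and a strcpy-style name write. The layout (name[16], then a little-endian uint32 for coins, then two 8-byte string fields), the field widths, the filler byte and the default values are assumptions for illustration; the room's real struct is not given here. The planner generalises the "bottom to top" ordering: every zero byte the target needs (a string terminator, the high bytes of the coin count) has to come from the terminator of a separate write, because a C-string copy cannot carry a 0x00 in the middle, so the zeros are produced farthest-first. `bounded_write` is the fix: the same payloads leave every other field untouched.

```python
"""Model of a fixed-size save area and an unbounded name write.

The layout below is ASSUMED for illustration; the room's real struct is not
given on the page.  The bug modelled: the name changer copies the new name
into a fixed buffer with no length check (strcpy-style), so bytes past the
end of `name` land in the fields that follow it.
"""
import struct

FILLER = 0x41  # any non-null byte; a strcpy-style write cannot carry 0x00

# Hypothetical layout: (field, offset, size, kind); offsets are contiguous.
LAYOUT = [
    ("name",      0, 16, "str"),
    ("coins",    16,  4, "u32"),   # little-endian uint32
    ("merchant", 20,  8, "str"),
    ("shopkeep", 28,  8, "str"),
]
SIZE = 36


def new_memory():
    """Fresh save area: zeroed, then a constructed default name and coin count."""
    mem = bytearray(SIZE)
    mem[0:6] = b"Guest\0"
    mem[16:20] = struct.pack("<I", 100)
    return mem


def unbounded_write(mem, payload):
    """strcpy-style: copy bytes up to the first NUL, then the NUL itself.
    No length check, so the copy runs past `name` into later fields."""
    body = payload.split(b"\0", 1)[0]
    end = min(len(body), SIZE - 1)   # keep the simulation inside the array
    mem[0:end] = body[:end]
    mem[end] = 0


def bounded_write(mem, payload):
    """Hardened form: truncate to the field width and always terminate inside
    the field (what strlcpy/snprintf into name[16] would do)."""
    off, size = 0, 16
    body = payload.split(b"\0", 1)[0][: size - 1]
    mem[off:off + len(body)] = body
    mem[off + len(body):off + size] = b"\0" * (size - len(body))


def decode(mem):
    """Read the fields back the way the program would (C strings, LE ints)."""
    out = {}
    for field, off, size, kind in LAYOUT:
        raw = bytes(mem[off:off + size])
        if kind == "u32":
            out[field] = struct.unpack("<I", raw)[0]
        else:
            out[field] = raw.split(b"\0", 1)[0].decode("latin-1")
    return out


def encode(values):
    """Target image of the whole save area for the wanted field values."""
    img = bytearray(SIZE)
    for field, off, size, kind in LAYOUT:
        if kind == "u32":
            img[off:off + size] = struct.pack("<I", values[field])
        else:
            s = values[field].encode()
            assert len(s) < size, f"{field} does not fit with its terminator"
            img[off:off + len(s)] = s
    return bytes(img)


def required_zeros(values):
    """Offsets that must hold 0x00: each string's terminator and every zero
    byte of the little-endian integer."""
    zs = []
    for field, off, size, kind in LAYOUT:
        if kind == "u32":
            packed = struct.pack("<I", values[field])
            zs += [off + i for i, b in enumerate(packed) if b == 0]
        else:
            zs.append(off + len(values[field].encode()))
    return zs


def plan_writes(values):
    """Name-change payloads, longest first.  Each write fills everything
    before its terminator with non-null bytes, so a zero can only survive if
    no later (shorter) write reaches it: produce the zeros farthest-first."""
    image = encode(values)
    writes = []
    for z in sorted(required_zeros(values), reverse=True):
        writes.append(bytes(b if b else FILLER for b in image[:z]))
    return writes


def apply_plan(mem, writes, write_fn):
    """Run the payloads through a write primitive and decode the result."""
    for w in writes:
        write_fn(mem, w)
    return decode(mem)


if __name__ == "__main__":
    wanted = {"name": "Snowball", "coins": 31337, "merchant": "Midas", "shopkeep": "Ted"}
    writes = plan_writes(wanted)
    print("vulnerable:", apply_plan(new_memory(), writes, unbounded_write))
    print("hardened:  ", apply_plan(new_memory(), writes, bounded_write))
```

With the assumed layout the planner needs five name changes: one that reaches the shopkeeper, one for the merchant, two for the zero bytes of the coin count, and a final short one that restores the player's own name; the `coins` value 31337 packs to `69 7A 00 00`, which is why those two trailing zeros each cost a write.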

Side note: there is an alternative path to this as well. If you inspect the JavaScript of the index.js file in a browser with a WASM debugger, like Chrome, you can find a reference to this qr.map and a byte index. If you extract that byte range (start -> end) from index.data.gz, you get a copy of the QR map as an easy mapping of bytes to white and black pixels, arriving at the same answer.

On to the actual quest!

Part 1