Welcome to this new blog series about Pwn Adventure 3: Pwnie Island! In this series, we will cover different aspects of security that we often have to deal with during our penetration test, such as network analysis, reverse engineering and packet tampering.
PwnAdventure3 is a game developed by Vector35 for the Ghost in the Shellcode 2015 CTF. The purpose of the game is to reverse engineer the GameLogic as well as the network in order to finish quests that would be impossible otherwise.
Pwn Adventure 3: Pwnie Island is a limited-release, first-person, true open-world MMORPG set on a beautiful island where anything could happen. That’s because this game is intentionally vulnerable to all kinds of silly hacks! Flying, endless cash, and more are all one client change or network proxy away. Are you ready for the mayhem?!
- Unbearable Revenge – 200 Points
- Until the Cows Come Home – 100 Points
- Overachiever – 200 Points
- Egg Hunter – 250 Points
- Pirate’s Treasure – 500 Points
- Fire and Ice – 300 Points
- Blocky’s Revenge – 400 Points
The game also allows you to play in a team and enable the PvP mode for a full madness experience where each user can fight against each other to compare their skills but especially their „improvements“/hacks.
Before we start, we need to install the client and configure the server, which is composed of a master server and one or several game servers. While the client installation is quite straight-forward, i.e. you just need to download the client (available for Windows, Linux and macOS), the server requires a few steps which are described in this blog.
I would recommend to have the master server and the game server(s) on a different hardware than your client(s). Not only the server and client are quite exhausting for your CPU, but it will also make things easier later for the reverse exercises.
Now that you have the game installed, let’s discover Pwnie Island!
For this blog series, we will focus on the online game only as the offline mode „too easy“ since the entire logic is in our control. With the online adventure, a part of the logic and verification is done on the server side, which at the time of the CTF, was not under our control. Of course, here in this case, since you set up your local instance, you still can change files on the server, but you will miss the real value of this exercise: reverse engineering a game with real-world constraints.
When you first run the client in online mode („Play Game“), you will be asked to register a new account. You can either join a team or create a new one. Note down your team hash if you want to invite other user to play in the same team. Once the account created, the user can log in and create its character. In total, you have 6 different avatars that you can customise with different colours for the clothes and hairs.
Once the character created, you can finally join the game and play with your freshly created character. The control is like any other game:
- W A S D or arrows to move your character around
- ESC to access the menu
- 0 1 2 3 4 5 6 7 8 9 to select you weapon or spell
- Click to shoot
- R to reload
- I to open you inventory
- O to list you online teammate and get your team hash
- P to toggle between first and third person view
- J to open you quests journal
- L to list you achievements
- MAJ to walk instead of running
- SPACE to jump
- ENTER to opens the chat dialog
Here is a video that shows how the game looks like: https://www.youtube.com/watch?v=PHZJ443zVM0
Now that we have a better idea of what Pwn Adventure 3 is, let’s hack it! In the next post, we will see what are the techniques to understand and reverse the custom network protocol used between the client and the game server.
Blog series: Introduction – Reverse Engineering Network Protocol – Pwn Adventure 3 Network Protocol – Building a Wireshark Parser – Asynchronous Proxy in Python – Intercepting Packets – Reverse Engineering Binary – Patching Binary – Hooking shared library