Friday, October 3, 2014

Hacking 'I Wanna Be The Boshy' Game Saves


Background

It seems that the world missed the "good ol' days" of ridiculously hard platform games. Games that were made difficult mostly due to the fact that they had to be short to fit on a cartridge. Years ago, a guy known as Kayin created a game called "I Wanna Be The Guy" - a masochistic game to show us just how insanely difficult developers could make platform games.

The game is known for being legendarily difficult; sporting difficulty options for no saves, longer boss battles, and countless "gotcha" moments. Essentially, a compilation of ripped assets from roms to create something ridiculously difficult, but insanely fun:

Anyone who played IWBTG remembers the goddamned spike corridor at the bottom, lol.


Eventually, this went on to inspire a more polished indie game called:


Who dialed back the difficulty a bit and brought it more mainstream.



Eventually, this wave of super hard "throwback platformers" even reached Capcom when they developed 

and


... further proving that, not only can they still make nail ripping-ly difficult platformers, but are still pretty damn good at it.



During this time period, a guy who goes by the name of Solgryn developed a game much like "I Wanna Be The Guy", but added multiple characters:



And online play as well:


It's also much longer and calls itself "I Wanna Be The Boshy"


The game runs on Multimedia Fusion 2's engine - a staple for a lot of platformer indie games.

During a playthrough, I wondered what the game save format was like and if values could be modified to fully unlock the game and set options passed their normal limitations. 





The Save Format

By default, data is passed around in MMF2 in ini files - IWBTB is no different:



Unlike normal ini files, however, these are encrypted...

After running procmon to take a look at this massive 130MB executable, we can see that it unpacks itself and operates out of a directory...



In the directory, we see a whole bunch of mfx modules which are basically renamed .dll files. The most interesting of which is INI++... what could this be???


oh...
ooohhh....

OH!



Ok, so we have a custom module that basically acts like a read/write wrapper for the normally plaintext ini files, takes a password, and encrypts the data. It also supports MD5 hashing without changing the size of the output file (from the site).

Well... if  that's not information bleed...

So we have this crypto that is the same size as plaintext (meaning no key or salt attached to the encrypted data) and theres a password that somehow encrypts or decrypts it. Yay stored secrets!!!

Throwing their dll in IDA will get you something like this with IDAScope (I used it to see what crypto modules they're using):

Ok... just the MD5 inits - well, they already said they had the ability to store hashes of the strings instead, but MD5 is one way so thats no way to encrypt something (doesn't do ya much good if you can't recover it, haha).

So no fingerprints of a common crypto interface - looks like someone wanted to hand-roll their own crypto... the only thing someone should roll about that is their eyes (lel).

Well , guess it's time to start digging for "crypto" functions in the binary (Hint: just look for a bunch of bitwise operations and stupid array shaking).


....aaaaaand pwnt.


Alternatively, you could also just find that an open source python impl of MMF2 is online called anaconda. They happen to have this extension module already converted.


With this, I could make a python tool to encrypt/decrypt the data:




So now we know the algorithm... but we still don't know the damn password! Fortunately, MMFS2 is publicly available and so is this plugin.

Getting The Password


After making a small test project that simply starts and writes an ini file with some data into an encrypted file, I find that the password allows no special characters and one line.



I compiled my project and set out in its running memory to find my password in plaintext because... #YOLO I guess...




Doing the same thing on IWBTB will net you a lot more text, but looking near the areas in memory where I found my password, theirs stuck out as well






The result:

The src below will decrypt/encrypt any of Boshy's INI files - the algorithm is reversible... just run again to re-encrypt. Decrypt a fully unlocked save available online if you want :)

Fin