Friday, October 3, 2014

Hacking 'I Wanna Be The Boshy' Game Saves


Background

It seems that the world missed the "good ol' days" of ridiculously hard platform games. Games that were made difficult mostly due to the fact that they had to be short to fit on a cartridge. Years ago, a guy known as Kayin created a game called "I Wanna Be The Guy" - a masochistic game to show us just how insanely difficult developers could make platform games.

The game is known for being legendarily difficult; sporting difficulty options for no saves, longer boss battles, and countless "gotcha" moments. Essentially, a compilation of ripped assets from roms to create something ridiculously difficult, but insanely fun:

Anyone who played IWBTG remembers the goddamned spike corridor at the bottom, lol.


Eventually, this went on to inspire a more polished indie game called:


Who dialed back the difficulty a bit and brought it more mainstream.



Eventually, this wave of super hard "throwback platformers" even reached Capcom when they developed 

and


... further proving that, not only can they still make nail ripping-ly difficult platformers, but are still pretty damn good at it.



During this time period, a guy who goes by the name of Solgryn developed a game much like "I Wanna Be The Guy", but added multiple characters:



And online play as well:


It's also much longer and calls itself "I Wanna Be The Boshy".


The game runs on Multimedia Fusion 2's engine - a staple for a lot of platformer indie games.

During a playthrough, I wondered what the game save format was like and whether its values could be modified to fully unlock the game and set options past their normal limitations.





The Save Format

By default, data is passed around in MMF2 in ini files - IWBTB is no different:



Unlike normal ini files, however, these are encrypted...

After running procmon to take a look at this massive 130MB executable, we can see that it unpacks itself and operates out of a directory...



In the directory, we see a whole bunch of mfx modules which are basically renamed .dll files. The most interesting of which is INI++... what could this be???


oh...
ooohhh....

OH!



Ok, so we have a custom module that basically acts like a read/write wrapper for the normally plaintext ini files, takes a password, and encrypts the data. It also supports MD5 hashing without changing the size of the output file (from the site).

Well... if that's not information bleed...

So we have this crypto whose output is the same size as the plaintext (meaning no key or salt is attached to the encrypted data), and there's a password that somehow encrypts or decrypts it. Yay stored secrets!!!

Throwing their dll in IDA will get you something like this with IDAScope (I used it to see what crypto modules they're using):

Ok... just the MD5 inits - well, they already said they had the ability to store hashes of the strings instead, but MD5 is one way so that's no way to encrypt something (doesn't do ya much good if you can't recover it, haha).

So no fingerprints of a common crypto interface - looks like someone wanted to hand-roll their own crypto... the only thing someone should roll about that is their eyes (lel).

Well, guess it's time to start digging for "crypto" functions in the binary (Hint: just look for a bunch of bitwise operations and stupid array shaking).


....aaaaaand pwnt.


Alternatively, you could also just find that an open source Python implementation of MMF2, called anaconda, is available online. They happen to have this extension module already converted.


With this, I could make a python tool to encrypt/decrypt the data:




So now we know the algorithm... but we still don't know the damn password! Fortunately, MMF2 is publicly available and so is this plugin.

Getting The Password


After making a small test project that simply starts and writes an ini file with some data into an encrypted file, I find that the password allows no special characters and one line.



I compiled my project and set out in its running memory to find my password in plaintext because... #YOLO I guess...




Doing the same thing on IWBTB will net you a lot more text, but looking near the areas in memory where I found my password, theirs stuck out as well.






The result:

The src below will decrypt/encrypt any of Boshy's INI files - the algorithm is reversible... just run again to re-encrypt. Decrypt a fully unlocked save available online if you want :)
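An added example, not the author's script (this page does not reproduce it): RC4 stands in for the INI++ routine, since the first commenter notes the original code looks like RC4 and the page only tells us the cipher is password-keyed, size-preserving and self-inverse; the password is a placeholder. It shows why that combination is the "information bleed" noted above (one stored password and no salt, so every save shares a keystream) and writes output in binary mode, which is the fix the author gives in the comments for the mangled re-encryption.

```python
import sys

# Placeholder key for the example; the game's real INI++ password is not
# given here. RC4 is an assumption standing in for the undisclosed routine.
PASSWORD = b"example-password"


def rc4_keystream(key: bytes, length: int):
    """Yield RC4 keystream bytes. Same key -> identical keystream every run."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def crypt(data: bytes, key: bytes = PASSWORD) -> bytes:
    """XOR with the keystream: output is plaintext-sized and the operation is
    its own inverse, so running it twice returns the original (encrypt == decrypt)."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, len(data))))


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """The risk of one password and no per-file salt: the shared keystream
    cancels, so XOR of two ciphertexts equals XOR of the two plaintexts."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def crypt_file(src: str, dst: str) -> int:
    """Read and write in binary mode. Piping to stdout (as in comment 3) lets
    the console translate newline bytes and re-encode non-ASCII bytes, which
    corrupts the ciphertext. Returns the number of bytes written."""
    with open(src, "rb") as f:
        out = crypt(f.read())
    with open(dst, "wb") as f:
        f.write(out)
    return len(out)


if __name__ == "__main__":
    # usage: python boshy_ini.py <in.ini> <out.ini>  (run again to reverse)
    crypt_file(sys.argv[1], sys.argv[2])
```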

Fin






10 comments:

  1. I'm not 100% comfortable with python but that looks like rc4 to me. If it's not, it's closely related.

  2. Do you have any advice/guidance for a programmer wanting to learn more about reverse engineering video games?

  3. Hello, I tried using your Python code on my softlocked save file and it showed the contents of my save file perfectly. You said in your post that if you run it again, it will re-encrypt. So I did that, just changing the Y position in the .ini file that was output by your code. But the file wasn't like the original save file. Notepad shows Chinese characters (instead of normal random characters), and using your code again to see its contents outputs garbage on the screen, and the computer emits a long beep sound. Could you check this, please? The same happens if I don't change the file at all. For example:

    (Decrypting my save file into boshytest.ini)
    python D:\src\gistfile1.py D:\Games\IWBTB\SaveFile2.ini > D:\src\boshytest.ini

    (Encrypting the boshytest.ini file into boshytest1.ini)
    python D:\src\gistfile1.py D:\src\boshytest.ini > D:\src\boshytest1.ini

    (Checking the contents of boshytest1.ini on the screen)
    python D:\src\gistfile1.py D:\src\boshytest1.ini

    It begins showing the contents correctly, then after some point it only displays garbage and a beep sound can be heard.

    I think it might occur with any IWBTB save file, so you might try it out with your own save file, but if you want to, I can send you my save file.


    P.S.: Just happy I finished Boshy today! Ez-mode, though. Just out of curiosity, how far have you got?

    Replies
    1. You have to change the script to write to a file instead of just copy and pasting from the command line.
  4. Cheers for this, me and my friend got messed up by going into the teleported at the end of W4 before completing the boss. This meant we didn't have to redo that fucking spike tower again, Cheers!

  5. This comment has been removed by the author.

  6. I shall suggest finding a save code or downloading one that can give you all thing of the o'mighty boshy game.

  7. Can someone ELI5 this for me? I lost my save at RYU (randomly sent me to the tutorial, rip), don't want to do W2 again.

  8. Can someone explain to me where to get those encrypt/decrypt programs @_@

  9. Great article. I spent my spare time reading some blogs. And I found yours a great and knowledgeable content. Keep it up.

    Zean
    www.imarksweb.org
