Dungeon Server
In the game, Pepper Minstix gives the source code for a Dungeon game that she likes to play.
Alabaster Snowball also speaks of the game Dungeon.
The Dungeon URL was found in the SantaGram apk by using JadX. The URL that needed to be tested was found
in the Resources>resources.arsc>values>strings.xml. The URL is http://dungeon.northpolewonderland.com.
If one navigates to http://dungeon.northpolewonderland.com on port 80, they will get instructions about how to
play. The game cannot be played via port 80.
One can run an nmap scan to see if the game is available over any other port.
nmap -T4 dungeon.northpolewonderland.com -p 0-65535
The game is on port 11111.
Using netcat, one can play the game.
nc dungeon.northpolewonderland.com 11111
The player may want to explore the game offline, though, to see if there is any way to cheat. Dungeon can
take a while to play.
If one uses strings, they can find out some interesting information about the game. In this particular game, a
debugging tool was left in the game. This is how players can cheat. The debugging tool is GDT. The creators
of the game used it to test features of the game without having to play through the whole game or die. In
some versions there is a password. In this version, there was not a password required to use it.
The commands for this debugger are listed in strings as well.
*NTM: Some people got this one just by printing out the game strings.*
Commands of note: AH: alter here, ND: no deaths, NT: no troll, NC: no cyclops, NR: no robber. The only
command that was absolutely necessary was AH.
The object of this game of dungeon is to find an elf and give them a trinket.
In order to win, all someone had to do was these commands:
Room 8 is the living room. Room 0-not sure what it is, but it has many objects as well as the robber, cyclops,
and troll. (The writer remembered that computers counted from 0, so when she was testing AH, she decided
to see if there was a room 0 and what was in it.) Room 192 is the room
with the elf that the player is supposed to find.
>GDT
GDT>ND
GDT>AH
GDT>8
GDT>EX
>take lantern
>GDT
GDT>AH
GDT>0
GDT>EX
>turn on lantern
>take all
>GDT
GDT>AH
GDT>AH
GDT>192
GDT>EX
>give diamond to elf
Now, do the same in the online version.
When you've completed it online, you receive a message prompting you to e-mail
peppermint@northpolewonderland.com:
Peppermint sends you discombobulatedaudio3.mp3
Mitigation:
Don’t leave tools to test the functionality of the game in the final game. If you insist on doing so, at least try to
obscure them and require password access. Make an extremely strong password. Do not store the password
in the game, either.
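One way to enforce the first mitigation is a pre-release check that runs the same strings-style extraction described above over the build artifact and blocks the release if the debugger prompt is still present. This is an added example, not code from the original post or from the game; the marker list (only the GDT> prompt shown in the transcript) and the sample byte strings are constructed assumptions.

```python
import re

# Marker taken from the GDT> prompt in the transcript above; extend per project.
FORBIDDEN_MARKERS = (b"GDT>",)
MIN_LEN = 4  # same default run length as the strings utility


def printable_strings(blob, min_len=MIN_LEN):
    """Yield (offset, text) for each run of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(blob):
        yield match.start(), match.group().decode("ascii")


def find_debug_markers(blob, markers=FORBIDDEN_MARKERS):
    """Return [(offset, string)] for every extracted string containing a marker."""
    wanted = [m.decode("ascii") for m in markers]
    hits = []
    for offset, text in printable_strings(blob):
        if any(marker in text for marker in wanted):
            hits.append((offset, text))
    return hits


def release_gate(blob):
    """True when the artifact is clean, False when a debug hook is still in it."""
    return not find_debug_markers(blob)


# Constructed sample data standing in for two builds of a game binary.
HEADER = b"\x7fELF\x02\x01\x00" + b"\x00" * 8
DEBUG_BUILD = HEADER + b"Welcome to Dungeon.\x00GDT>\x00Valid commands are:\x00\x01\x02"
RELEASE_BUILD = HEADER + b"Welcome to Dungeon.\x00\x01\x02"

if __name__ == "__main__":
    for name, blob in (("debug", DEBUG_BUILD), ("release", RELEASE_BUILD)):
        hits = find_debug_markers(blob)
        if hits:
            found = ", ".join(f"{text!r} at 0x{off:x}" for off, text in hits)
            print(f"{name}: FAIL ({found})")
        else:
            print(f"{name}: PASS")
```

A clean result only shows that the listed markers are absent; the debugger itself should be excluded from the release build, with this check as a backstop.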