
ART/ARF Challenge #1 - DOOMSCROLL

This challenge can be found when the trio has to enter the "Quest for Doomscroll" skinscape.

The Setup

Eli and Wheeler have found this game in the restaurant.

It looks impossible to win at first but maybe you can get through the portal with some freebooting...

You can also run it locally on your system:

We are given a link to a web-based game, as well as binaries to run the file on mac/windows/linux.

The Cheat

The game looks like a dungeon crawler, where you can move around and use the space bar to defeat monsters and pick up gold coins.

A portal asks you to get to 1000 points. There is one gold coin on the ground, which will give you one point, and five monsters spawn around you when you start. You can defeat the monsters at close range by hitting the space bar. They will each drop one gold coin, giving you one point each.

After some playing around, I figured out that points do not reset after you die, so in theory it is possible to get 5 points, get killed by the last monster, do it again 200 times until you get to 1000 points. I have not tried this and would not recommend it. There is a better way.

Taking a look at the Network tab of my browser's Web Developer Tools, I can see that when I reload the page, a .js, a .wasm and a .pck file are loaded. The .js file is JavaScript and tells the browser how to load the other two files. The .wasm file is WebAssembly and contains the game logic (such as what happens when I press buttons). The .pck file contains the game assets, such as images, constants and text.

By right-clicking on each request you can "Save Response As" and save each file. Now, let's run our trusted friend strings:

$ strings doomscroll-quest.js | grep KEY{

$ strings doomscroll-quest.wasm | grep KEY{

$ strings doomscroll-quest.pck | grep KEY{
KEY{something}

Whoop whoop the flag was successfully freebooted!

Another way to get the flag, a bit more cumbersomely, is via gdsdecomp, which is a reverse engineering tool for Godot projects. After decompiling the .pck file, you can find the flag in the scenes/flag.tscn file.
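As an added example (not from the original write-up and not Godot's or gdsdecomp's own code), here is a small Python parser for the .pck directory that reports which resource holds a KEY{...} string rather than only that one exists somewhere in the file. It follows the Godot 4 pack format 2 layout as Godot's file_access_pack.cpp reads it, refuses encrypted directories, and runs against a constructed sample pack with a placeholder flag standing in for doomscroll-quest.pck.

```python
import re
import struct
# Godot 4 .pck (pack format 2) as Godot's FileAccessPack reads it: 100-byte header ("GDPC", format,
# engine major/minor/patch, pack flags, file_base, 16 reserved u32s, file count), then a directory
# entry per file, then file data at file_base + entry offset. Godot 3 (format 1) differs and is rejected.
HEADER = struct.Struct("<4sIIIIIQ16II")
ENTRY = struct.Struct("<QQ16sI")          # offset, size, md5, per-file flags
PACK_DIR_ENCRYPTED = PACK_FILE_ENCRYPTED = 1
FLAG_RE = re.compile(rb"KEY\{[^}]*\}")

def build_pck(files, engine=(4, 4, 1)):   # minimal unencrypted pack, used only for the sample below
    directory, data = b"", b""
    for path, content in files.items():
        p = ("res://" + path).encode()
        p += b"\0" * (-len(p) % 4)          # stored path is padded to a multiple of 4 bytes
        directory += struct.pack("<I", len(p)) + p + ENTRY.pack(len(data), len(content), bytes(16), 0)
        data += content
    file_base = HEADER.size + len(directory)
    return HEADER.pack(b"GDPC", 2, *engine, 0, file_base, *[0] * 16, len(files)) + directory + data

def read_header(pck):                     # -> (engine_version, pack_flags, file_base, file_count)
    magic, fmt, major, minor, patch, pack_flags, file_base, *rest = HEADER.unpack_from(pck, 0)
    if magic != b"GDPC" or fmt != 2:
        raise ValueError(f"not a Godot 4 pack: magic={magic!r} format={fmt}")
    return (major, minor, patch), pack_flags, file_base, rest[-1]

def list_entries(pck):                    # yields (path, absolute_offset, size, file_flags)
    _, pack_flags, file_base, count = read_header(pck)
    if pack_flags & PACK_DIR_ENCRYPTED:
        raise ValueError("directory is encrypted; paths cannot be read without the key")
    pos = HEADER.size
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", pck, pos)
        path = pck[pos + 4:pos + 4 + plen].rstrip(b"\0").decode()
        ofs, size, _md5, flags = ENTRY.unpack_from(pck, pos + 4 + plen)
        pos += 4 + plen + ENTRY.size
        yield path, file_base + ofs, size, flags

def find_flags(pck):                      # map each unencrypted resource path to its KEY{...} strings
    hits = {}
    for path, ofs, size, flags in list_entries(pck):
        if not flags & PACK_FILE_ENCRYPTED and (found := FLAG_RE.findall(pck[ofs:ofs + size])):
            hits[path] = [f.decode() for f in found]
    return hits

# Constructed stand-in for doomscroll-quest.pck; the flag value is a placeholder, not the real one.
SAMPLE_PCK = build_pck({
    "scenes/main.tscn": b'[gd_scene format=3]\n[node name="Main" type="Node2D"]\n',
    "scenes/flag.tscn": b'[gd_scene format=3]\n[node name="Flag"]\ntext = "KEY{placeholder}"\n',
})
```

Run it on the real file with find_flags(open("doomscroll-quest.pck", "rb").read()); an unencrypted pack hands back every asset verbatim, which is exactly why strings finds the flag at all.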

There was some discussion in the comic's Discord where people were wondering if this was the "intended" solution, and after taking a hard look at the files given, my impression is that it is. I could find no underflow to exploit, no backdoor to invoke to solve this challenge directly from the browser.

Eli's shortcut

Eli shared a shortcut to the flag: you can just download one of the zips, unzip it and run strings on everything.

But you can go even simpler than that: extract straight into a pipe to strings, without writing the files to disk.

unzip -p linux.zip | strings -n 11 | grep 'KEY{'

This also works with windows.zip and macos.zip.

Modifying Game Script Files

Another alternative to obtain the key would be to modify the resource files of the Doomscroll Quest game. This process was tested on both Linux (Debian) and Windows 11.

First you will need to unpack the files from the doomscroll-quest.pck file. This can be done with GDRE Tools (https://github.com/GDRETools/gdsdecomp) from GitHub. This simple-to-use application lets you recover the project files, create a pck archive, and perform several other functions.

After unpacking the .pck file, you will find that a folder titled Doomscrool Quest has been created. This folder contains several subfolders holding code, graphics and audio files. There are numerous ways to go about this. The simplest would be to modify the function that the game calls when the player makes contact with the portal. This function determines whether the player has enough coins to pass through the portal.

After making the needed script modifications, create a new PCK archive from the Doomscrool Quest folder. There are two items that I expect are of importance when creating the new PCK archive. The first is the Godot engine version; when unpacking the original PCK archive, GDRE Tools indicated that the version was 4.4.1. Second, I did not change the name of the Doomscrool Quest folder; within the project file, "Doomscrool Quest" is referenced as the config name, and I expect that the executable may look for this specific value in the PCK archive.

After creating the new PCK archive, rename it to match the executable file, except for the file extension.


If you found another alternative way of getting to the flag, I would be happy to document it here, shoot me an email!