[CrackMyApp] Pawn Takes King Write-up

_2 · January 15, 2025

Crackme


A chess cheater has rigged the game, surrounding your lone pawn with an army of queens. Their hubris shows - they've left their king exposed, but reaching it seems impossible through normal moves.

The Challenge:
Control a single white pawn against a black king protected by 22 black queens. The queens follow standard chess rules and will capture your pawn if given the chance.

Victory Conditions:
- Patch the game to help your pawn capture the black king
- Any modification that leads to checkmate is valid
- Modifying the board is a valid solution
- Modifying the rules is a valid solution
- For the ultimate challenge, make the pawn capture the king directly

Patching is required - modify the rules creatively to achieve victory. Choose your approach wisely and show that even a pawn can take down a king.

const X = h === "victory" ? "Checkmate!" : "Defeated",
        T = h === "victory" ? "Incredible! Despite the cheater's army of queens, your lone pawn managed to reach their king. Your patch ensured victory!" : "The chess cheater's unfair advantage proved too much this time. Their queens have blocked all paths to victory. Can you patch to victory?",
        F = h === "victory" ? "bg-mocha-green" : "bg-mocha-red",

This is a Rust (Tauri) crackme; the result is processed in JS.

1. Manipulating the game result

const z = m.map(fe => fe.map(te => te === null ? null : te)),
    $ = await Rl("get_valid_moves", {
        request: {
            position: {
                row: U,
                col: I
            },
            piece: ie,
            board: z
        }
    });
b($.valid_moves), $.game_state === "Victory" ? h("victory") : $.game_state === "Defeat" && h("defeat")

After the get_valid_moves call, the result is updated according to game_state.


Patch: make game_state always "Victory".

pawn-takes-king.exe+4647E:
xor eax,eax   // original 2-byte instruction at this address
db 90 90      // replaced with two NOPs

The first method I tried. It was not accepted as a correct answer.

2. Manipulating the board

The crackme has four handlers. Of these, get_challenge_board is the one to manipulate.

Looking at get_challenge_board's user_handler, it places the king, the queens and the pawn on the board as "k", "q" and "P".

So write a "k" at a position the pawn can capture right away.
The existing king does not need to be removed; it is not checked.


alloc(newmem,2048,"pawn-takes-king.exe"+DC02F)
label(returnhere)
label(originalcode)
label(exit)

newmem:
push rax
mov rax,[r12+8]            // row 0 of the board (see the layout notes below)
mov byte ptr [rax+10],0    // write 0 at row 0, col 4 (10h / 4)
mov rax,[r12+98]           // row 6 of the board (8 + 6*18h = 98h)
mov byte ptr [rax+c],'k'   // write 'k' at row 6, col 3 (0ch / 4)
pop rax

originalcode:
mov rbp,[rsp+68]

exit:
jmp returnhere

"pawn-takes-king.exe"+DC02F:
jmp newmem
returnhere:

// [r12+8+(i*18h)] = iy board
// iy_board + (i*4) = ix position
