HackyBird | HackTheBox Walkthrough

Nihir Zala
4 min read · Feb 7, 2023

You may also download the IDA database where I renamed some of the functions during reverse engineering here.

TOOLS REQUIRED

OUTLOOK OF THE GAME


This is basically a replication of the famous mobile game, Flappybird.

ANALYSIS

If we open the file in IDA, it is very large and would probably take ages to reverse engineer in full. To save time, we can use Cheat Engine to help us find the winning condition quickly.

Based on the game, the way to get the flag is probably to successfully pass a certain number of obstacles. Therefore, we can first search for the counter variable in Cheat Engine.

1. FIND THE COUNTER VARIABLE

Firstly, launch Cheat Engine, launch HackyBird, and attach Cheat Engine to HackyBird’s process.

For the first scan, we search for addresses that contain the value 2. Remember to tick the checkbox “Pause the game while scanning”.

Start the game and try to score 2 points. When you hit two points, immediately press the “New Scan” button in Cheat Engine before failing at 2 points.

Based on Fig 5a, there are tons of addresses with value 2, so it is still too hard to determine the right one. Therefore, we can try again, but this time set the value to 0 and press the “Next Scan” button once the game starts. End the game before even clearing the 1st obstacle. This narrows it down to a few addresses.

Based on the few addresses left, play the game and see whether any of the addresses changes whenever you clear an obstacle and the points tally. I played until I cleared the 2nd obstacle and immediately identified the address, as shown in Fig 5b.

2. VERIFY THE ADDRESS IS THE VARIABLE OF THE COUNTER

Next, double-click on the suspected address. It should appear in the list at the bottom of Cheat Engine. Change its value to any value and tick the Active checkbox.

Play the game again. The score should immediately show the value you set. If it doesn’t, you have identified the wrong address, so repeat step 1.

3. IDENTIFY THE WINNING INSTRUCTION IN IDA

Right-click on the address in the list and choose “Find out what accesses this address” (see Fig 5c). A debugger window should appear.

Play the game. There should be two instructions that appear in the debugger. Play until you cross the 1st obstacle. Two more instructions will appear. Choose the instruction that has the “cmp” opcode (see Fig 5d).

Open HackyBird.exe in IDA Pro, press G, enter the address “403133”, and press ENTER. IDA Pro will jump to that location (see Fig 5e).

Based on the assembly code, we can guess it means:

if (counter <= 999)
{
    ..Do something..
}
else
{
    ..Do something else..
}

Since our score so far is below 0x3E7 (999), this suggests at least 1000 is needed to get the flag. Let’s set our counter to 1000 and clear the 1st obstacle.

However, when we clear the 1st obstacle, some weird string appears (see Fig 5f).

This issue persists even if we set other high scores. Therefore, it could be that exactly a score of 1000 is needed. So we can set the counter to 999 and try to clear the 1st obstacle.

FLAG OBTAINED

True enough, we obtained the flag once the bird clears the 1st obstacle.


Written by Nihir Zala

Hi there, I'm Nihir Zala—a Laravel developer from Gujrat, India, with over 2.5 years of professional experience. I am also learning pentesting on THM and HTB.
