-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlevel18.ts
More file actions
35 lines (32 loc) · 5.11 KB
/
level18.ts
File metadata and controls
35 lines (32 loc) · 5.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import { Level } from './types';
export const level18: Level = {
id: 18,
title: "Code Injection: The Trampoline Architect",
description: "Privilege escalation exploit requires code injection but target function IsUserAdmin() at 0x1000 is only 8 bytes - insufficient space for full payload. Real-world exploits (buffer overflows, ROP chains, shellcode injection) face this constraint constantly. Solution: Trampoline technique used in modern exploits, game trainers, rootkits. Process: (1) Allocate heap space for payload cave (executable memory region). (2) Write privilege escalation shellcode to heap. (3) Overwrite IsUserAdmin() prologue with JMP to heap (detour). (4) Payload executes in heap, sets ADMIN_FLAG. (5) Payload jumps back to original code flow (resume execution). Real-world examples: Cheat Engine's code injection allocates memory via VirtualAllocEx, writes assembly to allocated region, creates detour. Metasploit payloads use trampolines when inline space limited. Return-Oriented Programming (ROP) chains detour through gadgets. Your scenario requires five-stage configuration: HEAP_ALLOC (allocate executable memory at 0x5000, size 64 bytes), PAYLOAD_INJECT (write shellcode opcode 0xC3 = 'set admin flag'), DETOUR_JMP (overwrite function start with JMP opcode 0xE9 pointing to heap), PAYLOAD_EXEC (execute shellcode in heap context), RETURN_JMP (jump back to original code flow, opcode 0xEB). All five stages must be configured atomically - partial injection fails (crashes/detection). Techniques: Memory Scanner (locate and set stage values), Hex Editor (precise opcode/address manipulation), hybrid. Educational concepts: heap allocation, shellcode writing, detour creation, execution flow hijacking, code caves. This mirrors real exploitation: when inline hooking impossible due to size constraints, allocate remote memory, inject payload, detour execution. Understand memory allocation, code injection, trampolines.",
requiredSkill: "Multi-Stage Trampoline Code Injection & Execution Flow Detour",
objective: (s) => {
const heapAllocated = s.sortValue1 === 0x5000; // HEAP_ALLOC: Allocate at 0x5000
const heapSize = s.sortValue2 === 64; // HEAP_SIZE: 64 bytes
const payloadInjected = s.health === 0xC3; // PAYLOAD_INJECT: Shellcode opcode 0xC3
const detourCreated = s.ammo === 0xE9; // DETOUR_JMP: JMP opcode 0xE9
const returnJmpSet = s.score === 0xEB; // RETURN_JMP: Short JMP opcode 0xEB
return heapAllocated && heapSize && payloadInjected && detourCreated && returnJmpSet;
},
hint: "Five stages. Five opcodes. One trampoline. HEAP_ALLOC=0x5000, HEAP_SIZE=64, PAYLOAD_INJECT=0xC3, DETOUR_JMP=0xE9, RETURN_JMP=0xEB. Configure injection architecture.",
tutorPersona: "The Injector: Trampolines are the art of code detour when inline space insufficient. Target function IsUserAdmin() is 8 bytes at 0x1000. Your privilege escalation payload is 32 bytes. Cannot fit inline. Solution: five-stage trampoline architecture. Stage 1 HEAP_ALLOC: Allocate executable memory region. Set to 0x5000 (heap cave address, 20480 decimal). Stage 2 HEAP_SIZE: Reserve sufficient space. Set to 64 bytes for payload + metadata. Stage 3 PAYLOAD_INJECT: Write shellcode to heap. Opcode 0xC3 (RET instruction modified to set ADMIN_FLAG, 195 decimal). Stage 4 DETOUR_JMP: Overwrite IsUserAdmin() prologue with JMP to heap. Opcode 0xE9 (near jump, 233 decimal). Stage 5 RETURN_JMP: Payload must return to original flow. Opcode 0xEB (short jump back, 235 decimal). When configured correctly, execution flows: CPU calls IsUserAdmin() at 0x1000 → Detour JMP (0xE9) redirects to heap 0x5000 → Shellcode (0xC3) executes, sets admin → Return JMP (0xEB) resumes original flow → Privilege escalated. Real-world: Cheat Engine uses this for code injection. Exploits use this when ROP gadget space limited. Rootkits use this to hook kernel functions. All five stages required atomically - this is production exploitation architecture. In real Cheat Engine: allocate memory (VirtualAllocEx), write bytes (WriteProcessMemory), create detour (5-byte JMP: E9 XX XX XX XX). You are building that configuration. Understand heap allocation (where payload lives), shellcode opcodes (what payload does), detour mechanics (how execution redirects), return flow (how normalcy resumes). Set all five values correctly.",
memoryLayout: [
{ key: 'sortValue1', label: 'HEAP_ALLOC', type: 'int', offset: 0xA0 },
{ key: 'sortValue2', label: 'HEAP_SIZE', type: 'int', offset: 0xA4 },
{ key: 'health', label: 'PAYLOAD_INJECT', type: 'int', offset: 0x10 },
{ key: 'ammo', label: 'DETOUR_JMP', type: 'int', offset: 0x1C },
{ key: 'score', label: 'RETURN_JMP', type: 'int', offset: 0x50 }
],
initialState: {
sortValue1: 0, // HEAP_ALLOC (should be 0x5000 = 20480)
sortValue2: 0, // HEAP_SIZE (should be 64)
health: 100, // Repurposed as PAYLOAD_INJECT but needs >0 to prevent BSOD (should be 0xC3 = 195)
ammo: 0, // DETOUR_JMP (should be 0xE9 = 233)
score: 0 // RETURN_JMP (should be 0xEB = 235)
},
platforms: [{ id: 'p1', x: 0, y: 280, width: 800, height: 40, type: 'static' }]
};