
Teleporting and Hovering (Unbearable Revenge) - Pwn Adventure 3

Jun 01, 2021
The fact that we were able to walk at a super fast speed and were able to fly is an indication that the server does not really verify the position sent by the client. So I think we should try teleporting! So how can we make teleportation work? When you look at the methods of the Player class, or to be more specific, the Actor class that the Player inherits from, you can see a SetPosition method. It takes a three-dimensional vector as a parameter and vector3 has x, y and z values. Seems like a very good candidate to try.
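A server that did verify positions would compare each client update against how far a player could legitimately have moved since the last accepted one. The following is an added example, not code from the game or the video; `Vec3`, `MoveValidator`, the speed limit and the sample updates are all assumptions made for illustration.

```cpp
#include <cmath>
#include <cstdio>

// Hypothetical stand-ins: the game's real server code is not shown on this page.
struct Vec3 { float x, y, z; };

struct MoveValidator {
    Vec3  last;      // last position the server accepted
    float maxSpeed;  // assumed top legitimate speed, units per second
    float slack;     // tolerance for jitter and latency

    // True: the move is plausible and becomes the new accepted position.
    // False: `last` is untouched so the caller can snap the client back to it.
    bool accept(const Vec3& claimed, float dtSeconds) {
        if (!(dtSeconds > 0.0f)) return false;  // also rejects NaN
        if (!std::isfinite(claimed.x) || !std::isfinite(claimed.y) ||
            !std::isfinite(claimed.z)) return false;
        const float dx = claimed.x - last.x;
        const float dy = claimed.y - last.y;
        const float dz = claimed.z - last.z;
        const float dist = std::sqrt(dx * dx + dy * dy + dz * dz);
        if (dist > maxSpeed * dtSeconds * slack) return false;
        last = claimed;
        return true;
    }
};

// Constructed sample: a normal step, a jump to the origin, then a normal step
// measured from the last accepted position.
int countRejected() {
    MoveValidator v{{100.f, 200.f, 50.f}, 600.f, 1.25f};
    const Vec3 updates[] = {{105.f, 200.f, 50.f}, {0.f, 0.f, 0.f}, {110.f, 200.f, 50.f}};
    int rejected = 0;
    for (const Vec3& u : updates)
        if (!v.accept(u, 0.05f)) ++rejected;
    return rejected;
}

int main() {
    std::printf("rejected updates: %d\n", countRejected());
    return 0;
}
```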
But… how to make teleportation usable and fun in the game? So my first plan was to implement a small command and control server. I wanted to use the tick function, which is called several times per second, to check if a command arrives. And then I could write a neat control panel to teleport me wherever I want. But… there is a much cooler idea. As you know, I try to solve these challenges on my own, which means I haven't looked for any articles or solutions from other people. But of course, because these items exist, sometimes they accidentally mess you up.

And I glimpsed one of them when I analyzed some problems I was having. I try to be careful not to mess up any solutions, and in this case I didn't. It's a very good idea that I'm now stealing from someone else. Unfortunately, I can't properly credit where I got it from now because I don't remember and I'm afraid to look for it again, not that it ruins anything serious. The great idea was to use chat messages. So the player class has a Chat method that takes a string as a parameter. So when we override this method and add a printf that simply prints the string passed as a parameter, we can see everything we type in the chat.
And now we can use it to handle commands. How about a teleport command? To do that we do a strncmp on the incoming message to check if it starts with "tp". Next we want to read some coordinates, which we can do with sscanf. So we create a new 3D vector and then use sscanf to scan the input chat message for 3 float values and assign them to the x, y and z attributes of the vector. Now we simply have to set the position of the player. But you know what's cool? Since we are inside the player class, we can now use this, which is the instance of the player object where this method is called.
Then we can simply call this->SetPosition with the new position. So let's try this. We compiled it again as a shared library. Then LD_PRELOAD it into the game process. Access. And here we go. “tp 0 0 0”. Damn, it worked! We teleport to 0 0 0. And we are somewhere underground! Mhhm… these blocks here look like hallways. I think this is the block dungeon challenge. Remember the crazy big room with all the logic doors that need to be set correctly to open this door and get to the chest? Maybe we can just teleport to it! Let's add another convenient command to our chat control. “tpz” to teleport only in the vertical z axis.
We basically do the same thing, we check that the message starts with the “tpz” command, we take a 3d vector, but this time we can get the current position of the player, because we only want to change the z coordinate, and then we use sscanf to just look for one float value to assign to z. So let's teleport back to 0 0 0. And then walk to where the chest might be. It should be at the end of the large room, so maybe here. So let's try it. Tpz 1000. Ah, not high enough. Tpz 2000? Tpz 3000? Oh. We didn't make it all the way, but we made it to the large room.
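The two chat commands described above, parsed as a standalone function (an added example, not the code from the video; `Vector3`, `Cmd` and `parseChat` are stand-in names, and the sample messages are constructed). It checks `tpz` before `tp`, since a two-character compare against "tp" also matches "tpz", and it ignores the command unless `sscanf` converted every expected value.

```cpp
#include <cstdio>
#include <cstring>

struct Vector3 { float x, y, z; };  // stand-in for the game's vector type

enum class Cmd { None, Teleport, TeleportZ };

// Parses one chat line. `current` is the position before the command; `out`
// is written only when a command parses completely.
Cmd parseChat(const char* msg, const Vector3& current, Vector3& out) {
    // "tpz " must be tested first: strncmp(msg, "tp", 2) is also true for "tpz".
    if (std::strncmp(msg, "tpz ", 4) == 0) {
        Vector3 p = current;  // keep x and y, replace only z
        if (std::sscanf(msg + 4, "%f", &p.z) != 1) return Cmd::None;
        out = p;
        return Cmd::TeleportZ;
    }
    if (std::strncmp(msg, "tp ", 3) == 0) {
        Vector3 p{};
        // sscanf returns the number of converted fields; fewer than 3 means
        // the message was incomplete and p holds partly filled values.
        if (std::sscanf(msg + 3, "%f %f %f", &p.x, &p.y, &p.z) != 3) return Cmd::None;
        out = p;
        return Cmd::Teleport;
    }
    return Cmd::None;  // ordinary chat text
}

int main() {
    const Vector3 current{10.f, 20.f, 30.f};  // constructed sample position
    const char* samples[] = {"tp 0 0 0", "tpz 1000", "tp 1 2", "hello"};
    for (const char* s : samples) {
        Vector3 out = current;
        const Cmd c = parseChat(s, current, out);
        std::printf("%-10s -> cmd=%d pos=(%g, %g, %g)\n", s,
                    static_cast<int>(c), out.x, out.y, out.z);
    }
    return 0;
}
```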
So let's walk to the window. Teleport back under the map. Take a small step forward and teleport back. Boom, here we go! But well... we can't open the chest. It would have been too easy for 400 points. But it was worth a try, right? Maybe we'll revisit that bear hunt. During the game we learned that when we try to open the chest, a 5 minute timer starts and bears attack us. But now we can teleport and fly! So let's try it again. Let's activate the chest and teleport to this conveniently located tree! So now we are out of range of the bears.
Look at the hordes of bears who can't do anything. Now we just have to wait! ……….. Oh, some big bears are joining in, but they can’t climb the trees…. What the fuck? Achievement, the right to arm bears and we were killed by a bear with an AK47? What the hell? Are bears supposed to have assault rifles? Well, that didn't work... The bullets can hit us in the tree. And at first I didn't know what to do. But then I remembered that we could also move under the map. Can we shoot the chest and hide from the bullets?
Let's try that. Activate. Teleport down. And we're falling... ah damn. We fell too far and the timer went off. Hmhmh... but if we could somehow float just below the surface, we could still not be seen and stay in the circle! So let's schedule that. I create a new command, an exclamation point, that I use to trigger a position freeze. For that I define two global variables, a boolean freeze and a freeze position. So if we are not frozen, we set a frozen position to the current one and set the frozen flag. But if we were already frozen, we simply set the frozen value back to false.
We can then use the tick function which is called several times per second to check the frozen variable and if it is on we set the player position to the frozen position. Pretty simple, but hopefully effective. Let's try it... We jump into the air and then activate the freeze. Oh damn, that's shaking... mmhmh... how could we make it smoother? Let's go over the methods again. Ah... maybe it's the speed that pushes us down. So how about we also set the speed to 0 when we freeze? That should solve it. Oh, and in order for us to teleport while frozen, we also have to update the freezing position in a teleport.
Now let's go back to the bears and try it. We activate the chest. Freeze quickly. And teleport just below the surface. Awesome… now we're just chilling here until time runs out. Oh man? Did we somehow get out of the loop again? Why? At first I was really confused, but when I looked at my floating character from another perspective, I understood why. The server obviously still thinks I'm falling. It will constantly reset to our scroll position, but sometimes I just get unlucky and the server drops me too low before the new update arrives. We can also see that when we check the velocity before resetting it to 0.
It will always have the negative value of the gravity that is pulling us down. And sometimes that's too much. And what happens if we set a positive velocity in our freezing section? So whatever the server applies to it, it won't sink us too much. While it seems like a good idea, it didn't work either. Although I found a way to make it work, but it's not very elegant... I noticed that when I keep jumping constantly, the character floats perfectly. So I was trying to invoke the jump programmatically, which I thought was done using the SetJumpState command, which triggers a server refresh, but apparently it's not enough.
Also, SetRemotePositionAndRotation didn't. So if anyone has a good easy idea that doesn't involve a press space macro, please let me know! But I really want this flag now, so I suck it up and go to the chest again, activate it, teleport under the chest, and then I get carpal tunnel syndrome. Stupid, but it works! We are not going to leave the circle and that is why now we just have to wait. ….. Here we go! Mission complete. We did it! Now we just have to get to the chest. Let's try to deploy and spam the E key to collect the contents of the chest.
Holy shit. What just happened. Probably all these objects that were squeezed into that tight space were just thrown at me. Oh, and it threw me straight to the island with the cows. There you have a new speedrun strategy! Let's log out to make sure all the bears are gone, go to the chest again and we'll finally get our flag! Bear flag. They couldn't stand to see you. And we have a new weapon. The remote exploit. A 1337 sniper rifle. Reach out and exploit your enemy's vulnerability to large caliber bullets. Awesome!
