CyberSecurityRumble CTF ‑ CSRunner

Description:

Collect green stuff, avoid red guys. Easy as pie, right? Not even your speedhacks will help you here! You might have to take a closer look and inspect it carefully. Have fun & good luck! The flag does not conform with the default regex.

Author:

Moritz Thomas | NVISO

The challenge gives us two Unity game builds, one for Windows and one for Linux. Let's unpack them and run the Windows one to see what happens.


This game will test your reaction time, skills and patience.

Goal:

Controls:

Q&A: Q: "Is it even possible to beat this?" A: "No, lol"

Got it, an impossible game where you avoid stuff. Can't be that hard right?


One minute in and the game is already roasting me, great!

The game is pretty simple, you're driving a car and red stuff comes at you and the goal is to avoid them while collecting the green stuff.

When we collect the green stuff, we can see at the bottom that a flag gets filled in:


Obviously it's not that simple. You need to hit a green piece to get a single character of the flag, and that's impossible without cheating since there are too many enemies. I've burned countless brain cells trying to make the game easier. I first wanted to reverse the GameAssembly.dll that was given to us using dnSpy, but there was one problem...


This was all we got. I really didn't know what to do next, but then I noticed the "il2cpp". I knew I'd seen that term before, and then I remembered LiveOverflow's devlog video where he talked about it.

IL2CPP stands for Intermediate Language to C++. Because the C# code is compiled ahead of time to native code instead of being shipped as .NET bytecode, the result is much harder to reverse engineer, as we saw in dnSpy.

"The game hacking community has written crazy tools again, which can help with the reverse engineering process. And from looking at the writeups, a common tool used is Il2CppDumper which can be used to extract all the symbol names ..."

~ LiveOverflow

Instead of looking up Il2CppDumper, I decided to read the writeups. I searched for "il2cpp ctf" in the hacking tool Google and found some interesting results like this one.


Instead of using Il2CppDumper, the author of that writeup just used Cheat Engine, and somehow it still managed to extract the class names, so I tried to do the same thing. Cheat Engine is a powerful tool for inspecting and modifying values in memory, which is why it's widely used in the game hacking community.

After attaching Cheat Engine to the game, we can apparently use the Dissect Mono feature to reverse engineer it.


Surprisingly, it worked, even though the game was compiled with il2cpp. This makes our lives so much easier.


If you ever see the file Assembly-CSharp.dll, that's what you want to look at first.


We see a lot of interesting function names. The one that stood out to me was DieOnCollision. With Cheat Engine we can make that function do nothing, which will make us invincible!

When expanding the function, we see that there are fields and methods:


Fields can be things like our health, speed, position etc. Methods are functions that execute stuff. In this case, we only have methods. The one that says OnCollisionEnter looks interesting to me, so I'll click on that and inspect it with Right click > Jit. This will bring you to a memory viewer.


All I know about Cheat Engine's memory viewer is that you can replace instructions with instructions that do nothing (nop or no operation). So I began looking for instructions we can disable and found this sucker:


A function call to GameOver! Let's disable this, lol. Right click on it and select "replace with code that does nothing".


And suddenly we got rid of the function call! Go back to the game and now you won't die from the red stuff, amazing!
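At the byte level, "replace with code that does nothing" overwrites the 5-byte `call rel32` instruction with five `0x90` NOPs, so the processor just falls through to the next instruction. The following is an added example (not part of the original writeup or the game) that performs the same patch on a constructed x86-64 code fragment standing in for the tail of OnCollisionEnter, and then shows the check a game or anti-cheat would use to notice it: hashing the code region and comparing it against a baseline taken at load time.

```python
import hashlib

NOP = 0x90          # x86 single-byte "no operation"
CALL_REL32 = 0xE8   # opcode of a near relative call; 5 bytes in total

# Constructed sample fragment, NOT bytes taken from the real game:
#   48 89 c7          mov  rdi, rax
#   e8 00 00 00 00    call GameOver      (rel32 left as a placeholder)
#   48 83 c4 20       add  rsp, 0x20
#   c3                ret
SAMPLE_CODE = bytes.fromhex("4889c7" "e800000000" "4883c420" "c3")


def find_calls(code: bytes) -> list:
    """Return offsets of every E8 (call rel32) opcode in the fragment.
    A plain byte scan is fine for a hand-built fragment; real code needs a
    disassembler, since E8 can also appear inside operands."""
    return [i for i, b in enumerate(code) if b == CALL_REL32]


def nop_out_call(code: bytes, offset: int) -> bytes:
    """Replace the 5-byte call at `offset` with five NOPs, which is what
    Cheat Engine's 'replace with code that does nothing' does in memory."""
    if offset + 5 > len(code) or code[offset] != CALL_REL32:
        raise ValueError(f"no call rel32 at offset {offset:#x}")
    return code[:offset] + bytes([NOP] * 5) + code[offset + 5:]


def code_digest(code: bytes) -> str:
    """SHA-256 of a code region, as an integrity check would compute it."""
    return hashlib.sha256(code).hexdigest()


def integrity_check(baseline: str, code: bytes) -> bool:
    """True if the region still matches the digest taken at load time."""
    return code_digest(code) == baseline


if __name__ == "__main__":
    baseline = code_digest(SAMPLE_CODE)
    offset = find_calls(SAMPLE_CODE)[0]
    patched = nop_out_call(SAMPLE_CODE, offset)
    print("original:", SAMPLE_CODE.hex())
    print("patched: ", patched.hex())
    print("integrity check passes after patch?", integrity_check(baseline, patched))
```

A real anti-tamper check would run this comparison periodically over the live `.text` section rather than once over a copy, since the patch only exists in the running process and not in the file on disk.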


Until we get launched in the air...

I don't know what causes this to happen, it's probably randomized? I'm just not going to bother with that.

After getting 100% progress, we can see that we collected some of the characters of our flag:


We only missed some because we got launched into the air, but we can try again and see how many we get.


We got 5 new characters! Let's keep doing this until we get the rest.


We win!! It only took me 4 tries.

CSR{Guess this: 'CaGjFedg6BlfnL14dSO9qyzct8HACa1pREKT'}

(If you want a more visual guide to the techniques I used here, you can watch this video from Stephen Chapman since I've also used it to learn about Mono Dissect.)

A huge thanks to the person who took the time to create this amazing challenge!