DEV Community

Mudacumura Brunoblaise
Mudacumura Brunoblaise

Posted on

No way out picoCTF

No way out

200 points

AUTHOR: KRIS

Description
Put this flag in standard picoCTF format before submitting. If the flag was h1_1m_7h3_f14g submit picoCTF{h1_1m_7h3_f14g} to the platform.
[Windows game], Mac game


My very first introduction to unity hacking!

In the game you're spawned inside an area with a ladder but you can escape because of an invisible border.

After trying to look for the flag inside the files of the compiled game, I searched on google (and was probably put in a watchlist) on how to hack a unity game.

Ctf writeups pointed me to dnSpy a C# decompiling program that can be used to hack/mod unity games.

Using it and opening the games Assembly-CSharp.dll I could look inside the code.

In there I looked at the PlayerController class to see if I could make it so that I could jump infinitely to bypass the border.

I found this line of code that operates jumping:

if (Input.GetButton("Jump") && this.canMove && this.characterController.isGrounded && !this.isClimbing)
{
    this.moveDirection.y = this.jumpSpeed;
}
Enter fullscreen mode Exit fullscreen mode

and I removed the condition where it checks if the player is grounded from the if statement.

Compiling and exporting and opening the game once again, I could jump in the air to bypass the border and get outside the region where, when I went far enough gave the flag string in the middle of the string:

welcome_to_unity!!
Enter fullscreen mode Exit fullscreen mode

So the flag was:

picoCTF{welcome_to_unity!!}

Top comments (0)