DEV Community

Mudacumura Brunoblaise



No way out picoCTF

No way out

200 points


Put this flag in standard picoCTF format before submitting. If the flag was h1_1m_7h3_f14g submit picoCTF{h1_1m_7h3_f14g} to the platform.
Windows game, Mac game

My very first introduction to Unity hacking!

In the game you're spawned inside an area with a ladder, but you can't escape because of an invisible border.

After trying to look for the flag inside the files of the compiled game, I searched on Google (and was probably put on a watchlist) for how to hack a Unity game.

CTF writeups pointed me to dnSpy, a C# decompiling program that can be used to hack/mod Unity games.

Using it to open the game's Assembly-CSharp.dll, I could look inside the code.

In there I looked at the PlayerController class to see if I could make it so that I could jump infinitely to bypass the border.

I found this line of code that operates jumping:

if (Input.GetButton("Jump") && this.canMove && this.characterController.isGrounded && !this.isClimbing)
    this.moveDirection.y = this.jumpSpeed;

and I removed the condition where it checks if the player is grounded from the if statement.
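Why that one condition is the whole barrier, shown as an added example that is not part of the original post or the game's code: a stand-alone model of the jump branch, run once with the grounded gate and once without it. The jump speed, gravity, frame time and frame count are assumed values, and `JumpModel` and `MaxHeight` are hypothetical names.

```csharp
using System;

// Simplified stand-alone model of the jump branch quoted above; not Unity code.
// All constants below are assumed values chosen for illustration.
static class JumpModel
{
    const float JumpSpeed = 8f;   // assumed stand-in for this.jumpSpeed
    const float Gravity = 20f;    // assumed
    const float Dt = 1f / 60f;    // assumed fixed frame time

    // Highest point reached while the jump button is held for `frames` frames.
    public static float MaxHeight(bool requireGrounded, int frames)
    {
        float y = 0f, vy = 0f, peak = 0f;
        for (int i = 0; i < frames; i++)
        {
            bool isGrounded = y <= 0f;

            // Same shape as the game's condition: the button is held, and the
            // jump is optionally gated on being grounded.
            if (!requireGrounded || isGrounded)
                vy = JumpSpeed;

            // Gravity pulls the player back down every frame.
            vy -= Gravity * Dt;
            y += vy * Dt;
            if (y <= 0f) { y = 0f; vy = 0f; }

            peak = Math.Max(peak, y);
        }
        return peak;
    }

    static void Main()
    {
        // With the gate, height is bounded by roughly JumpSpeed^2 / (2 * Gravity).
        Console.WriteLine($"grounded check kept:    {MaxHeight(true, 300):F2}");
        // Without it, upward velocity is refreshed every frame, so height keeps
        // growing for as long as the button is held.
        Console.WriteLine($"grounded check removed: {MaxHeight(false, 300):F2}");
    }
}
```

Any limit that exists only in client-side code like this holds only as long as the shipped assembly is unmodified.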

After compiling, exporting, and opening the game once again, I could jump in the air to bypass the border and get outside the region where, when I went far enough, it gave the flag string in the middle of the string:


So the flag was:

