Game Hacking: Hacking my own game - I
It was our turn to build the CTF. We were just days away and the team had zero clue about how to design challenges for CTFs; of course, it was our first time building one. The panic started when the idea of an internal CTF, which is essentially a hacking competition in a controlled environment, was announced and the entire team would be split up into teams of 4-5 members. Each team would take turns building the CTF and the other teams would play it (hack it).
Since web application challenges were common in CTFs, I wanted to move into an entirely different domain. I’ve had my fair share of experience with mobile applications too, but that also felt a bit saturated. Then it struck me: why not try game hacking? Of course, I’d have to make the game on my own, but how cool would it be to hack your own game? I hadn’t tried anything beyond LiveOverflow’s Game Hacking videos, so it would also be a research opportunity for me.
I jumped to my PC, opened YouTube and started to learn some basics of the Unity game engine, since I had a bit of prior experience with it. The instructions for making a simple 2D game seemed easy to follow.
The Game
It was ready! My own rip-off version of Flappy Bird: Parakkum Thalika. It stands for UFO. So basically, this game is like Flappy Bird, but instead of a bird, it is a UFO that tries to avoid buildings. Each time the UFO passes a building without hitting it, we get one point.
Initially, I had planned this game for Windows only. But since Unity supports exporting a game to different platforms, I exported it to all of them.
You can download the games from this GitHub link.
Now, since this was developed for a CTF, I had to find a way to incorporate the flag into the game, right? Attaining a certain score would print out the flag of the challenge. Now, I had to see if the game could be hacked to reveal the flag without actually attaining the score.
Diving in
I was exhausted after being glued to the screen for hours. I decided to pick it up the next day, as I thought finding the vulnerability would be easy. My initial approach was to fire it up with Cheat Engine and edit the memory address which contains the game score.
[cheat engine]
Cheat Engine is a tool that can be used to edit the values of a running game. Let’s say you want to edit the health of a player; Cheat Engine can do that. Or, if you want to take zero damage, you can rewrite the code with Cheat Engine. I will write another article on how to use Cheat Engine, demonstrating it with an intentionally vulnerable game. Also, I had given a small session on Game Hacking for OWASP Kerala, and it is available on YouTube.
Method 1
The following day, I jumped back into my PC to hack my own game. I opened the game (felt proud again), opened Cheat Engine and started to analyse the memory addresses. OK, I realised I had hit a roadblock. Apparently, the approach I had taken was wrong. Unity games use the Mono scripting runtime, and to play with the values I had to activate the Mono features in Cheat Engine. I researched this further and stumbled upon a tool called dnSpy. It seemed interesting and I decided to give it a shot.
I had to locate a file called ‘Assembly-CSharp.dll’ and open it in dnSpy. It was located under ‘/managed/data’. Opening it in dnSpy showed me the script that I wrote for the game. The flag was hard-coded in the code, but it was not visible in dnSpy. So now, all I had to do was edit the code and compile it.
As an attacker, I had to figure out where the code for revealing the flag was, or the score that was required to reveal it. It was written in a file called ‘’ and the value seemed to be 1000. So I had to attain 1000 points to reveal the flag. That seemed difficult and time-consuming, considering that you have to start the game over if you ever hit a building. Let us edit the value to 0, or rather, let it be 1. Giving it the value 0 would reveal the flag as soon as the game opens; I wanted to play and win the flag, hence the value 1.
[screenshot editing the value]
Now, I will compile the code.
[screenshot compile the code]
Now, to save the module.
[screenshot save module]
Now, let's open the game and see.
[screenshot with flag]
Voila!! We have successfully hacked the game.
Method 2
Now, let's view this as someone who is not experienced in reverse engineering. The first instinct would be to run strings against all the files, hoping that the flag would be printed. The flag would indeed have been printed, as I did not have enough time to research and obfuscate the flag, or even put the flag on a remote server. So, I encoded the flag in Base32, because Base64 would be too easily guessable. Here are some of the common encodings seen in CTFs: https://infosecwriteups.com/cryptography-essential-for-h4ck3r-and-ctf-player-0x1-encoding-b638ab5821a9
Using grep file by file is a tiresome job, as the game consists of a lot of files, even though it is going to be the initial instinct. However, there is an easy way to use grep on folders:
grep -EHrin <string>
I won’t be explaining the use of each flag in that command; feel free to Google it. The format of the flag is ‘VAAS’, so searching for that text results in nothing. Now, let us try the different encoding methods. We will encode just the ‘VAAS’ keyword in Base32 and search for it:
grep -EHrin KZAUCUY
This will give the result
grep: parakkumThalika_data/level0: binary file matches
And sure enough, we got the flag. This approach could easily be adopted by anyone who is entirely new to reverse engineering. Keep in mind that this is a CTF and there will usually be a shortcut to get the flag.
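As an added example (not the author's code), here is a small Python scanner that does what the grep above does, but for several encodings at once: it builds the search strings for a flag prefix such as ‘VAAS’ and walks a directory tree of binary files. It also carries the check worth doing before encoding a prefix: an n-byte prefix only fixes the first floor(8n/k) characters of a k-bit-per-character encoding, so for ‘VAAS’ in Base32 the stable pattern is the first six characters, KZAUCU, whichever byte follows. The game folder, file names and flag below are constructed for the demonstration.

```python
import base64
import os
import tempfile
def stable_encodings(prefix: bytes) -> dict:
    """Search strings for a flag prefix in the encodings CTFs usually hide it in.
    An n-byte prefix fixes only the first floor(8*n/k) characters of a k-bit-per-
    character encoding; the next character also depends on the following byte."""
    n = len(prefix)
    return {
        "plain": prefix.decode(),
        "hex": prefix.hex(),                                        # 4 bits/char, always aligned
        "base32": base64.b32encode(prefix).decode()[: n * 8 // 5],  # 5 bits/char
        "base64": base64.b64encode(prefix).decode()[: n * 8 // 6],  # 6 bits/char
    }

def scan_tree(root: str, patterns: dict) -> list:
    """Walk every file under root, binaries included (like grep -EHrin), and
    report each pattern found as (relative path, encoding name, byte offset)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read().lower()                 # -i: case-insensitive
            for enc, pat in patterns.items():
                off = data.find(pat.lower().encode())
                if off != -1:
                    hits.append((os.path.relpath(path, root), enc, off))
    return sorted(hits)

def build_sample_tree(root: str) -> None:
    """Constructed stand-in for an exported game folder: flag file plus filler file."""
    data_dir = os.path.join(root, "game_Data")
    os.makedirs(data_dir)
    flag = b"VAAS{constructed_sample_flag}"              # constructed, not the CTF's flag
    with open(os.path.join(data_dir, "level0"), "wb") as fh:
        fh.write(b"\x00" * 64 + base64.b32encode(flag) + b"\xff" * 64)
    with open(os.path.join(data_dir, "sharedassets0"), "wb") as fh:
        fh.write(bytes(range(256)))                      # deterministic filler, no flag

def demo() -> list:
    """Build the constructed tree in a temp dir and scan it for the 'VAAS' prefix."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, stable_encodings(b"VAAS"))

if __name__ == "__main__":
    for path, enc, off in demo():
        print(f"{path}: {enc} pattern at byte offset {off}")
```

On a real export, point scan_tree at the game folder instead of the constructed tree; a hit reports the file and the byte offset at which to start decoding.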
In the interest of keeping this article short, I will describe the other methods in another article.