Tags: game rev
Rating: 5.0
So...what we have here is a simple racing game. Complete with a nice soothing soundtrack, some nice animations, and a very pleasant vaporwave aesthetic. It's also programmed to have alot of enemies. And by alot, I mean...*alot*. Impossibly alot.
Upon downloading the game and viewing the files (I used the windows version rather than the linux version since game hacking is much more straightforward on Windows thanks to tools like Cheat Engine), I quickly realized that the game engine used was the Unity game engine. However, the game is compiled using IL2CPP rather than the standard method of compilation, which means that reversing the code is going to be a bit more difficult due to the source code not being made visible to us.
![](https://i.imgur.com/eQclV35.png)
### Decompiling the game
-----
In order to inspect the source code, I used a program known as [IL2CPP Inspector](https://github.com/djkaty/Il2CppInspector), which essentially just allows us to take the GameAssembly.dll file and convert it into DLL files which are readable by .NET decompilers like dotPeek (Which was the program I used).
![](https://i.imgur.com/saithQi.png)
And now we have access to Assembly-CSharp.dll, which is basically the main DLL usually containing the game's main code. What we can do from here, then, is to simply open it up in whichever .NET decompiler you wish to use. From there, we're able to see the names of the methods, variables, classes, etc. We aren't able to see the actual source code since we're only relying on metadata supplied, but it's still better than nothing.
![](https://i.imgur.com/3TLvHCZ.png)
![](https://i.imgur.com/6053IBn.png)
Hmmm...this looks strange. There's a class called "DieOnCollision". Perhaps this might come in handy if we find some way to disable it.
### Exploiting
-----
Let's get back to the game and open up Cheat Engine. From there, we're going to select our game's process so we can gain access to it. After doing so, we're going to be using CE's support for Mono (Located under the mono tab). This is very handy since it essentially speeds up the hacking process for us with .NET games due to it providing a very easy-to-use and straightforward interface regarding the classes and variables loaded into the game.
![](https://i.imgur.com/6kY9lmX.png)
Perfect! We have a list of all the classes the game's using. Now, let's go edit that interesting "DieOnCollision" class I mentioned earlier. More specifically, the OnCollisionEnter method, since this is what actually gets executed upon colliding with the enemy.
![](https://i.imgur.com/bFGF5i1.png)
When we double click we're greeted with the actual assembly code of that method. And when we scroll down, we're eventually greeted with an operator that calls the method "GameOver", which does what you think it does. Infact, the developers actually made this quite easy for us by making the Unity API methods call their own methods, since all we have to do is just replace this one line and we're essentially...well...done.
![](https://i.imgur.com/uHh7I2b.png)
![](https://i.imgur.com/ZWd53LQ.png)
**GREAT!**
Now if we go back to our game and test it again...*it works!* When we hit the enemies, we don't die! Infact, it's quite funny to look at, since it kind of looks like we're plowing into a swarm of insects who can't do anything but obstruct our vision.
![](https://i.imgur.com/Yrk3upP.png)
*...except for one thing...*
It appears that, in my moment of pure bliss for figuring out how we might actually get the flag...I forgot to realize that even though I'm no longer dying upon hitting them....I'm still being affected by physics. So much so that my car actually started to turn into an airplane because I was colliding with so many entities at once (You can even see my task manager in the screenshot because of how much I was practically rushing to get this screenshot, lol.)
![](https://i.imgur.com/zyXHlZn.png)
Infact I also forgot the fact that when we fall off the map, the same "OnCollisionEnter" code I modified is *also* present. Therefore, in an attempt to restart the game by intentionally producing a Game Over...I ended up just continuously falling off the map. It was quite a sorrowing, sad experience if I'm being honest.
![](https://i.imgur.com/mc2niiX.png)
So yeah. Time to restart the game and try another route.
### A quick adjustment
-----
After this occured though, another thought came into my head. Surely if these enemies exist, they have to be *spawned*, right? *why didn't I think of this earlier??*
Anyway; turns out I was correct. There's a Spawner class, which (as you can guess) handles the spawning of enemies. And if we took a closer look at it, we can see that there's an "Update" method present. Judging by our last experience, rather than editing the "SpawnPrefab" method directly, we could instead just edit the Update method as it's probably attempting to handle enemy spawning by executing every frame and whatnot. Turns out, I was correct.
![](https://i.imgur.com/nmncIea.png)
So, from here, we can simply do what we did last time: replace the method call with a bunch of "nop" operations. And once that is complete, we can play the game again and see what happens.
And after doing so....*it works,* again. What used to be a bustling map full of enemies to bother us has now become (essentially) a ghost town.
![](https://i.imgur.com/rfGrd9d.png)
From there, I enabled the speedhack functionality in Cheat Engine to (ironically) *slow* the game down so I could have more time to think and react toward catching the orbs. And if I'm being honest: it was quite tranquil. I don't know. Something about driving across a neon light street completely alone and surrounded by vaporwave mountains as synthwave was blaring in the background was just....divine. But once my peaceful driving session was over and I managed to reach 100%....there it was. The flag.
![](https://i.imgur.com/lu1WHnx.png)
*Ignore the missing closing bracket at the end. No idea why that didn't show up for me, but rest assured it was confirmed to be a closing bracket.*
Anyway, big thanks to the makers of this CTF for making this challenge! It was quite fun and I did learn quite a lot :)