$ cat writeup.md…
$ cat writeup.md…
HackTheBox
Task: Unity Mono game with OPS Obfuscator string encryption and ACTk anti-cheat. Solution: Decompiled Assembly-CSharp.dll with monodis, identified decoy flag in ObscuredString, then extracted the real flag from a hidden Tilemap asset using UnityPy — the flag was drawn as pixel-art tiles revealed only at score >= 1M.
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
A game development startup has created 'InfiniteDoge', but it appears to be broken. If you manage to fix it, let us know if you enjoyed this promising game.
Assembly-CSharp.dll in Managed/ folder (NOT IL2CPP)decrypted[i] = encrypted[i] ^ i ^ 0xAA| Class | Purpose |
|---|---|
a | Camera controller — dw(int,int,int) moves camera to position |
b | Destroyer — destroys game objects after delay |
c | Holds ObscuredString brc field — DECOY flag HTB{S0m3th1ng_h3r3_h4ck!} (never displayed!) |
e | Doge/coin controller — score increment, win condition check |
o | TilemapRenderer controller — hides/shows tilemap with the REAL flag |
Player | Player movement, lives, score (ObscuredInt) |
<PrivateImplementationDetails> | OPS string decryption |
The static constructor (.cctor) of <PrivateImplementationDetails> class:
D_00017318a__[i] = (a__[i] ^ i ^ 0xAA) & 0xFFa(), b(), etc.) extract substrings by offset+lengthClass e (doge controller) Update() method checks if score >= 1,000,000:
IL_00ed: ldc.i4 1000000
IL_00f2: blt.s IL_0108
IL_00f4: ldarg.0
IL_00f5: ldfld class a e::brf
IL_00fa: ldc.i4 -387
IL_00ff: ldc.i4.s -11
IL_0101: ldc.i4.s -10
IL_0103: callvirt instance void class a::dw(int32, int32, int32)
When score >= 1M: camera moves to position (-387, -11, -10).
Class o (TilemapRenderer controller):
Start(): Gets TilemapRenderer component and disables it (set_enabled(false))Update(): When score >= 1,000,000, enables the TilemapRenderer (set_enabled(true))...
$ grep --similar