HackTheBox
No one has got 10000 score yet! Are you able to do so?
English summary: An Android APK (Flappyflopper.arm64-v8a.apk) is provided, which is a Flappy Bird clone built with Unity IL2CPP. The goal is to achieve a score of 10000 to get the flag, but the intended solution is to reverse engineer the IL2CPP binary to extract the flag directly from the static data.
The APK is a Unity game compiled with IL2CPP (Intermediate Language to C++), which compiles C# code to native ARM64 code. Key files extracted from the APK:
- `lib/arm64-v8a/libil2cpp.so` - the compiled native code
- `assets/bin/Data/Managed/Metadata/global-metadata.dat` - IL2CPP metadata (version 29)

Using Il2CppDumper to recover class and method signatures revealed a Score class with a suspicious static flag field:

```csharp
public class Score : MonoBehaviour // TypeDefIndex: 7209
{
	// Fields
	private static string[] flag; // 0x0 - the flag stored as char array!
	public Font myFontAaset; // 0x20
	public Text scoreText; // 0x28
	private int score; // 0x30

	// Methods
	private void Start() { } // RVA: 0x9AD55C
	public void ScoreUp() { } // RVA: 0x9ACDD4
	private void UpdateScoreText() { } // RVA: 0x9AD568
	public void .ctor() { } // RVA: 0x9AD6E0
	private static void .cctor() { } // RVA: 0x9AD6EC - initializes flag[]
}
```
The static constructor .cctor() at RVA 0x9AD6EC is responsible for initializing the flag array. This is where the flag characters are assigned.
```bash
unzip Flappyflopper.arm64-v8a.apk -d apk_extracted/

DOTNET_ROLL_FORWARD=LatestMajor dotnet Il2CppDumper.dll \
  apk_extracted/lib/arm64-v8a/libil2cpp.so \
  apk_extracted/assets/bin/Data/Managed/Metadata/global-metadata.dat \
  il2cpp_output/
```
This generates:
- `dump.cs` - reconstructed C# class definitions with RVAs
- `script.json` - method addresses and ScriptString mappings
- `stringliteral.json` - string literals with addresses

...
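As an added example (not part of the writeup and not Il2CppDumper's own code), the following Python script parses a `dump.cs` excerpt in the layout Il2CppDumper emits and lists every class that owns a static `string[]` field together with the RVA of its `.cctor`, which is the triage step that singled out `Score.flag` above. The `Helper` class and all addresses other than the Score ones are constructed for the demo.

```python
import re

# Constructed excerpt in the layout Il2CppDumper writes to dump.cs. The Score
# class mirrors the page; Helper is made up to show a class without a .cctor.
DUMP_CS = """\
public class Score : MonoBehaviour // TypeDefIndex: 7209
{
    // Fields
    private static string[] flag; // 0x0
    public Text scoreText; // 0x28
    // Methods
    // RVA: 0x9AD55C Offset: 0x9AD55C VA: 0x9AD55C
    private void Start() { }
    // RVA: 0x9AD6EC Offset: 0x9AD6EC VA: 0x9AD6EC
    private static void .cctor() { }
}
public class Helper // TypeDefIndex: 7210
{
    private static string[] names; // 0x0
    // RVA: 0x9AE000 Offset: 0x9AE000 VA: 0x9AE000
    public static void Reset() { }
}
"""

CLASS_RE = re.compile(r"^(?:public |internal |private )?(?:static |sealed |abstract )*(?:class|struct) ([\w.]+)")
FIELD_RE = re.compile(r"^\s*(?:public|private|internal|protected)?\s*static (?:readonly )?string\[\] (\w+);")
RVA_RE = re.compile(r"^\s*// RVA: (0x[0-9A-Fa-f]+)")
CCTOR_RE = re.compile(r"^\s*(?:private|public|internal)?\s*static void \.cctor\(\)")


def find_static_string_arrays(dump_text):
    """One record per class owning a static string[]: field names plus .cctor RVA (None if absent)."""
    classes, current, pending_rva = [], None, None
    for line in dump_text.splitlines():
        m = CLASS_RE.match(line)
        if m:  # new type definition: start a fresh record
            current = {"class": m.group(1), "fields": [], "cctor_rva": None}
            classes.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current:
            current["fields"].append(m.group(1))
        m = RVA_RE.match(line)
        if m:  # the RVA comment precedes the method declaration it describes
            pending_rva = int(m.group(1), 16)
            continue
        if current and CCTOR_RE.match(line):
            current["cctor_rva"] = pending_rva
        pending_rva = None
    return [c for c in classes if c["fields"]]
```

Run against the real `il2cpp_output/dump.cs`, the records whose `cctor_rva` is set are the static constructors worth opening in a disassembler first.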