StayInTheBoxCorp

HackTheBox

Unity IL2CPP Mario-like 2D platformer game. The goal is to find the hidden flag by analyzing game assets.

game_hacking texture_extraction unity asset_extraction il2cpp xor_encoding anti_cheat sprite_analysis native_plugin hidden_sprites

unitypy_asset_extractionsprite_position_analysistransform_coordinate_sortinggap_based_separator_detectionxor_string_decoding

$ ls tags/ techniques/

game_hacking texture_extraction unity asset_extraction il2cpp xor_encoding anti_cheat sprite_analysis native_plugin hidden_sprites

unitypy_asset_extractionsprite_position_analysistransform_coordinate_sortinggap_based_separator_detectionxor_string_decoding

StayInTheBoxCorp — HackTheBox

Description

Within the enigmatic corridors of StayInTheBoxCorp, a company operating on a shoestring budget at the frontier of digital innovation, an challenge awaits. Only those who can dance on the edge of shadows shall pierce the veil of the unhackable.

Unity IL2CPP Mario-like 2D platformer game. The goal is to find the hidden flag by analyzing game assets.

Analysis

Technology Stack

Unity IL2CPP — identified by GameAssembly.dll (14MB) + global-metadata.dat in il2cpp_data/Metadata/
Native anti-debug plugin — StayInTheBoxCorp_project.dll with XOR-encoded debugger names (key: 0x37)
2D platformer — Mario-style game with lasers (Goomba enemies) and flag pole at the end

Asset Extraction

Using UnityPy to extract Texture2D assets revealed ~80 textures:

Normal game sprites: Cloud, Hill, HardBlock, GroundBlock, Castle, FlagPole, Goomba_Walk2, Heart, Bar
Suspicious textures: Many files with random names (ewfg, g09, gi3, gj9, htrh, f202, etc.)

Hidden Flag Discovery

The randomly-named textures were individual green letter/number sprites forming the flag:

Texture	Character
`ewfg`	`HTB{`
`htrh`	`0`
`f202`	`v`
`g09`	`3`
`gi3`	`r`
`gmoe`	`c`
`09t`	`0`
`f4g2`	`m`
`rgeh4`	`1`
`f221`	`n`
`l32`	`g`
`gh9`	`W`
`g3`	`3`
`g3`	`4`
`pi8o`	`k`
`32g3`	`U`
`04g`	`s`
`qwq`	`e`
`gi3`	`r`
`4ge`	`M`
`09t`	`0`
`gj9`	`d`
`qwq`	`e`
`gej4`	`_` (bar)
`g3`	`4`
`f221`	`n`
`5235`	`t`
`rgeh4`	`1`
`hre`	`C`
`h43`	`h`
`g09`	`3`
`g3`	`4`
`5235`	`t`
`90f2g`	`}`

Sprite Position Analysis

The flag characters were placed far outside the playable game area:

X coordinates: ~-650 to -608 (playable area starts around x=0)
Y coordinate: ~-270 (well below visible screen)

Sorting sprites by X coordinate and analyzing gaps:

Average gap between consecutive characters: ~1.16 units
Gaps > 2.0 units indicated underscore separators
One explicit bar sprite (gej4) placed between word groups

Native Plugin Anti-Debug

StayInTheBoxCorp_project.dll contained:

5 exported functions: A, DB, GH, RG, TD
XOR-encoded (key 0x37) anti-debugging strings (debugger names like "x64dbg", "x32dbg")
IsDebuggerPresent API import
Key marker string: 7777777777777777

Solution

Step 1: Extract Textures with UnityPy

#!/usr/bin/env python3
import UnityPy
import os

env = UnityPy.load("gamepwn_stayintheboxcorp/StayInTheBoxCorp_1_Data")
os.makedirs("extracted", exist_ok=True)

for obj in env.objects:
    if obj.type.name == "Texture2D":
        data = obj.read()
        img = data.image
        img.save(f"extracted/{data.m_Name}.png")
        print(f"Extracted: {data.m_Name}.png ({img.width}x{img.height})")

Step 2: Extract Sprite Positions

#!/usr/bin/env python3
import UnityPy

env = UnityPy.load("gamepwn_stayintheboxcorp/StayInTheBoxCorp_1_Data")

sprites_with_pos = []

for obj in env.objects:
    if obj.type.name == 'SpriteRenderer':
        data = obj.read()
        try:
            sprite = data.m_Sprite.read()
            go = data.m_GameObject.read()
            
            # Get Transform component for position
            for comp_ptr in go.m_Components:
                comp = comp_ptr.read()
                if hasattr(comp, 'm_LocalPosition'):
                    pos = comp.m_LocalPosition
                    sprites_with_pos.append({
                        'name': sprite.m_Name,
                        'x': pos.x,
                        'y': pos.y
                    })
                    break
        except:
            continue

# Sort by X coordinate
sprites_with_pos.sort(key=lambda s: s['x'])

# Print sorted sprites
for s in sprites_with_pos:
    print(f"X={s['x']:.2f} Y={s['y']:.2f} → {s['name']}")

Step 3: Reconstruct Flag from Positions

#!/usr/bin/env python3
# After sorting by X coordinate and mapping texture names to characters:

char_map = {
    'ewfg': 'HTB{',
    'htrh': '0', 'f202': 'v', 'g09': '3', 'gi3': 'r',
    'gmoe': 'c', '09t': '0', 'f4g2': 'm', 'rgeh4': '1',
    'f221': 'n', 'l32': 'g', 'gh9': 'W', 'g3': '34',
    'pi8o': 'k', '32g3': 'U', '04g': 's', 'qwq': 'e',
    '4ge': 'M', 'gj9': 'd', 'gej4': '_', '5235': 't',
    'hre': 'C', 'h43': 'h', '90f2g': '}'
}

# Sorted positions reveal: HTB{0v3rcom1ng_W34k_UserM0de_4nt1Ch34t}

Step 4: Verify Flag Semantics

Decoded from leetspeak: "overcoming Weak UserMode antiCheat"

This perfectly fits the challenge theme — user-mode anti-cheat (like the native plugin's IsDebuggerPresent) is notoriously weak compared to kernel-mode anti-cheat solutions.