Jumper — TJCTF 2026

Description

Sometimes, it takes a broken pair of legs to accomplish your goals. URL: https://jumper.tjc.tf/

A Godot 4.6 platformer game exported to WebAssembly. The player controls a character that can move left/right and jump. The goal is to find the hidden flag, which is placed above the normal viewport and unreachable through normal gameplay because the required "mega_jump" action has no key bound to it.

Analysis

1. Reconnaissance

The target URL serves a Godot 4.6 game via WebAssembly. The HTML page loads three key files:

• jumper.pck — Godot package file (1.2 MB) containing all game assets
• jumper.wasm — WebAssembly binary (Godot runtime)
• jumper.js — JavaScript glue code

2. PCK Extraction

Downloaded jumper.pck and identified it as a Godot 4 pack (version 3 format) with GDPC magic bytes. The package contains Zstandard-compressed GDScript bytecode (GDSC format) with XOR-encoded (0xb6b6b6b6) UTF-32LE identifiers.

Initial manual parsing with a custom Python script (extract_pck.py) successfully listed all 23 files and extracted raw data, but the GDScript files were in compiled bytecode format. Used GDRE Tools (gdsdecomp) v2.5.0-beta.5 with --headless --recover CLI to fully decompile all GDScript source and scene files.

3. Code Analysis

player.gd — Standard platformer controller (CharacterBody2D):

const SPEED = 200
const JUMP_VELOCITY = 370
const GRAVITY = 10

func _physics_process(_delta):
    if Input.is_action_just_pressed("mega_jump") and is_on_floor():
        velocity.y -= 500          # Very powerful jump
    if jump_input and can_jump:
        velocity.y = -JUMP_VELOCITY  # Regular jump (-370)

Two jump types exist:

• Regular jump (Space/Z): velocity.y = -370 — standard height
• mega_jump: velocity.y -= 500 — much more powerful, only works on floor

project.godot — Input action mappings:

mega_jump={
"deadzone": 0.2,
"events": []       # <-- NO KEY BOUND!
}
jump={
"deadzone": 0.2,
"events": [Space, Z]
}

...