No way out picoCTF 2023 Solution

Published: April 26, 2023

Description

A Unity game walls you in with invisible boundaries. The flag is readable with strings, or you can use dnSpy to modify the game assembly and unlock infinite jumping to fly over the wall.

Download and unzip the game.

Try strings on the level data file first for the fast path.

If you want to play the game and reach the flag legitimately, use dnSpy to patch the jump logic.

```bash
wget https://artifacts.picoctf.net/c/504/no-way-out.zip && unzip no-way-out.zip
strings 'no-way-out_Data/level0' | grep -i pico
```
  1. Step 1: Fast path: strings on the level data
    Unity games store scene data including text objects in the level data files. Running strings on the level0 file reveals the flag directly without running the game at all.
    ```bash
    strings 'no-way-out_Data/level0' | grep -i 'WELCOME\|picoCTF'
    strings 'no-way-out_Data/level0'
    ```

    Unity stores scene data for each level in a binary file called level0, level1, etc. inside the *_Data/ folder. Text objects placed in the scene (like 3D text meshes showing the flag) are stored as plain UTF-16 or UTF-8 strings in this file. The strings command extracts any printable run of characters, which surfaces the flag text without running the game.

    This is the fastest CTF approach: run strings on every data file in the game bundle before spending time on dynamic analysis. Unity games are particularly friendly to this because scene assets are not encrypted by default.

  2. Step 2: Alternative: patch the game with dnSpy
    For the more interactive approach, open the game assembly in dnSpy and remove the grounded check from the jump logic so you can jump infinitely and fly over the wall.
    ```bash
    # Download dnSpy from https://github.com/dnSpy/dnSpy/releases
    # Open no-way-out_Data/Managed/Assembly-CSharp.dll in dnSpy
    # Navigate to PlayerController -> Update method
    # Remove the isGrounded condition from the jump check
    # File -> Save Module, then run the game
    ```

    dnSpy is a .NET assembly editor and debugger. Unity games compile C# scripts to Assembly-CSharp.dll in the Managed/ folder. dnSpy decompiles this DLL back to readable C# and lets you edit the code directly, then save the modified assembly.

    The jump logic in this game checks if (Input.GetButton("Jump") && canMove && isGrounded && !isClimbing). Removing the isGrounded condition lets you jump while airborne, effectively giving infinite flight. After patching, jump over the invisible wall, land outside, turn around, and read the flag displayed as a 3D text object in the enclosed area.

    The flag reads: WELCOME TO UNITY!!

Flag

picoCTF{WELCOME_TO_UNITY!!}

The simplest approach is strings on the level0 data file. The dnSpy patch is more fun but takes longer.
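
Added example (not part of the original writeup): a small Python equivalent of the strings step that scans for both single-byte and UTF-16LE text, since default `strings` only reports single-byte runs (GNU strings needs `-e l` for UTF-16LE). The function names and the `SAMPLE` blob are constructed for illustration; run against a build's own data files, it shows which scene text ships in the clear.

```python
import re
import sys

def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable single-byte characters, like default `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable characters stored as UTF-16LE (char byte + 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]

def scan(data: bytes, keyword: str) -> list[tuple[str, str]]:
    """Case-insensitive keyword search across both encodings."""
    kw = keyword.lower()
    hits = []
    for enc, extract in (("ascii", ascii_strings), ("utf-16-le", utf16le_strings)):
        hits += [(enc, s) for s in extract(data) if kw in s.lower()]
    return hits

# Constructed sample blob (not real game data): a length-prefixed type name,
# one UTF-16LE text value and one single-byte text value, separated by
# non-printable bytes the way strings sit inside a binary asset file.
SAMPLE = (
    b"\x08\x00\x00\x00" + b"TextMesh"
    + b"\xff\xfe\x01" + "picoCTF{constructed_utf16}".encode("utf-16-le")
    + b"\xff\x02" + b"picoCTF{constructed_utf8}" + b"\x00\x03"
)

if __name__ == "__main__":
    # Pass a file path (e.g. a level data file) or fall back to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for enc, text in scan(data, "pico"):
        print(f"{enc}: {text}")
```

The UTF-16LE value is invisible to the single-byte pass, which is why a plain `strings | grep` can miss text that is present in the file.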
