Rating:
We're given a Windows/Linux Unity maze game and we can extract the relevant source code by decompiling /CTF_DATA/Managed/Assembly-CSharp.dll. We used we used JetBrain's dotPeek to decompile the dll file. We find 3 relevant files:
GameManager.cs
public class GameManager : MonoBehaviour
{
private bool isCollidingBox1;
private bool isCollidingBox2;
private bool isCollidingBox3;
private bool isCollidingBox4;
private bool isCollidingBox5;
private bool isCollidingBox6;
[SerializeField]
private string Box1;
[SerializeField]
private string Box2;
[SerializeField]
private string Box3;
[SerializeField]
private string Box4;
[SerializeField]
private string Box5;
[SerializeField]
private string Box6;
private void OnTriggerEnter(Collider other)
{
if (other.tag == "Box1")
{
if (this.isCollidingBox1)
return;
this.isCollidingBox1 = true;
UiManager.current.UpdateTexte(this.Box1);
Object.Destroy((Object) other.gameObject);
}
if (other.tag == "Box2")
{
if (this.isCollidingBox2)
return;
this.isCollidingBox2 = true;
UiManager.current.UpdateTexte(this.Box2);
Object.Destroy((Object) other.gameObject);
}
if (other.tag == "Box3")
{
if (this.isCollidingBox3)
return;
this.isCollidingBox3 = true;
UiManager.current.UpdateTexte(this.Box3);
Object.Destroy((Object) other.gameObject);
}
if (other.tag == "Box4")
{
if (this.isCollidingBox4)
return;
this.isCollidingBox4 = true;
UiManager.current.UpdateTexte(this.Box4);
Object.Destroy((Object) other.gameObject);
}
if (other.tag == "Box5")
{
if (this.isCollidingBox5)
return;
this.isCollidingBox5 = true;
UiManager.current.UpdateTexte(this.Box5);
Object.Destroy((Object) other.gameObject);
}
if (!(other.tag == "Box6") || this.isCollidingBox6)
return;
this.isCollidingBox6 = true;
UiManager.current.UpdateTexte(this.Box6);
Object.Destroy((Object) other.gameObject);
}
}
UiManager.cs.
public class UiManager : MonoBehaviour
{
[SerializeField]
private Text textHolder;
private string cText;
private int counter;
public void UpdateTexte(string textToAdd)
{
++this.counter;
this.textHolder.text += textToAdd;
if (this.counter != 6)
return;
this.cText = Encrypt.current.DecryptString(this.textHolder.text);
this.textHolder.text = this.cText;
}
}
Encrypt.cs
public class Encrypt : MonoBehaviour
{
[SerializeField]
private string cipherText;
public string DecryptString(string key)
{
byte[] buffer = Convert.FromBase64String(this.cipherText);
using (Aes aes = Aes.Create())
{
Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(key, new byte[13]
{
(byte) 73,
(byte) 118,
(byte) 97,
(byte) 110,
(byte) 32,
(byte) 77,
(byte) 101,
(byte) 100,
(byte) 118,
(byte) 101,
(byte) 100,
(byte) 101,
(byte) 118
});
((SymmetricAlgorithm) aes).Key = rfc2898DeriveBytes.GetBytes(32);
((SymmetricAlgorithm) aes).IV = rfc2898DeriveBytes.GetBytes(16);
try
{
using (MemoryStream memoryStream = new MemoryStream())
{
using (CryptoStream cryptoStream = new CryptoStream((Stream) memoryStream, ((SymmetricAlgorithm) aes).CreateDecryptor(), CryptoStreamMode.Write))
{
cryptoStream.Write(buffer, 0, buffer.Length);
cryptoStream.Close();
}
this.cipherText = Encoding.Unicode.GetString(memoryStream.ToArray());
}
return this.cipherText;
}
catch (Exception ex)
{
return "wrong Order mate ";
}
}
}
We see that the program takes a permutation of the strings of box1 to box6 and attempts to decrypt it.
What we need now is to find what the values of strings are, specifically those with [SerializeField].
We use a Asset Bundle Extractor and import the level0 asset file in /CTF_DATA find files MonoBehaviour:CTF.Encrypt, MonoBehaviour:CTF.UiManager, MonoBehaviour:CTF.GameManager.
Viewing the raw data of those files, we find the values to each string
cipherText="jR9MDCzkFQFzZtHjzszeYL1g6kG9+eXaATlf0wCGmnf62QJ9AjmemY0Ao3mFaubhEfVbXfeRrne/VAD59ESYrQ=="
textHolder.text="";
Box1="Tanit";
Box2="Astarté";
Box3="Amilcar";
Box4="Melqart";
Box5="Dido";
Box6="Hannibal";
We the brute force all possible permutations and the permutation HannibalDidoMelqartAmilcarAstartéTanit gets us the flag.
Flag: 3K-CTF-GamingIsNotACrime
Note: the flags for game1 and game2 seemed to be switch as this flag was accepted for game1
