Hacking, Coding and Gaming

Why:

Over the years I've tinkered with game hacking - learning and using techniques like memory scanning and reverse engineering, and recently looking into Unity3D-specific methods and tools. Unity3D is a widely used game development tool, providing loads of functionality for you to use in your game to accelerate the development process - I suspected this meant many games use similar logic, principles, and possibly flaws.

Inspired by "Pwn Adventure 3: Pwnie Island" which I found out about through LiveOverflow's video series, and challenges I did recently in RACTF 20221, I decided to make my own "game hacking ctf" challenge. I had both the internal "SenseCon" conference and CTF at work, and "BSides Cape Town" conference, coming up which I thought I could submit it to... but that didn't leave me with very much time, and I didn't have a clue where to start.

There were a bunch of things I wondered about in Unity3D games, such as:

  • does the player always start at XYZ coordinates 0,0,0?
  • how much does the player's location change by in a single move?
  • how do collisions work - do both objects register and respond to it? does only the player? is there a "collision" status flag somewhere?
  • does Unity provide a standard "inventory" system (for things like weapons, ammo, and keycards) or is this all custom code?
  • when decompiling Unity DLLs are there common functions I can ignore?
  • how do devs typically name their classes/functions/properties/objects (which could make finding them easier during decompilation / reverse engineering)?
  • how is the game state reset when the game is paused or restarted (e.g. on death)?

What:

I'd intended to mostly copy from RACTF's challenge... have the player in a square room with a few obstacles to interact with and come up with challenges relating to them. "SenseCon" was going to be WarGames (the movie) themed, which put a few ideas in motion. The name is obviously a merge of WarGames and Unity3D :P The arcade, NORAD, and the WOPR were chosen to make up the game and provide the challenges:

The Arcade would allow players to interact with ("play") different arcade machines, at the cost of a coin, and display a challenge flag when all had been "played". The catch was the player didn't have enough coins to play all the machines, requiring a "health/ammo" type of hack to either get more coins or avoid losing them.

I'm fairly impressed with how the arcade came out. We (@leonjza and I) chose to make cabinets match the WOPR games mentioned in the movie, rather than the actual arcade games, which meant hours making up fake arcade cabinet artwork for the units and screens. In hindsight it would've been nice - but likely more work (and possible legal issues?) - to have the original arcade games and actually see something like the demo-screens when using the arcades. I spent hours and hours trying to replicate the building from the movie and definitely have a new appreciation for the amount of work that goes into game level design and detail.

From the movie:

My game:

NORAD was effectively a vault with a huge door preventing the user from entering. Inside was the "WOPR" (the main computer from the movie) which the player had to reach in order to get a challenge flag. There were a few ways this challenge might've been solved - such as a "teleportation" hack - but this solution would be too similar to the previous one. While I didn't put any mechanism in to prevent players from teleporting into the room and reaching the WOPR, I did prevent the challenge flag from being visible unless the vault door had been disabled by patching the game code.

While I longed to model the underground base from the movie, with black walls and illuminated computer screens, with multiple levels and railings, I just didn't have the mental ability or time to take on such a task - so a flat rectangular room it was. I did get to place some desks with computers though (which needed a custom Blue Screen of Death texture for their screens of course).

Luckily I was able to find a free WOPR 3D model online which I could import into my game world.

From the movie:

My game:

Two more challenge flags were hidden in the game, admittedly one was more of a "puzzle" than requiring a technical solution... and the player probably needed to have watched the movie or at least know some of the most common quotes/lines.

HOW:

I went into this process knowing very little - if anything - about Unity3D itself. I knew it typically used Mono to cross compile the games it produced to different operating systems, and I knew games were made up of multiple reusable components which had properties, but I literally didn't know how to put a cube on the screen or compile anything.

I came across a post on Instructables which is a bit outdated but got some stuff on my screen and a ball moving around. This answered a bunch of the questions I had previously, although not always the answers I'd hoped for:

  • "the player" is probably more camera than object (at least in terms of what is seen on the screen) and this camera does not necessarily share XYZ coordinates with the player object, and the player object likely does NOT start at 0,0,0 coordinates
  • movement of the player object and/or camera is ultimately down to the code linked up to them, there is no standard movement rate or measurement
  • objects are given "collider" properties which Unity3D uses to prevent them passing through each other and to apply physics to - I didn't really look into this but did make use of it a lot

This gave me a ball I could move around, but the camera did not follow:

The challenges required the player to interact with objects. After a bunch of googling I found a good video on "raycasting" which allows you to detect the distance between the player and objects, and also showed how to do debug logging which became incredibly useful as I learnt (and debugged). The video also answered some of my questions around collisions and inventory management:

  • ray casting lets you check for collisions and nearness to other objects (that might not be collided with)
  • there's no "inventory" system (that I know of), it's all your code and variables
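The raycast-and-variables pattern described above, as an added sketch that is not code from the game in this post: a camera ray finds the machine being looked at, and the "inventory" is a single integer field, which is exactly the kind of client-side value a "health/ammo" style hack goes after. The class names `ArcadeMachine` and `PlayerInteract`, their fields, the `E` key and the reach distance are all assumptions made for illustration.

```csharp
using UnityEngine;

// Hypothetical marker component placed on each arcade cabinet.
// In a Unity project each MonoBehaviour goes in its own file named after the class.
public class ArcadeMachine : MonoBehaviour
{
    public string title = "Machine";  // display name, set per cabinet in the Inspector
    public bool played;               // flips to true once a coin has been spent here
}

// Hypothetical component attached to the player object.
public class PlayerInteract : MonoBehaviour
{
    public int coins = 3;              // the whole "inventory": one field held in client memory
    public float reach = 2.5f;         // maximum interaction distance in world units
    public KeyCode useKey = KeyCode.E; // assumed interaction key

    void Update()
    {
        Camera cam = Camera.main;
        if (cam == null) return;

        // The ray starts at the camera, not the player object: the two need not share coordinates.
        Vector3 origin = cam.transform.position;
        Vector3 dir = cam.transform.forward;
        Debug.DrawRay(origin, dir * reach, Color.green); // visible in the Scene view while debugging

        // Nothing with a collider within reach along the view direction.
        if (!Physics.Raycast(origin, dir, out RaycastHit hit, reach)) return;

        // The collider may sit on a child mesh, so look up the hierarchy for the marker.
        ArcadeMachine machine = hit.collider.GetComponentInParent<ArcadeMachine>();
        if (machine == null || !Input.GetKeyDown(useKey)) return;

        if (machine.played)
        {
            Debug.Log($"{machine.title} already played");
            return;
        }
        if (coins <= 0)
        {
            Debug.Log("Out of coins");
            return;
        }

        coins--;
        machine.played = true;
        Debug.Log($"Played {machine.title} from {hit.distance:F2} units away, coins left: {coins}");
    }
}
```

Because both the check (`coins <= 0`) and the decrement run entirely on the client, nothing outside the process vouches for the counter's value.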

By this point I felt like I'd learnt a lot, but somehow felt further from my goal than I'd started. I decided to start my learning over, and use what I'd gained so far as context and mental hooks I could attach new information to, as well as look out for solutions to the problems I felt I had. I came across a 2-hour-long YouTube video described as the author's "most basic" tutorial, which was incredibly helpful and interesting. I realised that I knew more than I thought I did, and was closer to where I wanted to be than I felt, while filling in so many gaps and explaining stuff I'd stumbled into or over.

Through the help of a few other videos, assets and scripts (especially the "First Person All-in-One" package) from the Unity3D store I was able to achieve most of what I wanted, resulting in a keyboard+mouse controlled FPS-style game with a menu and a "restart" option (resetting game state - it turns out that's mostly a 1 liner).

Easter egg: It wouldn't be a decent game if it didn't implement the Konami Code, now would it?

Downloads:

Although "SenseCon" was a private event, which has now ended, the flags can still be retrieved from the game clients, below. You're probably better off hacking at the Windows client, due to better tools available to do so with: