Tuff Game

Bitskrieg CTFby smothy

Tuff Game - Reverse

Points: 500 | Flag: BITSCTF{Th1$_14_D3f1n1t3ly_Th3_fl4g} | Solved by: Smothy @ 0xN1umb

big brain time

what we got

Unity game zip. challenge says our friend Kekwman challenged us to reach a million metres. classic "hack the game" vibes.

extracted it and immediately saw the MonoBleedingEdge folder - Unity Mono backend, so the game logic lives in Assembly-CSharp.dll. time to decompile.

the solve

step 1: decompile the dll

bash
ilspycmd Tuff_Game/Tuff_Game_Data/Managed/Assembly-CSharp.dll

found three interesting classes right away:

  • FlagGeneration - XOR encrypted bytes with key 0x5A
  • NotAFlag - RSA with 9 moduli (n1-n9) and a ciphertext
  • ScoreManaged - needs requiredDistance = 1000000f to show a flagImage

step 2: falling for every single trap (lol)

trap 1 - the XOR "flag"

python
enc = [33, 15, 55, 55, 5, 110, 57, 46, 47, 59, ...]
key = 0x5A
dec = bytes([b ^ key for b in enc])
# {Umm_4ctually_unx0r11ng_t0_g3t_fl4g_s33ms_t00_34sy}

literally tells you it's too easy. should've listened lmao

trap 2 - the RSA

NotAFlag class has 9 RSA moduli. ran GCD on all pairs and n6/n7 share a common factor:

python
p = gcd(n6, n7)  # shared prime factor
q6 = n6 // p
phi6 = (p - 1) * (q6 - 1)
d6 = pow(65537, -1, phi6)
m6 = pow(ct, d6, n6)
# b'BITSCTF{https://blogs.mtdv.me/Crypt0}'

decrypts to a URL... which is a rickroll site. got absolutely baited ngl

rickrolled

trap 3 - the flag images

extracted Unity assets with UnityPy and found Fl4g_first_Half.png and Fl4g_second_Half.png. thought this was it fr.

first half shows BITSCTF{D0... on a screen, second half says otcha, perhaps think verticaly.

so it's "Gotcha, perhaps think vertically". another troll BUT this one is actually the hint we needed.

step 3: the actual flag (think vertically)

noticed 900 tiny sprites named rq_X_Y.png in the assets - X and Y both range 0-29. that's a 30x30 grid.

rq is literally qr backwards. it's a QR code split into tiles.

the hint said "think vertically" - meaning transpose the grid (swap X and Y axes):

python
from PIL import Image

# assemble with swapped coordinates
qr = Image.new("RGB", (150, 150))
for x in range(30):
    for y in range(30):
        tile = Image.open(f"rq_{y}_{x}.png")  # y,x instead of x,y
        qr.paste(tile, (x * 5, y * 5))

out pops a clean QR code:

assembled qr

python
from pyzbar.pyzbar import decode
decode(qr)  # BITSCTF{Th1$_14_D3f1n1t3ly_Th3_fl4g}

the rabbit hole count

  • XOR decoy flag
  • RSA rickroll (actual crypto challenge just for trolling)
  • fake flag image halves with the hint baked in
  • the actual QR code hidden as 900 scrambled tile sprites

this challenge author had WAY too much fun lmao

flag

BITSCTF{Th1$_14_D3f1n1t3ly_Th3_fl4g}

smothy out ✌️

Previous

The Professor

More from Bitskrieg CTF

Chaos

by smothy

Cider Vault

by smothy

El Diablo

by smothy

Back to all writeups