Invulnerable — RACTF

comet
Aug 18, 2021


We are greeted with another game hacking challenge. We are using the same game as before, but the task now is to not die when running through the “instant death” … let’s get to it.

I will be using Cheat Engine, as I figured it is the best option for game hacking, especially for someone who isn’t that much into the topic.

This is a game made using Unity, so the first idea I had was to reverse and modify the Assembly-CSharp.dll, which usually contains most of the game/player functionality.
However, it seemed like this DLL, as well as almost everything else interesting, had been compiled into the main exe file.

I tried dumping that first; however, I figured there is probably a better and more elegant way to solve this.

What you can see above is the health address. Finding this is fairly easy, especially in this case. Our initial health is set to 100, so I scanned the game for that value. Next, I changed my health by taking damage. We can do this by walking through the left red block, thereby reducing the health value by 5. Now, after lowering the health, we can scan again for the new health value (95, 80, 85, it doesn’t really matter), and now there is only one result left. Depending on how complex the game is, that may take a bit longer!
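The narrowing done by the first scan and the next scan can be reproduced on a constructed buffer. This is an added example, not code from the original post or from Cheat Engine; it assumes health is stored as a 4-byte little-endian integer, and the memory layout and function names are made up for illustration.

```python
import struct

def first_scan(snapshot, value, align=4):
    """Return every aligned offset whose int32 equals `value` (the first scan)."""
    needle = struct.pack("<i", value)
    return {off for off in range(0, len(snapshot) - 3, align)
            if snapshot[off:off + 4] == needle}

def next_scan(candidates, snapshot, value):
    """Keep only earlier candidates that now hold the new value (the next scan)."""
    needle = struct.pack("<i", value)
    return {off for off in candidates if snapshot[off:off + 4] == needle}

def locate(observations):
    """Run a first scan, then one next scan per later (snapshot, value) pair."""
    (snap, value), *rest = observations
    candidates = first_scan(snap, value)
    for snap, value in rest:
        candidates = next_scan(candidates, snap, value)
    return candidates

def build_snapshot(health):
    """Constructed stand-in for process memory (assumption, not the real game).

    Offset 8 is the live health value. Offsets 0, 12 and 24 hold unrelated
    constants equal to 100, and offset 20 holds an unrelated 95.
    """
    words = [100, 7, health, 100, 0, 95, 100, 42]
    return struct.pack("<8i", *words)

if __name__ == "__main__":
    before = build_snapshot(100)   # full health
    after = build_snapshot(95)     # after walking through the red block
    print("first scan for 100:", sorted(first_scan(before, 100)))
    print("after next scan for 95:", sorted(locate([(before, 100), (after, 95)])))
```

The unrelated 95 at offset 20 never becomes a candidate because it did not hold 100 during the first scan, which is why two observations are enough here.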

Now that that is out of the way, we can right-click the address and look at what writes to this address. I walked around in the game to take some more damage and ran through the instant death block to see which function writes to the health address when doing so.

We are left with 2 functions, the first one being called when taking damage and the other one when dying. To further inspect and edit these functions, we can click on the show disassembler button, which will open… you guessed it right, the disassembler.

Now, the second function was called when walking through the instant death block, so I took a look at that first. After opening it in the disassembler, we can right-click and set the code to do nothing. However, we were still respawning and the game wouldn’t output the flag.

So then I tried to do the same with the first function, which ended up working out, and we got the flag! No screenshot of the flag this time; I forgot that, sorry.
