- Published on
Cyhub CTF 2025 - Oh My BSD
- Authors
- Name
- Varik Matevosyan
- @D4RK7ET
Oh My BSD
For Cyhub CTF 2025, I created a reverse engineering challenge centered around a Godot game. The challenge combined game hacking with traditional reverse engineering techniques, offering players multiple paths to victory. Several teams managed to solve it, with some opting for the quick memory editing approach while others went the full reverse engineering route.
Challenge Description
Jump to reach the FreeBSD logo and capture the flag! But wait... something seems off with the jump mechanics...
Players were provided with a game executable (macOS .dmg or Linux binary) where the objective appeared simple: jump to reach the FreeBSD logo. However, upon playing, it quickly becomes clear that the player's jump velocity is intentionally set too low, making it impossible to reach the goal through normal gameplay.
Category: Reverse Engineering
Difficulty: Easy
Flag Format: cyhub{xxxxx}
Challenge Overview
The game is built with Godot Engine, which presents an interesting reverse engineering target. Unlike compiled binaries where source code is compiled to machine code, Godot games package their project files (scripts, scenes, assets) in a relatively accessible format. This makes them vulnerable to extraction and modification.
The core issue: the jump velocity is set to -300.1337, but reaching the FreeBSD logo requires at least -500 to make the jump possible.
Solution Walkthrough
Method 1: Memory Editing (Quick and Dirty)
The fastest way to solve this challenge is by using memory editing tools to directly modify the jump velocity in the running game process.
Using cheat-engine-rs:
Launch the game and keep it running
Identify the target value: The game displays the jump velocity on screen:
-300.1337- This value in hexadecimal is:
9a779ca223c272c0
- This value in hexadecimal is:
Scan memory:
- Use cheat-engine-rs to scan the game process memory for the hex value
9a779ca223c272c0 - This will return 2 results (the value is stored in multiple locations)
- Use cheat-engine-rs to scan the game process memory for the hex value
Modify the values:
- Edit both memory addresses to the new value:
-500.1337 - In hexadecimal:
9a779ca223427fc0
- Edit both memory addresses to the new value:
Win the game:
- With the increased jump velocity, you can now jump high enough to reach the FreeBSD logo and capture the flag!
This method bypasses the need to extract and decompile the entire Godot project, making it much faster and easier for players familiar with memory editing techniques.
Method 2: Full Reverse Engineering
For those who want to take the traditional reverse engineering approach:
Stage 1: Extracting the Godot Project
Use GDRE Tools: Download and install the Godot Reverse Engineering Tools (gdsdecomp)
Extract the project:
- Open GDRE Tools
- Load the game executable (
.dmg,.exe, or Linux binary) - Extract the entire Godot project to a directory
Stage 2: Analyzing the Jump Mechanics
Locate the player script: Find the player character's script in the extracted project (typically in a file like
player.gdor similar)Find the jump velocity: Look for the jump mechanics in the code:
var jump_velocity = -300.1337Identify the problem: The current jump velocity of
-300.1337is insufficient to reach the FreeBSD logo
Stage 3: Modifying the Game
Edit the jump velocity: Change the jump velocity to at least
-500:var jump_velocity = -500.1337Save the changes
Stage 4: Running the Modified Game
Open in Godot: Open the extracted and modified project in Godot Engine
Run the game: Press the play button or F5 to run the game
Reach the goal: With the increased jump velocity, you can now jump high enough to reach the FreeBSD logo
Capture the flag: When you reach the FreeBSD logo, the flag will be revealed
Solution Video
Here's a video walkthrough showing the memory editing approach:
Key Technical Details
- Original jump velocity:
-300.1337(insufficient) - Required jump velocity:
-500or higher - Game Engine: Godot Engine
- Extraction method: GDRE Tools to decompile the game binary
- Memory editing: Two instances of the jump velocity in memory
Tools Recommended
- cheat-engine-rs - Rust-based memory scanner/editor (quickest solution)
- GDRE Tools (gdsdecomp) - Godot Reverse Engineering and decompilation toolkit
- Godot Engine - To run and test the modified project
The challenge source code can be found here