FlappyFlopper

Technical Walkthrough

Writeup

Challenge

• Name: FlappyFlopper
• Category: GamePwn
• Difficulty: Medium
• Mode: file

Summary

FlappyFlopper is an Android Unity IL2CPP game. The scenario suggests reaching a very high score, but the local binary shows the real win condition in the Score class. Once the score passes the threshold used by Score.UpdateScoreText, the game joins a static string array and displays the challenge flag. The solve is a local static extractor that reconstructs that array from IL2CPP metadata and relocation entries.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

The original artifact is files/a12c738a-8225-4ff0-b4fe-1981eb396e0a.zip, SHA256 <hash redacted>. It contains gamepwn_flappyflopper/Flappyflopper.arm64-v8a.apk.

The APK was unpacked into analysis/apk/. The relevant Unity/IL2CPP files are analysis/apk/lib/arm64-v8a/libil2cpp.so and analysis/apk/assets/bin/Data/Managed/Metadata/global-metadata.dat. il2cpp_dumper output is stored under analysis/il2cpp_dump/Dump0/, including dump.cs, script.json, stringliteral.json, and generated IL2CPP headers.

Analysis

Initial string and Unity asset triage identified a Unity scene with gameplay objects such as GameMain, ScoreCanvas, flopper, pipe, and pass_trigger. UnityPy and metadata strings confirmed custom scripts named BirdControl, GameMain, PipeMove, PipeSpawner, and Score.

il2cpp_dumper recovered method names and RVAs for the custom classes. The native disassembly is saved in analysis/custom-method-disasm.txt. BirdControl.OnTriggerEnter2D calls the score-update path after collisions with the pass trigger, which confirms that score changes are handled in the Score component.

The important logic is in Score.UpdateScoreText and Score.__cctor. Score.UpdateScoreText compares the score against 999; below that it converts the score to text, and above that it uses a joined value from the static Score.flag array. Score.__cctor builds that array by allocating 28 string entries and filling them from relocated StringLiteral_* pointers.

The raw .so GOT slots are zero on disk because Android relocations populate them at load time. The solve script therefore uses LIEF to read relocation addends, maps those addends to script.json ScriptString entries, and reconstructs the value in the same order as the static constructor.

Solve

Run the extractor from the repository root:

python3 GamePwn/FlappyFlopper/solve/solve.py

The script reads analysis/apk/lib/arm64-v8a/libil2cpp.so and analysis/il2cpp_dump/Dump0/script.json, resolves the 28 static-constructor string slots, validates the result against the expected HTB flag shape, and writes the raw flag to loot/flag.txt.

The solve avoids an emulator and avoids patching the APK. It depends on the local analysis dependencies already installed in analysis/python_deps.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• For Unity IL2CPP GamePwn challenges, method names from metadata are often enough to reduce a large APK to a few native methods.
• Android relocation tables can be more useful than raw bytes when IL2CPP static constructors reference string literal pointer slots.
• The scenario score can be a hint, but the binary-defined threshold and output path are the source of truth.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: FlappyFlopper
• Category: GamePwn
• Difficulty: Medium
• Mode: file
• Remote instance: none
• Start time: 2026-06-11T10:37:06Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• The downloadable archive is a <password redacted> APK package using the standard HTB archive convention.
• The APK is a Unity 2023.2.11f1 Android build using IL2CPP, with libil2cpp.so and assets/bin/Data/Managed/Metadata/global-metadata.dat.
• il2cpp_dumper recovered the custom gameplay classes: BirdControl, GameMain, PipeMove, PipeSpawner, and Score.
• BirdControl.OnTriggerEnter2D increments Score.score through the pass-trigger path, confirming the gameplay score route.
• Score.UpdateScoreText changes behavior when the score is greater than 999; the high-score branch joins a static Score.flag string array and assigns it to the UI text.
• Score.__cctor allocates a 28-entry string array and fills it from relocated StringLiteral_* entries. The reproducible extractor resolves those relocations and writes the resulting HTB-shaped value to loot/flag.txt.
• No emulator or APK patch was needed; static IL2CPP metadata plus relocation analysis was sufficient.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: GamePwn
• Challenge: FlappyFlopper
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

• Proposed for LightRAG: yes/no
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches