This was my first proper attempt at the GamePwn category on HTB. I mostly do web stuff so this felt like stepping into unfamiliar territory — but CubeMadness1 is rated Very Easy, and I'd heard Cheat Engine is the go-to tool for these challenges. I figured it was a good place to start learning. Turns out it was a lot more straightforward than I expected.
What even is this challenge
You extract the zip and get a folder with a Unity game inside.
Running the main executable opens a small 3D game — you're a little character on a platform and there are cubes scattered around the map. The score counter in the top-left reads 0 / 20.
I ran around collecting everything I could find.
Got to 6. Map was empty. 6 / 20 just sitting there.
No more cubes anywhere on the map — I checked every corner.
So the game wants you to collect 20 but only has 6 in the world. The other 14 don't exist. Which means you're not supposed to find them — you're supposed to make the game think you already have them. That's where Cheat Engine comes in.
What Cheat Engine actually does
If you've never used it — Cheat Engine is a memory scanner for Windows processes. You attach it to a running program and it lets you search through that program's memory for specific values, then change them on the fly. People have used it for years to do things like give themselves infinite health or max ammo in games. In a CTF context it's a legitimate tool for runtime memory analysis.
The idea here is simple: somewhere in the game's memory there's an integer that stores the current cube count. Find it. Change it to 20. Done.
Attaching to the process
With the game running, I opened Cheat Engine and clicked the process selector — the little flashing monitor icon at the top left. It shows you all running processes on your system. I selected the CubeMadness1 process and hit Open. Now Cheat Engine is reading the game's memory live.
Initial scan
My current cube count is 0. In Cheat Engine I set the scan type to Exact Value, the value type to 4 Bytes (integers in games are almost always stored as 4-byte values), typed 0 in the value field, and hit First Scan.
Result: Thousands of addresses — all holding the value 0. That sounds overwhelming but it's completely normal. Every variable, counter, or chunk of memory that happens to be zero right now gets flagged. This first scan is just setting the baseline. The real work is filtering from here.
Narrowing it down — one cube at a time
I went back into the game and picked up exactly one cube. Score: 1 / 20.
Back in Cheat Engine, I changed the scan type to Increased value by..., entered 1, and hit Next Scan. CE immediately discards every address that didn't go up by exactly 1. Down to around 37,000.
Still a lot. Picked up a second cube. Next Scan again. Few thousand left. Kept going — third, fourth, fifth, sixth cube, running a Next Scan after each one. By the time I'd picked up all 6 available cubes and filtered at every step, Cheat Engine had narrowed it down to just 3 addresses.
All three were holding the value 6 and had tracked my pickup count perfectly through every single scan. That's our target.
Unity sometimes stores the same game variable in a few mirrored memory locations simultaneously — that's why we get 3 instead of 1. Doesn't matter, we just change all of them.
# After collecting all 6 cubes — 3 addresses remain
# All holding value: 6
# These are example addresses, yours will be different each run:
0x206FEA32A40
0x206FEA32A44
0x206FEA32A48
Changing the value
I selected all 3 addresses from the results list, clicked the red arrow to move them down to the address list at the bottom of the CE window, then double-clicked the value field on each one and typed 20.
Switched back to the game.
The counter jumped straight to 20 / 20 and the flag popped up on screen.
HTB{CU83_XXXXXXX_XXXXXXXXX}
Why this works
The cube count is just a number living in memory. There's nothing on a server checking it, no anti-cheat, no integrity verification — the game runs entirely locally so we have full control over its process. Cheat Engine is just a systematic way to find which number it is among the millions stored in memory.
The technique of scanning → changing the real value → scanning again is called multi-pass scanning. Each round filters out everything that didn't change the way you expected. Do it enough times and you zero in on exactly the memory address you're after. It's genuinely elegant once you see it in action.
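The filtering described above, and the missing integrity check from the previous paragraph, as an added example that is not part of the original writeup or the challenge's code. ToyGame, its offsets and its XOR key are constructed for illustration, and the masked guard copy is an assumed mitigation, not a description of how CubeMadness2 stores its values.

```python
import random
import struct

WORD = 4  # scan granularity: 4-byte little-endian integers, as in the writeup
def read_u32(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]

def first_scan(mem, value):
    """Exact-value first scan: every aligned address currently holding value."""
    return {a: value for a in range(0, len(mem), WORD) if read_u32(mem, a) == value}

def next_scan_increased_by(mem, candidates, delta):
    """Keep only addresses whose value rose by exactly delta since the last scan."""
    return {a: read_u32(mem, a) for a, old in candidates.items()
            if read_u32(mem, a) == old + delta}

class ToyGame:
    """Constructed stand-in for a process: 3 plain score mirrors plus a masked copy."""
    MIRRORS = (0x40, 0x44, 0x48)   # constructed offsets of the plain counters
    GUARD = 0x80                   # constructed offset holding score XOR KEY
    KEY = 0x5EEDC0DE               # constructed mask
    def __init__(self, size=4096, seed=1):
        self.mem = bytearray(size)          # mostly zeros, like the first scan result
        self.rng = random.Random(seed)
        self._store(0)

    def _store(self, score):
        for a in self.MIRRORS:
            struct.pack_into("<I", self.mem, a, score)
        struct.pack_into("<I", self.mem, self.GUARD, score ^ self.KEY)

    def pick_up_cube(self):
        self._store(read_u32(self.mem, self.MIRRORS[0]) + 1)
        # Unrelated state also changes between scans: noise the filter must reject.
        for _ in range(200):
            a = self.rng.randrange(0x100, len(self.mem), WORD)
            struct.pack_into("<I", self.mem, a, self.rng.randrange(0, 3))

    def score_is_consistent(self):
        """Integrity check: every plain mirror must match the unmasked guard copy."""
        real = read_u32(self.mem, self.GUARD) ^ self.KEY
        return all(read_u32(self.mem, a) == real for a in self.MIRRORS)

def run_scan(game, cubes=6):
    hits = first_scan(game.mem, 0)
    for _ in range(cubes):
        game.pick_up_cube()
        hits = next_scan_increased_by(game.mem, hits, 1)
    return sorted(hits)
```

The masked copy never holds the displayed number, so the exact-value scan does not land on it, and a write to the plain mirrors alone leaves score_is_consistent() returning False.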
First impressions of GamePwn
Coming from a web background this was a fun detour. The thinking is different — instead of exploiting logic flaws in an app, you're working directly with runtime memory. But the core idea of "find the thing, change the thing" isn't too far off from what we do in web exploitation.
CubeMadness2 apparently adds encryption on top of the stored values so the number you see in CE isn't the actual cube count — it's some encoded version of it. I've already done that one too and it's noticeably trickier. Writeup coming soon.