How to open calc.exe from S&Box | PJB blog
Skip to main content
How to open calc.exe from S&Box
Thursday May 21, 2026
So, S&Box went “open source”. I don’t personally have any interest in the platform, but I did have interest in how they securely execute C# code…
So S&Box is “Garry’s Mod 2”, or maybe it’s Roblox Source 2, I really don’t care about it directly. The thing that’s relevant to me is that instead of using Lua or something, they use full powered C# for game scripting. C#/.NET is not Lua: it is not designed to run untrusted code, so how do they get away with it? The solution is quite simple: they scan your code and block loading it if you use any APIs like File.Open(). Now, is this secure? Well…
To be clear: if you are a security-minded person, this is an atrocious idea. The .NET runtime is not hardened to intentionally execute hostile code like a browser Javascript engine is. It used to be in the .NET Framework days, but they gave up on that with modern .NET, and I’ve heard there was a giant streak of vulnerabilities back then anyway.
On the other hand… Space Station 14 does exactly the same thing, and I wrote the damn code for that. I’m not going to pretend I’m any better than them. The reason why we’re both using C# is extremely simple: C# is hands down one of the best programming languages ever, full stop. I could do an entire blog post on just how good C# is, but I’ll spare you that here. In Space Station 14’s case, it’s no exaggeration to say that it’s a huge factor of why the project even succeeded in the first place.
But anyways, let’s check the sandbox whitelist, sha- spits out drink
// Compiler generates all this scary shit that the user shouldn't be using<br>// User code is checked in Sandbox.Compiling blacklist<br>"System.Private.CoreLib/System.Runtime.CompilerServices.Unsafe.Add*",<br>"System.Private.CoreLib/System.Runtime.CompilerServices.Unsafe.As*",<br>"System.Private.CoreLib/System.Runtime.CompilerServices.Unsafe.AsRef*",
What are they thinking? It can’t be that easy can it???
Can we smash the stack?
Alright. Let’s just try this. There’s no way this works.
Let’s install the damn game, open the edit- the editor crashes on load. God damnit. And so does the game? What is going on? Half an hour of fudging around later I bother to attach WinDBG to the editor and…
Of course I don’t regret buying an AMD GPU, why do you ask?
Yes, AMD’s GPU driver has a bug where it will cause an app crash if an app checks for VR without SteamVR running but with a Valve Index plugged in. Unplugs DisplayPort cable.
I open the a new project in the editor, open the C# example component it generated, paste in the following code:
var i = 5;<br>ref var r = ref i;<br>while (true)<br>r = 0;<br>r = ref Unsafe.Add(ref r, 1);
…and the editor refuses to compile it. Okay, whatever, we saw that coming. Thankfully I don’t even need dnSpy for this, we can just compile it ourselves!. I removed the compile blacklist with a simple && false in the right spot, and opened it again. It compiles the code without a hitch. I make a scene, add the component to an empty object, press run… and the editor crashes! As expected.
But will it work in-game? I find the publish button, create an organization first (I claimed slugcat), publish it, check the game settings to make sure it’s unlisted (I am somewhat responsible), and… I can’t find my game in the UI anywhere. It says that unlisted games can be found “by URL” or “by people in the organization” but I sure didn’t find shit like that in the game’s game browser. After 20 minutes of flipping through UIs, going insane, and even asking a friend, I realized I could run game slugcat.calc in the console to load the game.
Aaand… it didn’t crash, because I made a new scene instead of modifying the default example scene that actually got loaded. One publish later (thankfully, publishing is quite fast) and…
Game crash.
Oh my gooood
Allowing unsafe code
Okay, so, since they’re clearly not checking shit when you load the game, and they sure as hell don’t have an ILVerify step like we do in SS14, we should just be able to compile full unsafe code and get away with it. So just modify the editor again.
I want to say this was “pretty easy” but admittedly it took quite a bit of trial and effort. Editing & restarting the editor took a good while. I couldn’t just tell it to allow unsafe code, because that makes the compiler put [UnverifiableCode] on the module and that trips their loader sandbox. So I had to whip out Mono.Cecil and strip that shit. It wasn’t hard. It was just painful iteration, me not reading error messages correctly, and being a bit of a clown.
Also, extremely annoyingly, if you restart the editor while your code is failing to load due to a sandbox error, it will never load it again. This is, of course,...