Friday, October 24, 2014

Hack.lu 2014 CTF Write Up: At Gunpoint

Hack.lu's 2014 CTF took place on October 21-23. The event was organized by fluxfingers, and this year's challenges were really enjoyable, huge props to them. I played with my friends from TheGoonies - after winning the Brazilian CTF Pwn2Win we are now getting better organized to become more competitive. There are quite a few write-ups around, and I decided to post about a few tasks for which we had a different solution from other teams.

Task: At Gunpoint (Reversing - 200)

You're the sheriff of a small town, investigating news about a gangster squad passing by. Rumor has it they're easy to outsmart, so you have just followed one to their encampment by the river. You know you can easily take them out one by one, if you would just know their secret handshake.

Download provided: gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat

The file utility showed us that it was a GameBoy ROM. Having former console hackers on the team came in handy during this challenge, as we already knew in advance which tools to use and what to look for.


We used TLayer TileMolester from the legendary SnowBro to gather information about the graphics and the font data. First, we switched the Codec to 1bpp and found the font used by the game.


We were about to create a character table when, after switching the Codec to 2bpp planar (GameBoy's native Codec), we found something interesting:


After some offset adjustment (using +, -, Shift + left and Shift + right) we got this image:
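To make the codec switch and the offset adjustment concrete, here is an added Python example (my own illustration, not the post's tooling or Tile Molester's code) that decodes Game Boy 1bpp and 2bpp planar tiles from a constructed buffer. The glyph drawing, its position at byte 5 of the buffer and the helper names are assumptions made for the example; the tile formats themselves are the Game Boy's.

```python
# Added example (not the post's or Tile Molester's code): decode Game Boy tile
# data the way a "1bpp" and "2bpp planar" codec does, so the effect of the
# offset adjustment can be seen without the GUI.
#
# 2bpp planar: 16 bytes per 8x8 tile, two bytes per row. Byte 0 of a row holds
# the low bit of each of the 8 pixels, byte 1 the high bit; bit 7 is the
# leftmost pixel. Pixel value = (high << 1) | low, i.e. one of 4 shades.
# 1bpp: 8 bytes per tile, one byte per row, one bit per pixel.

TILE_BYTES_2BPP = 16
TILE_BYTES_1BPP = 8
SHADES = ".:+#"  # text rendering for pixel values 0..3


def decode_row_2bpp(lo: int, hi: int) -> list:
    """Combine the low and high bitplane bytes of one row into 8 pixel values."""
    return [(((hi >> (7 - x)) & 1) << 1) | ((lo >> (7 - x)) & 1) for x in range(8)]


def decode_tile_2bpp(data: bytes, offset: int) -> list:
    """Return the 8x8 pixel grid of the 2bpp planar tile starting at offset."""
    return [decode_row_2bpp(data[offset + 2 * y], data[offset + 2 * y + 1])
            for y in range(8)]


def decode_tile_1bpp(data: bytes, offset: int) -> list:
    """Return the 8x8 pixel grid of the 1bpp tile starting at offset."""
    return [[(data[offset + y] >> (7 - x)) & 1 for x in range(8)] for y in range(8)]


def encode_tile_2bpp(pixels: list) -> bytes:
    """Inverse of decode_tile_2bpp; used here only to build the constructed sample."""
    out = bytearray()
    for row in pixels:
        lo = hi = 0
        for x, p in enumerate(row):
            lo |= (p & 1) << (7 - x)
            hi |= ((p >> 1) & 1) << (7 - x)
        out += bytes((lo, hi))
    return bytes(out)


def render(tile: list) -> str:
    """ASCII view of a decoded tile, one character per pixel."""
    return "\n".join("".join(SHADES[p] for p in row) for row in tile)


def find_tile(data: bytes, tile: list, step: int = 1) -> list:
    """Offsets at which `tile` appears in 2bpp planar form: the manual '+'/'-'
    offset adjustment, done exhaustively instead of by eye."""
    n = len(data) - TILE_BYTES_2BPP + 1
    return [o for o in range(0, n, step) if decode_tile_2bpp(data, o) == tile]


# Constructed sample (assumption, not ROM data): a lowercase "t" glyph drawn in
# shade 3 with a shade-2 shadow, placed 5 bytes into a buffer so that a decoder
# starting one byte early sees a misaligned tile.
GLYPH_T = [
    "..##....",
    "..##....",
    "######..",
    "..##.+..",
    "..##.+..",
    "..##..#.",
    "...###+.",
    "....+++.",
]
GLYPH_T_PIXELS = [[SHADES.index(c) for c in line] for line in GLYPH_T]
GLYPH_OFFSET = 5
SAMPLE_DATA = b"\x00" * GLYPH_OFFSET + encode_tile_2bpp(GLYPH_T_PIXELS) + b"\x00" * 11

if __name__ == "__main__":
    print("aligned view (offset 5):")
    print(render(decode_tile_2bpp(SAMPLE_DATA, GLYPH_OFFSET)))
    print("misaligned view (offset 4):")
    print(render(decode_tile_2bpp(SAMPLE_DATA, GLYPH_OFFSET - 1)))
    print("glyph found at offsets:", find_tile(SAMPLE_DATA, GLYPH_T_PIXELS))
```

Running the block renders the glyph correctly at offset 5 and as noise at offset 4, which is exactly what the +/- keys in the tile viewer are compensating for; `find_tile` shows the same search done programmatically.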


We submitted the key "tkCXDtheQDNRN", but it wasn't accepted. I wanted to confirm that those tiles were arranged linearly, so I kept analyzing the ROM.

The GameBoy's screen has a resolution of 20x18 tiles. To check whether the order of the tiles (and thus the flag) was correct, I performed a relative search using Darkl0rd's Monkey-Moore:


Imagine a grid containing the tiles for the key "tkCXDtheQDNRN" in sequence. If the first tile is an A, the second one is B, the third one C, and so on. After 20 bytes (the screen width) there should be something like a line break; that's why I performed a relative search for ABCDEFGHIJKLMNOPQRST*UVWXYZ.

If we go to offset 0x0965 of the ROM using a hex editor, we find that this is indeed the section responsible for displaying the tiles:


Let's compare it with the emulator's BGMAP when displaying the key:



I'm not sure if this was intentional, but there's something strange about this key display screen. The first tile of the char "t" (0x15) is followed by the first tile of "k" (0x16), which is followed by the first tile of "C" (0x17), and so on until we reach "N" (0x28). There's a break at offset 0x0979 (0x00), and the second half of these tiles (0x29 0x30 0x31 ... 0x3C) ends with a 0x3D instead of the usual 0x00. We can see this clearly in the screenshot above, as the tile highlighted by the mouse pointer (0x3D) is out of bounds.
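The relative search and the row check above, as an added Python example that is neither Monkey-Moore's nor the post's code. The ROM bytes are a constructed buffer that reproduces only the layout the post describes at 0x0965 (tiles 0x15..0x28, the 0x00 break at 0x0979, tiles 0x29..0x3C, then the stray 0x3D); the filler around it is pseudo-random, and the 21-byte row stride (20 tile indices plus one terminator byte) is an assumption used to split the match into screen rows.

```python
# Added example (not Monkey-Moore's code): a relative search over a ROM image,
# followed by a check of the 20-tile-wide rows it finds. ROM below is a
# constructed buffer, not the challenge file.
import random

SCREEN_WIDTH_TILES = 20  # Game Boy background: 20x18 visible tiles
PATTERN = "ABCDEFGHIJKLMNOPQRST*UVWXYZ"  # 20 consecutive tiles, wildcard, 6 more


def relative_search(rom: bytes, pattern: str, wildcard: str = "*") -> list:
    """Offsets where rom matches the pattern's relative byte differences.

    Two literal characters c1, c2 at positions i, j match bytes b1, b2 when
    b2 - b1 == ord(c2) - ord(c1); the wildcard matches any single byte."""
    anchors = [(i, ord(c)) for i, c in enumerate(pattern) if c != wildcard]
    if not anchors:
        raise ValueError("pattern needs at least one literal character")
    first_i, first_c = anchors[0]
    deltas = [(i, c - first_c) for i, c in anchors]
    hits = []
    for off in range(len(rom) - len(pattern) + 1):
        base = rom[off + first_i]  # fixing one byte fixes the whole pattern
        if all(rom[off + i] == base + d for i, d in deltas):
            hits.append(off)
    return hits


def split_rows(rom: bytes, offset: int, rows: int,
               width: int = SCREEN_WIDTH_TILES) -> list:
    """Assumption used here: each row is `width` tile indices followed by one
    terminator byte (0x00 in the post's data). Returns (tiles, terminator) pairs."""
    stride = width + 1
    out = []
    for r in range(rows):
        start = offset + r * stride
        out.append((list(rom[start:start + width]), rom[start + width]))
    return out


def odd_terminators(rows: list, expected: int = 0x00) -> list:
    """Indexes of rows whose terminator byte is not the expected value."""
    return [i for i, (_, term) in enumerate(rows) if term != expected]


# --- constructed ROM image (assumption: only the described layout is real) ---
KEY_DISPLAY_OFFSET = 0x0965
KEY_DISPLAY = (bytes(range(0x15, 0x29)) + b"\x00"      # row 1 + break at 0x0979
               + bytes(range(0x29, 0x3D)) + b"\x3D")   # row 2 + stray 0x3D
_rng = random.Random(2014)
_filler = bytes(_rng.getrandbits(8) for _ in range(0x2000))
ROM = (_filler[:KEY_DISPLAY_OFFSET] + KEY_DISPLAY
       + _filler[KEY_DISPLAY_OFFSET + len(KEY_DISPLAY):])

if __name__ == "__main__":
    for hit in relative_search(ROM, PATTERN):
        print(f"match at 0x{hit:04X}")
        rows = split_rows(ROM, hit, rows=2)
        for i, (tiles, term) in enumerate(rows):
            print(f"row {i}: " + " ".join(f"{t:02X}" for t in tiles)
                  + f" | end=0x{term:02X}")
        print("rows with unexpected terminator:", odd_terminators(rows))
```

Running the block prints the single match at 0x0965, both 20-tile rows, and flags row 1 because it ends with 0x3D rather than 0x00; the search itself needs no knowledge of which tile index the font starts at, which is the point of a relative search.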

Anyway, we apparently had the correct flag, but it took us some time to figure out that the 6th letter was a "J" and not a "t". One member of our team figured that out and submitted the correct key "tkCXDJheQDNRN".


There are other solutions to this challenge, like this one from Tastless. I'm still waiting for a write-up from someone who actually reversed and entered the secret combination. Anyway, none of them are going to be as elegant as the one from @angealbertini: