Monday 23 September 2013

CSAW CTF Quals 2013 - Reverse 500 - Impossible

Task:

Impossible - 500 Points

Solved by 82 teams.

WTF, his hp is over 9000! Beat the game to get your key.
impossible.nds
In this task we are given an image of a Nintendo DS cartridge containing a game. The task clearly says we have to win, probably by cheating. First I installed an IDA loader for .nds files (you can find it on the net), but this didn't help me much: there was a lot of ARM code and no clues about how to get to the flag.

Then I searched for emulators and debuggers. A nice one was DeSmuME, which lets you watch for changed values and filter them, which is probably what is needed. However, it is quite laggy and I never saw the boss on the screen while playing the game (you can deduce its position from where the projectiles come from). There is also the no$gba emulator, which renders the game perfectly but doesn't have free debugging features. Still, let's open the "RAM Search" option in DeSmuME. It took me some time to work out how to use this powerful tool. To begin, start the game and reset the counters, set the data size to 4 bytes and filter for values greater than 9000 (I took the information from the task literally, although "over 9000" is more of a meme). Then shoot a couple of times to hit the boss, pause the game and filter for values that changed more than, e.g., 10 times (the assumed number of hits on the boss). Once you have filtered well enough, you can see that the value located at 0x02032184 is quite a good candidate for the boss's health. Let's watch it more closely.


Select it and press the "Watch" button, enter a comment for this value and hit the boss again to see whether the value changes. It turns out that this really is the boss's health, as the value decreases.
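The RAM Search filtering described above, as an added example that is not part of the original post or of DeSmuME: it walks successive RAM snapshots, keeps aligned 4-byte words that start above 9000, and reports those that changed more than 10 times. The snapshots are constructed sample data, and the function names and the unsigned little-endian word layout are assumptions.

```python
import struct

RAM_BASE = 0x02000000  # start of NDS main RAM, the region holding 0x02032184

def words(snapshot):
    """Yield (offset, value) for each aligned little-endian 32-bit word."""
    for off in range(0, len(snapshot) - 3, 4):
        yield off, struct.unpack_from("<I", snapshot, off)[0]

def ram_search(snapshots, min_value=9000, min_changes=10):
    """Return {address: change_count} for words that start above min_value
    and change more than min_changes times across consecutive snapshots."""
    # Step 1: value filter on the first snapshot (assumed unsigned compare).
    candidates = {off: [val, 0] for off, val in words(snapshots[0]) if val > min_value}
    # Step 2: count how often each surviving word differs from its previous value.
    for snap in snapshots[1:]:
        for off, state in candidates.items():
            cur = struct.unpack_from("<I", snap, off)[0]
            if cur != state[0]:
                state[0] = cur
                state[1] += 1
    return {RAM_BASE + off: n for off, (_, n) in candidates.items() if n > min_changes}

def make_constructed_snapshots(hits=12):
    """Constructed sample data: a 64-byte RAM window captured after each hit."""
    snaps = []
    for i in range(hits + 1):
        ram = bytearray(64)
        struct.pack_into("<I", ram, 0x04, 9001 - 7 * i)  # health-like word, drops per hit
        struct.pack_into("<I", ram, 0x10, i)             # counter: changes, but too small
        struct.pack_into("<I", ram, 0x20, 0xDEADBEEF)    # large constant: never changes
        snaps.append(bytes(ram))
    return snaps

if __name__ == "__main__":
    for addr, n in ram_search(make_constructed_snapshots()).items():
        print(f"0x{addr:08X} changed {n} times")
```

Only the health-like word survives both filters, which is why combining a value threshold with a change count narrows the candidate list so quickly.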
So we should make a cheat. Let's return to the RAM Search window and, with this value selected, press the "Add cheat" button. Let's set the value to 1 and hit the boss one more time. After that, in my case the game screen went black, but in no$gba you can see a key. But this is not the real key.

Let's dump the memory (this can be done via View Memory -> Dump all) and look for the key in a hex editor. And there it is (ou6UbzM8fgEjZQcRrcXKVN).






