Welcome to the Debugmen blog. We use this site to post tools, security findings, CTF writeups and anything else we find worthy of release to the public.
Tenable CTF: Play Me
Play Me
Technically, the category was vidya on the CTF, but this is a RE problem
Overview
This challenge gives you a Gameboy ROM and the description tells you that you need to beat the level in order to get the flag.
Ok. Lets just play the game on the Virtual Boy Advance (VBA) emulator.
Pro Gamer Moves 🎮
So I get to the end of the level and the evil challenge writer thinks its funny to make the last platform non solid.
Finding the Player State
How do we win? We cheat. 😎
Based on the challenge description, it looks like I just need to move my character to the end of the level, so I started looking for the character’s X coordinate in the game.
VBA is really awesome. It lets you look right into memory of the game and automatically update it as the game runs. I was able to find the where the I/O states are stored and watch the player’s coordinates change as I moved around. Unfortunately, when I tried to set the values to something else, they snapped back to their original values. This is probably because the memory here is constantly being updated from the emulated hardware’s I/O. What I really need to find is the location in memory the player’s state is being saved so I can change it directly.
In order to find where my player state is, I dumped memory in each state seen above with VBA. I should expect to find that the memory storing the player’s state, more specifically the player’s X value is going to be different between the two memory dumps and most other things should be the same.
The first two differences I saw where at the start of where RAM is mapped to (0xC0000). The first change, circled in red, is the same values I saw in the I/O section; I tried to change them and the same behavior happened. The next difference, circled in green is what I found to be the player’s X and Y coordinate as 16bit integers.
More specifically
.__________________________________.
| Address | Value Name | Data Type |
|---------|------------|-----------|
| 0xC0AC | X Position | uint16 |
| 0xC0AE | Y Position | uint16 |
`----------------------------------'
Cheating
We know where the player’s state is located, so lets just change it!
It took me a little playing around to realize those are 16 bit values. Had to move the character closer to the end of the level to see the higher bits update, but with some hand fuzzing I was able to teleport (i.e. set the position of) the player to the end of the level by changing the coordinates to these values (little endian btw).
X = 1023 (0xff03)
Y = 0 (0x0000)
