Task: At Gunpoint (Reversing - 200)
You're the sheriff of a small town, investigating news about a gangster squad passing by. Rumor has it they're easy to outsmart, so you have just followed one to their encampment by the river. You know you can easily take them out one by one, if you would just know their secret handshake.
Download provided: gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat
The file utility showed us that it was a GameBoy ROM. Having former console hackers on the team came in handy during this challenge, as we already knew in advance which tools to use and what to look for.
We used
We were about to create a character table when, after switching the codec to 2bpp planar (the GameBoy's native tile format), we found something interesting:
After some offset adjustment (using +, -, Shift + left and Shift + right) we got this image:
We submitted the key "tkCXDtheQDNRN", but it wasn't accepted. I wanted to confirm that those tiles were really laid out in a linear order, so I kept analyzing the ROM.
The GameBoy's screen has a resolution of 20x18 tiles. In order to check if the order of the tiles (and the flag) was correct, I performed a relative search using Darkl0rd's Monkey-Moore:
If we go to the ROM's offset 0x0965 using a hex editor, we find out that this is indeed the section responsible for displaying the tiles:
Let's compare it with the emulator's BGMAP when displaying the key:
I'm not sure if this was intentional, but there's something strange about this key display screen. The first tile for the char "t" (0x15) is followed by the first tile for "k" (0x16), which is followed by the first tile for "C" (0x17), and so on until we reach the "N" (0x28). There's a break at offset 0x0979 (0x00), and the second half of these tiles (0x29 0x30 0x31 ... 0x3C) ends with a 0x3D instead of the usual 0x00. We can see this clearly in the screenshot above, as the tile highlighted by the mouse pointer (0x3D) is out of bounds.
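To make the two observations above concrete (2bpp planar tiles, and a tile list that is one terminator off), here is an added example that is not part of the original writeup: a small decoder for GameBoy 2bpp planar tiles plus a parser for a 0x00-terminated tile list laid out like the one at ROM offset 0x0965. The sample tile list is constructed from the values quoted in the text; it is not the actual ROM bytes.

```python
# Added example (not the original writeup's code). Decodes GameBoy 2bpp planar
# tiles and parses a tile list shaped like the one found at ROM offset 0x0965.

ROW_WIDTH = 20  # the GameBoy screen is 20x18 tiles


def decode_2bpp_tile(data: bytes) -> list[list[int]]:
    """Decode one 16-byte tile into 8 rows of 8 pixel values (0-3).

    Each pixel row is two bytes: the first carries bit-plane 0, the second
    bit-plane 1, and the leftmost pixel is the most significant bit of each.
    """
    if len(data) != 16:
        raise ValueError("a GameBoy tile is exactly 16 bytes")
    rows = []
    for y in range(8):
        lo, hi = data[2 * y], data[2 * y + 1]
        rows.append([((lo >> (7 - x)) & 1) | (((hi >> (7 - x)) & 1) << 1)
                     for x in range(8)])
    return rows


def parse_tile_rows(blob: bytes, width: int = ROW_WIDTH):
    """Split a 0x00-terminated tile list into rows of `width` tile indices.

    Returns (rows, trailing): `trailing` is None when every row ended with the
    expected 0x00, otherwise the byte that took the terminator's place (the
    writeup saw 0x3D after the second row).
    """
    rows, pos = [], 0
    while pos + width <= len(blob):
        rows.append(list(blob[pos:pos + width]))
        pos += width
        term = blob[pos] if pos < len(blob) else None
        pos += 1
        if term != 0x00:
            return rows, term
    return rows, None


def pair_tiles(rows):
    """Pair each top-half tile with the bottom-half tile beneath it."""
    return list(zip(rows[0], rows[1]))


# Constructed sample: top halves 0x15..0x28, a 0x00 break, bottom halves
# 0x29..0x3C, then the stray 0x3D instead of a terminator.
SAMPLE_MAP = bytes(range(0x15, 0x29)) + b"\x00" + bytes(range(0x29, 0x3D)) + b"\x3D"

if __name__ == "__main__":
    rows, trailing = parse_tile_rows(SAMPLE_MAP)
    print(pair_tiles(rows), hex(trailing) if trailing is not None else None)
```

The first pixel row of the tile decoder is checked against the well-known Pan Docs example (bytes 0x3C 0x7E decode to 0 2 3 3 3 3 2 0).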
Anyway, we apparently had the correct flag, but it took us some time to figure out that the 6th letter was a "J" and not a "t". One member of our team figured that out and submitted the correct key "tkCXDJheQDNRN".