Task: At Gunpoint (Reversing – 200)
Download provided: gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat
The `file` utility showed us that it was a GameBoy ROM. Having former console hackers on the team came in handy during this challenge, as we already knew in advance which tools to use and what to look for.
We were about to create a character table when, after switching the Codec to 2bpp planar (GameBoy’s native Codec), we found something interesting:
After some offset adjustment (using +, -, Shift + left and Shift + right) we got this image:
We submitted the key “tkCXDtheQDNRN”, but it wasn’t accepted. I wanted to confirm that those tiles were arranged linearly, so I kept analyzing the ROM.
The GameBoy’s screen has a resolution of 20×18 tiles. In order to check if the order of the tiles (and the flag) was correct, I performed a relative search using Darkl0rd’s Monkey-Moore:
Let’s imagine a grid containing the tiles for the key “tkCXDtheQDNRN” sequentially. Considering the first tile as an A, the second one would be B, the third one C and so on. After 20 bytes (the screen width) there should be something like a line break: that’s why I performed a relative search for ABCDEFGHIJKLMNOPQRST*UVWXYZ.
If we go to the ROM’s offset 0x0965 using a hex editor, we find out that this is indeed the section responsible for displaying the tiles:
Let’s compare it with the emulator’s BGMAP when displaying the key:
I’m not sure if this was intentional, but there’s something strange on this key display screen. The first tile for the char “t” (0x15) is followed by the first tile from “k” (0x16), which is followed by the first tile from “C” (0x17), and so on until we reach the “N” (0x28). There’s a break at offset 0x0979 (0x00), and the second half of these tiles (0x29 0x30 0x31 … 0x3C) ends with a 0x3D instead of the usual 0x00. We can see this clearly on the screenshot above, as the tile highlighted by the mouse pointer (0x3D) is out of bounds.
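The relative search above can be reproduced without Monkey-Moore. The following is an added example, not code from the write-up: it implements a relative search with a `*` wildcard, runs it over a constructed stand-in ROM (0xFF filler with a tile map laid out exactly as described, not the real challenge file), and reports the row-break byte at 0x0979 and the trailing 0x3D.

```python
from typing import Dict, List, Optional

SCREEN_WIDTH = 20  # Game Boy background is 20 tiles wide
PATTERN = "ABCDEFGHIJKLMNOPQRST*UVWXYZ"  # one row, a line-break byte, start of next row

def relative_pattern(pattern: str) -> List[Optional[int]]:
    """'A'=0, 'B'=1, ... relative to the first byte; '*' matches any byte."""
    return [None if c == "*" else ord(c) - ord("A") for c in pattern]

def relative_search(data: bytes, pattern: str) -> List[int]:
    """Return every offset where data follows the pattern's relative spacing."""
    rel = relative_pattern(pattern)
    hits = []
    for i in range(len(data) - len(rel) + 1):
        base = data[i]
        if all(r is None or (base + r <= 0xFF and data[i + k] == base + r)
               for k, r in enumerate(rel)):
            hits.append(i)
    return hits

def inspect_hit(data: bytes, offset: int, width: int = SCREEN_WIDTH) -> Dict[str, int]:
    """Report the row-break byte after the first row and the byte ending the second row."""
    return {
        "row_break_offset": offset + width,
        "row_break": data[offset + width],
        "trailer_offset": offset + 2 * width + 1,
        "trailer": data[offset + 2 * width + 1],
    }

def build_sample_rom(size: int = 0x8000, tilemap_offset: int = 0x0965) -> bytes:
    """Constructed stand-in for the challenge ROM (not the real file): 0xFF filler
    with a tile map laid out like the one described in the write-up."""
    rom = bytearray(b"\xff" * size)
    top_halves = bytes(range(0x15, 0x15 + SCREEN_WIDTH))     # 0x15..0x28
    bottom_halves = bytes(range(0x29, 0x29 + SCREEN_WIDTH))  # 0x29..0x3C
    layout = top_halves + b"\x00" + bottom_halves + b"\x3d"  # break, then odd 0x3D trailer
    rom[tilemap_offset:tilemap_offset + len(layout)] = layout
    return bytes(rom)

if __name__ == "__main__":
    rom = build_sample_rom()
    for hit in relative_search(rom, PATTERN):
        info = inspect_hit(rom, hit)
        print(f"tile map at 0x{hit:04X}; row break 0x{info['row_break']:02X} at "
              f"0x{info['row_break_offset']:04X}; trailer 0x{info['trailer']:02X}")
```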
Anyway, we apparently had the correct flag but we took some time to figure out that the 6th letter was a “J” and not a “t”. One member from our team figured that out and submitted the correct key “tkCXDJheQDNRN”.
There are other solutions to this challenge, like this one from Tastless. I’m still waiting for a write-up from someone who actually reversed and entered the secret combination. Anyway, none of them are going to be as elegant as the one from @angealbertini: