Tuesday, September 24, 2013

CSAW CTF Quals: Reversing 500 Impossible.nds

Impossible - 500 Points
WTF, his hp is over 9000! Beat the game to get your key.

Reversing a Nintendo DS ROM was right up my alley and I was very excited to begin. I immediately threw it into the emulator of my choice, NO$GBA. Upon loading it, I realized this was not going to be nearly as fun as a classic Legend of Zelda game, as the start screen itself was inverted. After clicking on the screen you are able to move and fire your poor little defenseless green triangle against “WTF”, who is spewing a million red triangles that kill you instantly. On top of that, “WTF’s” HP is over 9000! To be more specific, it’s 1,000,000 (but we don't know that at first).

So, like any good gamer faced with an OP boss, it's time to bust out those cheat codes! Since this is an indie game, there are no pre-made cheats, so we will just have to make our own. To do this I used a program called Cheat Engine. Cheat Engine has a built-in tutorial covering what I am about to describe to you, and it is very helpful. The information we are given about the boss's health is that it's over 9000 (gotta love the classic Dragon Ball Z reference). So, we can just scan the memory of the game for WTF's health. However, if we did not know this, or did not trust the developers of the competition, we would be completely in the dark. Luckily for us, Cheat Engine has an unknown initial value scan. After starting up the game and clicking start, I quickly pause the emulation and perform the scan. I then fire off a couple of shots at the boss and pause the game to do a decreased value scan. I kept repeating this cycle of shooting, pausing, and scanning for decreased values until I was left with one value. Cheat Engine informed me that its initial value at the unknown scan was 1,000,000. So, if I need to restart the game I can just scan for the exact value 1,000,000 after I click the start screen and pause the emulation. This scan yields four results. After firing and pausing, you can easily see that the boss's health is the only one to decrease.
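The scan-and-filter loop above is the whole trick, so here is an added example (my own illustration, not code from the challenge or from Cheat Engine) that replays it over constructed little-endian RAM snapshots: an unknown initial value scan seeds the candidate set, each decreased value scan narrows it, and an exact value scan for 1,000,000 shows why the restart shortcut returns several hits. Offsets and values are made up for the demo.

```python
import struct
def make_snapshot(words):
    return b"".join(struct.pack("<I", w) for w in words)

# Constructed little-endian RAM snapshots (not real ROM addresses): the boss HP
# word sits at offset 0x14, the rest is noise that sometimes shrinks as well.
SNAPSHOTS = [
    make_snapshot([7, 1_000_000, 1_000_000, 3, 500, 1_000_000, 0, 1_000_000]),  # paused after Start
    make_snapshot([7, 1_000_000, 1_000_000, 3, 480, 999_990, 0, 1_000_000]),    # after two hits
    make_snapshot([8, 1_000_000, 1_000_000, 3, 470, 999_970, 1, 1_000_000]),    # two more hits
    make_snapshot([8, 1_000_000, 999_999, 3, 470, 999_950, 1, 1_000_000]),      # two more hits
]

def read_words(snapshot):
    """Yield (offset, value) for every aligned 32-bit word in the snapshot."""
    for off in range(0, len(snapshot) - 3, 4):
        yield off, struct.unpack_from("<I", snapshot, off)[0]

def unknown_initial_scan(snapshot):
    """'Unknown initial value' scan: every word is a candidate; remember its value."""
    return dict(read_words(snapshot))

def exact_value_scan(snapshot, value):
    """'Exact value' scan: offsets whose word currently equals `value`."""
    return sorted(off for off, v in read_words(snapshot) if v == value)

def decreased_value_scan(candidates, snapshot):
    """'Decreased value' scan: keep candidates whose word shrank since last scan."""
    current = dict(read_words(snapshot))
    return {off: current[off] for off, old in candidates.items() if current[off] < old}

def find_boss_hp(snapshots):
    """Shoot/pause/decreased-scan until one address is left: (offset, initial) or None."""
    initial = unknown_initial_scan(snapshots[0])
    candidates = dict(initial)
    for snap in snapshots[1:]:
        candidates = decreased_value_scan(candidates, snap)
        if len(candidates) == 1:
            off = next(iter(candidates))
            return off, initial[off]
    return None

def write_word(snapshot, offset, value):
    """Patch one word, as Cheat Engine does when you edit a found value."""
    return snapshot[:offset] + struct.pack("<I", value) + snapshot[offset + 4:]

if __name__ == "__main__":
    off, hp = find_boss_hp(SNAPSHOTS)
    print(f"boss HP at {off:#x}, initial {hp}; 1,000,000 also at",
          [hex(o) for o in exact_value_scan(SNAPSHOTS[0], 1_000_000)])
```

With too few snapshots the candidate set never collapses to one address and `find_boss_hp` returns `None`, which is the cue to shoot, pause and scan again.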

Cheat Engine allows you to change this value to whatever your little gaming heart desires. I changed this value to 1, to make sure it passed the win comparison conditions, and fired off a couple of shots. Success! WTF is toast, w00t! And then, after we invert the screen, we are presented with "KEY IS DUBZFGJCRC." Sweet, so now we just submit the key and we're done, right? Wrong! I noticed that the value at the memory location that previously held the health was changed immediately after killing WTF. I also noticed, after quite some time, that this value, along with the surrounding addresses, directly affected the key. So I then checked the memory at these addresses. The designers of the game had applied a function that makes the key appear on the screen differently from how it is stored in memory. In memory the key was plainly visible. Challenge solved.

key: ou6UbzM8fgEjZQcRrcXKVN

- m4d_D0g

