Elijah's CTF Blog

[rev] Ratatouille

Gameboy binary reversing

Last updated 5 months ago

We are given a .gb gameboy file to reverse. On playing the game, there are ingredients on the ground we can pick up, and also an NPC we can interact with. We can check our inventory by hitting SELECT.

On talking to the NPC, he tells us to get a peach before talking to him.

After getting a peach (and an apple along the way), he tells us he needs a mushroom.

At this point I decided to start reversing since I couldn't find a mushroom.

To start, I used the BGB debugger's cheat finder to find possible memory addresses where the amount of broccoli I had was being stored. This turns out to be $C86B.

Looking at the surrounding memory, it soon becomes clear that $C868 - $C86F stores the amount of each ingredient we have. (In the screenshot below I have 1 apple and 2 broccoli and 0 of the other 6 ingredients.)
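The narrowing a cheat finder performs, sketched as an added example (not part of the original write-up and not BGB's code). The WRAM snapshots are constructed sample data, the frame counter at $C000 is a hypothetical stand-in for unrelated changing memory, and the apple counter at $C868 acts as a decoy that tracks the broccoli count for the first two passes.

```python
WRAM_BASE = 0xC000   # Game Boy work RAM occupies $C000-$DFFF
WRAM_SIZE = 0x2000
APPLES, BROCCOLI = 0xC868, 0xC86B   # addresses reported in the write-up


def make_snapshot(apples, broccoli, frame):
    """Constructed WRAM image: static filler, one changing byte, two counters."""
    ram = bytearray((i * 7 + 3) & 0xFF for i in range(WRAM_SIZE))
    ram[0] = frame                      # hypothetical frame counter at $C000
    ram[APPLES - WRAM_BASE] = apples
    ram[BROCCOLI - WRAM_BASE] = broccoli
    return bytes(ram)


def narrow(candidates, snapshot, expected):
    """One search pass: keep addresses whose byte equals the value seen in game."""
    return {a for a in candidates if snapshot[a - WRAM_BASE] == expected}


def find_counter(observations):
    """observations: list of (snapshot, broccoli count shown in the inventory).

    Returns the sorted candidate list after each pass, starting from all of WRAM.
    """
    candidates = set(range(WRAM_BASE, WRAM_BASE + WRAM_SIZE))
    history = []
    for snapshot, expected in observations:
        candidates = narrow(candidates, snapshot, expected)
        history.append(sorted(candidates))
    return history


# Constructed play-through: nothing held, then one apple and one broccoli,
# then a second broccoli (the inventory state described in the write-up).
OBSERVATIONS = [
    (make_snapshot(apples=0, broccoli=0, frame=17), 0),
    (make_snapshot(apples=1, broccoli=1, frame=42), 1),
    (make_snapshot(apples=1, broccoli=2, frame=99), 2),
]

if __name__ == "__main__":
    for n, left in enumerate(find_counter(OBSERVATIONS), 1):
        shown = ", ".join(f"${a:04X}" for a in left[:4])
        print(f"pass {n}: {len(left)} candidate(s): {shown}")
```

Static bytes that happen to equal the first value drop out as soon as the count changes, and a counter that moves in step with the target only drops out once the two diverge.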

Then I set a read watchpoint on $C868 to see which function is reading the amount of apples I have. I do this using the SameBoy debugger.

Decompiling the binary using Ghidra with the GhidraBoy plugin, I realise that 69fe actually does a check on the amount of every single ingredient we have. A small excerpt is shown below:

In this case it checks that we have 0x8 apples and 0x10 bananas. Similar SUB then JP instructions are used to check for the remaining ingredients.

After looking through the assembly I realise that the following constraints are imposed:

-> first item needs to be 0x08
-> second item needs to be 0x10
-> third item needs to be 0x42
-> fourth item needs to be 0x2f
-> fifth item needs to be 0x2d
-> sixth item needs to be 0x0a (but this is after decrementing so it needs to be 0x0b)
-> seventh item needs to be 0x3c
-> eighth item needs to be 0x46

Using the BGB debugger, I manually change the values at the corresponding memory addresses and talk to the NPC again. This gives me the flag:

Final flag: flag{P1ZZ4S-4R3-0V3RRAT3D}