# \[rev] Ratatouille

We are given a `.gb`gameboy file to reverse. On playing the game, there are ingredients on the ground we can pick up, and also an NPC we can interact with. We can check our inventory by hitting SELECT.

On talking to the NPC, he tells us to get a peach before talking to him.

<figure><img src="/files/E9aoJFVtK0lltmpO3C91" alt="" width="322"><figcaption></figcaption></figure>

After getting a peach (and an apple along the way), he tells us he needs a mushroom.

<figure><img src="/files/XCNbkdXEfcEdvklCB4kN" alt="" width="326"><figcaption></figcaption></figure>

At this point I decided to start reversing since I couldn't find a mushroom.

To start, I used the BGB debugger's cheat finder to find possible memory addresses where the amount of broccoli I had was being stored. This turns out to be $C86B.

<figure><img src="/files/Tor8M6Gf5E6TLeWaMHLB" alt="" width="362"><figcaption></figcaption></figure>

Looking at the surrounding memory, it soon becomes clear that $C868 - $C86F stores the amount of each ingredient we have. (in the screenshot below I have 1 apple and 2 broccoli and 0 of the other 6 ingredients).

<figure><img src="/files/0HKai2BjPW7tsNUR28jm" alt=""><figcaption></figcaption></figure>

Then I set a read watchpoint to $C868 to see which function is reading the amount of apples I have. I do this using the sameboy debugger.&#x20;

<figure><img src="/files/SRboEIjWIHmriQjlKNpq" alt="" width="303"><figcaption></figcaption></figure>

Decompiling the binary using Ghidra with the Ghidraboy plugin, I realise that 69fe actually does a check on the amount of every single ingredient we have. A small excerpt is shown below:

<figure><img src="/files/x0cPD2n8HUsclAgEw5em" alt="" width="500"><figcaption></figcaption></figure>

In this case it checks that we have 0x8 apples and 0x10 bananas. Similar SUB then JP instructions are used to check for the remaining ingredients.&#x20;

After looking through the assembly I realise that the following constraints are imposed:

```
-> first item needs to be 0x08
-> second item needs to be 0x10
-> third item needs to be 0x42
-> fourth item needs to be 0x2f
-> fifth item needs to be 0x2d
-> sixth item needs to be 0x0a (but this is after decrementing so it needs to be 0x0b)
-> seventh item needs to be 0x3c
-> eighth item needs to be 0x46
```

Using the bgb debugger I manually change the values at the corresponding memory addresses and talk to the NPC again. This gives me the flag:

<figure><img src="/files/2tgQ8qGsskNPkvWuPD6S" alt="" width="338"><figcaption></figcaption></figure>

Final flag: `flag{P1ZZ4S-4R3-0V3RRAT3D}`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://elijahchia.gitbook.io/ctf-blog/backdoor-ctf-24/rev-ratatouille.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.