Categories
hexionCTF 2020 Reverse Engineering

“Serial Killer”

In the Serial Killer challenge, you are given a GameBoy ROM and need to extract the flag from it. To make debugging this ROM easier, we will use the gameboy emulator BGB which has great debugging abilities and runs well under wine. Here’s what we’re greeted with upon starting the ROM:

On boot
Upon pressing start

If you’re familiar with the Pokemon series of gameboy games, you’ll probably know what this “transferring” message is referring to: the link port! The link port physically connects two gameboys together using a serial link to trade pokemon, or in this case, a flag.

The gameboy code needed to use this link feature is well-documented over at gbdev.gg8.se: https://gbdev.gg8.se/wiki/articles/Serial_Communication_(Link_Cable)_Tutorial. The important part here is the serial data register at memory address 0xFF01. If we knew what was being written to that address, we would know the characters of the flag that the gameboy is trying to send via the link cable.

In order to read what’s being written out to that address, we’ll open up BGB’s debugger. From there, we can scroll to 0xFF01 in its memory view and set an access breakpoint, which will stop the ROM’s execution whenever it sends a byte of the flag out. This process is shown in the images below:

The instruction we stop on is ld (ff00+01),a, so we know that what’s being put on the link port is the byte in the 8bit register a. The af register is shown in the top right of the debugger as having a value of 0x6800, so therefore, the a register holds 0x68, or the letter h. We keep hitting F9 and recording each new byte to form the entire flag.

Eventually, after recording the value of each byte sent, we can read the entire flag.

hexCTF{3ven_5er1al_k1ll3rs_pl4y_g4m3s}

Leave a Reply

Your email address will not be published. Required fields are marked *