
GameBoy (WHYCTF2025)


Initial Analysis

We initially got a .rar archive, and extracting it gave a file named chall.gb. The .gb extension means it is a Game Boy ROM, so we likely have to find the flag inside this ROM. I googled for GBA emulators with a debugger, and the one I found useful was mGBA, since we can write into memory using its debugger. I tried strings but didn't find anything useful. Then I loaded the ROM into the emulator to see how the game works and found that the only inputs are Right, Left, Up, Down, Multi (when multiple keys are pressed), A and B.

[Figure 1: mGBA]

I found that the GhidraBoy plugin by Gekkio can disassemble Game Boy ROMs in Ghidra, so I added it to Ghidra.

Deep Dive

I opened the challenge ROM in Ghidra and clicked Analyze. The view I got is shown below; these first lines of code are the ROM's initialisation code.

[Figure 2: ROM in Ghidra]

Scrolling down, you will find a call to FUN_036b, which is the main function of the game.

[Figure 3: Main Game Function]

In the main game function, the first thing I noticed was the strings Press START and NOW THE CHEAT PATTERN. The function they are passed to, FUN_05e1, is most likely the print function, so rename it accordingly.

[Figure 4: Main Game Function-1]

Between the two strings there is another function that takes 0x80 as an argument; it is a loop for key input. Also note the variable uStack_f, which stores 0xb (11). Next, analyse the do-while loop: there is a function FUN_057e, which is the key-input function, and its result is stored in local_5. It then checks whether your input is null, i.e. whether you pressed a key or not, and there is another function, FUN_0247, which converts the raw gamepad input read from the P1 register into a readable button name.

Then comes a nested if-statement that compares your input key/button with the correct sequence at position local_4, which was stored in cStack_10; if it matches, local_4 is incremented by 1. It then checks whether local_4 equals 0xb; if so, it calls FUN_02c9, which is most likely the flag function, otherwise your correct-sequence counter is reset to zero and the loop continues.
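To make the loop above concrete, here is a small Python model of it written for this post (it is not code from the ROM). The P1 decoding follows the standard Game Boy joypad register layout; the 11-button pattern is constructed for illustration, since the real one sits in the ROM, and the patch option reproduces the effect of overwriting local_4 right after its increment.

```python
from typing import List, Optional, Tuple

# Game Boy joypad register P1 ($FF00): the low nibble is active-low (0 = pressed).
# With bit 4 low it reports the d-pad, with bit 5 low the action buttons.
DPAD = {0: "Right", 1: "Left", 2: "Up", 3: "Down"}
ACTION = {0: "A", 1: "B", 2: "Select", 3: "Start"}

def decode_p1(p1_dpad: int, p1_action: int) -> Optional[str]:
    """Turn two raw P1 low-nibble reads (d-pad selected, then actions selected)
    into a button name, the job FUN_0247 does. None = nothing pressed,
    'Multi' = more than one key down, matching the game's own input names."""
    pressed = []
    for nibble, names in ((p1_dpad, DPAD), (p1_action, ACTION)):
        for bit, name in names.items():
            if not (nibble >> bit) & 1:      # active-low: cleared bit = pressed
                pressed.append(name)
    if not pressed:
        return None
    return pressed[0] if len(pressed) == 1 else "Multi"

CHEAT_LEN = 0x0B   # the 0xb / 11 held in uStack_f
# Constructed pattern for the model; the real cheat sequence is in the ROM (cStack_10).
PATTERN = ["Up", "Up", "Down", "Down", "Left", "Right",
           "Left", "Right", "B", "A", "Start"]

def run_loop(inputs: List[Optional[str]],
             patch_after_increment: Optional[int] = None) -> Tuple[bool, int]:
    """Replay the do-while loop: local_4 counts matched buttons, resets to 0 on a
    wrong button, and the flag routine (FUN_02c9) fires once it reaches CHEAT_LEN.
    patch_after_increment emulates writing a value over local_4 at the breakpoint
    just after the increment. Returns (flag_called, final_count)."""
    count = 0
    for key in inputs:
        if key is None:                      # no key pressed: loop again
            continue
        if key == PATTERN[count]:
            count += 1
            if patch_after_increment is not None:
                count = patch_after_increment
            if count == CHEAT_LEN:
                return True, count
        else:
            count = 0
    return False, count
```

Replaying the full constructed pattern reaches the flag routine, a single correct button with the counter patched to 0x0b reaches it too, and any wrong button sends the counter back to zero.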

Getting the flag

So far we have understood how the game ROM works and concluded that to get the flag we have to set local_4, the number of correct inputs in the sequence, to 11 (0xb). Now it is time to do it.

Open the mGBA emulator, load the ROM and open the debugger. Now we have to set a breakpoint where local_4 is incremented, which is at address $03cc.

[Figure 5: Setting Breakpoint]

Now continue the debugger and play the game until you hit the breakpoint, then run dis to confirm it.

[Figure 6: Hitting Breakpoint]

Run next to step to the next instruction, which loads the incremented value into the A register and then compares it with 0xb. Now run status to check the current state of the registers. We now have to write 0xb through the HL register: w/1 hl 0x0b sets local_4 to 11. Then continue.

YOU GOT THE FLAG!!!!

[Figure 7: Flag]

Thanks For Reading

This post is licensed under CC BY 4.0 by the author.