Posted on by and filed under CSAW Finals 2015.

PwnAdventureZ-0

This year at CSAW Finals, Vector35 contributed an entire NES/Famicom RPG as a challenge category. One challenge was solving the puzzle of the mysterious “Blox Cave” – a room of 24 urns that need to be activated in a certain combination in order to open the door to the flag.

All of the teams were given a ROM of the game with flags stripped out and debug symbols included, along with a custom version of Binary Ninja and instructions to use FCEUX as the emulator. After following the challenge category instructions for finding the Blox Cave somewhere in the top left corner of the map, we find the Blox Cave full of urns.

In total, there are 24 urns that can be activated or deactivated – 2^24 possibilities, so guessing is out of the question. Brute forcing, however, should be fine – let’s find out where the code to check urn answers is.

Searching for the code that runs when we try to open the top door brings us to the bigdoor_interact subroutine:

[Image: the bigdoor_interact subroutine]

So when check_blocky_state returns 0, it spawns a horde of fat zombies. If not, the door opens – patching the cmp statement confirms. So what does check_blocky_state look like, exactly?

[Image: the check_blocky_state subroutine, with the scrollbar showing its length]

1005 lines of bitwise fun stuff! Essentially, each column of urns is a nibble (one urn per bit), so the 24 urns form six nibbles, i.e. three bytes of input, and a whole bunch of operations are then run against the user’s input. Totally brute forcible.
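To make the approach concrete, here is an added example (not the gist’s code and not the game’s): it walks the full 2^24 key space against a constructed stand-in for check_blocky_state and decodes the winning key back into a 4-row by 6-column urn grid. The stand-in check, the constants in it, and the column-equals-nibble layout are assumptions for illustration; the real routine is the 1005-line 6502 subroutine, which is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 6 columns of 4 urns, each column one nibble of a 24-bit
 * key, so nibbles 0-1 are byte 0, 2-3 byte 1 and 4-5 byte 2. */
#define COLS 6
#define ROWS 4
#define KEYSPACE (1u << 24)

static uint8_t rol8(uint8_t v, int n) { return (uint8_t)((v << n) | (v >> (8 - n))); }

/* CONSTRUCTED stand-in for check_blocky_state. It mixes the three input
 * bytes with the same flavour of ops the real routine uses (EOR/ROL-style)
 * and compares against fixed constants; nonzero means "the door opens".
 * Each stage depends on one new byte, so exactly one key passes. */
static int check_blocky_state(uint8_t b0, uint8_t b1, uint8_t b2) {
    uint8_t a = (uint8_t)(b0 ^ rol8(b1, 3));
    uint8_t b = (uint8_t)(b1 ^ rol8(b2, 5));
    uint8_t c = (uint8_t)(b2 ^ 0x5A);
    return a == 0xD7 && b == 0x13 && c == 0x88;
}

/* Enumerate every urn combination; returns the first passing key or -1.
 * 16M iterations of a few byte ops finishes in well under a second. */
static long brute_force(void) {
    for (uint32_t key = 0; key < KEYSPACE; key++) {
        uint8_t b0 = key & 0xFF, b1 = (key >> 8) & 0xFF, b2 = (key >> 16) & 0xFF;
        if (check_blocky_state(b0, b1, b2)) return (long)key;
    }
    return -1;
}

/* Is the urn at (col, row) activated for this key? Row r is bit r of column col's nibble. */
static int urn_active(uint32_t key, int col, int row) {
    uint8_t nibble = (key >> (4 * col)) & 0xF;
    return (nibble >> row) & 1;
}

int main(void) {
    long key = brute_force();
    if (key < 0) { puts("no solution"); return 1; }
    printf("solution key: %06lX\n", (unsigned long)key);
    for (int row = 0; row < ROWS; row++) {           /* one text line per row of urns */
        for (int col = 0; col < COLS; col++) putchar(urn_active((uint32_t)key, col, row) ? '#' : '.');
        putchar('\n');
    }
    return 0;
}
```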

After pasting the hex of the subroutine into an online 6502 disassembler and translating each of the x_bit subroutines to D functions, I made a Python script to translate the whole subroutine to D. Here’s the gist with both the Python script and the Dlang code to brute force for the solution:

https://gist.github.com/mark-ignacio/09c620562dc53b6971d5

After running it for a couple of seconds, we have the solution!

Inputting said solution into the emulator, we get a combination of urns:

After walking over to the NES, inserting Knightsec’s cartridge, and putting in the solution, we saw a flag to submit on the CRT screen. (Bonus: my tired face)

[Photo: the flag on the CRT screen (IMG_20151114_010748)]