Reverse Engineering Game Boy

Study case NCW 2022 Final (80's).

Preface

During the competition, my team got 1st place and i got 1st blood in this challenge. It was my first time using bgb as debugger and doing debugging on game boy. In this case i do static and dynamic analysis to solve the challenge.

Static and Dynamic Analysis

Given a game.gb file, after searching around we found that there is an emulator with a debugger feature, namely bgb.

Load the ROM, then use the debugger feature

In this case, we also use Ghidra to decompile with the support of the GhidraBoy plugin.

In function 0_200 you can see there is a string here's your secret which seems to be related to the flag. Check the initial function when loading the game

There are several functions and after cross checking the function reference 0472 there is a call to 0200.

Because we don't know how to input or change the BC DE value through the game, we use the debugger to forcefully change the register value. There are several checks, namely

DE&0x1 != 0 
DE >= 0x20
B + 1 == 100 
C  == 100

And below are the appropriate values

DE = 0021
BC = 6463

Then just continue until 0200 is called and we will get the flag

Flag : NCW22{f33ls_0ld_y3t_with_g4me_b01z80?}

Last updated 10 months ago