[Reverse] Square CTF - The Turing Agent

The Turing Agent

A Small Gameboy CTF
500 points
Reverse

The hamsters have triumphed! We found an open Github repository (https://github.com/Ahris/the_turing_agent)! It looks like some sort of game; perhaps they’re planning to trick our humans into playing it. We need to know if there’s any data hidden in the game that might harm our humans.

Note: You’ll need to prepend “flag-“ to the flag.

A classic Game Boy ROM to analyse. At first I searched the web for a good debugger for this; most people online recommended http://bgb.bircd.org/ as the best, but unfortunately I didn't manage to understand that debugger very well. Searching again, I found a much more intuitive debugger named No$GMB (http://problemkaputt.de/gmb.htm), and with it the challenge was much easier to solve.

Opening the ROM with No$GMB, we can see that once the game starts we get some conversation until we reach a locked door that requires a code (a combination of several Game Boy buttons); if we enter the correct combination we get the flag:

As you can see in the image above, I put a breakpoint at 0x337C, which is a jump. I chose this spot because I noticed it is some kind of loop that only ends once all the keys have been entered to unlock the door. My plan was not to actually understand how the Game Boy architecture works, but to bypass the combination check by changing the flags that the jump instructions depend on and so find the winner function:

To avoid being stuck in the loop without pressing any keys, we can simply clear the carry flag so the jump is not taken; as we can see in the image below, the “[]” marker disappears:
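As an added illustration (not part of the original write-up), here is how a conditional jump on the Game Boy CPU depends on the flag bits, so why clearing the carry flag makes the jump fall through. The ROM bytes placed at 0x337C and 0x0150 below are made up stand-ins, not taken from the challenge ROM.

```python
# Added example, not from the write-up: decode a Game Boy (LR35902) conditional
# jump and work out whether it is taken for a given F register, which is what
# toggling the carry flag in the debugger changes.
import struct

# F register layout: Z = bit 7, N = bit 6, H = bit 5, C (carry) = bit 4
FLAG_Z, FLAG_N, FLAG_H, FLAG_C = 0x80, 0x40, 0x20, 0x10

# Conditional jump opcodes: opcode -> (mnemonic, condition, relative?)
COND_JUMPS = {
    0x20: ("JR NZ,e8", "NZ", True), 0x28: ("JR Z,e8", "Z", True),
    0x30: ("JR NC,e8", "NC", True), 0x38: ("JR C,e8", "C", True),
    0xC2: ("JP NZ,a16", "NZ", False), 0xCA: ("JP Z,a16", "Z", False),
    0xD2: ("JP NC,a16", "NC", False), 0xDA: ("JP C,a16", "C", False),
}

def condition_met(cond, f):
    """Evaluate a jump condition against the F register value."""
    z, c = bool(f & FLAG_Z), bool(f & FLAG_C)
    return {"NZ": not z, "Z": z, "NC": not c, "C": c}[cond]

def decode_jump(rom, pc):
    """Decode the conditional jump at address pc (bank 0, so file offset == address).
    Returns (mnemonic, condition, target, fallthrough)."""
    mnem, cond, relative = COND_JUMPS[rom[pc]]
    if relative:  # JR: signed 8-bit offset measured from the next instruction
        off = struct.unpack("b", rom[pc + 1:pc + 2])[0]
        return mnem, cond, (pc + 2 + off) & 0xFFFF, pc + 2
    target = rom[pc + 1] | (rom[pc + 2] << 8)  # JP: little-endian absolute address
    return mnem, cond, target, pc + 3

def step_jump(rom, pc, f):
    """Return the PC after executing the conditional jump at pc with flags f."""
    _, cond, target, fallthrough = decode_jump(rom, pc)
    return target if condition_met(cond, f) else fallthrough

# Constructed bank-0 image: these bytes are made up, not the challenge ROM.
SAMPLE_ROM = bytearray(0x4000)
SAMPLE_ROM[0x337C:0x337E] = bytes([0x38, 0xF0])        # JR C,-16 (loop back while C set)
SAMPLE_ROM[0x0150:0x0153] = bytes([0xDA, 0x7C, 0x33])  # JP C,0x337C

def demo():
    """Same instruction with carry set vs. cleared (what toggling C in the debugger does)."""
    return {
        "loop_taken": step_jump(SAMPLE_ROM, 0x337C, FLAG_C),  # 0x336E, jumps back
        "loop_skipped": step_jump(SAMPLE_ROM, 0x337C, 0),     # 0x337E, falls through
    }

if __name__ == "__main__":
    for name, pc in demo().items():
        print(f"{name}: next PC = 0x{pc:04X}")
```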

This is how I manipulated the game: by changing the program's control flow to try to jump into a winner function. After several such steps I ended up on the final stretch to finish the challenge, as you can see below:

By advancing through the next lines of the conversation, we get the flag: