BkP CTF 2013 – Space Game

For this challenge we’re given space_game.nds. A cursory Google search shows that it’s a Nintendo DS ROM, and a strings dump gives us a few interesting values like “keyishere!”. Looking around we found a debugger called No$GBA and grabbed the shareware version of it. Opening the ROM in the debugger, we’re presented with the following:

[Screenshot: Initial State]

Looking through the memory view, we can find our interesting block of strings fairly quickly.

[Screenshot: Memory View]

We also find a second copy of “keyishere!” at 0x2024000 – this is important later. We looked for all references to key{s} by hand and placed a breakpoint on the one we found. A little way above it, we saw some logic referencing the “bad boy” message that is displayed when you enter the wrong button pattern. We nop’d the jmp so that it would display the key{s} message either way. This left the ROM outputting 6 garbage characters followed by “mesux” regardless of the button sequence we input. Immediately I figured it might be “ourgamesux” or something ending in “gamesux,” as that was the only thing that really fit there.

When we broke on the reference to key{s}, we noticed that the “keyishere!” copy had transformed into what appeared to be base64, where the last part never changed. When we changed the first few characters of the base64 representation, we’d sometimes get ASCII characters out, and we kept those. Eventually we got t _ _ gamesux, and from there it’s trivial to guess the key, thegamesux. It’s a lame solution, but it’s a solution.
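Why the last part of that string never changed, and why only the first few characters needed fiddling with, follows from how base64 is laid out: each 4-character group encodes exactly 3 plaintext bytes and is independent of every other group. The block below is an added example written for this write-up, not code from the original authors or the challenge; it assumes the transformation really was standard base64 (the write-up only says it “appeared to be”), and the observed string with a garbled leading group is a constructed stand-in for what was read out of memory.

```python
import base64
import string

# Constructed sample: the key the write-up eventually recovered. Standard
# base64 is an assumption; the page only says the string looked like base64.
KEY = b"thegamesux"


def b64_groups(data: bytes) -> list[str]:
    """Encode data and split the result into its 4-character base64 groups.

    Each group encodes exactly 3 plaintext bytes (the last group may be
    padded with '='), and no group depends on any other group.
    """
    enc = base64.b64encode(data).decode("ascii")
    return [enc[i:i + 4] for i in range(0, len(enc), 4)]


def changed_groups(a: bytes, b: bytes) -> list[int]:
    """Indices of the base64 groups that differ between two plaintexts."""
    ga, gb = b64_groups(a), b64_groups(b)
    return [i for i, (x, y) in enumerate(zip(ga, gb)) if x != y]


def decode_fixed_tail(observed: str, first_stable_group: int) -> tuple[int, bytes]:
    """Decode only the groups that stayed constant in the debugger.

    observed:           the base64-looking string read from memory; the
                        unstable leading groups may hold any 4 characters.
    first_stable_group: index of the first group that never changed.
    Returns (number of plaintext bytes hidden in the unstable groups,
             plaintext of the stable tail).
    """
    groups = [observed[i:i + 4] for i in range(0, len(observed), 4)]
    unknown_bytes = 3 * first_stable_group
    tail = "".join(groups[first_stable_group:])
    return unknown_bytes, base64.b64decode(tail)


def printable_candidates(group: str, position: int) -> list[str]:
    """The 'change one character, keep it if ASCII comes out' step from the
    write-up, made explicit for a single non-padding position of one group.

    Returns every variant of `group` with `position` replaced by a base64
    alphabet character such that the group still decodes to printable ASCII.
    """
    alphabet = string.ascii_letters + string.digits + "+/"
    keep = []
    for c in alphabet:
        cand = group[:position] + c + group[position + 1:]
        raw = base64.b64decode(cand)
        if all(32 <= b < 127 for b in raw):
            keep.append(cand)
    return keep


if __name__ == "__main__":
    # "thegamesux" splits as the|gam|esu|x -> 4 independent groups.
    print(b64_groups(KEY))
    # Replacing only the first 3 bytes touches only group 0.
    print(changed_groups(KEY, b"keygamesux"))
    # With group 0 garbled ("????" is a constructed placeholder), the stable
    # tail still decodes cleanly and tells us exactly 3 bytes are unknown.
    print(decode_fixed_tail("????Z2FtZXN1eA==", 1))
    # First character of group 0 only steers the first plaintext byte.
    print(printable_candidates("dGhl", 0))
```

Running this shows the tail “gamesux” can be read straight out of the stable groups, that exactly three plaintext bytes live in the unstable leading group (matching the t _ _ gamesux pattern), and that only 24 of the 64 possible first characters keep the first byte printable, which is why poking at the leading characters so quickly narrowed things down.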

[Screenshot: Key decrypted]