Påkemån Blå

Published: 2025-04-12
Patchwork hot air balloon in space

Category

Misc Rev

Difficulty

Easy

Description

Katastrofen är nära! Astronauten Rakel Raket, som jobbar ombord på ISS, skulle som vanligt varva ned lite genom att tillbringa eftermiddagen med att gamea lite Pokémon (Blå så klart, för Pokémon är inte Pokémon utan Meowth) på sin GameBoy, när hon upptäcker att Kenneth har lyckats ta över enheten!

Hela eftermiddagen är i fara!

Hon lyckas få ut lite data ut enheten som kanske kan avslöja vad Kenneth haft för sig i systemet. Kan du hjälpa henne?

Notera att formatet på flaggan i den här utmaningen är lite annorlunda. När du submittar flaggan ska den bara innehålla följande tecknen: [A-Z0-9()-].

Provided files

chall.S

main:
  ld hl, .data
  jp $3C49

.data:
  db $00, $85, $8b, $80, $86, $86, $80, $8d, $7f, $80, $91, $9c, $7f, $94, $8d, $83, $94, $93, $51
  db $9a, $89, $80, $86, $e3, $80, $8b, $92, $8a, $80, $91, $e3, $86, $84, $8d, $f7, $9b, $57

Solution

Identifying the GameBoy assembly code

The challenge provides a small snippet of GameBoy Z80 assembly code. The main routine consists of only two instructions:

main:
  ld hl, .data
  jp $3C49

This code simply loads the address of the .data section into the hl register and then jumps to memory address $3C49. If we search online for “Pokémon Blue $3C49”, we find that this is the PrintText function in the Pokémon Red/Blue ROM, suggesting the data section contains an encoded text string that needs to be decoded.

Finding the character mapping

To decode the data, we need to understand how text is encoded in Pokémon Blue. By searching for “Pokémon Blue disassembly” online, we discover the pret/pokered repository, which contains a complete disassembly of the Pokémon Red/Blue ROMs.

Within this repository, the charmap.asm file in the constants/ directory provides the character mapping we need. Here are the relevant character mappings for the challenge:

$00 = "<NULL>"
$51 = "<PARA>" (paragraph break)
$57 = "<DONE>" (text terminator)
$7f = " " (space)
$80 = "A"
$83 = "D"
$84 = "E"
$85 = "F"
$86 = "G"
$89 = "J"
$8a = "K"
$8b = "L"
$8d = "N"
$91 = "R"
$92 = "S"
$93 = "T"
$94 = "U"
$9a = "("
$9b = ")"
$9c = ":"
$e3 = "-"
$f7 = "1"

Decoding the message

Using the character map from the disassembly, we can translate each byte in the .data section into its corresponding character. Going through each byte one by one:

First row:

$00 = "<NULL>"
$85 = "F"
$8b = "L"
$80 = "A"
$86 = "G"
$86 = "G"
$80 = "A"
$8d = "N"
$7f = " " (space)
$80 = "A"
$91 = "R"
$9c = ":"
$7f = " " (space)
$94 = "U"
$8d = "N"
$83 = "D"
$94 = "U"
$93 = "T"
$51 = "<PARA>" (paragraph break)

Second row:

$9a = "("
$89 = "J"
$80 = "A"
$86 = "G"
$e3 = "-"
$80 = "A"
$8b = "L"
$92 = "S"
$8a = "K"
$80 = "A"
$91 = "R"
$e3 = "-"
$86 = "G"
$84 = "E"
$8d = "N"
$f7 = "1"
$9b = ")"
$57 = "<DONE>" (text terminator)

This gives us the following decoded message:

<NULL>FLAGGAN AR: UNDUT<PARA>
(JAG-ALSKAR-GEN1)<DONE>

Formatting the flag

After cleaning up the control characters and following the challenge description that specifies the flag format should only contain [A-Z0-9()-] characters, we determine the flag is: UNDUT(JAG-ALSKAR-GEN1)

Conclusion

This challenge involved reverse engineering a simple GameBoy program containing an encoded message from Pokémon Blue. By identifying that the program used the game’s PrintText function and finding the character mapping from the Pokémon disassembly project, we were able to decode the bytes in the data section. Once properly decoded, the message revealed the flag in the specified format.