Because I feel there is little well-organized information on this topic online, I am sharing my notes here.
Basic introduction
NDS: The Nintendo DS is the third-generation handheld game console released by Nintendo in 2004. Key features include a dual-screen display with a touch screen at the bottom, a microphone for voice input, and Wi-Fi wireless networking. An NDS file is an NDS ROM image, which can be loaded and run on a PC with an emulator. In this case, I used the DeSmuME emulator.
The problem solving
Observe the general function of the question
First, we load the challenge in the emulator and see that it is a game in which three levels must be passed to obtain the flag, as shown in the figure below.
Press Enter to enter the first level.
We can see that data must be entered to pass to the next level. Since DeSmuME cannot set breakpoints for debugging, only the disassembly and register values can be inspected, so we continue with static analysis.
Static analysis preparation
An NDS IDA loader plugin (github.com/EliseZeroTw) is available on GitHub. Once the plugin is installed, the code is recognized. Note that the program contains both ARM7 and ARM9 code; if only the ARM7 code is recognized, you will not see all of the functions in IDA. The plugin pops up a dialog to tell you this. The recognition results are shown below.
A large number of functions have been identified, so the next step is to find the code that processes our input. We can determine this either by static analysis or by observing the value of the PC register while DeSmuME is running.
Locate the processing code location
After entering the first level and waiting for input, the value of PC is 2005B24. We locate this address in IDA, inside the function 2005AD0. I guess this function gets the input. Checking its references shows that there is only one caller; checking the caller's references in turn gives the result shown below (note: stage1, stage2 and stage3 are function names I assigned later; the original program has no symbol table).
Let's go through the functions one by one to see what they do. The following code was found in the function I renamed stage1 (0x2000D4C).
I guess this validates our input. That is the code for stage1. Finding the reference to stage1 leads to the function 0x2002e18, as shown below.
I guess the next function is stage2, and stage3 is verified in the same way later.
stage1
Observe the flow of the function's execution and determine where the comparison takes place.
We obtain the correct input, cuteblueicecube; after entering it we arrive at stage2.
stage2
The second stage is shown below.
My guess is that this level is passed by clicking the words on the picture. Continuing to analyze the stage2 code, we find the following.
We can see the same input-reading function that appeared earlier in stage1.
It ensures that the input is 8 digits, which means you have to click the boxes with numbers on them eight times.
Further down, there is a piece of code that validates this input.
The code implements a set of equations to verify the input, using the function at 2014DB8 for division. Z3 was used here to solve the equations. Once solved, the resulting values can be clicked on the screen to enter the next level. Because the challenge author was not rigorous enough, the equations have multiple solutions. After passing, we enter the third level.
stage3
The third stage is a maze that requires moving the bird to the lower left corner.
In practice, however, we found a wall halfway down and could not move. At this point we recalled that games like Contra, which we played when we were young, had cheat codes, so the author probably set one up here. So we need to look at the code in IDA. The suspicious part was found, as shown below.
I guess this is the cheat code, so next we look at how the code's conditions must be met to get in here.
Here we find that v76 must be assigned these values in a certain order to pass the check. By looking at the code, we know that v76 is the R4 register; then we look at the emulator's key settings.
Pressing the keys corresponding to QWASZX generates the values we need in register R4. The next step is to determine the order.
v121 == 50 && v117 == 30 && v122 == 60 && v118 == 70 && v120 == 40 && v119==80
Finally, the key sequence is xsazwq, and the middle wall disappears. The bird made it to the bottom right corner.
Final
After three stages, the interface is shown below.
Here we can splice our inputs together into the flag. Note that in the third stage we need to submit the real keys of the Nintendo console, so we map the emulator keys to the real Nintendo keys. The final flag is Flag {CuteBlueicecube_1-16-20-6-21-4-16-18_A -X-Y-B-R-L}. Because the second stage has multiple solutions, the second-stage input here is 1-16-20-6-21-4-16-18.
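To make the stage-3 cheat check and the emulator-to-console key translation concrete, here is a small model written for this writeup (it is not code from the challenge or the author). The six expected R4 values and the order xsazwq come from the writeup; which key loads which constant, and the pairing of v117..v122 to press positions, are assumptions constructed so that xsazwq passes; the emulator-to-DS-button table is recovered from the sequence xsazwq and the flag segment A-X-Y-B-R-L.

```python
# Model of the stage-3 cheat code check described in the writeup: each key press
# loads a constant into R4 (v76), and six presses must arrive in a fixed order.

# ASSUMPTION: which emulator key produces which R4 constant. The writeup gives
# only the six values and the winning order xsazwq, so the table is built to match.
KEY_TO_R4 = {"x": 30, "s": 70, "a": 80, "z": 40, "w": 50, "q": 60}

# Expected R4 value per press position. ASSUMPTION: v117..v122 in the quoted
# condition correspond to presses 1..6 in order.
EXPECTED = [30, 70, 80, 40, 50, 60]

# Emulator keyboard key -> real DS button, recovered from the writeup's
# sequence xsazwq and the flag segment A-X-Y-B-R-L.
EMU_TO_NDS = {"x": "A", "s": "X", "a": "Y", "z": "B", "w": "R", "q": "L"}


def cheat_code_accepted(presses: str) -> bool:
    """Return True once the press stream has produced the six expected R4 values
    in order. A wrong key resets progress, as a typical cheat-code state machine
    does; the wrong key may itself start a new attempt."""
    progress = 0
    for key in presses:
        value = KEY_TO_R4.get(key)  # keys outside QWASZX load nothing useful
        if value == EXPECTED[progress]:
            progress += 1
            if progress == len(EXPECTED):
                return True
        else:
            progress = 1 if value == EXPECTED[0] else 0
    return False


def to_nds_buttons(presses: str) -> str:
    """Translate emulator keys into the DS button names used in the flag."""
    return "-".join(EMU_TO_NDS[k] for k in presses)


if __name__ == "__main__":
    seq = "xsazwq"
    print(seq, "accepted:", cheat_code_accepted(seq))  # True
    print("DS buttons:", to_nds_buttons(seq))           # A-X-Y-B-R-L
```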
Summary
The difficulty of the challenge lies mainly in the unusual architecture and the fact that the emulator cannot set breakpoints for debugging. If you know a way around this, please mention it.