Project Sekai - ✅-rev-playtime

playtime - 500 points

Category: Rev Description: You get to play Pokémon Red! How fun. The flag is somewhere in there :) Author: Segal Files:

https://umdctf.io/files/e6e83e1e7e84787528cfa8d6bffc9ede/pokered.gbc?token=eyJ1c2VyX2lkIjoxNDcsInRlYW1faWQiOjY4LCJmaWxlX2lkIjo2OH0.ZEyIAw.-FR0AQ5EASwUxmyxSgw5QbmYlCo

Tags: No tags.

Sutx pinned a message to this channel. 04/28/2023 7:59 PM

@fleming wants to collaborate

@TheBadGod wants to collaborate

There are patched bytes at offsets

[0x14e, 0x280, 0x3f68, 0x3f76, 0x17edd, 0x46d82, 0x46d88, 0x46d8e, 0x46d94, 0x46d9a, 0x46da0, 0x46da6, 0x46dac, 0x46db2, 0x46db8, 0x46dbe, 0x46dc4, 0x46e4b, 0x46e51, 0x46e58, 0x46e5e, 0x46e72, 0x46e78, 0x46e7f, 0x46e92, 0x46e99, 0x46ea0, 0x46ea6, 0x46ead, 0x46eb4, 0x46ebb, 0x46ecf, 0x46ed6, 0x46edc, 0x46ee3, 0x46eea, 0x46ef1, 0x46ef8, 0x46eff, 0x46f06, 0x46f0d, 0x46f14, 0x46f1a, 0x46f21, 0x46f28, 0x46f2f, 0x46f43, 0x46f50, 0x46f63, 0x46f69, 0x46f6f, 0x46f76, 0x46f7c, 0x46f83, 0x46f91, 0x4703e, 0x47045, 0x47053, 0x47059, 0x4705f, 0x47065, 0x4706b, 0x47072, 0x47078, 0x4707f, 0x47085, 0x4708c, 0x47093, 0x4709a, 0x470a1, 0x470a8, 0x64a20, 0x64a23, 0x64a27, 0x64a2b, 0x64a2f, 0x64a33, 0x64a37, 0x64a3b, 0x64a3f, 0x74820, 0x7657e, 0x7665b, 0x766ad, 0x7676e, 0x767ac, 0x767e2, 0x76860, 0x76864, 0x76924]

the two bytes at offset 14e are the games checksum, the two bytes at 0x280 i do not know, the 0x46... ones are in rom bank $11, which contains maps as well as pokedex rating and hidden objects core. The ones at 0x76... are in rom bank $1d, which contains more maps, itemfinder stuff and the vending machine. at locations 0x3f68 and 0x3f76 ther are 4 patched bytes each, which are towards the end in rom bank 0; which probably contains pointers to special functions, https://github.com/pret/pokered/blob/master/data/text_predef_pointers.asm

yes, it overwrites indices 0x23, 0x24, 0x2a, 0x2b in that table, which corresponds to OpenBillsPCText 23 FoundHiddenItemText 24 GameCornerSomeonesKeysText 2a FoundHiddenCoinsText 2b from what i can tell

21:55

and these are the pointers: ['0x685a', '0x6893', '0x6946', '0x694c']

probably need to disassemble the pokemon text scripts

yes, ok, so it seems that the function which normally is at location 7657E was moved to location 7667D to have additional data before the function

22:51

the first changed byte being 0, which is the start of a text script

btw the symbol map if you need it

pokered.sym

602.9 KB

@Violin wants to collaborate

afaict it's something about the hidden coins in the game corner

23:58

will be back shortly

if you get time later also check out misc/Machoke's Flex, we've been trying a bit and it seems more rev than misc (?) but admin said its misc so we arent too sure

00:01

oh lol this chal is the pokemon one. i thought its that macho

ok back

sahuang

if you get time later also check out misc/Machoke's Flex, we've been trying a bit and it seems more rev than misc (?) but admin said its misc so we arent too sure

will do, am close on this one though (I think)

01:35

the 0x280 is actually a map pointer, so in theory i can just tp there

so the index is 0x69

03:13

map data is at offset 0x7657E

first byte there is tileset == 0 second byte is height == 5 third byte is width == 47 pointer to blocks == offset 0x76592 => map data pointer to text pointers == offset 0x658d (Contains a single P => end of text script) pointer to script == offset 0x7658a (Contains a "jp EnableAutoTextBoxDrawing") blocks seems to be an array of size 0x2f*5==235

map data looks like this if i just write the hex values

03:44

and like this if i draw all values < 0x40 as " " and the ones >= 0x40 as #

TheBadGod

used /ctf submit

✅ Well done, challenge solved!