├── README.md
├── space-fights-episode-4.nes
└── src
    └── space-fights.c


/README.md:
--------------------------------------------------------------------------------
1 | # space-fights-ctf
2 | CTF Challenge problem made for NES hackers
3 | 
4 | Tip, you can break the encryption code if you want but that isn't the easiest method of finding the flag
5 | 


--------------------------------------------------------------------------------
/space-fights-episode-4.nes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aedrax/space-fights-ctf/c119230692927e231d7ed49d62bcb60f6125310b/space-fights-episode-4.nes


--------------------------------------------------------------------------------
/src/space-fights.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | Space Fights CTF problem
  3 | Scrolling on the screen does not scroll far enough
  4 | The RE must increase the distance of the scroll
  5 | in order to see the flag, looking at the nametables
  6 | will not be enough to see the flag in plain text.
  7 | */
  8 | 
  9 | #include "neslib.h"
 10 | #include <string.h>
 11 | #define SECRET 100
 12 | // thanks this guy:
 13 | // https://yurisk.info/2017/06/25/binary-obfuscation-string-obfuscating-in-C/index.html
 14 | #define HIDE_LETTER(a) (a) + SECRET
 15 | #define UNHIDE_STRING(str) \
 16 |   do                       \
 17 |   {                        \
 18 |     char *ptr = str;       \
 19 |     while (*ptr)           \
 20 |       *ptr++ -= SECRET;    \
 21 |   } while (0)
 22 | 
 23 | // link the pattern table into CHR ROM
 24 | //#link "chr_generic.s"
 25 | 
 26 | char flag[] = {
 27 |     HIDE_LETTER('f'), HIDE_LETTER('l'), HIDE_LETTER('a'), HIDE_LETTER('g'), HIDE_LETTER('{'),
 28 |     HIDE_LETTER('g'), HIDE_LETTER('r'), HIDE_LETTER('e'), HIDE_LETTER('e'), HIDE_LETTER('d'),
 29 |     HIDE_LETTER('o'), HIDE_LETTER('_'), HIDE_LETTER('s'), HIDE_LETTER('h'), HIDE_LETTER('o'),
 30 |     HIDE_LETTER('t'), HIDE_LETTER('_'), HIDE_LETTER('f'), HIDE_LETTER('i'), HIDE_LETTER('r'),
 31 |     HIDE_LETTER('s'), HIDE_LETTER('t'), HIDE_LETTER('!'), HIDE_LETTER('}'), '\0'};
 32 | int sneaky_variable = SECRET;
 33 | 
 34 | // function to write a string into the name table
 35 | //   adr = start address in name table
 36 | //   str = pointer to string
 37 | void put_str(unsigned int adr, const char *str)
 38 | {
 39 |   vram_adr(adr);                // set PPU read/write address
 40 |   vram_write(str, strlen(str)); // write bytes to PPU
 41 | }
 42 | 
 43 | // function to scroll window up and down until end
 44 | void scroll_demo()
 45 | {
 46 | 
 47 |   int x = 0;  // x scroll position
 48 |   int y = 0;  // y scroll position
 49 |   int dy = 1; // y scroll direction
 50 |   // infinite loop
 51 |   while (1)
 52 |   {
 53 |     // wait for next frame
 54 |     ppu_wait_frame();
 55 |     // update y variable
 56 |     y += dy;
 57 |     // stop scrolling after hitting edge limit
 58 |     if (y >= sneaky_variable)
 59 |       dy = 0;
 60 |     // set scroll register
 61 |     scroll(x, y);
 62 |   }
 63 | }
 64 | 
 65 | // main function, run after console reset
 66 | void main(void)
 67 | {
 68 |   // set palette colors
 69 |   pal_col(0, 0x0D); // black background
 70 |   pal_col(1, 0x00); // white boarder
 71 |   pal_col(2, 0x00); // white nothing
 72 |   pal_col(3, 0x39); // yellow text
 73 | 
 74 |   // write text to name table
 75 |   put_str(NTADR_A(2, 15), "A long time ago,");
 76 |   put_str(NTADR_A(2, 16), "In a NES far, far away...");
 77 |   put_str(NTADR_A(2, 24), "It is a period of civil ");
 78 |   put_str(NTADR_A(2, 25), "war. A seige of 100 Rebel");
 79 |   put_str(NTADR_A(2, 26), "spaceships, striking from a");
 80 |   put_str(NTADR_A(2, 27), "hidden base, have won their");
 81 |   put_str(NTADR_A(2, 28), "first victory against the");
 82 |   put_str(NTADR_A(2, 29), "evil Galactic Empire. But,");
 83 |   put_str(NTADR_C(2, 0), "that was only half of the");
 84 |   put_str(NTADR_C(2, 1), "original Rebel fighters...");
 85 |   put_str(NTADR_C(2, 6), "It would be really awkward");
 86 |   put_str(NTADR_C(2, 7), "if the movie didn't scroll");
 87 |   put_str(NTADR_C(2, 8), "far enough for you to read");
 88 |   put_str(NTADR_C(2, 9), "the entire story...");
 89 |   if (sneaky_variable > SECRET)
 90 |   {
 91 |     UNHIDE_STRING(flag);
 92 |   }
 93 |   
 94 |   // print the flag on the nametable
 95 |   put_str(NTADR_C(2, 19), flag);
 96 | 
 97 |   // enable PPU rendering (turn on screen)
 98 |   ppu_on_all();
 99 | 
100 |   // scroll window back and forth
101 |   scroll_demo();
102 | }
103 | 


--------------------------------------------------------------------------------