├── README.md ├── space-fights-episode-4.nes └── src └── space-fights.c /README.md: -------------------------------------------------------------------------------- 1 | # space-fights-ctf 2 | CTF Challenge problem made for NES hackers 3 | 4 | Tip, you can break the encryption code if you want but that isn't the easiest method of finding the flag 5 | -------------------------------------------------------------------------------- /space-fights-episode-4.nes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aedrax/space-fights-ctf/c119230692927e231d7ed49d62bcb60f6125310b/space-fights-episode-4.nes -------------------------------------------------------------------------------- /src/space-fights.c: -------------------------------------------------------------------------------- 1 | /* 2 | Space Fights CTF problem 3 | Scrolling on the screen does not scroll far enough 4 | The RE must increase the distance of the scroll 5 | in order to see the flag, looking at the nametables 6 | will not be enough to see the flag in plain text. 7 | */ 8 | 9 | #include "neslib.h" 10 | #include 11 | #define SECRET 100 12 | // thanks this guy: 13 | // https://yurisk.info/2017/06/25/binary-obfuscation-string-obfuscating-in-C/index.html 14 | #define HIDE_LETTER(a) (a) + SECRET 15 | #define UNHIDE_STRING(str) \ 16 | do \ 17 | { \ 18 | char *ptr = str; \ 19 | while (*ptr) \ 20 | *ptr++ -= SECRET; \ 21 | } while (0) 22 | 23 | // link the pattern table into CHR ROM 24 | //#link "chr_generic.s" 25 | 26 | char flag[] = { 27 | HIDE_LETTER('f'), HIDE_LETTER('l'), HIDE_LETTER('a'), HIDE_LETTER('g'), HIDE_LETTER('{'), 28 | HIDE_LETTER('g'), HIDE_LETTER('r'), HIDE_LETTER('e'), HIDE_LETTER('e'), HIDE_LETTER('d'), 29 | HIDE_LETTER('o'), HIDE_LETTER('_'), HIDE_LETTER('s'), HIDE_LETTER('h'), HIDE_LETTER('o'), 30 | HIDE_LETTER('t'), HIDE_LETTER('_'), HIDE_LETTER('f'), HIDE_LETTER('i'), HIDE_LETTER('r'), 31 | HIDE_LETTER('s'), HIDE_LETTER('t'), HIDE_LETTER('!'), HIDE_LETTER('}'), '\0'}; 32 | int sneaky_variable = SECRET; 33 | 34 | // function to write a string into the name table 35 | // adr = start address in name table 36 | // str = pointer to string 37 | void put_str(unsigned int adr, const char *str) 38 | { 39 | vram_adr(adr); // set PPU read/write address 40 | vram_write(str, strlen(str)); // write bytes to PPU 41 | } 42 | 43 | // function to scroll window up and down until end 44 | void scroll_demo() 45 | { 46 | 47 | int x = 0; // x scroll position 48 | int y = 0; // y scroll position 49 | int dy = 1; // y scroll direction 50 | // infinite loop 51 | while (1) 52 | { 53 | // wait for next frame 54 | ppu_wait_frame(); 55 | // update y variable 56 | y += dy; 57 | // stop scrolling after hitting edge limit 58 | if (y >= sneaky_variable) 59 | dy = 0; 60 | // set scroll register 61 | scroll(x, y); 62 | } 63 | } 64 | 65 | // main function, run after console reset 66 | void main(void) 67 | { 68 | // set palette colors 69 | pal_col(0, 0x0D); // black background 70 | pal_col(1, 0x00); // white boarder 71 | pal_col(2, 0x00); // white nothing 72 | pal_col(3, 0x39); // yellow text 73 | 74 | // write text to name table 75 | put_str(NTADR_A(2, 15), "A long time ago,"); 76 | put_str(NTADR_A(2, 16), "In a NES far, far away..."); 77 | put_str(NTADR_A(2, 24), "It is a period of civil "); 78 | put_str(NTADR_A(2, 25), "war. A seige of 100 Rebel"); 79 | put_str(NTADR_A(2, 26), "spaceships, striking from a"); 80 | put_str(NTADR_A(2, 27), "hidden base, have won their"); 81 | put_str(NTADR_A(2, 28), "first victory against the"); 82 | put_str(NTADR_A(2, 29), "evil Galactic Empire. But,"); 83 | put_str(NTADR_C(2, 0), "that was only half of the"); 84 | put_str(NTADR_C(2, 1), "original Rebel fighters..."); 85 | put_str(NTADR_C(2, 6), "It would be really awkward"); 86 | put_str(NTADR_C(2, 7), "if the movie didn't scroll"); 87 | put_str(NTADR_C(2, 8), "far enough for you to read"); 88 | put_str(NTADR_C(2, 9), "the entire story..."); 89 | if (sneaky_variable > SECRET) 90 | { 91 | UNHIDE_STRING(flag); 92 | } 93 | 94 | // print the flag on the nametable 95 | put_str(NTADR_C(2, 19), flag); 96 | 97 | // enable PPU rendering (turn on screen) 98 | ppu_on_all(); 99 | 100 | // scroll window back and forth 101 | scroll_demo(); 102 | } 103 | --------------------------------------------------------------------------------