Note: If you are only interested by the solution of the challenge, go directly to Solution below.
This Friday, I participated to Ph0wn, my first IoT CTF, in Sophia Antipolis near Nice in France. I was with my colleague F. My friend N was supposed to be with us, but at the last minute, she had an unexpected problem with her job and was not able to take the plane. Too bad! I really appreciated this CTF. In most CTF, you have to fight to find some space, you are lost looking for passwords and IP addresses to start, there is not enough room, it is very noisy, etc. Not with Ph0wn thanks to their choice of organizing the CTF in the Learning Center of Campus SophiaTech. A really great place with tables of various sizes and plenty of room.
The organization was (almost) perfect (for the almost, see the Conclusion below): when we arrive, someone guides us to a "spot" and gives us the required information (SSID for the Wi-Fi, password, IP address of the score board). The buffet was also incredible with plenty of food, drinks, ... all payed by a sponsor (Fortinet if I remember well).
For the challenges, there were of two types: those with equipment (i.e. with some hardware device) and some without. They were classified depending of their difficulty. But I found this classification not always reliable (regarding the time spend on challenges). There were also a big gap between the easy challenges (done in seconds or a few minutes) and the other ones. As advertised by Ph0wn, it is a really difficult CTF. Hardware is hard. But it was also so interesting. I am also thinking of all the time spend by authors of challenges. Thank you a lot to all of you.
Now the frustration: I was not well prepared, we were a team of only two with few knowledge about this kind of challenges. But more than that, we spend a lot of time on dead ends. Just because we were not well organized and we gave up too soon. We were not confident enough about ourself. We were not the last in the ranking, but not far. So, this Sunday I decided to spend some time on one of the "easy" challenge we were not able to solve.
We get a zip file puckmanb.zip and a few indications: we can play the original game on a Recalbox installed in the Learning Center.
Of course, we have no idea what Recalbox is, but after a few clicks we find it runs old games (mostly from the '80s) and is available on Raspberry Pi and a few other hardware. Great, I have taken lots of hardware and a Raspberry Pi of course. I forget it at home! Holly Britney!! Why not emulating a Raspberry Pi? Yes, sure. After lots of tries, it runs! I mean, Recalbox was running inside our emulated Raspberry Pi. What it was sooooo slow. Dead end! Let's find something else. Why not emulate Pac-Man directly. We found Pac-Man Emulator from Simon Owen and his pacemu_14 release. After some difficulties to construct the disk image (missing dependencies, ...)., we finally get a disk image. And now what? Yes what? F, do you remember exactly what we try to do? We get a disk image for a..."SAM Coupé", a British computer from the '80s (never heard about it). What we do now? Emulate the computer to emulate Pac Man and run it? It is late (midnight), we give up! Big FAIL.
So this Sunday, I try again this challenge. I also got some hints on Saturday from some of my former colleagues that solved the challenge. So let's find an emulator running on Windows or macOS. And, this time, not a emulator running on some odd hardware. I quickly find MAME. It runs on macOS but you need to install manually SDL2. I lost some time understanding how it works (the UI is not so obvious) and how to add a game. Simple: just put the puckmanb.zip file into the roms folder. Now let's run it:
Then I get a message saying:
There is probably a checksum somewhere and since the ROM files have been modified (to hide the flags), the checksums do not match. But it is possible to continue despite the message.
So it runs. But how to play? I spend some time finding that you have to press 5 and then 1 (for player one). Otherwise, it runs in "demo" mode. After playing a while, it is clear that some messages are hidden under the dots you have to eat:
It is also clear that to get the flag, you have to win one or more levels. And I am very bad at this game. There is probably a way to cheat, isn't it? Searching MAME and cheat gives several results. In particular the Pugsy's Cheats website with collections of cheats files under MAME Cheat File. The exact version of MAME I am running is not listed, so I choose the most recent one: XML Cheat Collection for MAME 0.200 (Release Date: 12th August 2018). I read some documentation to know how to install this cheats. It is simple: first unzip the file and copy the file cheat.7z in the same folder than MAME. Then run again MAME. When the game starts, I press Tab to get a menu:
From there, I choose Cheat and... got this message:
No! And they classify this challenge as "easy"? Mmm. This time, no question to give up until I found the solution. So we have a file cheat.7z. Let's try to understand what's in it. I decompress it and it gives 136'443 files (!) Searching puckman* give a few results and in particular puckmanb.xml. This file contains:
<mamecheat version="1"> <cheat desc=" "/> <cheat desc="This game hasn't got any cheats, however there is a"/> <cheat desc="clone/parent/sibling of this game which has cheats."/> </mamecheat> <!-- Cheat file downloaded from http://www.mamecheat.co.uk, see cheat.txt for list of contributors. -->
This is the message displayed. It says "however there is a clone/parent/sibling of this game which has cheats". I am not sure it will work (maybe addresses or offsets are not the same), but why not trying to use these "clone/parent/sibling" cheats? So I copy puckman.xml and rename it as puckmanb.xml (overriding the existing one). Then I recompress the files using:
7z a cheat.7z cheat
I replace cheat.7z in the folder of MAME by this one. Starting again MAME, then Puck Man, it works!
So many cheats! Let's activate Invicibility and Enable Speed Hack (just select the item and press the Right key). This time, it is very easy to play the game and discover all the messages:
At level 4, you find the 1st flag:
Yes, it was easy from a technical perspective. No reverse, no hardware to plug, etc. But it take some time to get the result. It shows also that a key to success in CTF is to never give up and also sometimes stop and think: what are we doing, why and for what?
I also learn something about Pac-Man: it was called Puck Man when it was released in 1980 and later renamed Pac-Man.
Level 2 involves probably some Z80 reverse engineering. Z80 was the first processor I worked with (in 1982). So I will try to solve Level 2 and write a post about it. I got also one of the hardware challenges thanks to Baldanos. It is also an "easy" one but nobody was able to solve it. So I will try it and write some post.
I have only one negative remark about the organization of Ph0wn: the music. Or more accurately, these aggressive noises called music by young people. Next year, choose good music like Britney Spears, Katy Perry and Miley Cyrus.
And to conclude my conclusion: Thanks a lot to the organizers of this event. Special thanks to Axelle Apvrille and to my former colleagues. It was great to see them again and discuss. Thanks also to all the authors of the challenges. See you there next year.
English US