add wp for rev-chase

Author: yasarjames

rev-chase/README.md

@@ -0,0 +1,52 @@
+# chase (47 solves)
+
+The players receive a nes rom file. This game is modified from the original game "chase" made by [Shiru](https://shiru.untergrund.net/software.shtml#nes).
+
+You can download the source code and the original version, which is very helpful for solving this challenge.
+
+## Modifications
+
+- Hide the flag pt.1 in the winning screen.
+- Extend the game to hidden level 6, which contains the flag pt.2.
+- Adding some new tiles in CHR-ROM, which represent the flag pt.3.
+
+Additionally, I add some constraints to make it more challenging.
+
+But in general, this challenge is very easy.
+
+## A Easy Way to Solve
+
+Using the emulator like [FCEUX](https://fceux.com/web/home.html) is very easy to run the game rom.
+
+## Flag pt.1
+
+The game is not difficult, and you can easily play to win. ~~But as a CTFer, you must use another way to solve it.~~
+
+FCEUX provides debugger, memory viewer, cheats and other useful tools. You can just modify the score to easily win the game.
+
+## Flag pt.3
+
+The flag pt.3 is hidden in the CHR-ROM. You can use the PPU viewer in FCEUX to view the CHR-ROM.
+
+## Flag pt.2
+
+### Intended
+
+To get into the hidden level 6, you need to modify the game's code to bypass the check. There are many ways to do this.
+
+1. Use the debugger to step through the program.
+2. Use the IDA Pro to disassemble the code. (The IDA Pro can't load the nes rom directly, you need to use the loader from [https://github.com/Jinmo/nesldr-py](https://github.com/Jinmo/nesldr-py).)
+
+Change the jump condition and you can easily enter the hidden level 6.
+
+~~It is my fault not to add any hint for hidden level.~~
+
+### Unintended
+
+Some players use the hex editor to find the corresponding code of flag pt.1 in the winning screen, and find the flag pt.2 in the game rom.
+
+Just replace the flag pt.1 with the pt.2 and win the game again to get the flag pt.2.
+
+This is not the intended way, but it is also a valid way to solve this challenge.
+
+~~I will obfuscate the flag next time.~~

rev-chase/src/compile.bat

@@ -0,0 +1,17 @@
+@echo off
+
+set name="chase.nes"
+
+set path=%path%;D:\CTF\Tools\famicom\cc65-snapshot-win64\bin
+
+cc65 -Oi game.c --add-source
+ca65 crt0.s
+ca65 game.s
+
+ld65 -C nrom_128_horz.cfg -o %name% crt0.o game.o nes.lib
+
+pause
+
+del *.o
+@REM del game.s
+

rev-chase/src/crt0.s

@@ -0,0 +1,266 @@
+; startup code for cc65 and neslib
+; based on code by Groepaz/Hitmen <[email protected]>, Ullrich von Bassewitz <[email protected]>
+
+;v050517
+
+
+
+FT_DPCM_OFF = __DMC_START__			;set in the linker CFG file via MEMORY/DMC section
+									;'start' there should be $c000..$ffc0, in 64-byte steps
+FT_SFX_STREAMS = 4			        ;number of sound effects played at once, 1..4
+
+.define FT_DPCM_ENABLE  0			;undefine to exclude all DMC code
+.define FT_SFX_ENABLE   1			;undefine to exclude all sound effects code
+
+
+
+    .export _exit,__STARTUP__:absolute=1
+	.import initlib,push0,popa,popax,_main,zerobss,copydata
+
+; Linker generated symbols
+	.import __RAM_START__   ,__RAM_SIZE__
+	.import __ROM0_START__  ,__ROM0_SIZE__
+	.import __STARTUP_LOAD__,__STARTUP_RUN__,__STARTUP_SIZE__
+	.import	__CODE_LOAD__   ,__CODE_RUN__   ,__CODE_SIZE__
+	.import	__RODATA_LOAD__ ,__RODATA_RUN__ ,__RODATA_SIZE__
+	.import __DMC_START__
+	.import NES_MAPPER,NES_PRG_BANKS,NES_CHR_BANKS,NES_MIRRORING
+    .include "zeropage.inc"
+
+
+
+FT_BASE_ADR		=$0100	;page in RAM, should be $xx00
+
+.define FT_THREAD       1	;undefine if you call sound effects in the same thread as sound update
+.define FT_PAL_SUPPORT	1   ;undefine to exclude PAL support
+.define FT_NTSC_SUPPORT	1   ;undefine to exclude NTSC support
+
+
+PPU_CTRL			=$2000
+PPU_MASK			=$2001
+PPU_STATUS			=$2002
+PPU_OAM_ADDR		=$2003
+PPU_OAM_DATA		=$2004
+PPU_SCROLL			=$2005
+PPU_ADDR			=$2006
+PPU_DATA			=$2007
+PPU_OAM_DMA			=$4014
+DMC_FREQ			=$4010
+CTRL_PORT1			=$4016
+CTRL_PORT2			=$4017
+
+OAM_BUF				=$0200
+PAL_BUF				=$01c0
+
+
+
+.segment "ZEROPAGE"
+
+NTSC_MODE: 			.res 1
+FRAME_CNT1: 		.res 1
+FRAME_CNT2: 		.res 1
+VRAM_UPDATE: 		.res 1
+NAME_UPD_ADR: 		.res 2
+NAME_UPD_ENABLE: 	.res 1
+PAL_UPDATE: 		.res 1
+PAL_BG_PTR: 		.res 2
+PAL_SPR_PTR: 		.res 2
+SCROLL_X: 			.res 1
+SCROLL_Y: 			.res 1
+SCROLL_X1: 			.res 1
+SCROLL_Y1: 			.res 1
+PAD_STATE: 			.res 2		;one byte per controller
+PAD_STATEP: 		.res 2
+PAD_STATET: 		.res 2
+PPU_CTRL_VAR: 		.res 1
+PPU_CTRL_VAR1: 		.res 1
+PPU_MASK_VAR: 		.res 1
+RAND_SEED: 			.res 2
+FT_TEMP: 			.res 3
+
+TEMP: 				.res 11
+
+PAD_BUF				=TEMP+1
+
+PTR					=TEMP	;word
+LEN					=TEMP+2	;word
+NEXTSPR				=TEMP+4
+SCRX				=TEMP+5
+SCRY				=TEMP+6
+SRC					=TEMP+7	;word
+DST					=TEMP+9	;word
+
+RLE_LOW				=TEMP
+RLE_HIGH			=TEMP+1
+RLE_TAG				=TEMP+2
+RLE_BYTE			=TEMP+3
+
+
+
+.segment "HEADER"
+
+    .byte $4e,$45,$53,$1a
+	.byte <NES_PRG_BANKS
+	.byte <NES_CHR_BANKS
+	.byte <NES_MIRRORING|(<NES_MAPPER<<4)
+	.byte <NES_MAPPER&$f0
+	.res 8,0
+
+
+
+.segment "STARTUP"
+
+start:
+_exit:
+
+    sei
+    ldx #$ff
+    txs
+    inx
+    stx PPU_MASK
+    stx DMC_FREQ
+    stx PPU_CTRL		;no NMI
+
+initPPU:
+
+    bit PPU_STATUS
+@1:
+    bit PPU_STATUS
+    bpl @1
+@2:
+    bit PPU_STATUS
+    bpl @2
+
+clearPalette:
+
+	lda #$3f
+	sta PPU_ADDR
+	stx PPU_ADDR
+	lda #$0f
+	ldx #$20
+@1:
+	sta PPU_DATA
+	dex
+	bne @1
+
+clearVRAM:
+
+	txa
+	ldy #$20
+	sty PPU_ADDR
+	sta PPU_ADDR
+	ldy #$10
+@1:
+	sta PPU_DATA
+	inx
+	bne @1
+	dey
+	bne @1
+
+clearRAM:
+
+    txa
+@1:
+    sta $000,x
+    sta $100,x
+    sta $200,x
+    sta $300,x
+    sta $400,x
+    sta $500,x
+    sta $600,x
+    sta $700,x
+    inx
+    bne @1
+
+	lda #4
+	jsr _pal_bright
+	jsr _pal_clear
+	jsr _oam_clear
+
+    jsr	zerobss
+	jsr	copydata
+
+    lda #<(__RAM_START__+__RAM_SIZE__)
+    sta	sp
+    lda	#>(__RAM_START__+__RAM_SIZE__)
+    sta	sp+1            ; Set argument stack ptr
+
+	jsr	initlib
+
+	lda #%10000000
+	sta <PPU_CTRL_VAR
+	sta PPU_CTRL		;enable NMI
+	lda #%00000110
+	sta <PPU_MASK_VAR
+
+waitSync3:
+	lda <FRAME_CNT1
+@1:
+	cmp <FRAME_CNT1
+	beq @1
+
+detectNTSC:
+	ldx #52				;blargg's code
+	ldy #24
+@1:
+	dex
+	bne @1
+	dey
+	bne @1
+
+	lda PPU_STATUS
+	and #$80
+	sta <NTSC_MODE
+
+	jsr _ppu_off
+
+	ldx #<music_data
+	ldy #>music_data
+	lda <NTSC_MODE
+	jsr FamiToneInit
+
+.if(FT_SFX_ENABLE)
+	ldx #<sounds_data
+	ldy #>sounds_data
+	jsr FamiToneSfxInit
+.endif
+
+	lda #$fd
+	sta <RAND_SEED
+	sta <RAND_SEED+1
+
+	lda #0
+	sta PPU_SCROLL
+	sta PPU_SCROLL			
+	sta PPU_OAM_ADDR
+
+	jmp _main			;no parameters
+
+	.include "neslib.s"
+
+.segment "RODATA"
+
+music_data:
+	.include "music.s"
+
+.if(FT_SFX_ENABLE)
+sounds_data:
+	.include "sounds.s"
+.endif
+
+.segment "SAMPLES"
+
+.if(FT_DPCM_ENABLE)
+	.incbin "music.dmc"
+.endif
+
+.segment "VECTORS"
+
+    .word nmi	;$fffa vblank nmi
+    .word start	;$fffc reset
+   	.word irq	;$fffe irq / brk
+
+
+.segment "CHARS"
+
+	.incbin "tileset.chr"