So let’s get their secret!

$ file gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat
gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat: Gameboy ROM: "FLUX", [ROM ONLY], ROM: 256Kbit

WTF?! A GameBoy ROM! After some searching I found an explanation of the opcodes and a quite nice emulator with debugger called NO$GMB.

The game starts by showing a cowboy, however after some time it shows another screen that requests to type the secret password.

gameboy1

gameboy2

This was a nice point to break the execution and step instruction by instruction (note that CP instructions are particularly interesting as they are comparisons).

Walkthrough:

  • At 0x0D7E there’s a jr nz, 0x0D83. If we press any button we jump, otherwise we don’t. This checks if we pressed a button or not, so we always need to jump. We can change the zero flag using the checkbox next to “z”.
  • At 0x0D89 there’s another jump. The condition probably checks if we already pressed correctly the whole sequence (0x0D long). We can just bypass the check and pretend we already inserted all the sequence by setting the zero flag to 1.
  • At this point I noticed that there was a call 0x0200 that could be interesting and was not reached without tweaking the flags. To reach it at 0x0EC1 the zero flag needs to be set to 0.
  • At 0x0ECC we don’t need to jump in order to reach the following jr 0x0ED4 that ends up calling 0x0200, so set the zero flag to 1.

And ta-daahh! Here’s the flag :)

gameboy3

fox