Posted on by and filed under CSAW Finals 2015.


This year at CSAW Finals, Vector35 contributed an entire NES/Famicom RPG as a challenge category. One challenge was solving the puzzle of the mysterious “Blox Cave” – a room of 24 urns that need to be activated in a certain combination in order to open the door to the flag.

All of the teams were given a ROM of the game with the flags stripped out and debug symbols included, along with a custom version of Binary Ninja and instructions to use FCEUX as the emulator. Following the challenge category's instructions, we find the Blox Cave in the top left corner of the map, full of urns.

In total, there are 24 urns that can be activated or deactivated – 2^24 possibilities, so guessing is out of the question. Brute forcing, however, should be fine – let’s find out where the code to check urn answers is.

Searching for the code that runs when we try to open the top door brings us to the bigdoor_interact subroutine:


So when check_blocky_state returns 0, it spawns a horde of fat zombies. If not, the door opens – patching the cmp instruction confirms this. So what does check_blocky_state look like, exactly?


1005 lines of bitwise fun stuff! Essentially, each column of urns is one nibble, one bit per urn, which means there are three bytes of input, and a whole bunch of operations are then run against the user's input. Totally brute-forcible.

After pasting the hex of the subroutine into an online 6502 disassembler and translating each of the x_bit subroutines to D functions, I made a Python script to translate the whole subroutine to D. Here's the gist with both the Python script and the Dlang code to brute-force the solution:

After running it for a couple of seconds, we have the solution!

[email protected] ~/pwn/csaw $ ./pwn_brute
Solvin' time!
Done with 0:ff:ff
Done with 1:ff:ff
Done with 2:ff:ff
Done with 3:ff:ff
Done with 4:ff:ff
Done with 5:ff:ff
Done with 6:ff:ff
Done with 7:ff:ff
Done with 8:ff:ff
Done with 9:ff:ff
Done with a:ff:ff
Done with b:ff:ff
Done with c:ff:ff
Done with d:ff:ff
Done with e:ff:ff
Done with f:ff:ff
Done with 10:ff:ff
Done with 11:ff:ff
Done with 12:ff:ff
Done with 13:ff:ff
Done with 14:ff:ff
Done with 15:ff:ff
Done with 16:ff:ff
Done with 17:ff:ff
Done with 18:ff:ff
Done with 19:ff:ff
Done with 1a:ff:ff
Done with 1b:ff:ff
Done with 1c:ff:ff
Done with 1d:ff:ff
Done with 1e:ff:ff
Done with 1f:ff:ff
Done with 20:ff:ff
Done with 21:ff:ff
Done with 22:ff:ff
Done with 23:ff:ff
SOLUTION 24:c8:78
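To make the approach concrete, here is an added example (written for this page; it is not the write-up's Python translator, its D brute-forcer, or any code from the game) showing the two pieces the write-up relies on: walking all 2^24 three-byte inputs against a check routine while reporting progress per high byte, and packing/unpacking the 24 urn states as six nibbles in three bytes. Everything in it is an assumption: the 6-by-4 urn layout, the bit order within a nibble, and toy_check, a constructed stand-in for check_blocky_state with one planted answer. The real 1005-line check is not reproduced.

```python
# Added example, not the write-up's code: brute-forcing a 24-bit urn combination
# and mapping the three answer bytes back onto the urn grid.
# Assumptions (constructed for this example, not taken from the game):
#   - 24 urns = 6 columns of 4; each column is one nibble, bit 0 = top urn
#   - columns pack left to right, first column in the high nibble of byte 0
#   - toy_check() stands in for check_blocky_state and has one planted answer
from typing import Callable, List, Optional, Tuple

COLUMNS = 6
ROWS = 4

Combo = Tuple[int, int, int]   # the three input bytes, as in "24:c8:78"


def rol8(v: int, n: int) -> int:
    """8-bit rotate left: the sort of primitive an x_bit helper would wrap."""
    n &= 7
    return ((v << n) | (v >> (8 - n))) & 0xFF


# Constructed stand-in for check_blocky_state. The bytes are chained so the
# answer cannot be recovered one byte at a time, but the chain is triangular
# (hence invertible), so exactly one combination returns non-zero.
_TARGET = (0x08, 0x11, 0xE1)   # derived from the planted answer 01:c8:78


def toy_check(b0: int, b1: int, b2: int) -> int:
    """Returns non-zero (door opens) only for the planted combination."""
    x = rol8(b0, 3)
    y = rol8(b1, 5) ^ x
    z = rol8(b2, 1) ^ y
    return 1 if (x, y, z) == _TARGET else 0


def brute_force(check: Callable[[int, int, int], int],
                progress: Optional[Callable[[str], None]] = None) -> Optional[Combo]:
    """Try every 24-bit input; report after each 64K block, like the write-up's tool."""
    for b0 in range(256):
        for b1 in range(256):
            for b2 in range(256):
                if check(b0, b1, b2):
                    return (b0, b1, b2)
        if progress:
            progress(f"Done with {b0:x}:ff:ff")
    return None


def bytes_to_urns(b0: int, b1: int, b2: int) -> List[List[bool]]:
    """Unpack three bytes into six columns of four urn states (assumed bit order)."""
    nibbles = [b0 >> 4, b0 & 0xF, b1 >> 4, b1 & 0xF, b2 >> 4, b2 & 0xF]
    return [[bool((nib >> row) & 1) for row in range(ROWS)] for nib in nibbles]


def urns_to_bytes(grid: List[List[bool]]) -> Combo:
    """Inverse of bytes_to_urns: six columns of urn states back into three bytes."""
    nibbles = [sum(1 << row for row in range(ROWS) if col[row]) for col in grid]
    return tuple((nibbles[i] << 4) | nibbles[i + 1] for i in (0, 2, 4))


def render_urns(b0: int, b1: int, b2: int) -> str:
    """ASCII picture of the grid: X = activated urn, . = deactivated; one row per line."""
    grid = bytes_to_urns(b0, b1, b2)
    return "\n".join("".join("X" if grid[c][r] else "." for c in range(COLUMNS))
                     for r in range(ROWS))


if __name__ == "__main__":
    print("Solvin' time!")
    found = brute_force(toy_check, progress=print)
    print("SOLUTION " + ":".join(f"{b:x}" for b in found))
    # The write-up's real answer, drawn under the assumed layout.
    print(render_urns(0x24, 0xC8, 0x78))
```

The search order (high byte outermost) is what produces the "Done with N:ff:ff" progress lines; with a real 1005-instruction check translated to a compiled language, the full 2^24 sweep is the "couple of seconds" the write-up mentions, whereas the toy check here stops early because its planted answer sits at 01:c8:78.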

Inputting said solution into the emulator, we get a combination of urns:

After walking over to the NES, inserting Knightsec’s cartridge, and putting in the solution, we saw a flag to submit on the CRT screen. (Bonus: my tired face)