Hack.lu CTF 2011 Write-up : Scotty's last signal

Tue 27 September 2011 by jj

Another writeup for the excellent Hack.lu 2011 Capture The Flag contest. This one was very unusual, based on a patched NES rom of Super Mario Bros 1.

Scotty's last signal

You might have heard about Montgomery Scott, the legendary chief
engineer of the U.S.S. Enterprise. What you probably did not know is
his passion for Video Games - especially really old classics. We
recently lost contact with his transport shuttle and we think you
should examine this old game file we recently recieved because he
might have just put a message into there. This would make sense if
he could not send a fully blown Space-Unicode message signal to
avoid attracting any Borg ships in the sector... (Borg usually are
very bad at video games)
 His passion for Beaming and Warping might be of interest for
your analysis.

The linked file is a NES rom image, based on the Mario 1 all-time classic game from Nintendo.

The first two levels have been heavily edited, adding numerous foes and traps.

The game features a secret passage in world 1-2, but the way to reach the warp zone seems to have vanished. So the first idea that comes to mind is that we have to finish the game the long way, and when done we should be rewarded with the secret passphrase.

However when we finish the game, the end is the classic one.

On a second try, and using the hint given in the challenge introduction, we see that the elevator to get to the warp zone is simply delayed, and that we can indeed reach this area with the right timing. There, the secret passphrase is displayed on the wall.

Here is the short version showing the challenge solution :

Please note that for more hex-oriented people, other solutions exists: [blog.bedford.org]

The video was done using fceux/tasedit

Download the rom https://ctf.hack.lu/files/mario