I found an old blu-ray disc with a game on it so I decided to dump it, can you find anything
interesting inside of it?
We are given a game.pkg file containing what is presumably a game. A quick google search of PPU yields some results for PS3 architecture.
I wasn't the first on my team to work on this challenge. Those that started before me determined that the game could be run using the RPCS3 PS3 emulator. After booting the game in RPCS3, it turned out to be a Celeste clone:
My team then spent a lot of time trying to play the game and beat it, thinking that maybe the flag would be at the end of the game. This effort was honestly very impressive because I tried playing the game and it was practically impossible.
They also spent some time trying to use Cheat Engine to help them beat the game. All of these efforts were to no avail, as eventually they beat the game and no flag was present.
Eventually, I started working on the challenge and after getting familiarized and trying various ideas, we found something promising: https://github.com/jjant/runty8#examples. It was a repository containing what seemed like the exact same game. This must be what the challenge authors used.
We then noticed that after searching for the contents of map.txt from the Celeste example, it was present in the game package, but modified with seemingly more data. Perhaps they added a hidden level?
At this point we set out to find a way to get arbitrary level write. Reading the main.rs source, we find the following snippet:
fn title_screen(game_state: &mut GameState, pico8: &Pico8) {
game_state.got_fruit = vec![false; 30];
game_state.frames = 0;
game_state.deaths = 0;
game_state.max_djump = 1;
game_state.start_game = false;
game_state.start_game_flash = 0;
// music(40,0,7)
load_room(game_state, pico8, 7, 3)
}
If we could patch the game package to modify the load_room() call, we could obtain arbitrary level write. After some searching, I found the following function in Ghidra:
It seems they also modified the coordinates for the title screen. In any case though, by tweaking the parameters at 00011b44 and 00011b48, we would be able to load any level we wanted.
It took some time to get a patch working. RPCS3 claimed to have patch functionality built in, but attempts at this didn't work for whatever reason.
Eventually, I was able to extract EBOOT.bin file from game.pkg, extract EBOOT.elf from EBOOT.bin, patch EBOOT.elf, and run it in RPCS3 and this method was ultimately successful, allowing me to load an arbitrary level instead of the title screen.
At this point, I just had to bruteforce level indices until I found the right one. The correct answer was (6, 4), which yielded the flag:
This challenge ultimately got 4 solves, which isn't surprising given there wasn't much direction provided by the description. I had a good time learning about PS3 architecture, though frankly I don't want to touch it again for a very long time.
There was also a companion challenge to this called Jumping on the SPU, which I spent some time on, but I had already pulled an all nighter and I just didn't have the energy to finish it.