Challenge / GamePwn

Nostalgia

Nostalgia is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Medium · Published 2024-08-21 · Sanitized local writeup

Scenario

Nostalgia attack path


Objective

Challenge walkthrough focused on GamePwn evidence, validation, and reusable operator lessons.

Nostalgia sanitized attack graph

Walkthrough flow

  01. Extract the GBA ROM from the HTB archive and inspect...
  02. Identify that Start submits the accumulated input...
  03. Recover the relevant button weights and produce a...
  04. Follow the success branch to the image renderer...
  05. Decode the 240x160 row-RLE indexed success bitmap and...

Source coverage

High source coverage

Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • GamePwn/Nostalgia/writeup.md
  • htb-challenge/GamePwn/Nostalgia/notes.md
  • htb-challenge/GamePwn/Nostalgia/memory-summary.md
  • htb-challenge/GamePwn/Nostalgia/hypothesis-board.md

Technical Walkthrough

Writeup

Challenge

  • Name: Nostalgia
  • Category: GamePwn
  • Difficulty: Medium
  • Mode: file

Summary

The ROM accepts a GBA-button cheatcode that is validated as a weighted sum. Static analysis found the submit check, a valid short input sequence, and the renderer call used on success. I decoded the success-screen image asset directly from the ROM and used OCR to place the flag candidate in loot/, then captured it through the harness.

Artifact Inventory

  • files/a12c734f-8659-4963-893f-2ddff73eea4d.zip: original HTB archive.
  • analysis/extracted/Nostalgia.gba: extracted GBA ROM.
  • analysis/extracted/instructions.txt: states that Select clears input and Start submits the cheatcode.
  • No remote service was involved.

Analysis

  • RAG did not return useful Nostalgia-specific guidance, so the solve relied on local ROM analysis.
  • The ROM polls the GBA keypad register at 0x04000130; the relevant disassembly is recorded in analysis/keyinput-function-disasm.txt.
  • The Start submit path compares the accumulated score with 0xf3.
  • The input handler allows up to eight normal button presses before submit.
  • Recovered button weights include A=0x03, B=0x0e, Left=0x6e, Right=0x3a, Up=0x28, and Down=0x0c.
  • A valid short cheatcode is A, B, Left, Right, Right, which sums to 0xf3.
  • On success, the ROM calls the image renderer with source 0x02008aac, corresponding to ROM file offset 0x8aac.
  • The success asset is a 240x160 indexed bitmap using per-row RLE and an embedded 256-color RGB palette. The rendered success screen contains the flag.
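The submit check described in the bullets above, modelled as an added Python example (this is not the ROM's code and not the challenge solver): the six button weights, the 0xf3 target, the eight-press limit and the Select/Start behaviour are taken from these notes; the validator's state-machine shape, the assumption that the accumulator does not wrap within eight presses, and the shortest-sequence search are assumptions made for illustration.

```python
"""Model of the Nostalgia submit check as described in the notes.

Added illustration, not the ROM's code or the writeup's solver. Weights,
target, press limit and Select/Start semantics come from the notes; the
state-machine shape and the absence of accumulator wrap are assumptions.
"""
from collections import deque

# Button weights recovered in the writeup (only these six are listed).
WEIGHTS = {"A": 0x03, "B": 0x0E, "Left": 0x6E, "Right": 0x3A, "Up": 0x28, "Down": 0x0C}
TARGET = 0xF3      # value the Start handler compares the accumulator against
MAX_PRESSES = 8    # normal presses accepted before submit


class CheatcodeValidator:
    """Assumed model: Select clears, Start submits, other buttons accumulate."""

    def __init__(self):
        self.score = 0
        self.presses = 0

    def press(self, button):
        """Feed one button; return True only on a successful Start submission."""
        if button == "Select":
            self.score, self.presses = 0, 0
            return False
        if button == "Start":
            ok = self.score == TARGET
            self.score, self.presses = 0, 0
            return ok
        if self.presses >= MAX_PRESSES:
            return False            # assumption: surplus presses are ignored
        self.score += WEIGHTS[button]   # assumption: no wrap within 8 presses
        self.presses += 1
        return False


def accepts(sequence):
    """True if pressing `sequence` then Start is accepted by a fresh validator."""
    v = CheatcodeValidator()
    results = [v.press(b) for b in list(sequence) + ["Start"]]
    return results[-1]


def shortest_cheatcode():
    """Breadth-first search over accumulator values for the shortest accepted input.

    Because the check is a plain sum, the order of presses is irrelevant, so
    any path found is valid; BFS by depth guarantees it is a shortest one.
    """
    seen = {0: []}
    frontier = deque([0])
    while frontier:
        score = frontier.popleft()
        path = seen[score]
        if len(path) >= MAX_PRESSES:
            continue
        for name, weight in WEIGHTS.items():
            nxt = score + weight
            if nxt > TARGET or nxt in seen:
                continue
            seen[nxt] = path + [name]
            if nxt == TARGET:
                return seen[nxt]
            frontier.append(nxt)
    return None


def count_accepting_sequences():
    """Count ordered press sequences of length <= MAX_PRESSES that Start accepts."""
    ways = {0: 1}
    total = 0
    for _ in range(MAX_PRESSES):
        nxt = {}
        for score, n in ways.items():
            for weight in WEIGHTS.values():
                s = score + weight
                if s <= TARGET:
                    nxt[s] = nxt.get(s, 0) + n
        total += nxt.get(TARGET, 0)
        ways = nxt
    return total


if __name__ == "__main__":
    code = shortest_cheatcode()
    print("shortest accepted input:", code, "sum =", hex(sum(WEIGHTS[b] for b in code)))
    print("ordered sequences accepted within", MAX_PRESSES, "presses:", count_accepting_sequences())
```

The sequence count is the point of the model: a weighted accumulator accepts every ordering of A, B, Left, Right, Right plus longer inputs such as Left, Left, A, A, A, B, so the check has many colliding inputs and the shortest one falls out of a small search rather than guessing.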

Solve

Run:

```bash
cd <local workspace>
python3 solve/decode_success_screen.py
```

The script decodes the success-screen asset and writes the rendered image to loot/success-screen.png. OCR of the rendered image produced an HTB-format candidate in loot/flag-candidate.txt; manual pixel-crop review was used to correct the ambiguous middle glyph before capture.

```bash
python3 <local workspace> capture-flag <local workspace> --from loot/flag-candidate.txt
```

Raw flag material is kept in loot/ only.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • For small GBA homebrew challenges, static Thumb disassembly around <secret redacted> can be faster than emulator-driven guessing.
  • A submit check may validate a numeric accumulator rather than a single literal string.
  • Rendered success assets can contain the flag even when no plaintext HTB{ string exists in the ROM.
  • Keep rendered flag-bearing screenshots in loot/, not analysis/.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Nostalgia
  • Category: GamePwn
  • Difficulty: Medium
  • Mode: file
  • Remote instance: none
  • Start time: 2026-06-15T04:10:00Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| files/a12c734f-8659-4963-893f-2ddff73eea4d.zip | 44175 | <hash redacted> | Zip archive data, at least v2.0 to extract, compression method=deflate | zip entries: 2 shown in artifact inventory JSON |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-15T04:10:00Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-15T04:10:12Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-15T04:10:28Z | hypothesis recorded | hypothesis-board.md | Reverse the GBA ROM cheat-code validation path and recover the expected cheatcode/flag from constants or comparison logic. | Medium | Extract ROM metadata and strings, then search for input/check/flag text and inspect ARM/Thumb code around referenced strings. |
| 2026-06-15T04:10:28Z | checkpoint recorded | analysis/checkpoint-triage-20260615T041028744514Z-4ba0aa5c.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-06-15T04:10:51Z | RAG query | analysis/rag/rag-query-20260615T041038367909Z-d7bbe3b2.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-15T04:11:56Z | RAG record | analysis/rag-records.md | Retrieved memory tagged MISSING | Medium | Validate or reject with live evidence |
| 2026-06-15T04:11:56Z | instrumentation plan | analysis/instrumentation-plan.md | Recover the cheatcode accepted by the GBA ROM without manual guessing. | High | After static analysis identifies two conflicting candidate codes or no validation path after bounded disassembly, checkpoint and request emulator/debugger tooling instead of blind guessing. |
| 2026-06-15T04:19:46Z | research record | analysis/research/research-records.md | Research tagged MATCHED | Medium | Validate against current evidence |
| 2026-06-15T04:19:46Z | evaluator | analysis/evaluator-20260615T041946126418Z-bcd2eb32.md | Proceed | High | capture-flag from loot/flag-candidate.txt |
| 2026-06-15T04:19:46Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-15T04:21:38Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
| 2026-06-15T04:25:27Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-15T04:25:27Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

  • The GBA ROM validates submitted input by comparing a weighted button-score accumulator against 0xf3.
  • A valid short cheatcode is A, B, Left, Right, Right.
  • The success path renders a 240x160 indexed bitmap asset from ROM file offset 0x8aac.
  • solve/decode_success_screen.py decodes that row-RLE success asset and writes flag-bearing rendered images under loot/.
  • Harness flag capture succeeded; raw flag value is stored only in loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

```bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: GamePwn
  • Challenge: Nostalgia
  • Difficulty: Medium
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

  1. Extract the GBA ROM from the HTB archive and inspect the keypad handler around <secret redacted> (0x04000130).
  2. Identify that Start submits the accumulated input score and compares it against 0xf3.
  3. Recover the relevant button weights and produce a valid short cheatcode whose weights sum to 0xf3.
  4. Follow the success branch to the image renderer source pointer 0x02008aac, mapping to ROM file offset 0x8aac.
  5. Decode the 240x160 row-RLE indexed success bitmap and its embedded RGB palette.
  6. Extract the flag visually/OCR from the decoded success screen and capture it through the harness.
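Steps 4 and 5 of the chain above, and the matching Analysis bullet on the success asset, are illustrated by the added Python example below. It is not solve/decode_success_screen.py and it does not reproduce the ROM's real encoding: the 240x160 size, the per-row RLE and the embedded 256-color RGB palette come from these notes, while the concrete byte layout (a 768-byte RGB palette first, then for each row a list of (run_length, palette_index) byte pairs that must sum to exactly 240) is an assumed format chosen to show the decoding approach, including the bounds checks a decoder needs before it trusts run lengths from a binary blob. The sample asset is constructed inside the script.

```python
"""Row-RLE indexed bitmap: encode a constructed asset, decode it, emit a PNG.

Added example for this writeup. Not solve/decode_success_screen.py and not
the ROM's real layout; the palette-then-runs byte format is an assumption.
"""
import struct
import zlib

WIDTH, HEIGHT = 240, 160          # GBA screen size, as in the notes
PALETTE_BYTES = 256 * 3           # assumed: 256 RGB triples precede the pixel runs


def encode_rows(pixels):
    """Encode HEIGHT rows of WIDTH palette indices as per-row (run, index) pairs."""
    out = bytearray()
    for row in pixels:
        if len(row) != WIDTH:
            raise ValueError("row width mismatch")
        i = 0
        while i < WIDTH:
            idx = row[i]
            run = 1
            while i + run < WIDTH and row[i + run] == idx and run < 255:
                run += 1
            out += bytes((run, idx))
            i += run
    return bytes(out)


def decode_asset(blob):
    """Return (palette, rows) from the assumed layout, refusing malformed runs."""
    if len(blob) < PALETTE_BYTES:
        raise ValueError("asset shorter than palette")
    palette = [tuple(blob[i:i + 3]) for i in range(0, PALETTE_BYTES, 3)]
    pos = PALETTE_BYTES
    rows = []
    for _ in range(HEIGHT):
        row = []
        while len(row) < WIDTH:
            if pos + 2 > len(blob):
                raise ValueError("truncated run data")
            run, idx = blob[pos], blob[pos + 1]
            pos += 2
            if run == 0 or len(row) + run > WIDTH:
                # A run that crosses the row end is corrupt input; never extend past it.
                raise ValueError("run overflows row")
            row.extend([idx] * run)
        rows.append(row)
    return palette, rows


def to_png(palette, rows):
    """Serialise the decoded image as an 8-bit RGB PNG using only the stdlib."""
    # One filter byte (0 = None) precedes each scanline of RGB triples.
    raw = b"".join(b"\x00" + bytes(c for idx in row for c in palette[idx]) for row in rows)

    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    ihdr = struct.pack(">IIBBBBB", WIDTH, HEIGHT, 8, 2, 0, 0, 0)   # depth 8, colour type 2 (RGB)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def sample_asset():
    """Constructed test asset: grey-ramp palette, dark background, one bright bar."""
    palette = bytes(v for i in range(256) for v in (i, i, i))
    rows = [[15] * WIDTH for _ in range(HEIGHT)]
    for y in range(70, 90):
        rows[y][40:200] = [255] * 160
    return palette + encode_rows(rows), rows


def round_trip():
    """Encode, decode and render the sample; return (pixels_match, palette_ok, png_bytes)."""
    blob, expected = sample_asset()
    palette, rows = decode_asset(blob)
    return rows == expected, palette[255] == (255, 255, 255), to_png(palette, rows)


if __name__ == "__main__":
    ok, pal_ok, png = round_trip()
    print("round trip:", ok and pal_ok, "png bytes:", len(png))
    with open("success-screen-sample.png", "wb") as fh:
        fh.write(png)
```

Reading the renderer's loop in the disassembly is what fixes the real layout (run-byte order, row terminators, palette position); the decoder above keeps those choices in one place so they can be swapped once the ROM's format is confirmed, and its bounds checks mean a wrong guess fails loudly instead of producing a silently misaligned image.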

Reusable Lessons

  • For GBA ROM challenges, keypad register xrefs are a strong first anchor when the prompt mentions button input.
  • If strings does not reveal a plaintext flag marker, trace the success branch; the flag may be rendered as an image asset.
  • Row-RLE indexed image formats can be decoded directly from renderer logic, avoiding emulator setup.
  • Flag-bearing screenshots should be stored in loot/, not analysis/.

Dead Ends

  • Private CTF RAG had no useful Nostalgia-specific prior solve context.
  • Plain string and XOR-prefix searches did not reveal a plaintext flag.

Tool Quirks

  • tesseract worked after point-resizing the 240x160 success screen.
  • The ImageMagick convert command is available but warns that magick is preferred in IMv7.

Evidence Paths

  • analysis/keyinput-function-disasm.txt
  • analysis/input-weight-model.txt
  • analysis/static-validation.md
  • solve/decode_success_screen.py
  • loot/success-screen.png
  • loot/flag.txt

Ingestion Decision

  • Proposed for LightRAG: yes
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Reverse the GBA ROM cheat-code validation path and recover the expected cheatcode/flag from constants or comparison logic. | Archive contains Nostalgia.gba and instructions.txt; scenario says a Game Boy Advance flash card asks for a cheatcode. | | Extract ROM metadata and strings, then search for input/check/flag text and inspect ARM/Thumb code around referenced strings. | Medium | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|

Technical analogy

How to remember this solve

Think of the game like an arcade cabinet with a score counter behind the glass. The solve is finding where the game stores state and reading or changing it at the right moment.

For Nostalgia, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.