This challenge gave us a NES ROM. After launching it in the NES emulator/debugger FCEUX, we found that it eventually asks us to input a 24-character password.
We can find that our input is stored at memory addresses 0x05 ~ 0x1D. At first I thought the program would simply take our input and do some CMP operations to check the password's correctness. But after some runtime analysis, I realized there is no such operation, which means the program might use some special operations to check the password.
So I decided to set a hardware breakpoint. Using the method described in this article, we can set a read breakpoint at address 0x05, which tells FCEUX to pause the program whenever there is a memory read at 0x05. Once it hits the breakpoint, we can step through the assembly line by line and figure out what operations are performed for the password check.
After some reversing and dynamic analysis, I finally figured out the password-checking logic and implemented it with the following Python code:
Now that we have the constraint system, it's time to summon the powerful Z3:
Finally, we get the password (which is also the flag): NOHACK4UXWRATHOFKFUHRERX