Game Cartridges: Vol 2⚓︎
Difficulty:
Direct link: https://gamegosling.com/vol2-akHB27gg6pN0/index.html?&challenge=gameboy2
Objective⚓︎
Request
Find the second Gamegosling cartridge and beat the game
Hints⚓︎
Gameboy 2
From: Tinsel Upatree
1) This feels the same, but different! 2) If it feels like you are going crazy, you probably are! Or maybe, just maybe, you've not yet figured out where the hidden ROM is hiding. 3) I think I may need to get a DIFFerent perspective. 4) I wonder if someone can give me a few pointers to swap.
Gameboy 2
From: Tinsel Upatree
Try poking around Pixel Island. There really aren't many places you can go here, so try stepping everywhere and see what you get!
Finding the Gameboy Cartridge⚓︎
Our quest for the second Gameboy cartridge brings us to the icy and treacherous caverns of Driftbit Grotto. Pixelated columns support various unreachable levels, while the websocket message "AAANNNDD_SCENE" gently whispers:
"item": [
{
"id": "gameboy2",
"x": 3,
"y": 20,
"z": 1,
"hash": "2401f65dc8222fc67aa20311f1b98c40"
}
],
On the map, this is the left end of the level we start. We walk there and - lo and behold - obtain this treasure.
We find the URL for downloading the cartridge watching the developer console when starting the built-in game boy simulator: game0.gb
But where is the mysterious hidden ROM?
After long travels all over Geese Islands, we come to the conclusion that it is not here. But might it be in the Internet? And why is this gb-file called game0.gb? Could there be a game1.gb?
wget https://gamegosling.com/vol2-akHB27gg6pN0/rom/game1.gb
--2024-01-02 21:25:29-- https://gamegosling.com/vol2-akHB27gg6pN0/rom/game1.gb
Resolving gamegosling.com (gamegosling.com)... 34.111.189.107
Connecting to gamegosling.com (gamegosling.com)|34.111.189.107|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/octet-stream]
Saving to: ‘game1.gb’
game1.gb [ <=> ] 128,00K 222KB/s in 0,6s
2024-01-02 21:25:35 (222 KB/s) - ‘game1.gb’ saved [131072]
And indeed - we can download the hidden cartridge from the same path as game0.gb!
Playing the Game(s)⚓︎
Playing both cartridges in the BGB emulator, we find that in both, our elfin character is stopped by T-wiz, speaking Gandalf's famous words "You shall not pass".
As if we were a Balrog...
The difference between the games is that in "game0.gb", we start below a tree line, but cannot reach the upper part, while in "game1.gb", we start out at the top and are prevented from going down.
From the point of view of the bytes of the cartridges, the differences are small. We use wxHexEditor to find all 7:
- One byte at offset 335 - this appears to be in the checksum. A difference here is to be expected.
- 4 Bytes at offset 1427. This is machine code in the ROM. However, the profiler of the BGB debugger insists that this part of the ROM has not been executed until we are stopped by T-wiz.
- One byte at offset 92804
- One byte at Offset 92856
- One byte at Offset 97408
- Two bytes at offset 99598
- Two bytes at offset 99603
We ignore the 1-byte differences (the hint says "pointers", and those should be 16 bit) and copy both the last two 2-byte differences from game1.gb to game0.gb. For this we use the "bless" hex editor; wxHexEditor seems to have issues editing large files.
We start the modified game0 cartridge - and appear right in the formerly unreachable top part!
Why does this work?
I can only guess. The changed bytes must encode the starting position. if changing only one of the two-byte values would have been enough - I have not tested.
A teleporter delivers us in a room with a radio transmitter.
This transmitter is repeatedly playing a sequence of morse beeps spelling
g - l - 0 - r - y
(center character is a zero)
And "gl0ry" is the answer to this challenge!
Answer
gl0ry