mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-23 01:15:59 +00:00
130 lines
2.3 KiB
Markdown
`Taken from my notebook, verbatim`

### Page 5

```
LAGOS
45a0: 0b41 -> 3041 "ret"

WE CAN add #4130, sp
~ MOVE THE STACK ~

0: input [0x1bf]=
1: ret -> 4444 (sp+0x60)
2: Move stack to 2400+1c0
3: Ret -> arbitrary address (i.e. 2400+1c2)
4: Execute arbitrary code
```

### Page 1

```
Lagos Alphanumerics Only
`0x200 B -> #2400`
Password valid range: 8-16 c
Valid chars:
[0-9] [A-Z] [a-z]
30-39 41-5a 61-7a

We have enough chars
to overwrite current
function

1b5 bytes before hitting
current instruction

3041 = ret
45a0 = 0b41
at index 1b5
Control of return addr
-> we can ret to string buffer
bypassing sanitizer!

ret to 2400+1bb
25b5
run code from there!
ret at index 0x11
... we need a JMP to get there.
... all our jumps are positive
```

### Page 2

```
D p
4470 looks like a good place
D 0
for code, or 4430

5a37: jge $-14a ?

Arithmetic instructions
Form addresses with sub?
25 b6 bb25
^lsb
55-30 7a-30(ish)
547a + 3030 =
5630 - 307a = 25bb!
V 0 0 z

We can load from our string:
pop r4 = 3441
"4 A "
-> can be any reg from
0-9: 3r41
add.b = 7x5y
3451 = pop & add to r4

3441 3451
pop r4 add r4
```

### Page 3

```
Instructions in range
30: jn
34: jge
38: jl
3c: jmp

4#: mov
5#: add
6#: addc
7#: subc

Feasible addressing modes
10 @Rn Register indirect
11 @Rn+ RI w/ post-inc

Subtract the stack from pc?
3071 subc @sp+, pc
"Large relative jump"

Alignment in 2400 buffer
is not same as in PC
```

### Page 4

```
What is an alphanumeric character?
[0-9] [A-Z] [a-z]
30-39 41-5a 61-7a

Buffers: 43ed: stack buffer
2400: load buffer

43ed + 0x57: 4444

45a0: last byte copied (1b3 bytes)
&[43ed + 1b3] = 0x30, '0'
43ed + 1c0 = payload

Correction: sp at 43ec before
we gain exec
ret will take sp to 43ee
... we need to create a fake stack
somewhere over in the controllable
zone

The loop only continues if the
FOLLOWING BYTE is valid.
```
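The Page 1 and Page 4 notes record the two facts that make the level's sanitizer insufficient: it accepts only the byte ranges 30-39, 41-5a and 61-7a, and it keeps walking as long as the following byte is valid, so although the stated password length is 8-16 characters, an alphanumeric run of roughly 0x1bf bytes still reaches the 43ed stack buffer and its saved return at +0x57. The C below is an added example, not the level's firmware and not the notebook author's code: it puts a charset-only check (the behaviour the notes describe) next to a check that enforces the length bound before anything is copied. The 8/16 limits come from the notes' "8-16 c"; the 0x57 destination size and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte ranges from the notes: [0-9] 30-39, [A-Z] 41-5a, [a-z] 61-7a.
 * Spelled out as values rather than isalnum() so the result does not
 * depend on the C locale. */
int is_alnum_byte(uint8_t c)
{
    return (c >= 0x30 && c <= 0x39) ||
           (c >= 0x41 && c <= 0x5a) ||
           (c >= 0x61 && c <= 0x7a);
}

/* Charset-only check, as the notes describe the sanitizer: it walks the
 * input until the first invalid byte and never asks how long the input
 * is, so an alphanumeric run of any length passes. */
int charset_only_check(const uint8_t *in, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (!is_alnum_byte(in[i]))
            return 0;
    }
    return 1;
}

#define PW_MIN_LEN 8          /* notes: "Password valid range: 8-16 c" */
#define PW_MAX_LEN 16
#define STACK_BUF_SIZE 0x57   /* assumed: bytes from 43ed to the saved return at 4444 */

/* Hardened check: reject on length first, then on charset, and only then
 * copy into a destination whose size is known. Returns 1 when copied. */
int validate_and_copy(const uint8_t *in, size_t len,
                      uint8_t *dst, size_t dst_size)
{
    if (len < PW_MIN_LEN || len > PW_MAX_LEN)
        return 0;
    if (len >= dst_size)      /* keep room for the terminator */
        return 0;
    if (!charset_only_check(in, len))
        return 0;
    memcpy(dst, in, len);
    dst[len] = 0;
    return 1;
}

int main(void)
{
    uint8_t stack_buf[STACK_BUF_SIZE];

    /* Constructed inputs for the demonstration. */
    const uint8_t good[] = "Passw0rd12";        /* 10 chars, all alphanumeric */
    const uint8_t bad_char[] = "Pass word1";    /* contains 0x20 */
    uint8_t overlong[0x1bf];                    /* the 0x1bf-byte run from the notes */
    memset(overlong, '0', sizeof overlong);

    printf("good:      charset=%d hardened=%d\n",
           charset_only_check(good, 10),
           validate_and_copy(good, 10, stack_buf, sizeof stack_buf));
    printf("bad char:  charset=%d hardened=%d\n",
           charset_only_check(bad_char, 10),
           validate_and_copy(bad_char, 10, stack_buf, sizeof stack_buf));
    printf("overlong:  charset=%d hardened=%d\n",
           charset_only_check(overlong, sizeof overlong),
           validate_and_copy(overlong, sizeof overlong, stack_buf, sizeof stack_buf));
    return 0;
}
```

The overlong case is the one that matters: the charset-only check returns 1 for it, the hardened check returns 0 before a single byte is copied. Ordering the length test ahead of the charset walk also means the validator never reads past the bound it is about to enforce.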