; MSP430 disassembly with reviewer notes. Every "system call" in this image
; is the same inlined sequence: push the arguments, push pc, push sr, put the
; interrupt number into the high byte of sr (swpb) with bit 0x8000 set,
; `call #0x10`, then `pop sr` and `add #0x8, sp` to drop the four pushed words.
; Interrupt numbers seen in this listing (names from the labels below):
; 0x00 putchar, 0x01 getchar, 0x02 getsn, 0x20 rand, 0x7e HSM-2 password check.
0010 <__trap_interrupt>
; Target of every `call #0x10`; it only returns. Whatever the interrupt does
; happens outside this listing.
0010: 3041 ret
; Only runs once (reset entry: the stack is set up before anything else)
4400 <__init_stack>
; sp starts at 0x4400, the address this code itself lives at; pushes move sp
; downward, away from the code image.
4400: 3140 0044 mov #0x4400, sp
4404 <__low_level_init>
; r5 = (low byte of &0x015c) | 0x5a08. r5 is written back to &0x015c on every
; iteration of the copy/clear loops below -- presumably a watchdog kick
; (0x5a is the MSP430 watchdog password byte); confirm against the memory map.
4404: 1542 5c01 mov &0x015c, r5
4408: 75f3 and.b #-0x1, r5        ; byte op on a register: keeps the low byte, clears the high byte
440a: 35d0 085a bis #0x5a08, r5
440e <__do_copy_data>
; .data copy: r15 starts at 0 and is tested immediately, so the loop body
; (0x4a70+r15 -> 0x2400+r15, one word per step, counting down) never runs.
440e: 3f40 0000 clr r15
4412: 0f93 tst r15
4414: 0724 jz $+0x10 <__do_clear_bss+0x0>   ; always taken: nothing to copy
4416: 8245 5c01 mov r5, &0x015c              ; write-back from __low_level_init
441a: 2f83 decd r15
; source region at 0x4a70 (the original note says it holds only zeroes)
441c: 9f4f 704a 0024 mov 0x4a70(r15), 0x2400(r15)
4422: f923 jnz $-0xc <__do_copy_data+0x8>
4424 <__do_clear_bss>
; Zero 0x32 bytes at 0x2400..0x2431 -- the area later used for the prompt
; strings and the username buffer -- writing r5 to &0x015c on every iteration.
4424: 3f40 3200 mov #0x32, r15
4428: 0f93 tst r15
442a: 0624 jz $+0xe <main+0x0>
442c: 8245 5c01 mov r5, &0x015c
4430: 1f83 dec r15
4432: cf43 0024 mov.b #0x0, 0x2400(r15)   ; byte 0x2400+r15, r15 runs 0x31..0
4436: fa23 jnz $-0xa <__do_clear_bss+0x8>
rand_base_0x038: <main>
; Picks a random even base in 0x6000..0xdffe, copies the 0x1000-byte code
; image from 0x4400 there, moves sp to a random spot below the new image and
; calls the relocated aslr_main (base + 0x35c) with r15 = base.
; Register roles: r11 = base, r10 = second random value (stack offset).
main:
4438: b012 1c4a call #0x4a1c <rand> ; r15 = rand()
443c: 0b4f mov r15, r11
443e: 3bf0 fe7f and #0x7ffe, r11    ; keep 15 bits, force even
4442: 3b50 0060 add #0x6000, r11    ; r11 = base, 0x6000..0xdffe
4446: b012 1c4a call #0x4a1c <rand>
444a: 0a4f mov r15, r10
; _memcpy(dst = base, src = 0x4400, n = 0x1000). <_memcpy> reads its
; arguments from the stack: 0x2(sp) = dst, 0x4(sp) = src, 0x6(sp) = n.
444c: 3012 0010 push #0x1000
4450: 3012 0044 push #0x4400
4454: 0b12 push r11
4456: b012 e849 call #0x49e8 <_memcpy>
445a: 3150 0600 add #0x6, sp        ; drop the three argument words
; sp = base + 0xff00 - (r10 & 0xffe), i.e. base - 0x100 minus a random even
; offset of at most 0xffe (16-bit wrap-around).
445e: 0f4a mov r10, r15
4460: 3ff0 fe0f and #0xffe, r15
4464: 0e4b mov r11, r14
4466: 0e8f sub r15, r14
4468: 3e50 00ff add #0xff00, r14
446c: 0d4b mov r11, r13
446e: 3d50 5c03 add #0x35c, r13     ; r13 = relocated aslr_main (base + 0x35c)
4472: 014e mov r14, sp
4474: 0f4b mov r11, r15             ; argument: r15 = base
4476: 8d12 call r13
; falls through into __stop_progExec__ when aslr_main returns
rand_base_0x078: <__stop_progExec__>
; Halt: set SR bits 0x00f0 (the MSP430 low-power / CPU-off bits) and spin.
4478: 32d0 f000 bis #0xf0, sr
447c: fd3f jmp $-0x4 <__stop_progExec__+0x0>
rand_base_0x07e: <__ctors_end>
447e: 3040 6e4a br #0x4a6e <_unexpected_>   ; jump to the reti stub at the end of the image
rand_base_0x082: <_aslr_main>
; _aslr_main(r15 = base of the relocated image), reached from aslr_main.
; Frame after the prologue, sp-relative: +0 word handed to the HSM-2 call,
; +2 saved printf address, +4..+7 unused locals, +8 saved r10, +0xa saved r11,
; +0xc return address.
; Returns r15 = sp + 2, the address of the slot holding the printf pointer.
; Findings, for hardening: (1) the 8-byte username read into 0x2426 is passed
; to printf as its format string; (2) the password read asks getsn for 0x14
; bytes starting at sp + 4, which runs past the 4 bytes of local space into
; the saved registers and the return address; (3) the outcome of the HSM-2
; check is never examined -- "Wrong!" is printed unconditionally.
_aslr_main: ;! args: r15
push r11
push r10
; Eight more bytes on stack
sub #0x8, sp
mov r15, r12
add #0x36a, r12                  ; r12 = relocated printf (base + 0x36a, see <printf>)
mov r12, 0x2(sp)                 ; kept in the frame; its address is the return value

; Zero the original, un-relocated code image 0x4400..0x53ff byte by byte.
clr r14
__delete_code_loop:
mov.b #0x0, 0x4400(r14)
inc r14
cmp #0x1000, r14
jnz $-0xa <__delete_code_loop>

; "Username (8 char max):" -> 0x2402, NUL at 0x2418; the word at 0x2400 is
; 0x17, the byte count including the terminator.
mov.b #0x55, &0x2402
mov.b #0x73, &0x2403
mov.b #0x65, &0x2404
mov.b #0x72, &0x2405
mov.b #0x6e, &0x2406
mov.b #0x61, &0x2407
mov.b #0x6d, &0x2408
mov.b #0x65, &0x2409
mov.b #0x20, &0x240a
mov.b #0x28, &0x240b
mov.b #0x38, &0x240c
mov.b #0x20, &0x240d
mov.b #0x63, &0x240e
mov.b #0x68, &0x240f
mov.b #0x61, &0x2410
mov.b #0x72, &0x2411
mov.b #0x20, &0x2412
mov.b #0x6d, &0x2413
mov.b #0x61, &0x2414
mov.b #0x78, &0x2415
mov.b #0x29, &0x2416
mov.b #0x3a, &0x2417
mov.b #0x0, &0x2418
mov #0x17, &0x2400
mov #0x2402, r14                 ; r14 = current character pointer
clr r11                          ; r11 = 0 = putchar interrupt number
jmp $+0x22 <print_uname_string>
; Print the uname string bytewise: inlined putchar(r13) = INT(0, r13).
; The byte is read at print_uname_string, the pointer advanced here, then
; the byte is printed.
__print_uname_string_l:
inc r14
sxt r13
push r11
push r13
push r11
push pc
push sr
mov r11, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
print_uname_string:
mov.b @r14, r13
tst.b r13
jnz $-0x24 <__print_uname_string_l>

; Print newline: putchar(0xa), with r14 = 0 as the interrupt number
__print_line_feed__1: ; putchar
clr r14
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp

;* Print ">>": r13 = 0xa + 0x34 = 0x3e = '>' (the label says less_than, the
;  byte emitted is '>'), sent twice.
__print_less_than__1: ; putchar
add #0x34, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
__print_less_than__2: ; putchar
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp

;! Gets 8 bytes of user input -> &0x2426: inlined getsn(0x2426, 8) = INT(2, 0x2426, 0x8)
__get_uname_string: ; getsn
mov #0x8, r10
mov #0x2426, r11
mov #0x2, r13
push r10
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (2, 0x2426, 0x8)
pop sr
add #0x8, sp

; r14 is still 0 here: terminate the username at 0x242e (0x2426 + 8), then
; printf(&0x2426) through r12 = base + 0x36a (the <printf> label below).
; The user's bytes are the format string itself -- a format-string bug; a
; fixed build would print the buffer as an argument ("%s") or via puts.
mov.b r14, &0x242e
push r11
call r12 ;! printf(&0x2426): r12 = base + 0x36a, see <printf>
incd sp
mov r11, r15

; Clear the username buffer 0x2426..0x2431 after use.
jmp $+0x8 <clsb_a>
__clsb_a_loop:
mov.b #0x0, 0x0(r15)
inc r15
clsb_a:
cmp #0x2432, r15
jnz $-0xa <__clsb_a_loop>

;! "Password:" -> 0x2403. The byte 0x0a at 0x2402 is printed as well, since
;  the loop below starts at 0x2402 and prints every non-zero byte, so the
;  output is a newline followed by "Password:". Unlike the other two strings
;  no length word is stored at 0x2400 here, so "length 10" in the original
;  note looks like a coincidence (9 chars + NUL = 10).
mov.b #0xa, &0x2402 ; '\n' -- emitted as the first byte of the loop below
mov.b #0x50, &0x2403
mov.b #0x61, &0x2404
mov.b #0x73, &0x2405
mov.b #0x73, &0x2406
mov.b #0x77, &0x2407
mov.b #0x6f, &0x2408
mov.b #0x72, &0x2409
mov.b #0x64, &0x240a
mov.b #0x3a, &0x240b
mov.b #0x0, &0x240c
mov #0x2402, r14 ; r14 = first byte to print

; puts-style loop ("\nPassword:"), same inlined putchar with r12 = 0 as the
; interrupt number
clr r12
jmp $+0x22 <print_passwd_string>
__print_passwd_string:
inc r14
sxt r13
push r12
push r13
push r12
push pc
push sr
mov r12, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (0, r13)
pop sr
add #0x8, sp
print_passwd_string:
mov.b @r14, r13
tst.b r13
jnz $-0x24 <__print_passwd_string>
; newline: putchar(0xa); r14 stays 0 from here on
clr r14
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp

;! Get password from user -> STACK: inlined getsn(sp + 4, 0x14) = INT(2, sp+4, 0x14).
;  Only sp+4..sp+7 is local space; sp+8 holds the saved r10, sp+0xa the saved
;  r11 and sp+0xc the return address (see the prologue), so a 0x14-byte read
;  overruns the frame. A bounded version would pass the local size here or
;  use a dedicated buffer.
__get_pass_string: ; getsn
mov sp, r11
add #0x4, r11
mov #0x14, r12
mov #0x2, r13
push r12
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (2, sp+4, 0x14)
0x2aa:
pop sr
add #0x8, sp

;! Check password with HSM-2: INT(0x7e, r11 = password, r12 = sp). r13 was
;  left at 2 by the getsn sequence, so 2 + 0x7c = 0x7e. The word at sp that
;  r12 points to is never read again in this function, and nothing below
;  depends on the call's outcome.
__check_password: ; conditional_unlock_door
add #0x7c, r13
mov sp, r12
push r12
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp

; "Wrong!" -> 0x2402, length word 7 (6 chars + NUL) at 0x2400. Printed
; regardless of what the HSM-2 call did.
mov.b #0x57, &0x2402
mov.b #0x72, &0x2403
mov.b #0x6f, &0x2404
mov.b #0x6e, &0x2405
mov.b #0x67, &0x2406
mov.b #0x21, &0x2407
mov.b r14, &0x2408 ; r14 is still 0: NUL terminator
mov #0x7, &0x2400 ; length: 7, including the terminator

;* puts ("Wrong!"): r13 = char pointer, r12 = current char, r14 = 0 = interrupt number
mov #0x2402, r13
jmp $+0x22 <_aslr_main+0x2a2>
__print_wrong_string: ; puts ("Wrong!")
inc r13
sxt r12
push r14
push r12
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
print_wrong_string:
mov.b @r13, r12
tst.b r12
jnz $-0x24 <_aslr_main+0x282>
; print newline: putchar(0xa)
clr r14
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
mov sp, r14

; r15 = r14 + 2 = sp + 2: the address of the slot holding the printf pointer
; (`push r14; pop r15` is just a register move).
incd r14
push r14
pop r15
4754:
add #0x8, sp              ; drop the 8-byte local area
pop r10
pop r11
ret
rand_base_0x35c: <aslr_main>
; aslr_main(r15 = base): calls the relocated _aslr_main (base + 0x82) with
; r15 untouched, then halts the CPU the same way __stop_progExec__ does.
aslr_main:
475c: 0e4f mov r15, r14
475e: 3e50 8200 add #0x82, r14      ; r14 = base + 0x82 = relocated _aslr_main
4762: 8e12 call r14
; SR |= 0x00f0 (low-power / CPU-off bits): execution stops here
4764: 32d0 f000 bis #0xf0, sr
4768: 3041 ret
aslr_base_0x36a: <printf>
; printf(fmt, ...) -- arguments on the stack (the caller pushes them, see
; `push r11; call r12` in _aslr_main).
; Frame: r4 = sp at entry (points at the return address), so 0x2(r4) = fmt
; and 0x4(r4) = first variadic argument; -0x10(r4) holds the saved sp.
; Pass 1 counts the '%' conversions in fmt ("%%" is skipped) into r14 and
; copies that many argument words from the caller's frame into a local array
; (r11). Pass 2 walks fmt again: plain bytes -> putchar, "%%" -> '%',
; "%s" -> string argument, "%x" -> 4 zero-padded hex digits, "%n" -> stores
; the running output count (r12) through the argument pointer. Any other
; byte after '%' prints nothing but still consumes an argument slot.
; Review notes:
;  - %n is an unconditional write primitive; with a caller-controlled fmt
;    (as in _aslr_main) this is an arbitrary-write bug. Hardened printf
;    implementations drop %n.
;  - The "%%" path in pass 2 jumps to printf+0x162 (`incd r11`) although
;    pass 1 did not count it, so each "%%" shifts later conversions by one
;    argument.
;  - Pass 1 counts conversions only; the copy loop then reads r14 words from
;    the caller frame regardless of how many were actually pushed.
;  - A fmt ending in '%' reaches printf+0x162 with the terminator as the
;    conversion byte, and `inc r10` then steps past the NUL.
; Register roles in pass 2: r10 = fmt cursor, r11 = next argument word,
; r12 = bytes written so far, r13 = 0 (putchar interrupt number), r6 = 9,
; r7 = '%', r8/r9 scratch.
printf:
; Save registers
push r11
push r10
push r9
push r8
push r7
push r6
push r4
; Create a new stack frame of 0xe bytes
mov sp, r4
add #0xe, r4                     ; r4 = sp at entry = address of the return address
; Get the first argument
decd sp                          ; one local word
mov 0x2(r4), r10                 ; r10 = fmt
mov sp, -0x10(r4)                ; save sp in that local; restored before the pops
mov r10, r15
; --- pass 1: r14 = number of conversions ---
clr r14
jmp $+0x18 <__target_1> +3a      ; -> printf+0x3a: read the first byte
inc r15                          ; printf+0x24, loop head; r13 = byte at r15-1
cmp.b #0x25, r13                 ; was it '%'?
jnz $+0x10 <__target_1> +3a
cmp.b @r15, r13                  ; "%%"?
jnz $+0x8 <__target_2> +36
__target_4:                      ; "%%": skip the second '%', do not count it
inc r15
clr r13
jmp $+0x4 <__target_3> +38       ; -> printf+0x38, `add r13, r14` with r13 = 0
__target_2:
mov #0x1, r13
add r13, r14                     ; r14++
__target_3:
mov.b @r15, r13
tst.b r13
jnz $-0x1a <__target_4> +24      ; -> printf+0x24 (`inc r15`), not __target_4
; --- allocate 2*r14 + 2 bytes and copy the argument words ---
mov r14, r15
add r15, r15
incd r15
sub r15, sp
mov sp, r11                      ; r11 = local argument array
mov r4, r12
add #0x4, r12                    ; r12 = first variadic argument in the caller frame
mov sp, r15
clr r13
jmp $+0xc <printf+0x5e>
mov @r12, 0x0(r15)               ; printf+0x54
inc r13
incd r15
incd r12
cmp r14, r13                     ; printf+0x5e
jl $-0xc <printf+0x54>           ; signed: while r13 < r14
; --- pass 2 ---
clr r12                          ; r12 = output byte count (the value %n stores)
mov #0x9, r6                     ; r6 = 9, hex digit threshold
mov r12, r13                     ; r13 = 0 = putchar interrupt number
mov #0x25, r7                    ; r7 = '%'
jmp $+0xf8 <printf+0x166>
inc r10                          ; printf+0x70, loop head; r15 = current byte
cmp.b #0x25, r15
jz $+0x26 <printf+0x9c>
inc r12

__target_1:                      ; ordinary byte: putchar(r15)
mov.b r15, r14
sxt r14
push r13
push r14
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
jmp $+0xcc <printf+0x166>
mov.b @r10, r14                  ; printf+0x9c: r14 = conversion byte
cmp.b r15, r14
jnz $+0x22 <printf+0xc2>
inc r12                          ; "%%": putchar('%')
push r13
push r7
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
jmp $+0xa2 <printf+0x162>        ; -> `incd r11`: consumes an argument slot (see notes)
cmp.b #0x73, r14                 ; 's'
jnz $+0x32 <printf+0xf8>
mov @r11, r14                    ; r14 = string argument
clr r8                           ; r8 = 0 = putchar interrupt number
jmp $+0x24 <printf+0xf0>
inc r12                          ; printf+0xce: one byte of the string
inc r14
sxt r9
push r8
push r9
push r8
push pc
push sr
mov r8, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
mov.b @r14, r9                   ; printf+0xf0
tst.b r9
jnz $-0x26 <printf+0xce>
jmp $+0x6c <printf+0x162>
cmp.b #0x78, r14                 ; printf+0xf8: 'x'
jnz $+0x5a <printf+0x156>
mov @r11, r14                    ; r14 = value to print
mov #0x4, r9                     ; 4 nibbles, most significant first
jmp $+0x4a <printf+0x14c>
mov r14, r15                     ; printf+0x104: r15 = top nibble of r14
swpb r15
and #0xff, r15
clrc
rrc r15
rra r15
rra r15
rra r15
cmp r15, r6                      ; 9 - nibble
jl $+0xa <printf+0x122>          ; nibble > 9 -> 'a'..'f'
mov r15, r8
add #0x30, r8                    ; '0' + nibble
jmp $+0x8 <printf+0x128>
mov r15, r8
add #0x57, r8                    ; 'a' - 10 + nibble
push r13                         ; printf+0x128: putchar(r8)
push r8
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
add r14, r14                     ; r14 <<= 4
add r14, r14
add r14, r14
add r14, r14
add #-0x1, r9                    ; printf+0x14c
cmp #-0x1, r9
jnz $-0x4c <printf+0x104>        ; body runs 4 times (r9 = 3, 2, 1, 0)
add #0x4, r12                    ; 4 bytes written
jmp $+0xe <printf+0x162>
cmp.b #0x6e, r14                 ; printf+0x156: 'n'
jnz $+0x8 <printf+0x162>
mov @r11, r15
mov r12, 0x0(r15)                ; %n: *(argument) = bytes written so far
incd r11                         ; printf+0x162: next argument slot
inc r10                          ; skip the conversion byte
mov.b @r10, r15                  ; printf+0x166
tst.b r15
jnz $-0xfa <printf+0x70>
mov -0x10(r4), sp                ; release the argument array
incd sp                          ; and the local word
pop r4
pop r6
pop r7
pop r8
pop r9
pop r10
pop r11
ret
;;;
; Solver scratch (Python-like pseudo-code, not part of the firmware and not
; assembled with the rest of the file). The offsets it uses are the
; aslr_base_... markers recorded in this listing. Kept verbatim.
def bypass (printf_loc):
aslr_base = printf_loc - 0x36a;
print(b'%n%x'.hex())
print(f"{b'AAAA1011'.hex()}{aslr_base+0x56c:x}7f7f{aslr_base+0x4f4:x}")
;;;
aslr_base_0x4ec: <_INT>
; _INT(n, ...): the interrupt number is taken from the stack (0x2(sp), the
; word just above the return address); any further arguments stay where the
; caller pushed them. Same trap sequence as the inlined copies elsewhere.
_INT:
48ec: 1e41 0200 mov 0x2(sp), r14
48f0: 0212 push sr
48f2: 0f4e mov r14, r15
aslr_base_0x4f4:                   ; offset marker: image base + 0x4f4
48f4: 8f10 swpb r15                ; interrupt number into the high byte of sr
48f6: 024f mov r15, sr
48f8: 32d0 0080 bis #0x8000, sr
48fc: b012 1000 call #0x10
4900: 3241 pop sr
4902: 3041 ret
aslr_base_0x504: <INT>
; INT(r15 = interrupt number, r14 = arg1, r13 = arg2): register-argument
; wrapper around the trap. Pushes arg2, arg1, number, pc, sr; the
; `add #0x8, sp` after the trap drops the four words below sr.
INT:
4904: 0c4f mov r15, r12
4906: 0d12 push r13
4908: 0e12 push r14
490a: 0c12 push r12
490c: 0012 push pc
490e: 0212 push sr
4910: 0f4c mov r12, r15
4912: 8f10 swpb r15                ; number -> high byte of sr
4914: 024f mov r15, sr
4916: 32d0 0080 bis #0x8000, sr
491a: b012 1000 call #0x10
491e: 3241 pop sr
4920: 3152 add #0x8, sp
4922: 3041 ret
aslr_base_0x524: <putchar>
; putchar(r15 = c): INT(0, c); returns c in r15.
putchar:
4924: 0e4f mov r15, r14
4926: 0d43 clr r13                 ; r13 = 0 = interrupt number and second argument
4928: 0d12 push r13
492a: 0e12 push r14
492c: 0d12 push r13
492e: 0012 push pc
4930: 0212 push sr
4932: 0f4d mov r13, r15
4934: 8f10 swpb r15
4936: 024f mov r15, sr
4938: 32d0 0080 bis #0x8000, sr
493c: b012 1000 call #0x10
4940: 3241 pop sr
4942: 3152 add #0x8, sp
4944: 0f4e mov r14, r15            ; return the character
4946: 3041 ret
aslr_base_0x548: <getchar>
; getchar(): INT(1, &local, 0) with a 2-byte stack local as the destination;
; returns the byte that landed there, sign-extended, in r15.
getchar:
4948: 2183 decd sp                 ; 2-byte local receives the character
494a: 0d43 clr r13
494c: 1e43 mov #0x1, r14           ; interrupt number 1
494e: 0c41 mov sp, r12             ; r12 = &local
4950: 0d12 push r13
4952: 0c12 push r12
4954: 0e12 push r14
4956: 0012 push pc
4958: 0212 push sr
495a: 0f4e mov r14, r15
495c: 8f10 swpb r15
495e: 024f mov r15, sr
4960: 32d0 0080 bis #0x8000, sr
4964: b012 1000 call #0x10
4968: 3241 pop sr
496a: 3152 add #0x8, sp
496c: 6f41 mov.b @sp, r15          ; read the byte from the local
496e: 8f11 sxt r15
4970: 2153 incd sp
4972: 3041 ret
aslr_base_0x574: <getsn>
; getsn(r15 = buf, r14 = n): INT(2, buf, n). Nothing here relates n to the
; size of buf; callers are responsible for bounding it.
getsn:
4974: 0d4f mov r15, r13
4976: 2c43 mov #0x2, r12           ; interrupt number 2
4978: 0e12 push r14
497a: 0d12 push r13
497c: 0c12 push r12
497e: 0012 push pc
4980: 0212 push sr
4982: 0f4c mov r12, r15
4984: 8f10 swpb r15
4986: 024f mov r15, sr
4988: 32d0 0080 bis #0x8000, sr
498c: b012 1000 call #0x10
4990: 3241 pop sr
4992: 3152 add #0x8, sp
4994: 3041 ret
aslr_base_0x596: <puts>
; puts(r15 = s): putchar every byte up to the NUL, then putchar('\n');
; returns 0 in r15 (r14 is cleared before the newline and copied to r15).
; Register roles: r14 = byte pointer, r13 = current byte, r12 = 0 = interrupt number.
puts:
4996: 0e4f mov r15, r14
4998: 0c43 clr r12
499a: 103c jmp $+0x22 <puts+0x26>
499c: 1e53 inc r14                 ; puts+0x6: advance, then print the byte read below
499e: 8d11 sxt r13
49a0: 0c12 push r12
49a2: 0d12 push r13
49a4: 0c12 push r12
49a6: 0012 push pc
49a8: 0212 push sr
49aa: 0f4c mov r12, r15
49ac: 8f10 swpb r15
49ae: 024f mov r15, sr
49b0: 32d0 0080 bis #0x8000, sr
49b4: b012 1000 call #0x10
49b8: 3241 pop sr
49ba: 3152 add #0x8, sp
49bc: 6d4e mov.b @r14, r13         ; puts+0x26
49be: 4d93 tst.b r13
49c0: ed23 jnz $-0x24 <puts+0x6>
; trailing newline
49c2: 0e43 clr r14
49c4: 3d40 0a00 mov #0xa, r13
49c8: 0e12 push r14
49ca: 0d12 push r13
49cc: 0e12 push r14
49ce: 0012 push pc
49d0: 0212 push sr
49d2: 0f4e mov r14, r15
49d4: 8f10 swpb r15
49d6: 024f mov r15, sr
49d8: 32d0 0080 bis #0x8000, sr
49dc: b012 1000 call #0x10
49e0: 3241 pop sr
49e2: 3152 add #0x8, sp
49e4: 0f4e mov r14, r15            ; r15 = 0
49e6: 3041 ret
aslr_base_0x5e8: <_memcpy>
; _memcpy with stack arguments: 0x2(sp) = dst, 0x4(sp) = src, 0x6(sp) = n
; (bytes). Forward byte-by-byte copy, r15 = index. n = 0 copies nothing
; because the compare runs before the first store. No return value is set.
memcpy:
49e8: 1c41 0600 mov 0x6(sp), r12   ; r12 = n
49ec: 0f43 clr r15
49ee: 093c jmp $+0x14 <_memcpy+0x1a>
49f0: 1e41 0200 mov 0x2(sp), r14   ; _memcpy+0x8: r14 = dst + i
49f4: 0e5f add r15, r14
49f6: 1d41 0400 mov 0x4(sp), r13   ; r13 = src + i
49fa: 0d5f add r15, r13
49fc: ee4d 0000 mov.b @r13, 0x0(r14)
4a00: 1f53 inc r15
4a02: 0f9c cmp r12, r15            ; _memcpy+0x1a
4a04: f523 jnz $-0x14 <_memcpy+0x8>
4a06: 3041 ret
aslr_base_608: <_bzero>
; _bzero(r15 = buf, r14 = n): zero n bytes starting at buf; n = 0 writes nothing.
bzero:
4a08: 0d43 clr r13                 ; r13 = index
4a0a: 053c jmp $+0xc <_bzero+0xe>
4a0c: 0c4f mov r15, r12            ; _bzero+0x4: r12 = buf + index
4a0e: 0c5d add r13, r12
4a10: cc43 0000 mov.b #0x0, 0x0(r12)
4a14: 1d53 inc r13
4a16: 0d9e cmp r14, r13            ; _bzero+0xe
4a18: f923 jnz $-0xc <_bzero+0x4>
4a1a: 3041 ret
aslr_base_0x61c: <rand>
; rand(): INT(0x20, 0, 0). The callers in main use r15 as the result; nothing
; in this listing writes r15 after the trap (`mov r15, r15` is a no-op), so
; the value must be delivered by the trap itself -- TODO confirm.
rand:
4a1c: 0e43 clr r14
4a1e: 3d40 2000 mov #0x20, r13     ; interrupt number 0x20
4a22: 0e12 push r14
4a24: 0e12 push r14
4a26: 0d12 push r13
4a28: 0012 push pc
4a2a: 0212 push sr
4a2c: 0f4d mov r13, r15
4a2e: 8f10 swpb r15
4a30: 024f mov r15, sr
4a32: 32d0 0080 bis #0x8000, sr
4a36: b012 1000 call #0x10
4a3a: 3241 pop sr
4a3c: 3152 add #0x8, sp
4a3e: 0f4f mov r15, r15            ; no-op
4a40: 3041 ret
aslr_base_0x642: <conditional_unlock_door>
; conditional_unlock_door(r15 = password): INT(0x7e, password, &local) with a
; 2-byte stack local as the second argument. The local is never read back and
; r15 is cleared before returning, so callers cannot learn the outcome from
; the return value.
conditional_unlock_door:
4a42: 2183 decd sp                 ; 2-byte local
4a44: 0e4f mov r15, r14            ; r14 = password
4a46: 3d40 7e00 mov #0x7e, r13     ; interrupt number 0x7e
4a4a: 0c41 mov sp, r12             ; r12 = &local
4a4c: 0c12 push r12
4a4e: 0e12 push r14
4a50: 0d12 push r13
4a52: 0012 push pc
4a54: 0212 push sr
4a56: 0f4d mov r13, r15
4a58: 8f10 swpb r15
4a5a: 024f mov r15, sr
4a5c: 32d0 0080 bis #0x8000, sr
4a60: b012 1000 call #0x10
4a64: 3241 pop sr
4a66: 3152 add #0x8, sp
4a68: 0f43 clr r15                 ; always returns 0
4a6a: 2153 incd sp
4a6c: 3041 ret
4a6e <_unexpected_>
; Return-from-interrupt stub (opcode 0x1300), reached from __ctors_end.
4a6e: 0013 reti pc