Changes from August 15

2024-11-22 15:25:59 +00:00 · 2022-08-15 03:57:45 -05:00 · 2022-08-15 03:57:45 -05:00 · 3532abb66e
commit 3532abb66e
parent 417ec16b59
6 changed files with 86 additions and 21 deletions
--- a/17-Chernobyl/Code/hashbrek.py
+++ b/17-Chernobyl/Code/hashbrek.py
@ -17,7 +17,7 @@ while True:
         h = hash(bytes.fromhex(line[1:]));
      else:
         h = hash(line.encode())
-      print(f"hash: {h:x}, box: {h&7:x}");
+      print(f"hash: {h:x}, box[3]: {h&7:x}, box[4]: {h&0xf:x}");
   except EOFError:
      break
--- a/17-Chernobyl/Code/inc/chernobyl.h
+++ b/17-Chernobyl/Code/inc/chernobyl.h
@ -8,12 +8,12 @@ u16 walk (u16 r15);
 u16 run ();
 u16 *create_hash_table (u16 r15, u16 r14);
-u16 add_to_table (u16 r15, u16 r14, u16 r13);
+u16 add_to_table (u16 *table, char *username, u16 pin);
 // Return address of a buffer from the table
 // r15 = buffer address. r14
 u16 get_from_table (void *r15, char *r14);
 u16 hash (char *str);
-u16 rehash (u16 r15, u16 r14);
+u16 rehash (u16 *table, u16 r14);
 // Strings, named after the position of the first character in memory
 // Strings associated with <walk>
--- a/17-Chernobyl/Code/src/chernobyl.c
+++ b/17-Chernobyl/Code/src/chernobyl.c
@ -108,8 +108,23 @@ u16 hash (char *addr) {
   return hash;
 }
-u16 add_to_table (u16 r15, u16 r14, u16 r13) {
+u16 add_to_table (u16 *table, char *username, u16 pin) {
   // todo: add_to_table
   u16 r14 = table[1]; // Box bitmask exponent? 3
   u16 r12 = table[2]; // Box bitmask mantissa? 5
   //! What the hell is going on here?
   r12 <<= r14; // 3 <<= 5
   if (r12 < 0) {
      r12 = r12 + 3;
   }
   r12 >>= 2;
   if (table[0] < r12) { // if there are more names in table than 10:
      rehash(*table, r14); // Make more boxes, and shuffle them around?
   }
   table[0]++;
   hash(r14);
   r12 = 1 << table[1];
   // Then do some boring stuff
   return 0;
 }
@ -124,7 +139,8 @@ u16 get_from_table (void *r15, char *r14) {
   return 0;
 }
-u16 rehash (u16 r15, u16 r14) {
+u16 rehash (u16 *table, u16 exponent) { // Now I see the problem
-   // todo: this function is very long and performs dynalloc
+   // This function makes the hash table 2^exponent units long
   // and rehashes all the usernames stored in each box
   return 0;
 }
--- a/17-Chernobyl/Code/src/chernobyl_stdlib.c
+++ b/17-Chernobyl/Code/src/chernobyl_stdlib.c
@ -23,13 +23,39 @@ u16 get_w (u16 *addr) {
 }
 void *_malloc (u16 size) {
-   // if heap not initialized, initialize the heap
+   /*
-   // if (get_w (HEAP_BASE + 4)) {
+4678:  0b12           push	r11
-   //    u16 heap_ptr = HEAP_BASE;
+467a:  c293 0424      tst.b	&0x2404
-   //    set_w (heap_ptr, HEAP_BASE);
+467e:  0f24           jz	$+0x20 <malloc+0x26>
-   //    set_w (heap_ptr + 2, HEAP_BASE);
+4680:  1e42 0024      mov	&0x2400, r14
-   // }
+4684:  8e4e 0000      mov	r14, 0x0(r14)
-   // create a new block on the heap
+4688:  8e4e 0200      mov	r14, 0x2(r14)
 468c:  1d42 0224      mov	&0x2402, r13
 4690:  3d50 faff      add	#0xfffa, r13
 4694:  0d5d           add	r13, r13
 4696:  8e4d 0400      mov	r13, 0x4(r14)
 469a:  c243 0424      mov.b	#0x0, &0x2404
 ; malloc+0x26:
 469e:  1b42 0024      mov	&0x2400, r11
 46a2:  0e4b           mov	r11, r14
 46a4:  1d4e 0400      mov	0x4(r14), r13
 46a8:  1db3           bit	#0x1, r13
 46aa:  2820           jnz	$+0x52 <46fc>
 46fc:  0d4e           mov	r14, r13
 46fe:  1e4e 0200      mov	0x2(r14), r14
 4702:  0e9d           cmp	r13, r14
 4704:  0228           jnc	$+0x6 <malloc+0x92>
 4706:  0e9b           cmp	r11, r14
 4708:  cd23           jnz	$-0x64 <malloc+0x2c>
 ; puts("Heap exhausted. Aborting")
 470a:  3f40 5e46      mov	#0x465e, r15
 470e:  b012 504d      call	#0x4d50 <puts>
 4712:  3040 3e44      br	#0x443e <__stop_progExec__>
 4716:  0f43           clr	r15
 4718:  3b41           pop	r11
 471a:  3041           ret
 */
   // return the address of the new block
   return 0;
--- a/17-Chernobyl/Notes
+++ b/17-Chernobyl/Notes
@ -3,14 +3,14 @@ Hash Table, plus one full box:
 5000: 0050 1050 1500 0b00 0300 0500 1650 2c50   .P.P.........P,P
 5010: 0050 2650 2100 4250 a250 0251 6251 c251   .P&P!.BP.P.QbQ.Q
-5020: 2252 8252 e252 1050 3c50 2100 0a00 0000   "R.R.R.P<P!.....
+5020: 2252 8252 e252 1050 3c50 2100 0b00 0000   "R.R.R.P<P!.....
 5030: 0000 0000 0000 0000 0000 0000 2650 9c50   ............&P.P
 5040: b500 4141 4141 4141 4141 4141 4141 4141   ..AAAAAAAAAAAAAA
 5050: 4100 e004 4141 4141 4141 4141 4141 4141   A...AAAAAAAAAAAA
 5060: 4141 4100 e004 4141 4141 4141 4141 4141   AAA...AAAAAAAAAA
 5070: 4141 4141 4100 e004 4141 4141 4141 4141   AAAAA...AAAAAAAA
 5080: 4141 4141 4141 4100 e004 4141 4141 4141   AAAAAAA...AAAAAA
-5090: 4141 4141 4141 4141 4100 e004 4141 4141   AAAAAAAAA...AAAA
+5090: 4141 4141 4141 4141 4100 e004 4141 4141   AAAAAAAAA...AAAA ; wait a second
 50a0: 4141 4141 4141 4141 4141 4100 e004 4141   AAAAAAAAAAA...AA
 50b0: 4141 4141 4141 4141 4141 4141 4100 e004   AAAAAAAAAAAAA...
 50c0: 4141 4141 4141 4141 4141 4141 4141 4100   AAAAAAAAAAAAAAA.
@ -19,7 +19,7 @@ Hash Table, plus one full box:
 50f0: 4141 4100 e004 4141 4141 4800 9c50 5c51   AAA...AAAAH..P\Q
 5100: b500 0000 0000 e004 0000 0000 0000 0000   ................
-Heap metadata @ 4d9e:
+Heap metadata @ 2400: 0050 0080 0000
 Heap start: 0x5000
 Heap  size: 0x8000 (0x5000-0xD000)
@ -31,7 +31,7 @@ Data: 0b00 0300 0500 1650 2c50
   02: 0003: Parameter 1 (Box bitmask = 2^(<3>+1) - 1)
   04: 0005: Parameter 2 (Rightshift?)
   06: 5016: & Box Pointer List
-   08: 502c: & Other Data Section
+   08: 502c: & Per-box User Count List
 Box Pointer List:
 Box list header metadata @ 5010: 0050 2650 2100
@ -50,3 +50,11 @@ Other Data Section (?)
 Section header metadata @ 5026: 1050 3c50 2100
   [ Prev: 5010, Next: 503c, Size: 0010 ]
 Data: 0a00 0000 0000 0000 0000 0000 0000 0000
 The Exploit:
 When an 11th user is added, the software will attempt to double the size of the heap. Overwriting a heap Next pointer allows us toAAAA
 for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
   print(f'new {c} ;',end="")
--- a/17-Chernobyl/mc-disasm.asm
+++ b/17-Chernobyl/mc-disasm.asm
@ -304,6 +304,7 @@
 46a4:  1d4e 0400      mov	0x4(r14), r13
 46a8:  1db3           bit	#0x1, r13
 46aa:  2820           jnz	$+0x52 <malloc+0x84>
 ; This is all initialization
 46ac:  0c4d           mov	r13, r12
 46ae:  12c3           clrc
 46b0:  0c10           rrc	r12
@ -339,6 +340,7 @@
 4704:  0228           jnc	$+0x6 <malloc+0x92>
 4706:  0e9b           cmp	r11, r14
 4708:  cd23           jnz	$-0x64 <malloc+0x2c>
 ; puts("Heap exhausted. Aborting")
 470a:  3f40 5e46      mov	#0x465e, r15
 470e:  b012 504d      call	#0x4d50 <puts>
 4712:  3040 3e44      br	#0x443e <__stop_progExec__>
@ -479,24 +481,33 @@ hash_loop_start:
 483e:  1e4f 0200      mov	0x2(r15), r14
 4842:  1c4f 0400      mov	0x4(r15), r12
 4846:  0f4e           mov	r14, r15
 ; r12 << r15
 4848:  0f93           tst	r15
 484a:  0324           jz	$+0x8 <add_to_table+0x20>
-484c:  0c5c           add	r12, r12
+484c:  0c5c           add	r12, r12 ; RLA r12
 484e:  1f83           dec	r15
 4850:  fd23           jnz	$-0x4 <add_to_table+0x1a>
 ; if (r12 < 0):
 4852:  0c93           tst	r12
 4854:  0234           jge	$+0x6 <add_to_table+0x28>
 ;   r12 = (r12 + 3) >> 1
 4856:  3c50 0300      add	#0x3, r12
 485a:  0c11           rra	r12
 ; r12 >>= 1
 485c:  0c11           rra	r12
 ; if (r11[0] < r12):
 485e:  2c9b           cmp	@r11, r12
 4860:  0434           jge	$+0xa <add_to_table+0x38>
 ;   rehash(r14, r11)
 4862:  1e53           inc	r14
 4864:  0f4b           mov	r11, r15
 4866:  b012 d448      call	#0x48d4 <rehash>
 ; *r11++
 486a:  9b53 0000      inc	0x0(r11)
 ; r15 = hash (r10)
 486e:  0f4a           mov	r10, r15
 4870:  b012 0e48      call	#0x480e <hash>
 ; r12 = (1 << r11[2]) - 1
 4874:  1c43           mov	#0x1, r12
 4876:  1e4b 0200      mov	0x2(r11), r14
 487a:  0e93           tst	r14
@ -505,6 +516,7 @@ hash_loop_start:
 4880:  1e83           dec	r14
 4882:  fd23           jnz	$-0x4 <add_to_table+0x4c>
 4884:  3c53           add	#-0x1, r12
 4886:  0cff           and	r15, r12
 4888:  0c5c           add	r12, r12
 488a:  1f4b 0800      mov	0x8(r11), r15
@ -522,17 +534,20 @@ hash_loop_start:
 48a6:  1e53           inc	r14
 48a8:  8f4e 0000      mov	r14, 0x0(r15)
 48ac:  0f43           clr	r15
-48ae:  093c           jmp	$+0x14 <add_to_table+0x90>
+48ae:  093c           jmp	$+0x14 <add_to_table+0x90> ; A
 ; *C
 48b0:  0b4c           mov	r12, r11
 48b2:  0b5f           add	r15, r11
 48b4:  cb4e 0000      mov.b	r14, 0x0(r11)
 48b8:  1f53           inc	r15
 48ba:  3f90 0f00      cmp	#0xf, r15
-48be:  0424           jz	$+0xa <add_to_table+0x96>
+48be:  0424           jz	$+0xa <add_to_table+0x96> ; B
 48c0:  1a53           inc	r10
 ; *A
 48c2:  6e4a           mov.b	@r10, r14
 48c4:  4e93           tst.b	r14
-48c6:  f423           jnz	$-0x16 <add_to_table+0x7e>
+48c6:  f423           jnz	$-0x16 <add_to_table+0x7e> ; C
 ; *B
 48c8:  8c49 1000      mov	r9, 0x10(r12)
 48cc:  3941           pop	r9
 48ce:  3a41           pop	r10