22: Churchill complete!

This commit is contained in:
Val 2022-12-11 21:03:53 -06:00
parent c9a1ab201b
commit eef5e32c5d
9 changed files with 718 additions and 1 deletions

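--- a/.clang-format
+++ b/.clang-format
@@ -0,0 +1,100 @@
+# +-------------+---------+-----------------------+
+# | Created 2022-04-23 |
+# +-----------------------------------------------+
+# Default to Google style
+BasedOnStyle: Google
+# Don't derive from file
+DeriveLineEnding: false
+DerivePointerAlignment: false
+# Google limits lines to 80 columns. Don't do that.
+ColumnLimit: 0
+# Here there be controversy
+IndentWidth: 4
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+# Alignment checks
+AlignConsecutiveAssignments: true
+AlignTrailingComments: true
+# Sort include blocks, and regroup based on include category
+SortIncludes: CaseInsensitive
+IncludeBlocks: Regroup
+# Allow short blocks on single line
+AllowShortBlocksOnASingleLine: Always
+AllowShortEnumsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: AllIfsAndElse
+AllowShortLambdasOnASingleLine: Inline
+AllowShortLoopsOnASingleLine: true
+# Except case statements
+AllowShortCaseLabelsOnASingleLine: false
+# Line wrapping should not happen, but just in case, keep the args together
+BinPackArguments: true
+BinPackParameters: true
+PackConstructorInitializers: CurrentLine
+# When bitfield-packing a struct, spaces go after the colon, not before
+BitFieldColonSpacing: After
+# By default, braces are obnoxiously wrapped to newlines
+BreakBeforeBraces: Custom
+# Disable that
+BraceWrapping:
+AfterEnum: false
+AfterFunction: false
+AfterNamespace: false
+AfterStruct: false
+AfterUnion: false
+AfterExternBlock: false
+AfterControlStatement: false
+BeforeCatch: false
+BeforeElse: false
+BeforeLambdaBody: false
+BeforeWhile: false
+IndentBraces: false
+SplitEmptyFunction: false
+# Don't break before ?:, it looks ugly
+BreakBeforeTernaryOperators: false
+# Trim empty lines when there are more than 1
+MaxEmptyLinesToKeep: 1
+# Align &*s toward the variable name (i.e. int &number; char *cstring)
+ReferenceAlignment: Pointer
+PointerAlignment: Right
+# Put spaces after (int) c_style_casts and template <T>, but !after '!' operator
+SpaceAfterCStyleCast: true
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+# Put spaces before \.?\= operators, initializer {lists}, inline (parentheses), // comments.
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: true
+SpaceBeforeParens: Always
+SpacesBeforeTrailingComments: 1
+SpacesInLineCommentPrefix:
+Minimum: 1
+# Don't put spaces in case : statements, object : inheritance,
+# for (auto& loops : range), conditional ( statements ), ( parentheses ), [ brackets ]
+SpaceBeforeCaseColon: false
+SpaceBeforeInheritanceColon: false
+SpaceBeforeRangeBasedForLoopColon: false
+SpacesInConditionalStatement: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+# Always use LF for line breaks, and NEVER use tabs for indentation
+UseCRLF: false
+UseTab: Never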

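--- a/22-Churchill/churchill.asm
+++ b/22-Churchill/churchill.asm
@@ -0,0 +1,435 @@
+Instructions:
+Size | Addr | CT | Data | Checksum?
+-- -:|------|----|----------------------------------|----------
+10 | 4400 | 00 | 55425C0135D0085A8245202831400044 | 8D
+10 | 4410 | 00 | 3F4020000F930824924220285C012F83 | 04
+10 | 4420 | 00 | 9F4F6E470024F8233F4000040F930724 | 5A
+10 | 4430 | 00 | 924220285C011F83CF432024F9233150 | 6E
+10 | 4440 | 00 | C0FF3F408646B012CA453F40AC46B012 | 5E
+10 | 4450 | 00 | CA453D4000040E433F402024B0121A46 | 96
+10 | 4460 | 00 | 3E40FF033F402024B012AC455B422024 | 75
+10 | 4470 | 00 | 8B105F4221240BDF594222245A422324 | 0D
+10 | 4480 | 00 | 0B9303343B9001F005283F40C846B012 | 1F
+10 | 4490 | 00 | CA45DB3F0F4A3F50FAFF3F90BB030528 | 58
+10 | 44A0 | 00 | 3F40FC46B012CA45D03F084A38502024 | 4D
+10 | 44B0 | 00 | 3D4040000E480F41B012E84519930D20 | D1
+10 | 44C0 | 00 | 0D410E4A3F402024B01266453D404000 | 59
+10 | 44D0 | 00 | 0E480F41B012FA45103C099309200C41 | D7
+10 | 44E0 | 00 | 0D4A3E4020243F400024B0127845053C | 50
+10 | 44F0 | 00 | 3F401347B012CA45A83F1F9305243F40 | D1
+10 | 4500 | 00 | 2A47B012CA45A13F3F404A47B012CA45 | A8
+10 | 4510 | 00 | 0D4A3E4024240F4BB012E8458B12953F | C4
+10 | 4520 | 00 | 32D0F000FD3F304084461F4102000212 | AD
+10 | 4530 | 00 | 4F4F8F103FD00080024FB01210003241 | 19
+10 | 4540 | 00 | 30410D120E120F1230123000B0122A45 | F7
+10 | 4550 | 00 | 315230410D120E120F1230123100B012 | D2
+10 | 4560 | 00 | 2A45315230410D120E120F1230123200 | 14
+10 | 4570 | 00 | B0122A45315230410B12041204412452 | 28
+10 | 4580 | 00 | 21838443FAFF3B40FAFF0B540B120C12 | B9
+10 | 4590 | 00 | 0D120E120F1230123300B0122A451F44 | B2
+10 | 45A0 | 00 | FAFF31500E0034413B4130410E120F12 | E0
+10 | 45B0 | 00 | 2312B0122A453150060030418F110F12 | DC
+10 | 45C0 | 00 | 0312B0122A45215230410B120B4F033C | 0B
+10 | 45D0 | 00 | 1B53B012BC456F4B4F93FA237F400A00 | 28
+10 | 45E0 | 00 | B012BC453B4130410C4F043CFC4E0000 | 36
+10 | 45F0 | 00 | 1C533D530D93FA2330410B120D930A24 | A3
+10 | 4600 | 00 | 7B4F7C4E4B9C04244F4B4E4C0F8E033C | F7
+10 | 4610 | 00 | 3D53F43F0F433B4130410B120A120912 | 44
+10 | 4620 | 00 | 08123D900600092C0C4F043CCC4E0000 | B3
+10 | 4630 | 00 | 1C533D530D93FA23203C4E4E4B4E0B93 | 8F
+10 | 4640 | 00 | 03240C4B8C100BDC1FB306243D53CF4E | C0
+10 | 4650 | 00 | 0000094F1953013C094F0C4D12C30C10 | B7
+10 | 4660 | 00 | 0A49084C8A4B00002A533853FB230C5C | 40
+10 | 4670 | 00 | 0C591DF30224CC4E0000384139413A41 | 17
+06 | 4680 | 00 | 3B4130410013 | 34
+Strings:
+Size | Addr | CT | Data | Checksum?
+-- -:|------|----|----------------------------------|----------
+10 | 4686 | 00 | 57656C636F6D6520746F207468652073 | 61
+10 | 4696 | 00 | 65637572652070726F6772616D206C6F | ED
+10 | 46A6 | 00 | 616465722E00506C6561736520656E74 | 79
+10 | 46B6 | 00 | 6572206465627567207061796C6F6164 | EC
+10 | 46C6 | 00 | 2E004C6F61642061646472657373206F | A1
+10 | 46D6 | 00 | 75747369646520616C6C6F7765642072 | AC
+10 | 46E6 | 00 | 616E6765206F66203078383030302D30 | 47
+10 | 46F6 | 00 | 784630303000496E76616C6964207061 | AE
+10 | 4706 | 00 | 796C6F6164206C656E67746800496E76 | BB
+10 | 4716 | 00 | 616C6964207369676E61747572652074 | 73
+10 | 4726 | 00 | 79706500496E636F7272656374207369 | 90
+10 | 4736 | 00 | 676E61747572652C20636F6E74696E75 | 31
+10 | 4746 | 00 | 696E67005369676E6174757265207661 | 7C
+10 | 4756 | 00 | 6C69642C20657865637574696E672070 | 72
+08 | 4766 | 00 | 61796C6F61640000 | D1
+10 | 476E | 00 | A09AE3E830085A0169641E1E22118B45 | 97
+10 | 477E | 00 | 7F9A95E7A133643CB578FB0C25940C4F | DA
+10 | FF80 | 00 | 26452645264526452645264526452645 | 19
+10 | FF90 | 00 | 26452645264526452645264526450044 | 30
+04 | 0000 | 03 | 00004400 | B5
+00 | 0000 | 01 | | FF
+Obj:
+0010 <__trap_interrupt>
+0010: 3041 ret
+4400 <__watchdog_support>
+4400: 5542 5c01 mov.b &0x015c, r5
+4404: 35d0 085a bis #0x5a08, r5
+4408: 8245 2028 mov r5, &0x2820
+440c <__init_stack>
+440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
+4410 <__do_copy_data>
+4410: 3f40 2000 mov #0x20, r15
+4414: 0f93 tst r15
+4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
+4418: 9242 2028 5c01 mov &0x2820, &0x015c
+441e: 2f83 decd r15
+4420: 9f4f 6e47 0024 mov 0x476e(r15), 0x2400(r15)
+4426: f823 jnz #0x4418 <__do_copy_data+0x8>
+4428 <__do_clear_bss>
+4428: 3f40 0004 mov #0x400, r15
+442c: 0f93 tst r15
+442e: 0724 jz #0x443e <main+0x0>
+4430: 9242 2028 5c01 mov &0x2820, &0x015c
+4436: 1f83 dec r15
+4438: cf43 2024 mov.b #0x0, 0x2420(r15)
+443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
+443e <main>
+; char signature_buffer[64];
+443e: 3150 c0ff add #0xffc0, sp
+; puts ("Welcome to the secure program loader.");
+4442: 3f40 8646 mov #0x4686 "Welcome to the secure program loader.", r15
+4446: b012 ca45 call #0x45ca <puts>
+; puts ("Please enter debug payload.");
+444a: 3f40 ac46 mov #0x46ac "Please enter debug payload.", r15
+444e: b012 ca45 call #0x45ca <puts>
+; char * static_buffer = (char *) 0x2420;
+; memset (0x2420, 0, 0x400);
+4452: 3d40 0004 mov #0x400, r13
+4456: 0e43 clr r14
+4458: 3f40 2024 mov #0x2420, r15
+445c: b012 1a46 call #0x461a <memset>
+; getsn (0x2420 /* static_buffer */, 0x3ff);
+4460: 3e40 ff03 mov #0x3ff, r14
+4464: 3f40 2024 mov #0x2420, r15
+4468: b012 ac45 call #0x45ac <getsn>
+; short loadaddr? = static_buffer[0]<<8+static_buffer[1];
+446c: 5b42 2024 mov.b &0x2420, r11
+4470: 8b10 swpb r11
+4472: 5f42 2124 mov.b &0x2421, r15
+4476: 0bdf bis r15, r11
+; char signature_type = static_buffer[2];
+4478: 5942 2224 mov.b &0x2422, r9
+; char payload_length = static_buffer[3];
+447c: 5a42 2324 mov.b &0x2423, r10
+; if (0x8000 <= loadaddr && loadaddr < 0xf001) {/* goto load_range_succeed */}
+4480: 0b93 tst r11
+4482: 0334 jge #0x448a <main+0x4c> <load_range_fail>
+4484: 3b90 01f0 cmp #0xf001, r11
+4488: 0528 jnc #0x4494 <main+0x56> <load_range_succeed>
+; else
+load_range_fail:
+; puts ("Load address outside allowed range of 0x8000-0xF000");
+448a: 3f40 c846 mov #0x46c8 "Load address outside allowed range of 0x8000-0xF000", r15
+448e: b012 ca45 call #0x45ca <puts>
+; continue;
+4492: db3f jmp #0x444a <main+0xc>
+load_range_succeed:
+; if (payload_length - 6 > 0x3bb)
+4494: 0f4a mov r10, r15
+4496: 3f50 faff add #0xfffa, r15
+449a: 3f90 bb03 cmp #0x3bb, r15
+449e: 0528 jnc #0x44aa <main+0x6c>
+; puts ("Invalid payload length");
+44a0: 3f40 fc46 mov #0x46fc "Invalid payload length", r15
+44a4: b012 ca45 call #0x45ca <puts>
+; continue;
+44a8: d03f jmp #0x444a <main+0xc>
+; char * payload_signature = static_buffer+payload_length
+44aa: 084a mov r10, r8
+44ac: 3850 2024 add #0x2420, r8
+; memcpy (signature_buffer, payload_signature, 0x40)
+44b0: 3d40 4000 mov #0x40, r13
+44b4: 0e48 mov r8, r14
+44b6: 0f41 mov sp, r15
+44b8: b012 e845 call #0x45e8 <memcpy>
+; if (signature_type == 0x1)
+44bc: 1993 cmp #0x1, r9
+44be: 0d20 jne #0x44da <main+0x9c>
+; sha512 (static_buffer, payload_length, signature_buffer);
+44c0: 0d41 mov sp, r13
+44c2: 0e4a mov r10, r14
+44c4: 3f40 2024 mov #0x2420, r15
+44c8: b012 6645 call #0x4566 <sha512>
+; memcmp (signature_buffer, payload_signature, 0x40)
+44cc: 3d40 4000 mov #0x40, r13
+44d0: 0e48 mov r8, r14
+44d2: 0f41 mov sp, r15
+44d4: b012 fa45 call #0x45fa <memcmp>
+44d8: 103c jmp #0x44fa <main+0xbc>
+; if (signature_type != 0)
+44da: 0993 tst r9
+44dc: 0920 jnz #0x44f0 <main+0xb2> <signature_type_invalid>
+; verify_ed25519 (0x2400, static_buffer, )
+44de: 0c41 mov sp, r12
+44e0: 0d4a mov r10, r13
+44e2: 3e40 2024 mov #0x2424, r14
+44e6: 3f40 0024 mov #0x2400, r15
+44ea: b012 7845 call #0x4578 <verify_ed25519>
+44ee: 053c jmp #0x44fa <main+0xbc> <uncond_jump_target_44fa>
+signature_type_invalid:
+; puts ("Invalid signature type");
+44f0: 3f40 1347 mov #0x4713 "Invalid signature type", r15
+44f4: b012 ca45 call #0x45ca <puts>
+44f8: a83f jmp #0x444a <main+0xc>
+uncond_jump_target_44fa:
+; if (r15 != 0x1)
+44fa: 1f93 cmp #0x1, r15
+44fc: 0524 jeq #0x4508 <main+0xca> ; else_4508
+; puts ("Incorrect signature, continuing");
+44fe: 3f40 2a47 mov #0x472a "Incorrect signature, continuing", r15
+4502: b012 ca45 call #0x45ca <puts>
+; continue;
+4506: a13f jmp #0x444a <main+0xc>
+else_4508:
+; puts ("Signature valid, executing payload");
+4508: 3f40 4a47 mov #0x474a "Signature valid, executing payload", r15
+450c: b012 ca45 call #0x45ca <puts>
+; memcpy ()
+4510: 0d4a mov r10, r13
+4512: 3e40 2424 mov #0x2424, r14
+4516: 0f4b mov r11, r15
+4518: b012 e845 call #0x45e8 <memcpy>
+; payload();
+451c: 8b12 call r11
+; continue;
+451e: 953f jmp #0x444a <main+0xc>
+4520 <__stop_progExec__>
+4520: 32d0 f000 bis #0xf0, sr
+4524: fd3f jmp #0x4520 <__stop_progExec__+0x0>
+4526 <__ctors_end>
+4526: 3040 8446 br #0x4684 <_unexpected_>
+452a <INT>
+452a: 1f41 0200 mov 0x2(sp), r15
+452e: 0212 push sr
+4530: 4f4f mov.b r15, r15
+4532: 8f10 swpb r15
+4534: 3fd0 0080 bis #0x8000, r15
+4538: 024f mov r15, sr
+453a: b012 1000 call #0x10
+453e: 3241 pop sr
+4540: 3041 ret
+4542 <sha1>
+4542: 0d12 push r13
+4544: 0e12 push r14
+4546: 0f12 push r15
+4548: 3012 3000 push #0x30
+454c: b012 2a45 call #0x452a <INT>
+4550: 3152 add #0x8, sp
+4552: 3041 ret
+4554 <sha256>
+4554: 0d12 push r13
+4556: 0e12 push r14
+4558: 0f12 push r15
+455a: 3012 3100 push #0x31
+455e: b012 2a45 call #0x452a <INT>
+4562: 3152 add #0x8, sp
+4564: 3041 ret
+4566 <sha512>
+4566: 0d12 push r13
+4568: 0e12 push r14
+456a: 0f12 push r15
+456c: 3012 3200 push #0x32
+4570: b012 2a45 call #0x452a <INT>
+4574: 3152 add #0x8, sp
+4576: 3041 ret
+4578 <verify_ed25519>
+4578: 0b12 push r11
+457a: 0412 push r4
+457c: 0441 mov sp, r4
+457e: 2452 add #0x4, r4
+4580: 2183 decd sp
+4582: 8443 faff clr -0x6(r4)
+4586: 3b40 faff mov #0xfffa, r11
+458a: 0b54 add r4, r11
+458c: 0b12 push r11
+458e: 0c12 push r12
+4590: 0d12 push r13
+4592: 0e12 push r14
+4594: 0f12 push r15
+4596: 3012 3300 push #0x33
+459a: b012 2a45 call #0x452a <INT>
+459e: 1f44 faff mov -0x6(r4), r15
+45a2: 3150 0e00 add #0xe, sp
+45a6: 3441 pop r4
+45a8: 3b41 pop r11
+45aa: 3041 ret
+45ac <getsn>
+45ac: 0e12 push r14
+45ae: 0f12 push r15
+45b0: 2312 push #0x2
+45b2: b012 2a45 call #0x452a <INT>
+45b6: 3150 0600 add #0x6, sp
+45ba: 3041 ret
+45bc <putchar>
+45bc: 8f11 sxt r15
+45be: 0f12 push r15
+45c0: 0312 push #0x0
+45c2: b012 2a45 call #0x452a <INT>
+45c6: 2152 add #0x4, sp
+45c8: 3041 ret
+45ca <puts>
+45ca: 0b12 push r11
+45cc: 0b4f mov r15, r11
+45ce: 033c jmp #0x45d6 <puts+0xc>
+45d0: 1b53 inc r11
+45d2: b012 bc45 call #0x45bc <putchar>
+45d6: 6f4b mov.b @r11, r15
+45d8: 4f93 tst.b r15
+45da: fa23 jnz #0x45d0 <puts+0x6>
+45dc: 7f40 0a00 mov.b #0xa, r15
+45e0: b012 bc45 call #0x45bc <putchar>
+45e4: 3b41 pop r11
+45e6: 3041 ret
+45e8 <memcpy>
+45e8: 0c4f mov r15, r12
+45ea: 043c jmp #0x45f4 <memcpy+0xc>
+45ec: fc4e 0000 mov.b @r14+, 0x0(r12)
+45f0: 1c53 inc r12
+45f2: 3d53 add #-0x1, r13
+45f4: 0d93 tst r13
+45f6: fa23 jnz #0x45ec <memcpy+0x4>
+45f8: 3041 ret
+45fa <memcmp>
+45fa: 0b12 push r11
+45fc: 0d93 tst r13
+45fe: 0a24 jz #0x4614 <memcmp+0x1a>
+4600: 7b4f mov.b @r15+, r11
+4602: 7c4e mov.b @r14+, r12
+4604: 4b9c cmp.b r12, r11
+4606: 0424 jeq #0x4610 <memcmp+0x16>
+4608: 4f4b mov.b r11, r15
+460a: 4e4c mov.b r12, r14
+460c: 0f8e sub r14, r15
+460e: 033c jmp #0x4616 <memcmp+0x1c>
+4610: 3d53 add #-0x1, r13
+4612: f43f jmp #0x45fc <memcmp+0x2>
+4614: 0f43 clr r15
+4616: 3b41 pop r11
+4618: 3041 ret
+461a <memset>
+461a: 0b12 push r11
+461c: 0a12 push r10
+461e: 0912 push r9
+4620: 0812 push r8
+4622: 3d90 0600 cmp #0x6, r13
+4626: 092c jc #0x463a <memset+0x20>
+4628: 0c4f mov r15, r12
+462a: 043c jmp #0x4634 <memset+0x1a>
+462c: cc4e 0000 mov.b r14, 0x0(r12)
+4630: 1c53 inc r12
+4632: 3d53 add #-0x1, r13
+4634: 0d93 tst r13
+4636: fa23 jnz #0x462c <memset+0x12>
+4638: 203c jmp #0x467a <memset+0x60>
+463a: 4e4e mov.b r14, r14
+463c: 4b4e mov.b r14, r11
+463e: 0b93 tst r11
+4640: 0324 jz #0x4648 <memset+0x2e>
+4642: 0c4b mov r11, r12
+4644: 8c10 swpb r12
+4646: 0bdc bis r12, r11
+4648: 1fb3 bit #0x1, r15
+464a: 0624 jz #0x4658 <memset+0x3e>
+464c: 3d53 add #-0x1, r13
+464e: cf4e 0000 mov.b r14, 0x0(r15)
+4652: 094f mov r15, r9
+4654: 1953 inc r9
+4656: 013c jmp #0x465a <memset+0x40>
+4658: 094f mov r15, r9
+465a: 0c4d mov r13, r12
+465c: 12c3 clrc
+465e: 0c10 rrc r12
+4660: 0a49 mov r9, r10
+4662: 084c mov r12, r8
+4664: 8a4b 0000 mov r11, 0x0(r10)
+4668: 2a53 incd r10
+466a: 3853 add #-0x1, r8
+466c: fb23 jnz #0x4664 <memset+0x4a>
+466e: 0c5c add r12, r12
+4670: 0c59 add r9, r12
+4672: 1df3 and #0x1, r13
+4674: 0224 jz #0x467a <memset+0x60>
+4676: cc4e 0000 mov.b r14, 0x0(r12)
+467a: 3841 pop r8
+467c: 3941 pop r9
+467e: 3a41 pop r10
+4680: 3b41 pop r11
+4682: 3041 ret
+4684 <_unexpected_>
+4684: 0013 reti pc
+4686 .strings:
+4686: "Welcome to the secure program loader."
+46ac: "Please enter debug payload."
+46c8: "Load address outside allowed range of 0x8000-0xF000"
+46fc: "Invalid payload length"
+4713: "Invalid signature type"
+472a: "Incorrect signature, continuing"
+474a: "Signature valid, executing payload"
+Prereqs: "Cold Lake"
+Name: "Churchill"
+Text:
+Lockitall LOCKIT 2 r A.01
+______________________________________________________________________
+User Manual: Lockitall LockIT 2, rev a.01
+______________________________________________________________________
+OVERVIEW
+- Lockitall is under new management.
+- All vulnerabilities in our old locks are now resolved.
+DETAILS
+The LockIT 2 A.03 is the second of a new series of locks. It is
+controlled by a MSP430 microcontroller. The MSP430 is a very low-
+power device, chosen because we found several crates of old stock.
+This lock only accepts biometric and NFC inputs, and does not have
+a traditional password prompt.
+To support rapid development cycles this lock accepts a program
+from the old password input prompt. Only programs signed by us are
+allowed.
+800000063041c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32a
+df31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed16
+05f2070e
+This is Hardware Version Beta.
+This is Software Revision 03.
+(c) 2021 LOCKITALL Page 1/1
+"X": 122,
+"Y": 212,
+"Rating": 30,
+"Patch": ""
+},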
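Review bot: The pseudocode at 446c, `; short loadaddr? = static_buffer[0]<<8+static_buffer[1];`, parses under C precedence as `static_buffer[0] << (8 + static_buffer[1])`, whereas the instructions below it (swpb, then bis) build `(static_buffer[0] << 8) | static_buffer[1]`, so the comment should be written that way. The `; if (payload_length - 6 > 0x3bb)` comment at 4494 also understates what the code enforces: r10 comes from mov.b so it is at most 0xff, `add #0xfffa` wraps for values below 6, and the cmp/jnc pair rejects when `(r10 - 6) mod 2^16 >= 0x3bb`, which for a one-byte length is reachable only when `payload_length < 6`; a comment such as `; effectively: if (payload_length < 6) — the 0x3bb bound cannot be reached with a one-byte length` would save the next reader the arithmetic. It is presumably that lower bound that keeps `static_buffer + payload_length` (the signature pointer computed at 44aa) from overlapping the four-byte header, and saying so would document the check's real purpose.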

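--- a/22-Churchill/churchill.c
+++ b/22-Churchill/churchill.c
@@ -0,0 +1,53 @@
+// uC includes
+#include "../io.c"
+#include "../lib.c"
+int main () {
+char signature_buffer[64]; // >=> sp
+char *static_buffer = mem_get (0x2420); // >=> 0x2420
+puts ("Welcome to the secure program loader.");
+while (1) {
+unsigned short loadaddr; // >=> r11
+unsigned char signature_type; // >=> r9
+unsigned char payload_length; // >=> r10
+puts ("Please enter debug payload.");
+memset (static_buffer, 0, 0x400);
+getsn (static_buffer, 0x3ff);
+loadaddr = (static_buffer[0] << 8) + (static_buffer[1]);
+signature_type = static_buffer[2];
+payload_length = static_buffer[3];
+if (0x8000 > loadaddr || loadaddr >= 0xf001) {
+puts ("Load address outside allowed range of 0x8000-0xF000");
+continue;
+}
+if (payload_length - 6 > 0x3bb) {
+puts ("Invalid payload length");
+continue;
+}
+char *payload_signature = static_buffer + payload_length;
+int result;
+memcpy (signature_buffer, payload_signature, 0x40);
+if (signature_type == 0x1) {
+sha512 (static_buffer, payload_length, signature_buffer);
+result = memcmp (signature_buffer, payload_signature, 0x40);
+}
+if (signature_type != 0x0) {
+puts ("Invalid signature type");
+continue;
+} else {
+result = verify_ed25519 (mem_get (0x2400), static_buffer, payload_length, signature_buffer);
+}
+if (result != 0x1) {
+puts ("Incorrect signature, continuing");
+continue;
+}
+puts ("Signature valid, executing payload");
+memcpy (mem_get (loadaddr), static_buffer + 0x4, payload_length);
+puts ((char *) mem_get (loadaddr));
+}
+}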
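Review bot: The `if (signature_type != 0x0)` at line 544 is not chained to the `signature_type == 0x1` branch above it, so a type-1 payload is hashed and compared and then still rejected with "Invalid signature type", while the disassembly jumps from the memcmp straight to the result check (44d8 → 44fa); it should read `} else if (signature_type != 0x0) {`. Two byte reads also diverge from the firmware: `static_buffer` is `char *`, so on a target where `char` is signed any byte >= 0x80 sign-extends at line 526 — the MSP430 code uses mov.b (zero-extending) and bis — and the line should be `loadaddr = ((unsigned char) static_buffer[0] << 8) | (unsigned char) static_buffer[1];`. Likewise `payload_length - 6` is a signed int here, so lengths below 6 pass the check at line 533 that the firmware rejects through unsigned wrap; `if ((unsigned short) (payload_length - 6) > 0x3bb)` keeps that rejection, which matters because a short length makes `payload_signature` overlap the header. The `puts` at line 556 stands in for the firmware's `call r11`; a comment saying so would keep a reader from mistaking it for the real behaviour.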


@ -0,0 +1,8 @@
#!/usr/bin/env python3
import hashlib
payload = bytes.fromhex("8000 01 0c 3240 00ff b012 1000")
print(f"{payload.hex()}{hashlib.sha512(payload).hexdigest()}")
print("800000063041c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32adf31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed1605f2070e")
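Review bot: The digest printed on line 566 is the true SHA-512 of the payload, but if the notes' reading of the loader is right (it accepts only when memcmp() returns exactly 1, i.e. when the supplied byte at the first mismatch is one less than the computed one), that is exactly the value the loader rejects, and the submitted line must carry the adjusted byte. I would derive it in the script rather than by hand: `sig = bytearray(hashlib.sha512(payload).digest()); sig[-1] -= 1` followed by `print(payload.hex() + sig.hex())`, with a comment noting that `sig[-1] -= 1` raises ValueError when the last byte is 0x00, in which case any other nonzero byte can be decremented instead since only the first mismatch is compared. The hard-coded string on line 567 is the ed25519 sample from the notes and is unrelated to the computed line; either drop it or comment why it is printed alongside.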

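--- a/22-Churchill/notes.md
+++ b/22-Churchill/notes.md
@@ -0,0 +1,41 @@
+Churchill seems to not verify after 0xff bytes?
+## Sample input
+```hex
+8000 00 06 3041 c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32adf31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed1605f2070e
+```
+## Layout:
+Loadaddr | Signature Type | length | payload | Signature
+---------|----------------|--------|----------|----------
+8000 | 00 (ed25519) | 06 | 3041 ret | c26436...
+8000 | 01 (sha512) | 12 | 324000ffb0121000 | f009805ec519029923b72a6e63589a081295759bbf7e12090be7b784f622a24e135d2603b861cc0398b366b1a5d8a89836544a164c39f4e68361413ab6f049a5
+```c
+324000ff mov #ff00, sr
+b0121000 call #0010
+```
+## Payload
+8000 01 0c 3240 00ff b012 1000
+Hash:
+80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec
+complete payload:
+8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec
+# THE TWIST
+The program explicitly checks for `0x1` when evaluating the results of a hash
+For perfectly identical strings, this DOESN'T WORK, because, memcmp returns `0`.
+Solution: subtract 1 from the last byte of payload_signature. It'll be off by one, and when the program evaluates it, it'll end up with 0x0001 in r15
+# Final Answer:
+8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40eb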

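--- a/common/io.c
+++ b/common/io.c
@@ -0,0 +1,39 @@
+#ifndef __uC_IO_C__
+#define __uC_IO_C__
+#include <stdio.h>
+#include <string.h>
+#include "mem.h"
+// 512 600 0011
+void INT (int arg, ...);
+char hascii(int i) {
+if (i > '9')
+i += 9;
+return i & 0x0f;
+}
+// gets (getsn)
+void getsn (char* buf, size_t size) {
+char *temp = malloc(size*2);
+fgets(temp, size*2, stdin);
+for (int i = 0; i < size * 2; i+=2) {
+buf[i/2] = ((hascii(temp[i]))<<4)|(hascii(temp[i+1]));
+printf("%02x", buf[i/2] & 0xff);
+}
+printf("\n");
+free(temp);
+}
+// putchar
+// int putchar (int c);
+// puts
+// int puts(const char *);
+// printf
+//int printf (const char * restrict format_str, ...);
+#endif // __uC_IO_C__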
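Review bot: `getsn` converts `size * 2` characters regardless of how much `fgets` actually read, so for any line shorter than the buffer the loop decodes uninitialised `malloc` memory (and the terminating newline, which `hascii` maps to 0xa) into `buf`, whereas the firmware's caller has just zeroed that buffer; neither the `malloc` nor the `fgets` return value is checked, so allocation failure or EOF dereferences NULL or garbage. The loop should stop at the first newline or NUL and leave the rest of `buf` as the caller set it, and the two failures should be handled; `size*2` also lets `fgets` read only `size*2-1` characters, one short of a full buffer of hex pairs. A rewrite along these lines:

```c
// gets (getsn): read one line of hex pairs from stdin and decode them into buf.
// Stops at the first newline/NUL; bytes of buf beyond the decoded input are left
// untouched (the caller in churchill.c memsets the buffer before calling).
void getsn (char* buf, size_t size) {
    char *temp = malloc(size*2 + 1);
    if (temp == NULL) { perror("malloc"); exit(1); }
    if (fgets(temp, size*2 + 1, stdin) == NULL) temp[0] = '\0';
    for (size_t i = 0; i + 1 < size * 2; i += 2) {
        if (temp[i] == '\n' || temp[i] == '\0' || temp[i+1] == '\n' || temp[i+1] == '\0') break;
        buf[i/2] = ((hascii(temp[i]))<<4)|(hascii(temp[i+1]));
        printf("%02x", buf[i/2] & 0xff);
    }
    printf("\n");
    free(temp);
}
```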

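--- a/common/lib.c
+++ b/common/lib.c
@@ -0,0 +1,17 @@
+#ifndef __uC_LIB_C__
+#define __uC_LIB_C__
+#include <stdlib.h>
+#include "mem.h"
+int verify_ed25519 (char * ed25519_pubkey, void * buf, int size, char * signature) {return 1;};
+//void *memcpy(void *__restrict__ __dest, const void *__restrict__ __src, size_t __n);
+//int memcmp(const void *__s1, const void *__s2, size_t __n);
+void sha1(void *buf, char * out_buf, size_t size) {}
+void sha256 (void *buf, char * out_buf, size_t size) {}
+void sha512 (void *buf, char * out_buf, size_t size) {}
+#endif // __uC_LIB_C__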
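Review bot: `verify_ed25519` unconditionally returns 1 and the three hash stubs do nothing, so in this model every signature-type-0 payload is accepted and a type-1 payload leaves `signature_buffer` holding whatever was copied into it; each stub needs a comment making that explicit, e.g. `// stub: always reports "valid"; the firmware's real check is INT 0x33 (see churchill.asm 4596)` and `// stub: leaves out_buf untouched` so nobody reads these as the actual verification. The `sha512` prototype `(void *buf, char * out_buf, size_t size)` also disagrees with the call in churchill.c, `sha512 (static_buffer, payload_length, signature_buffer)`, and with the register order at 44c0 (r15 = buffer, r14 = length, r13 = output), so it should be `void sha512 (void *buf, size_t size, char * out_buf) {}`; sha1 and sha256 push the same registers, so they presumably follow the same order, but I have not confirmed that. The `;` after the `verify_ed25519` body is an empty declaration at file scope that pedantic builds warn about.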

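--- a/common/mem.h
+++ b/common/mem.h
@@ -0,0 +1,24 @@
+#ifndef __uC_MEM_H__
+#define __uC_MEM_H__
+#include <stdlib.h>
+void * mem;
+const int mem_size = 65536;
+void mem_create() __attribute__ ((constructor));
+void mem_destroy() __attribute__ ((destructor));
+void mem_create() {
+mem = malloc(mem_size);
+}
+void mem_destroy() {
+free(mem);
+}
+void * mem_get(short addr) {
+return mem+(addr%mem_size);
+}
+#endif // __uC_MEM_H__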
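Review bot: `mem_get` takes `short addr`, so every load address this loader accepts (0x8000-0xF000) arrives negative, `addr % mem_size` stays negative (C `%` truncates toward zero), and the returned pointer lies up to 32 KiB before `mem`; the `memcpy` in churchill.c line 555 then writes outside the emulated memory. It should be `void * mem_get(unsigned short addr) { return (unsigned char *) mem + addr; }` — the modulo becomes redundant because an unsigned short is always below 65536, and arithmetic on `void *` is a GNU extension anyway. `malloc` in `mem_create` is unchecked, and defining `mem`, `mem_size` and three functions in a header means any second translation unit including it fails to link; marking them `static` (or moving the definitions to a `.c` with `extern` declarations here) would make that robust.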


@ -38,5 +38,5 @@ Hopefully in the coming weeks I'll learn enough about malloc and free to get som
### 2022 Dec 4 PM - 2022 Dec 11 PM:
Cold Lake
### 2022 Dec 11 PM - Ongoing:
### 2022 Dec 11 PM
Churchill