diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..fde4470
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,100 @@
+# +-------------+---------+-----------------------+
+# | Created 2022-04-23 |
+# +-----------------------------------------------+
+
+# Default to Google style
+BasedOnStyle: Google
+
+# Don't derive from file
+DeriveLineEnding: false
+DerivePointerAlignment: false
+
+# Google limits lines to 80 columns. Don't do that.
+ColumnLimit: 0
+
+# Here there be controversy
+IndentWidth: 4
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+
+# Alignment checks
+AlignConsecutiveAssignments: true
+AlignTrailingComments: true
+
+# Sort include blocks, and regroup based on include category
+SortIncludes: CaseInsensitive
+IncludeBlocks: Regroup
+
+# Allow short blocks on single line
+AllowShortBlocksOnASingleLine: Always
+AllowShortEnumsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: AllIfsAndElse
+AllowShortLambdasOnASingleLine: Inline
+AllowShortLoopsOnASingleLine: true
+# Except case statements
+AllowShortCaseLabelsOnASingleLine: false
+
+# Line wrapping should not happen, but just in case, keep the args together
+BinPackArguments: true
+BinPackParameters: true
+PackConstructorInitializers: CurrentLine
+
+# When bitfield-packing a struct, spaces go after the colon, not before
+BitFieldColonSpacing: After
+
+# By default, braces are obnoxiously wrapped to newlines
+BreakBeforeBraces: Custom
+# Disable that
+BraceWrapping:
+ AfterEnum: false
+ AfterFunction: false
+ AfterNamespace: false
+ AfterStruct: false
+ AfterUnion: false
+ AfterExternBlock: false
+ AfterControlStatement: false
+
+ BeforeCatch: false
+ BeforeElse: false
+ BeforeLambdaBody: false
+ BeforeWhile: false
+
+ IndentBraces: false
+
+ SplitEmptyFunction: false
+
+# Don't break before ?:, it looks ugly
+BreakBeforeTernaryOperators: false
+
+# Trim empty lines when there are more than 1
+MaxEmptyLinesToKeep: 1
+
+# Align &*s toward the variable name (i.e. int &number; char *cstring)
+ReferenceAlignment: Pointer
+PointerAlignment: Right
+
+# Put spaces after (int) c_style_casts and template , but !after '!' operator
+SpaceAfterCStyleCast: true
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+
+# Put spaces before \.?\= operators, initializer {lists}, inline (parentheses), // comments.
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: true
+SpaceBeforeParens: Always
+SpacesBeforeTrailingComments: 1
+SpacesInLineCommentPrefix:
+ Minimum: 1
+# Don't put spaces in case : statements, object : inheritance,
+# for (auto& loops : range), conditional ( statements ), ( parentheses ), [ brackets ]
+SpaceBeforeCaseColon: false
+SpaceBeforeInheritanceColon: false
+SpaceBeforeRangeBasedForLoopColon: false
+SpacesInConditionalStatement: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+
+# Always use LF for line breaks, and NEVER use tabs for indentation
+UseCRLF: false
+UseTab: Never
diff --git a/22-Churchill/churchill.asm b/22-Churchill/churchill.asm
new file mode 100644
index 0000000..6307d26
--- /dev/null
+++ b/22-Churchill/churchill.asm
@@ -0,0 +1,435 @@ +Instructions: +Size | Addr | CT | Data | Checksum? +-- -:|------|----|----------------------------------|---------- + 10 | 4400 | 00 | 55425C0135D0085A8245202831400044 | 8D + 10 | 4410 | 00 | 3F4020000F930824924220285C012F83 | 04 + 10 | 4420 | 00 | 9F4F6E470024F8233F4000040F930724 | 5A + 10 | 4430 | 00 | 924220285C011F83CF432024F9233150 | 6E + 10 | 4440 | 00 | C0FF3F408646B012CA453F40AC46B012 | 5E + 10 | 4450 | 00 | CA453D4000040E433F402024B0121A46 | 96 + 10 | 4460 | 00 | 3E40FF033F402024B012AC455B422024 | 75 + 10 | 4470 | 00 | 8B105F4221240BDF594222245A422324 | 0D + 10 | 4480 | 00 | 0B9303343B9001F005283F40C846B012 | 1F + 10 | 4490 | 00 | CA45DB3F0F4A3F50FAFF3F90BB030528 | 58 + 10 | 44A0 | 00 | 3F40FC46B012CA45D03F084A38502024 | 4D + 10 | 44B0 | 00 | 3D4040000E480F41B012E84519930D20 | D1 + 10 | 44C0 | 00 | 0D410E4A3F402024B01266453D404000 | 59 + 10 | 44D0 | 00 | 0E480F41B012FA45103C099309200C41 | D7 + 10 | 44E0 | 00 | 0D4A3E4020243F400024B0127845053C | 50 + 10 | 44F0 | 00 | 3F401347B012CA45A83F1F9305243F40 | D1 + 10 | 4500 | 00 | 2A47B012CA45A13F3F404A47B012CA45 | A8 + 10 | 4510 | 00 | 0D4A3E4024240F4BB012E8458B12953F | C4 + 10 | 4520 | 00 | 32D0F000FD3F304084461F4102000212 | AD + 10 | 4530 | 00 | 4F4F8F103FD00080024FB01210003241 | 19 + 10 | 4540 | 00 | 30410D120E120F1230123000B0122A45 | F7 + 10 | 4550 | 00 | 315230410D120E120F1230123100B012 | D2 + 10 | 4560 | 00 | 2A45315230410D120E120F1230123200 | 14 + 10 | 4570 | 00 | B0122A45315230410B12041204412452 | 28 + 10 | 4580 | 00 | 21838443FAFF3B40FAFF0B540B120C12 | B9 + 10 | 4590 | 00 | 0D120E120F1230123300B0122A451F44 | B2 + 10 | 45A0 | 00 | FAFF31500E0034413B4130410E120F12 | E0 + 10 | 45B0 | 00 | 2312B0122A453150060030418F110F12 | DC + 10 | 45C0 | 00 | 0312B0122A45215230410B120B4F033C | 0B + 10 | 45D0 | 00 | 1B53B012BC456F4B4F93FA237F400A00 | 28 + 10 | 45E0 | 00 | B012BC453B4130410C4F043CFC4E0000 | 36 + 10 | 45F0 | 00 | 1C533D530D93FA2330410B120D930A24 | A3 + 10 | 4600 | 00 | 
7B4F7C4E4B9C04244F4B4E4C0F8E033C | F7 + 10 | 4610 | 00 | 3D53F43F0F433B4130410B120A120912 | 44 + 10 | 4620 | 00 | 08123D900600092C0C4F043CCC4E0000 | B3 + 10 | 4630 | 00 | 1C533D530D93FA23203C4E4E4B4E0B93 | 8F + 10 | 4640 | 00 | 03240C4B8C100BDC1FB306243D53CF4E | C0 + 10 | 4650 | 00 | 0000094F1953013C094F0C4D12C30C10 | B7 + 10 | 4660 | 00 | 0A49084C8A4B00002A533853FB230C5C | 40 + 10 | 4670 | 00 | 0C591DF30224CC4E0000384139413A41 | 17 + 06 | 4680 | 00 | 3B4130410013 | 34 + +Strings: +Size | Addr | CT | Data | Checksum? +-- -:|------|----|----------------------------------|---------- + 10 | 4686 | 00 | 57656C636F6D6520746F207468652073 | 61 + 10 | 4696 | 00 | 65637572652070726F6772616D206C6F | ED + 10 | 46A6 | 00 | 616465722E00506C6561736520656E74 | 79 + 10 | 46B6 | 00 | 6572206465627567207061796C6F6164 | EC + 10 | 46C6 | 00 | 2E004C6F61642061646472657373206F | A1 + 10 | 46D6 | 00 | 75747369646520616C6C6F7765642072 | AC + 10 | 46E6 | 00 | 616E6765206F66203078383030302D30 | 47 + 10 | 46F6 | 00 | 784630303000496E76616C6964207061 | AE + 10 | 4706 | 00 | 796C6F6164206C656E67746800496E76 | BB + 10 | 4716 | 00 | 616C6964207369676E61747572652074 | 73 + 10 | 4726 | 00 | 79706500496E636F7272656374207369 | 90 + 10 | 4736 | 00 | 676E61747572652C20636F6E74696E75 | 31 + 10 | 4746 | 00 | 696E67005369676E6174757265207661 | 7C + 10 | 4756 | 00 | 6C69642C20657865637574696E672070 | 72 + 08 | 4766 | 00 | 61796C6F61640000 | D1 + + 10 | 476E | 00 | A09AE3E830085A0169641E1E22118B45 | 97 + 10 | 477E | 00 | 7F9A95E7A133643CB578FB0C25940C4F | DA + 10 | FF80 | 00 | 26452645264526452645264526452645 | 19 + 10 | FF90 | 00 | 26452645264526452645264526450044 | 30 + 04 | 0000 | 03 | 00004400 | B5 + 00 | 0000 | 01 | | FF + + +Obj: +0010 <__trap_interrupt> +0010: 3041 ret +4400 <__watchdog_support> +4400: 5542 5c01 mov.b &0x015c, r5 +4404: 35d0 085a bis #0x5a08, r5 +4408: 8245 2028 mov r5, &0x2820 +440c <__init_stack> +440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp +4410 <__do_copy_data> +4410: 
3f40 2000 mov #0x20, r15 +4414: 0f93 tst r15 +4416: 0824 jz #0x4428 <__do_clear_bss+0x0> +4418: 9242 2028 5c01 mov &0x2820, &0x015c +441e: 2f83 decd r15 +4420: 9f4f 6e47 0024 mov 0x476e(r15), 0x2400(r15) +4426: f823 jnz #0x4418 <__do_copy_data+0x8> +4428 <__do_clear_bss> +4428: 3f40 0004 mov #0x400, r15 +442c: 0f93 tst r15 +442e: 0724 jz #0x443e +4430: 9242 2028 5c01 mov &0x2820, &0x015c +4436: 1f83 dec r15 +4438: cf43 2024 mov.b #0x0, 0x2420(r15) +443c: f923 jnz #0x4430 <__do_clear_bss+0x8> + +443e
+; char signature_buffer[64]; +443e: 3150 c0ff add #0xffc0, sp + +; puts ("Welcome to the secure program loader."); +4442: 3f40 8646 mov #0x4686 "Welcome to the secure program loader.", r15 +4446: b012 ca45 call #0x45ca +; puts ("Please enter debug payload."); +444a: 3f40 ac46 mov #0x46ac "Please enter debug payload.", r15 +444e: b012 ca45 call #0x45ca + +; char * static_buffer = (char *) 0x2420; +; memset (0x2420, 0, 0x400); +4452: 3d40 0004 mov #0x400, r13 +4456: 0e43 clr r14 +4458: 3f40 2024 mov #0x2420, r15 +445c: b012 1a46 call #0x461a + +; getsn (0x2420 /* static_buffer */, 0x3ff); +4460: 3e40 ff03 mov #0x3ff, r14 +4464: 3f40 2024 mov #0x2420, r15 +4468: b012 ac45 call #0x45ac + +; short loadaddr? = static_buffer[0]<<8+static_buffer[1]; +446c: 5b42 2024 mov.b &0x2420, r11 +4470: 8b10 swpb r11 +4472: 5f42 2124 mov.b &0x2421, r15 +4476: 0bdf bis r15, r11 +; char signature_type = static_buffer[2]; +4478: 5942 2224 mov.b &0x2422, r9 +; char payload_length = static_buffer[3]; +447c: 5a42 2324 mov.b &0x2423, r10 + +; if (0x8000 <= loadaddr && loadaddr < 0xf001) {/* goto load_range_succeed */} +4480: 0b93 tst r11 +4482: 0334 jge #0x448a +4484: 3b90 01f0 cmp #0xf001, r11 +4488: 0528 jnc #0x4494 +; else +load_range_fail: +; puts ("Load address outside allowed range of 0x8000-0xF000"); +448a: 3f40 c846 mov #0x46c8 "Load address outside allowed range of 0x8000-0xF000", r15 +448e: b012 ca45 call #0x45ca +; continue; +4492: db3f jmp #0x444a + +load_range_succeed: +; if (payload_length - 6 > 0x3bb) +4494: 0f4a mov r10, r15 +4496: 3f50 faff add #0xfffa, r15 +449a: 3f90 bb03 cmp #0x3bb, r15 +449e: 0528 jnc #0x44aa +; puts ("Invalid payload length"); +44a0: 3f40 fc46 mov #0x46fc "Invalid payload length", r15 +44a4: b012 ca45 call #0x45ca +; continue; +44a8: d03f jmp #0x444a + +; char * payload_signature = static_buffer+payload_length +44aa: 084a mov r10, r8 +44ac: 3850 2024 add #0x2420, r8 +; memcpy (signature_buffer, payload_signature, 0x40) +44b0: 3d40 4000 mov #0x40, r13 
+44b4: 0e48 mov r8, r14 +44b6: 0f41 mov sp, r15 +44b8: b012 e845 call #0x45e8 +; if (signature_type == 0x1) +44bc: 1993 cmp #0x1, r9 +44be: 0d20 jne #0x44da +; sha512 (static_buffer, payload_length, signature_buffer); +44c0: 0d41 mov sp, r13 +44c2: 0e4a mov r10, r14 +44c4: 3f40 2024 mov #0x2420, r15 +44c8: b012 6645 call #0x4566 +; memcmp (signature_buffer, payload_signature, 0x40) +44cc: 3d40 4000 mov #0x40, r13 +44d0: 0e48 mov r8, r14 +44d2: 0f41 mov sp, r15 +44d4: b012 fa45 call #0x45fa +44d8: 103c jmp #0x44fa +; if (signature_type != 0) +44da: 0993 tst r9 +44dc: 0920 jnz #0x44f0 +; verify_ed25519 (0x2400, static_buffer, ) +44de: 0c41 mov sp, r12 +44e0: 0d4a mov r10, r13 +44e2: 3e40 2024 mov #0x2420, r14 +44e6: 3f40 0024 mov #0x2400, r15 +44ea: b012 7845 call #0x4578 +44ee: 053c jmp #0x44fa +signature_type_invalid: +; puts ("Invalid signature type"); +44f0: 3f40 1347 mov #0x4713 "Invalid signature type", r15 +44f4: b012 ca45 call #0x45ca +44f8: a83f jmp #0x444a +uncond_jump_target_44fa: +; if (r15 != 0x1) +44fa: 1f93 cmp #0x1, r15 +44fc: 0524 jeq #0x4508 ; else_4508 +; puts ("Incorrect signature, continuing"); +44fe: 3f40 2a47 mov #0x472a "Incorrect signature, continuing", r15 +4502: b012 ca45 call #0x45ca +; continue; +4506: a13f jmp #0x444a + +else_4508: +; puts ("Signature valid, executing payload"); +4508: 3f40 4a47 mov #0x474a "Signature valid, executing payload", r15 +450c: b012 ca45 call #0x45ca +; memcpy () +4510: 0d4a mov r10, r13 +4512: 3e40 2424 mov #0x2424, r14 +4516: 0f4b mov r11, r15 +4518: b012 e845 call #0x45e8 +; payload(); +451c: 8b12 call r11 +; continue; +451e: 953f jmp #0x444a + +4520 <__stop_progExec__> +4520: 32d0 f000 bis #0xf0, sr +4524: fd3f jmp #0x4520 <__stop_progExec__+0x0> +4526 <__ctors_end> +4526: 3040 8446 br #0x4684 <_unexpected_> +452a +452a: 1f41 0200 mov 0x2(sp), r15 +452e: 0212 push sr +4530: 4f4f mov.b r15, r15 +4532: 8f10 swpb r15 +4534: 3fd0 0080 bis #0x8000, r15 +4538: 024f mov r15, sr +453a: b012 1000 call #0x10 +453e: 
3241 pop sr +4540: 3041 ret +4542 +4542: 0d12 push r13 +4544: 0e12 push r14 +4546: 0f12 push r15 +4548: 3012 3000 push #0x30 +454c: b012 2a45 call #0x452a +4550: 3152 add #0x8, sp +4552: 3041 ret +4554 +4554: 0d12 push r13 +4556: 0e12 push r14 +4558: 0f12 push r15 +455a: 3012 3100 push #0x31 +455e: b012 2a45 call #0x452a +4562: 3152 add #0x8, sp +4564: 3041 ret +4566 +4566: 0d12 push r13 +4568: 0e12 push r14 +456a: 0f12 push r15 +456c: 3012 3200 push #0x32 +4570: b012 2a45 call #0x452a +4574: 3152 add #0x8, sp +4576: 3041 ret +4578 +4578: 0b12 push r11 +457a: 0412 push r4 +457c: 0441 mov sp, r4 +457e: 2452 add #0x4, r4 +4580: 2183 decd sp +4582: 8443 faff clr -0x6(r4) +4586: 3b40 faff mov #0xfffa, r11 +458a: 0b54 add r4, r11 +458c: 0b12 push r11 +458e: 0c12 push r12 +4590: 0d12 push r13 +4592: 0e12 push r14 +4594: 0f12 push r15 +4596: 3012 3300 push #0x33 +459a: b012 2a45 call #0x452a +459e: 1f44 faff mov -0x6(r4), r15 +45a2: 3150 0e00 add #0xe, sp +45a6: 3441 pop r4 +45a8: 3b41 pop r11 +45aa: 3041 ret +45ac +45ac: 0e12 push r14 +45ae: 0f12 push r15 +45b0: 2312 push #0x2 +45b2: b012 2a45 call #0x452a +45b6: 3150 0600 add #0x6, sp +45ba: 3041 ret +45bc +45bc: 8f11 sxt r15 +45be: 0f12 push r15 +45c0: 0312 push #0x0 +45c2: b012 2a45 call #0x452a +45c6: 2152 add #0x4, sp +45c8: 3041 ret +45ca +45ca: 0b12 push r11 +45cc: 0b4f mov r15, r11 +45ce: 033c jmp #0x45d6 +45d0: 1b53 inc r11 +45d2: b012 bc45 call #0x45bc +45d6: 6f4b mov.b @r11, r15 +45d8: 4f93 tst.b r15 +45da: fa23 jnz #0x45d0 +45dc: 7f40 0a00 mov.b #0xa, r15 +45e0: b012 bc45 call #0x45bc +45e4: 3b41 pop r11 +45e6: 3041 ret +45e8 +45e8: 0c4f mov r15, r12 +45ea: 043c jmp #0x45f4 +45ec: fc4e 0000 mov.b @r14+, 0x0(r12) +45f0: 1c53 inc r12 +45f2: 3d53 add #-0x1, r13 +45f4: 0d93 tst r13 +45f6: fa23 jnz #0x45ec +45f8: 3041 ret +45fa +45fa: 0b12 push r11 +45fc: 0d93 tst r13 +45fe: 0a24 jz #0x4614 +4600: 7b4f mov.b @r15+, r11 +4602: 7c4e mov.b @r14+, r12 +4604: 4b9c cmp.b r12, r11 +4606: 0424 jeq #0x4610 +4608: 4f4b 
mov.b r11, r15 +460a: 4e4c mov.b r12, r14 +460c: 0f8e sub r14, r15 +460e: 033c jmp #0x4616 +4610: 3d53 add #-0x1, r13 +4612: f43f jmp #0x45fc +4614: 0f43 clr r15 +4616: 3b41 pop r11 +4618: 3041 ret +461a +461a: 0b12 push r11 +461c: 0a12 push r10 +461e: 0912 push r9 +4620: 0812 push r8 +4622: 3d90 0600 cmp #0x6, r13 +4626: 092c jc #0x463a +4628: 0c4f mov r15, r12 +462a: 043c jmp #0x4634 +462c: cc4e 0000 mov.b r14, 0x0(r12) +4630: 1c53 inc r12 +4632: 3d53 add #-0x1, r13 +4634: 0d93 tst r13 +4636: fa23 jnz #0x462c +4638: 203c jmp #0x467a +463a: 4e4e mov.b r14, r14 +463c: 4b4e mov.b r14, r11 +463e: 0b93 tst r11 +4640: 0324 jz #0x4648 +4642: 0c4b mov r11, r12 +4644: 8c10 swpb r12 +4646: 0bdc bis r12, r11 +4648: 1fb3 bit #0x1, r15 +464a: 0624 jz #0x4658 +464c: 3d53 add #-0x1, r13 +464e: cf4e 0000 mov.b r14, 0x0(r15) +4652: 094f mov r15, r9 +4654: 1953 inc r9 +4656: 013c jmp #0x465a +4658: 094f mov r15, r9 +465a: 0c4d mov r13, r12 +465c: 12c3 clrc +465e: 0c10 rrc r12 +4660: 0a49 mov r9, r10 +4662: 084c mov r12, r8 +4664: 8a4b 0000 mov r11, 0x0(r10) +4668: 2a53 incd r10 +466a: 3853 add #-0x1, r8 +466c: fb23 jnz #0x4664 +466e: 0c5c add r12, r12 +4670: 0c59 add r9, r12 +4672: 1df3 and #0x1, r13 +4674: 0224 jz #0x467a +4676: cc4e 0000 mov.b r14, 0x0(r12) +467a: 3841 pop r8 +467c: 3941 pop r9 +467e: 3a41 pop r10 +4680: 3b41 pop r11 +4682: 3041 ret +4684 <_unexpected_> +4684: 0013 reti pc +4686 .strings: +4686: "Welcome to the secure program loader." +46ac: "Please enter debug payload." 
+46c8: "Load address outside allowed range of 0x8000-0xF000" +46fc: "Invalid payload length" +4713: "Invalid signature type" +472a: "Incorrect signature, continuing" +474a: "Signature valid, executing payload" + +Prereqs: "Cold Lake" +Name: "Churchill" +Text: + Lockitall LOCKIT 2 r A.01 + ______________________________________________________________________ + + User Manual: Lockitall LockIT 2, rev a.01 + ______________________________________________________________________ + + + OVERVIEW + + - Lockitall is under new management. + - All vulnerabilities in our old locks are now resolved. + + DETAILS + + The LockIT 2 A.03 is the second of a new series of locks. It is + controlled by a MSP430 microcontroller. The MSP430 is a very low- + power device, chosen because we found several crates of old stock. + + This lock only accepts biometric and NFC inputs, and does not have + a traditional password prompt. + + To support rapid development cycles this lock accepts a program + from the old password input prompt. Only programs signed by us are + allowed. + + 800000063041c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32a + df31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed16 + 05f2070e + + This is Hardware Version Beta. + + This is Software Revision 03. + + + +(c) 2021 LOCKITALL Page 1/1 + + "X": 122, + "Y": 212, + "Rating": 30, + "Patch": "" +}, diff --git a/22-Churchill/churchill.c b/22-Churchill/churchill.c new file mode 100644 index 0000000..dbc8d4e --- /dev/null +++ b/22-Churchill/churchill.c 
@@ -0,0 +1,53 @@
+
+// uC includes
+#include "../io.c"
+#include "../lib.c"
+
+int main () {
+ char signature_buffer[64]; // >=> sp
+ char *static_buffer = mem_get (0x2420); // >=> 0x2420
+
+ puts ("Welcome to the secure program loader.");
+
+ while (1) {
+ unsigned short loadaddr; // >=> r11
+ unsigned char signature_type; // >=> r9
+ unsigned char payload_length; // >=> r10
+ puts ("Please enter debug payload.");
+
+ memset (static_buffer, 0, 0x400);
+ getsn (static_buffer, 0x3ff);
+
+ loadaddr = (static_buffer[0] << 8) + (static_buffer[1]);
+ signature_type = static_buffer[2];
+ payload_length = static_buffer[3];
+ if (0x8000 > loadaddr || loadaddr >= 0xf001) {
+ puts ("Load address outside allowed range of 0x8000-0xF000");
+ continue;
+ }
+ if (payload_length - 6 > 0x3bb) {
+ puts ("Invalid payload length");
+ continue;
+ }
+ char *payload_signature = static_buffer + payload_length;
+ int result;
+ memcpy (signature_buffer, payload_signature, 0x40);
+ if (signature_type == 0x1) {
+ sha512 (static_buffer, payload_length, signature_buffer);
+ result = memcmp (signature_buffer, payload_signature, 0x40);
+ }
+ if (signature_type != 0x0) {
+ puts ("Invalid signature type");
+ continue;
+ } else {
+ result = verify_ed25519 (mem_get (0x2400), static_buffer, payload_length, signature_buffer);
+ }
+ if (result != 0x1) {
+ puts ("Incorrect signature, continuing");
+ continue;
+ }
+ puts ("Signature valid, executing payload");
+ memcpy (mem_get (loadaddr), static_buffer + 0x4, payload_length);
+ puts ((char *) mem_get (loadaddr));
+ }
+}
diff --git a/22-Churchill/gen_payload_hash.py b/22-Churchill/gen_payload_hash.py
new file mode 100644
index 0000000..e4851bc
--- /dev/null
+++ b/22-Churchill/gen_payload_hash.py
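Review bot: The type-1 (sha512) path never reaches the result check: after `if (signature_type == 0x1) { ... }` the next statement `if (signature_type != 0x0)` is also true for type 1, so every hashed payload prints "Invalid signature type", whereas the disassembly at 44bc–44d8 jumps from the memcmp straight to the compare at 44fa; chain the branches instead, `} else if (signature_type != 0x0) {`. `loadaddr = (static_buffer[0] << 8) + (static_buffer[1]);` also diverges from the `mov.b`/`swpb`/`bis` sequence at 446c: with a signed `char`, any first byte of 0x80 or above (i.e. every address the range check accepts) is sign-extended and left-shifting a negative value is undefined, so write `loadaddr = ((unsigned char) static_buffer[0] << 8) | (unsigned char) static_buffer[1];`. The length check `payload_length - 6 > 0x3bb` promotes to `int`, so lengths 0–5 pass here but are rejected by the 16-bit wrap of `add #0xfffa`/`cmp #0x3bb` at 4496; `(unsigned short) (payload_length - 6) > 0x3bb` reproduces that. The `sha512 (static_buffer, payload_length, signature_buffer)` call passes (buf, length, out), which matches the register order in the disassembly but not the `(buf, out_buf, size)` stub declared in common/lib.c, so one of the two needs to change.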
@@ -0,0 +1,8 @@
+#!/usr/bin/env python3
+
+import hashlib
+
+payload = bytes.fromhex("8000 01 0c 3240 00ff b012 1000")
+
+print(f"{payload.hex()}{hashlib.sha512(payload).hexdigest()}")
+print("800000063041c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32adf31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed1605f2070e")
diff --git a/22-Churchill/notes.md b/22-Churchill/notes.md
new file mode 100644
index 0000000..f778dbb
--- /dev/null
+++ b/22-Churchill/notes.md
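Review bot: The second `print` emits a hard-coded hex literal with nothing saying what it is, so a reader cannot tell whether it is expected output to compare against the first line or an unrelated reference. It is the type-00 sample payload quoted in the manual text of churchill.asm (and under "Sample input" in notes.md), not the sha512 of `payload`, so either label it, e.g. `# reference: the type-00 (ed25519) sample payload from the lock's user manual`, or drop it. The f-string could also be the plainer `print(payload.hex() + hashlib.sha512(payload).hexdigest())`.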
@@ -0,0 +1,41 @@
+
+
+Churchill seems to not verify after 0xff bytes?
+
+
+## Sample input
+
+```hex
+8000 00 06 3041 c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32adf31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed1605f2070e
+```
+
+
+
+## Layout:
+Loadaddr | Signature Type | length | payload | Signature
+---------|----------------|--------|----------|----------
+8000 | 00 (ed25519) | 06 | 3041 ret | c26436...
+8000 | 01 (sha512) | 12 | 324000ffb0121000 | f009805ec519029923b72a6e63589a081295759bbf7e12090be7b784f622a24e135d2603b861cc0398b366b1a5d8a89836544a164c39f4e68361413ab6f049a5
+
+```c
+324000ff mov #ff00, sr
+b0121000 call #0010
+```
+
+## Payload
+8000 01 0c 3240 00ff b012 1000
+
+Hash:
+80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec
+
+complete payload:
+8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec
+
+# THE TWIST
+The program explicitly checks for `0x1` when evaluating the results of a hash
+For perfectly identical strings, this DOESN'T WORK, because, memcmp returns `0`.
+
+Solution: subtract 1 from the last byte of payload_signature. It'll be off by one, and when the program evaluates it, it'll end up with 0x0001 in r15
+
+# Final Answer:
+8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40eb
diff --git a/common/io.c b/common/io.c
new file mode 100644
index 0000000..addd8eb
--- /dev/null
+++ b/common/io.c
@@ -0,0 +1,39 @@
+#ifndef __uC_IO_C__
+#define __uC_IO_C__
+
+#include
+#include
+#include "mem.h"
+// 512 600 0011
+void INT (int arg, ...);
+
+char hascii(int i) {
+ if (i > '9')
+ i += 9;
+ return i & 0x0f;
+}
+
+// gets (getsn)
+void getsn (char* buf, size_t size) {
+ char *temp = malloc(size*2);
+ fgets(temp, size*2, stdin);
+ for (int i = 0; i < size * 2; i+=2) {
+ buf[i/2] = ((hascii(temp[i]))<<4)|(hascii(temp[i+1]));
+ printf("%02x", buf[i/2] & 0xff);
+ }
+ printf("\n");
+ free(temp);
+}
+
+// putchar
+// int putchar (int c);
+
+// puts
+// int puts(const char *);
+
+// printf
+//int printf (const char * restrict format_str, ...);
+
+
+
+#endif // __uC_IO_C__
diff --git a/common/lib.c b/common/lib.c
new file mode 100644
index 0000000..e7a0ac1
--- /dev/null
+++ b/common/lib.c
@@ -0,0 +1,17 @@
+#ifndef __uC_LIB_C__
+#define __uC_LIB_C__
+
+#include
+#include "mem.h"
+
+int verify_ed25519 (char * ed25519_pubkey, void * buf, int size, char * signature) {return 1;};
+
+
+//void *memcpy(void *__restrict__ __dest, const void *__restrict__ __src, size_t __n);
+//int memcmp(const void *__s1, const void *__s2, size_t __n);
+
+void sha1(void *buf, char * out_buf, size_t size) {}
+void sha256 (void *buf, char * out_buf, size_t size) {}
+void sha512 (void *buf, char * out_buf, size_t size) {}
+
+#endif // __uC_LIB_C__
diff --git a/common/mem.h b/common/mem.h
new file mode 100644
index 0000000..8899e35
--- /dev/null
+++ b/common/mem.h
@@ -0,0 +1,24 @@
+#ifndef __uC_MEM_H__
+#define __uC_MEM_H__
+
+#include
+
+void * mem;
+const int mem_size = 65536;
+
+void mem_create() __attribute__ ((constructor));
+void mem_destroy() __attribute__ ((destructor));
+
+void mem_create() {
+ mem = malloc(mem_size);
+}
+
+void mem_destroy() {
+ free(mem);
+}
+
+void * mem_get(short addr) {
+ return mem+(addr%mem_size);
+}
+
+#endif // __uC_MEM_H__
diff --git a/readme.md b/readme.md
index 599368a..98a712a 100644
--- a/readme.md
+++ b/readme.md
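Review bot: `getsn` decodes `size * 2` characters of `temp` regardless of how many `fgets` actually stored: `fgets(temp, size*2, stdin)` writes at most `size*2 - 1` bytes plus a terminator and its return value is unchecked, so for any shorter line the loop reads the uninitialised tail of the `malloc`'d buffer (the `'\n'` itself decodes as 0xa through `hascii`) and writes garbage into `buf`. The `malloc` result is also unchecked, and `i < size * 2` compares `int` with `size_t`. Stopping at the end of the typed line and allocating zeroed memory is enough; the trailing `printf("\n")` and `free` stay as they are.
```c
void getsn (char* buf, size_t size) {
    char *temp = calloc(size*2 + 1, 1);  // zeroed, so bytes past the input decode as 0x00
    if (temp == NULL || fgets(temp, size*2 + 1, stdin) == NULL) { free(temp); return; }
    for (size_t i = 0; i + 1 < size * 2; i+=2) {
        if (temp[i] == '\0' || temp[i] == '\n') break;  // end of the typed line
        buf[i/2] = ((hascii(temp[i]))<<4)|(hascii(temp[i+1]));
        printf("%02x", buf[i/2] & 0xff);
    }
    // … unchanged: printf("\n") and free(temp) …
}
```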
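Review bot: `void sha512 (void *buf, char * out_buf, size_t size)` takes (buf, out, size), but churchill.c calls it as `sha512 (static_buffer, payload_length, signature_buffer)` and the firmware loads r15=buffer, r14=length, r13=output at 44c0–44c8, so the stub's parameter order should be `void sha512 (void *buf, size_t size, char * out_buf) {}` (and the same for `sha1`/`sha256` if they are meant to mirror the firmware). `verify_ed25519` returning a constant 1 and the empty hash bodies mean the host build accepts every signature and never writes `signature_buffer`; a comment such as `// stub: no verification is performed, always reports success` on each would keep that from being mistaken for a working check. The `;` after `{return 1;}` is a stray empty declaration at file scope.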
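Review bot: `mem_get(short addr)` turns every address at or above 0x8000 negative, so `addr%mem_size` is negative and `mem+(addr%mem_size)` points before the allocation; churchill.c's `memcpy (mem_get (loadaddr), ...)` with a load address in the accepted 0x8000-0xF000 range therefore writes outside `mem`. Take an unsigned argument and do the arithmetic on a byte pointer (arithmetic on `void *` is a GNU extension): `void * mem_get(unsigned short addr) {` / `return (unsigned char *) mem + (addr % mem_size);`. `mem_create` also does not check `malloc`, and a header that defines `mem`, `mem_size` and the functions will produce duplicate symbols if it is ever included from a second translation unit — it works here only because io.c and lib.c are `#include`d into churchill.c.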
@@ -38,5 +38,5 @@ Hopefully in the coming weeks I'll learn enough about malloc and free to get som ### 2022 Dec 4 PM - 2022 Dec 11 PM: Cold Lake -### 2022 Dec 11 PM - Ongoing: +### 2022 Dec 11 PM Churchill