22: Churchill complete!
parent
c9a1ab201b
commit
eef5e32c5d
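--- a/.clang-format
+++ b/.clang-format
@@ -0,0 +1,100 @@
+# +-------------+---------+-----------------------+
+# | Created 2022-04-23 |
+# +-----------------------------------------------+
+
+# Default to Google style
+BasedOnStyle: Google
+
+# Don't derive from file
+DeriveLineEnding: false
+DerivePointerAlignment: false
+
+# Google limits lines to 80 columns. Don't do that.
+ColumnLimit: 0
+
+# Here there be controversy
+IndentWidth: 4
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+
+# Alignment checks
+AlignConsecutiveAssignments: true
+AlignTrailingComments: true
+
+# Sort include blocks, and regroup based on include category
+SortIncludes: CaseInsensitive
+IncludeBlocks: Regroup
+
+# Allow short blocks on single line
+AllowShortBlocksOnASingleLine: Always
+AllowShortEnumsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: AllIfsAndElse
+AllowShortLambdasOnASingleLine: Inline
+AllowShortLoopsOnASingleLine: true
+# Except case statements
+AllowShortCaseLabelsOnASingleLine: false
+
+# Line wrapping should not happen, but just in case, keep the args together
+BinPackArguments: true
+BinPackParameters: true
+PackConstructorInitializers: CurrentLine
+
+# When bitfield-packing a struct, spaces go after the colon, not before
+BitFieldColonSpacing: After
+
+# By default, braces are obnoxiously wrapped to newlines
+BreakBeforeBraces: Custom
+# Disable that
+BraceWrapping:
+AfterEnum: false
+AfterFunction: false
+AfterNamespace: false
+AfterStruct: false
+AfterUnion: false
+AfterExternBlock: false
+AfterControlStatement: false
+
+BeforeCatch: false
+BeforeElse: false
+BeforeLambdaBody: false
+BeforeWhile: false
+
+IndentBraces: false
+
+SplitEmptyFunction: false
+
+# Don't break before ?:, it looks ugly
+BreakBeforeTernaryOperators: false
+
+# Trim empty lines when there are more than 1
+MaxEmptyLinesToKeep: 1
+
+# Align &*s toward the variable name (i.e. int &number; char *cstring)
+ReferenceAlignment: Pointer
+PointerAlignment: Right
+
+# Put spaces after (int) c_style_casts and template <T>, but !after '!' operator
+SpaceAfterCStyleCast: true
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+
+# Put spaces before \.?\= operators, initializer {lists}, inline (parentheses), // comments.
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: true
+SpaceBeforeParens: Always
+SpacesBeforeTrailingComments: 1
+SpacesInLineCommentPrefix:
+Minimum: 1
+# Don't put spaces in case : statements, object : inheritance,
+# for (auto& loops : range), conditional ( statements ), ( parentheses ), [ brackets ]
+SpaceBeforeCaseColon: false
+SpaceBeforeInheritanceColon: false
+SpaceBeforeRangeBasedForLoopColon: false
+SpacesInConditionalStatement: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+
+# Always use LF for line breaks, and NEVER use tabs for indentation
+UseCRLF: false
+UseTab: Never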
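--- a/22-Churchill/churchill.asm
+++ b/22-Churchill/churchill.asm
@@ -0,0 +1,435 @@
+Instructions:
+Size | Addr | CT | Data | Checksum?
+-- -:|------|----|----------------------------------|----------
+10 | 4400 | 00 | 55425C0135D0085A8245202831400044 | 8D
+10 | 4410 | 00 | 3F4020000F930824924220285C012F83 | 04
+10 | 4420 | 00 | 9F4F6E470024F8233F4000040F930724 | 5A
+10 | 4430 | 00 | 924220285C011F83CF432024F9233150 | 6E
+10 | 4440 | 00 | C0FF3F408646B012CA453F40AC46B012 | 5E
+10 | 4450 | 00 | CA453D4000040E433F402024B0121A46 | 96
+10 | 4460 | 00 | 3E40FF033F402024B012AC455B422024 | 75
+10 | 4470 | 00 | 8B105F4221240BDF594222245A422324 | 0D
+10 | 4480 | 00 | 0B9303343B9001F005283F40C846B012 | 1F
+10 | 4490 | 00 | CA45DB3F0F4A3F50FAFF3F90BB030528 | 58
+10 | 44A0 | 00 | 3F40FC46B012CA45D03F084A38502024 | 4D
+10 | 44B0 | 00 | 3D4040000E480F41B012E84519930D20 | D1
+10 | 44C0 | 00 | 0D410E4A3F402024B01266453D404000 | 59
+10 | 44D0 | 00 | 0E480F41B012FA45103C099309200C41 | D7
+10 | 44E0 | 00 | 0D4A3E4020243F400024B0127845053C | 50
+10 | 44F0 | 00 | 3F401347B012CA45A83F1F9305243F40 | D1
+10 | 4500 | 00 | 2A47B012CA45A13F3F404A47B012CA45 | A8
+10 | 4510 | 00 | 0D4A3E4024240F4BB012E8458B12953F | C4
+10 | 4520 | 00 | 32D0F000FD3F304084461F4102000212 | AD
+10 | 4530 | 00 | 4F4F8F103FD00080024FB01210003241 | 19
+10 | 4540 | 00 | 30410D120E120F1230123000B0122A45 | F7
+10 | 4550 | 00 | 315230410D120E120F1230123100B012 | D2
+10 | 4560 | 00 | 2A45315230410D120E120F1230123200 | 14
+10 | 4570 | 00 | B0122A45315230410B12041204412452 | 28
+10 | 4580 | 00 | 21838443FAFF3B40FAFF0B540B120C12 | B9
+10 | 4590 | 00 | 0D120E120F1230123300B0122A451F44 | B2
+10 | 45A0 | 00 | FAFF31500E0034413B4130410E120F12 | E0
+10 | 45B0 | 00 | 2312B0122A453150060030418F110F12 | DC
+10 | 45C0 | 00 | 0312B0122A45215230410B120B4F033C | 0B
+10 | 45D0 | 00 | 1B53B012BC456F4B4F93FA237F400A00 | 28
+10 | 45E0 | 00 | B012BC453B4130410C4F043CFC4E0000 | 36
+10 | 45F0 | 00 | 1C533D530D93FA2330410B120D930A24 | A3
+10 | 4600 | 00 | 7B4F7C4E4B9C04244F4B4E4C0F8E033C | F7
+10 | 4610 | 00 | 3D53F43F0F433B4130410B120A120912 | 44
+10 | 4620 | 00 | 08123D900600092C0C4F043CCC4E0000 | B3
+10 | 4630 | 00 | 1C533D530D93FA23203C4E4E4B4E0B93 | 8F
+10 | 4640 | 00 | 03240C4B8C100BDC1FB306243D53CF4E | C0
+10 | 4650 | 00 | 0000094F1953013C094F0C4D12C30C10 | B7
+10 | 4660 | 00 | 0A49084C8A4B00002A533853FB230C5C | 40
+10 | 4670 | 00 | 0C591DF30224CC4E0000384139413A41 | 17
+06 | 4680 | 00 | 3B4130410013 | 34
+
+Strings:
+Size | Addr | CT | Data | Checksum?
+-- -:|------|----|----------------------------------|----------
+10 | 4686 | 00 | 57656C636F6D6520746F207468652073 | 61
+10 | 4696 | 00 | 65637572652070726F6772616D206C6F | ED
+10 | 46A6 | 00 | 616465722E00506C6561736520656E74 | 79
+10 | 46B6 | 00 | 6572206465627567207061796C6F6164 | EC
+10 | 46C6 | 00 | 2E004C6F61642061646472657373206F | A1
+10 | 46D6 | 00 | 75747369646520616C6C6F7765642072 | AC
+10 | 46E6 | 00 | 616E6765206F66203078383030302D30 | 47
+10 | 46F6 | 00 | 784630303000496E76616C6964207061 | AE
+10 | 4706 | 00 | 796C6F6164206C656E67746800496E76 | BB
+10 | 4716 | 00 | 616C6964207369676E61747572652074 | 73
+10 | 4726 | 00 | 79706500496E636F7272656374207369 | 90
+10 | 4736 | 00 | 676E61747572652C20636F6E74696E75 | 31
+10 | 4746 | 00 | 696E67005369676E6174757265207661 | 7C
+10 | 4756 | 00 | 6C69642C20657865637574696E672070 | 72
+08 | 4766 | 00 | 61796C6F61640000 | D1
+
+10 | 476E | 00 | A09AE3E830085A0169641E1E22118B45 | 97
+10 | 477E | 00 | 7F9A95E7A133643CB578FB0C25940C4F | DA
+10 | FF80 | 00 | 26452645264526452645264526452645 | 19
+10 | FF90 | 00 | 26452645264526452645264526450044 | 30
+04 | 0000 | 03 | 00004400 | B5
+00 | 0000 | 01 | | FF
+
+
+Obj:
+0010 <__trap_interrupt>
+0010: 3041 ret
+4400 <__watchdog_support>
+4400: 5542 5c01 mov.b &0x015c, r5
+4404: 35d0 085a bis #0x5a08, r5
+4408: 8245 2028 mov r5, &0x2820
+440c <__init_stack>
+440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
+4410 <__do_copy_data>
+4410: 3f40 2000 mov #0x20, r15
+4414: 0f93 tst r15
+4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
+4418: 9242 2028 5c01 mov &0x2820, &0x015c
+441e: 2f83 decd r15
+4420: 9f4f 6e47 0024 mov 0x476e(r15), 0x2400(r15)
+4426: f823 jnz #0x4418 <__do_copy_data+0x8>
+4428 <__do_clear_bss>
+4428: 3f40 0004 mov #0x400, r15
+442c: 0f93 tst r15
+442e: 0724 jz #0x443e <main+0x0>
+4430: 9242 2028 5c01 mov &0x2820, &0x015c
+4436: 1f83 dec r15
+4438: cf43 2024 mov.b #0x0, 0x2420(r15)
+443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
+
+443e <main>
+; char signature_buffer[64];
+443e: 3150 c0ff add #0xffc0, sp
+
+; puts ("Welcome to the secure program loader.");
+4442: 3f40 8646 mov #0x4686 "Welcome to the secure program loader.", r15
+4446: b012 ca45 call #0x45ca <puts>
+; puts ("Please enter debug payload.");
+444a: 3f40 ac46 mov #0x46ac "Please enter debug payload.", r15
+444e: b012 ca45 call #0x45ca <puts>
+
+; char * static_buffer = (char *) 0x2420;
+; memset (0x2420, 0, 0x400);
+4452: 3d40 0004 mov #0x400, r13
+4456: 0e43 clr r14
+4458: 3f40 2024 mov #0x2420, r15
+445c: b012 1a46 call #0x461a <memset>
+
+; getsn (0x2420 /* static_buffer */, 0x3ff);
+4460: 3e40 ff03 mov #0x3ff, r14
+4464: 3f40 2024 mov #0x2420, r15
+4468: b012 ac45 call #0x45ac <getsn>
+
+; short loadaddr? = static_buffer[0]<<8+static_buffer[1];
+446c: 5b42 2024 mov.b &0x2420, r11
+4470: 8b10 swpb r11
+4472: 5f42 2124 mov.b &0x2421, r15
+4476: 0bdf bis r15, r11
+; char signature_type = static_buffer[2];
+4478: 5942 2224 mov.b &0x2422, r9
+; char payload_length = static_buffer[3];
+447c: 5a42 2324 mov.b &0x2423, r10
+
+; if (0x8000 <= loadaddr && loadaddr < 0xf001) {/* goto load_range_succeed */}
+4480: 0b93 tst r11
+4482: 0334 jge #0x448a <main+0x4c> <load_range_fail>
+4484: 3b90 01f0 cmp #0xf001, r11
+4488: 0528 jnc #0x4494 <main+0x56> <load_range_succeed>
+; else
+load_range_fail:
+; puts ("Load address outside allowed range of 0x8000-0xF000");
+448a: 3f40 c846 mov #0x46c8 "Load address outside allowed range of 0x8000-0xF000", r15
+448e: b012 ca45 call #0x45ca <puts>
+; continue;
+4492: db3f jmp #0x444a <main+0xc>
+
+load_range_succeed:
+; if (payload_length - 6 > 0x3bb)
+4494: 0f4a mov r10, r15
+4496: 3f50 faff add #0xfffa, r15
+449a: 3f90 bb03 cmp #0x3bb, r15
+449e: 0528 jnc #0x44aa <main+0x6c>
+; puts ("Invalid payload length");
+44a0: 3f40 fc46 mov #0x46fc "Invalid payload length", r15
+44a4: b012 ca45 call #0x45ca <puts>
+; continue;
+44a8: d03f jmp #0x444a <main+0xc>
+
+; char * payload_signature = static_buffer+payload_length
+44aa: 084a mov r10, r8
+44ac: 3850 2024 add #0x2420, r8
+; memcpy (signature_buffer, payload_signature, 0x40)
+44b0: 3d40 4000 mov #0x40, r13
+44b4: 0e48 mov r8, r14
+44b6: 0f41 mov sp, r15
+44b8: b012 e845 call #0x45e8 <memcpy>
+; if (signature_type == 0x1)
+44bc: 1993 cmp #0x1, r9
+44be: 0d20 jne #0x44da <main+0x9c>
+; sha512 (static_buffer, payload_length, signature_buffer);
+44c0: 0d41 mov sp, r13
+44c2: 0e4a mov r10, r14
+44c4: 3f40 2024 mov #0x2420, r15
+44c8: b012 6645 call #0x4566 <sha512>
+; memcmp (signature_buffer, payload_signature, 0x40)
+44cc: 3d40 4000 mov #0x40, r13
+44d0: 0e48 mov r8, r14
+44d2: 0f41 mov sp, r15
+44d4: b012 fa45 call #0x45fa <memcmp>
+44d8: 103c jmp #0x44fa <main+0xbc>
+; if (signature_type != 0)
+44da: 0993 tst r9
+44dc: 0920 jnz #0x44f0 <main+0xb2> <signature_type_invalid>
+; verify_ed25519 (0x2400, static_buffer, )
+44de: 0c41 mov sp, r12
+44e0: 0d4a mov r10, r13
+44e2: 3e40 2024 mov #0x2420, r14
+44e6: 3f40 0024 mov #0x2400, r15
+44ea: b012 7845 call #0x4578 <verify_ed25519>
+44ee: 053c jmp #0x44fa <main+0xbc> <uncond_jump_target_44fa>
+signature_type_invalid:
+; puts ("Invalid signature type");
+44f0: 3f40 1347 mov #0x4713 "Invalid signature type", r15
+44f4: b012 ca45 call #0x45ca <puts>
+44f8: a83f jmp #0x444a <main+0xc>
+uncond_jump_target_44fa:
+; if (r15 != 0x1)
+44fa: 1f93 cmp #0x1, r15
+44fc: 0524 jeq #0x4508 <main+0xca> ; else_4508
+; puts ("Incorrect signature, continuing");
+44fe: 3f40 2a47 mov #0x472a "Incorrect signature, continuing", r15
+4502: b012 ca45 call #0x45ca <puts>
+; continue;
+4506: a13f jmp #0x444a <main+0xc>
+
+else_4508:
+; puts ("Signature valid, executing payload");
+4508: 3f40 4a47 mov #0x474a "Signature valid, executing payload", r15
+450c: b012 ca45 call #0x45ca <puts>
+; memcpy ()
+4510: 0d4a mov r10, r13
+4512: 3e40 2424 mov #0x2424, r14
+4516: 0f4b mov r11, r15
+4518: b012 e845 call #0x45e8 <memcpy>
+; payload();
+451c: 8b12 call r11
+; continue;
+451e: 953f jmp #0x444a <main+0xc>
+
+4520 <__stop_progExec__>
+4520: 32d0 f000 bis #0xf0, sr
+4524: fd3f jmp #0x4520 <__stop_progExec__+0x0>
+4526 <__ctors_end>
+4526: 3040 8446 br #0x4684 <_unexpected_>
+452a <INT>
+452a: 1f41 0200 mov 0x2(sp), r15
+452e: 0212 push sr
+4530: 4f4f mov.b r15, r15
+4532: 8f10 swpb r15
+4534: 3fd0 0080 bis #0x8000, r15
+4538: 024f mov r15, sr
+453a: b012 1000 call #0x10
+453e: 3241 pop sr
+4540: 3041 ret
+4542 <sha1>
+4542: 0d12 push r13
+4544: 0e12 push r14
+4546: 0f12 push r15
+4548: 3012 3000 push #0x30
+454c: b012 2a45 call #0x452a <INT>
+4550: 3152 add #0x8, sp
+4552: 3041 ret
+4554 <sha256>
+4554: 0d12 push r13
+4556: 0e12 push r14
+4558: 0f12 push r15
+455a: 3012 3100 push #0x31
+455e: b012 2a45 call #0x452a <INT>
+4562: 3152 add #0x8, sp
+4564: 3041 ret
+4566 <sha512>
+4566: 0d12 push r13
+4568: 0e12 push r14
+456a: 0f12 push r15
+456c: 3012 3200 push #0x32
+4570: b012 2a45 call #0x452a <INT>
+4574: 3152 add #0x8, sp
+4576: 3041 ret
+4578 <verify_ed25519>
+4578: 0b12 push r11
+457a: 0412 push r4
+457c: 0441 mov sp, r4
+457e: 2452 add #0x4, r4
+4580: 2183 decd sp
+4582: 8443 faff clr -0x6(r4)
+4586: 3b40 faff mov #0xfffa, r11
+458a: 0b54 add r4, r11
+458c: 0b12 push r11
+458e: 0c12 push r12
+4590: 0d12 push r13
+4592: 0e12 push r14
+4594: 0f12 push r15
+4596: 3012 3300 push #0x33
+459a: b012 2a45 call #0x452a <INT>
+459e: 1f44 faff mov -0x6(r4), r15
+45a2: 3150 0e00 add #0xe, sp
+45a6: 3441 pop r4
+45a8: 3b41 pop r11
+45aa: 3041 ret
+45ac <getsn>
+45ac: 0e12 push r14
+45ae: 0f12 push r15
+45b0: 2312 push #0x2
+45b2: b012 2a45 call #0x452a <INT>
+45b6: 3150 0600 add #0x6, sp
+45ba: 3041 ret
+45bc <putchar>
+45bc: 8f11 sxt r15
+45be: 0f12 push r15
+45c0: 0312 push #0x0
+45c2: b012 2a45 call #0x452a <INT>
+45c6: 2152 add #0x4, sp
+45c8: 3041 ret
+45ca <puts>
+45ca: 0b12 push r11
+45cc: 0b4f mov r15, r11
+45ce: 033c jmp #0x45d6 <puts+0xc>
+45d0: 1b53 inc r11
+45d2: b012 bc45 call #0x45bc <putchar>
+45d6: 6f4b mov.b @r11, r15
+45d8: 4f93 tst.b r15
+45da: fa23 jnz #0x45d0 <puts+0x6>
+45dc: 7f40 0a00 mov.b #0xa, r15
+45e0: b012 bc45 call #0x45bc <putchar>
+45e4: 3b41 pop r11
+45e6: 3041 ret
+45e8 <memcpy>
+45e8: 0c4f mov r15, r12
+45ea: 043c jmp #0x45f4 <memcpy+0xc>
+45ec: fc4e 0000 mov.b @r14+, 0x0(r12)
+45f0: 1c53 inc r12
+45f2: 3d53 add #-0x1, r13
+45f4: 0d93 tst r13
+45f6: fa23 jnz #0x45ec <memcpy+0x4>
+45f8: 3041 ret
+45fa <memcmp>
+45fa: 0b12 push r11
+45fc: 0d93 tst r13
+45fe: 0a24 jz #0x4614 <memcmp+0x1a>
+4600: 7b4f mov.b @r15+, r11
+4602: 7c4e mov.b @r14+, r12
+4604: 4b9c cmp.b r12, r11
+4606: 0424 jeq #0x4610 <memcmp+0x16>
+4608: 4f4b mov.b r11, r15
+460a: 4e4c mov.b r12, r14
+460c: 0f8e sub r14, r15
+460e: 033c jmp #0x4616 <memcmp+0x1c>
+4610: 3d53 add #-0x1, r13
+4612: f43f jmp #0x45fc <memcmp+0x2>
+4614: 0f43 clr r15
+4616: 3b41 pop r11
+4618: 3041 ret
+461a <memset>
+461a: 0b12 push r11
+461c: 0a12 push r10
+461e: 0912 push r9
+4620: 0812 push r8
+4622: 3d90 0600 cmp #0x6, r13
+4626: 092c jc #0x463a <memset+0x20>
+4628: 0c4f mov r15, r12
+462a: 043c jmp #0x4634 <memset+0x1a>
+462c: cc4e 0000 mov.b r14, 0x0(r12)
+4630: 1c53 inc r12
+4632: 3d53 add #-0x1, r13
+4634: 0d93 tst r13
+4636: fa23 jnz #0x462c <memset+0x12>
+4638: 203c jmp #0x467a <memset+0x60>
+463a: 4e4e mov.b r14, r14
+463c: 4b4e mov.b r14, r11
+463e: 0b93 tst r11
+4640: 0324 jz #0x4648 <memset+0x2e>
+4642: 0c4b mov r11, r12
+4644: 8c10 swpb r12
+4646: 0bdc bis r12, r11
+4648: 1fb3 bit #0x1, r15
+464a: 0624 jz #0x4658 <memset+0x3e>
+464c: 3d53 add #-0x1, r13
+464e: cf4e 0000 mov.b r14, 0x0(r15)
+4652: 094f mov r15, r9
+4654: 1953 inc r9
+4656: 013c jmp #0x465a <memset+0x40>
+4658: 094f mov r15, r9
+465a: 0c4d mov r13, r12
+465c: 12c3 clrc
+465e: 0c10 rrc r12
+4660: 0a49 mov r9, r10
+4662: 084c mov r12, r8
+4664: 8a4b 0000 mov r11, 0x0(r10)
+4668: 2a53 incd r10
+466a: 3853 add #-0x1, r8
+466c: fb23 jnz #0x4664 <memset+0x4a>
+466e: 0c5c add r12, r12
+4670: 0c59 add r9, r12
+4672: 1df3 and #0x1, r13
+4674: 0224 jz #0x467a <memset+0x60>
+4676: cc4e 0000 mov.b r14, 0x0(r12)
+467a: 3841 pop r8
+467c: 3941 pop r9
+467e: 3a41 pop r10
+4680: 3b41 pop r11
+4682: 3041 ret
+4684 <_unexpected_>
+4684: 0013 reti pc
+4686 .strings:
+4686: "Welcome to the secure program loader."
+46ac: "Please enter debug payload."
+46c8: "Load address outside allowed range of 0x8000-0xF000"
+46fc: "Invalid payload length"
+4713: "Invalid signature type"
+472a: "Incorrect signature, continuing"
+474a: "Signature valid, executing payload"
+
+Prereqs: "Cold Lake"
+Name: "Churchill"
+Text:
+Lockitall LOCKIT 2 r A.01
+______________________________________________________________________
+
+User Manual: Lockitall LockIT 2, rev a.01
+______________________________________________________________________
+
+
+OVERVIEW
+
+- Lockitall is under new management.
+- All vulnerabilities in our old locks are now resolved.
+
+DETAILS
+
+The LockIT 2 A.03 is the second of a new series of locks. It is
+controlled by a MSP430 microcontroller. The MSP430 is a very low-
+power device, chosen because we found several crates of old stock.
+
+This lock only accepts biometric and NFC inputs, and does not have
+a traditional password prompt.
+
+To support rapid development cycles this lock accepts a program
+from the old password input prompt. Only programs signed by us are
+allowed.
+
+800000063041c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32a
+df31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed16
+05f2070e
+
+This is Hardware Version Beta.
+
+This is Software Revision 03.
+
+
+
+(c) 2021 LOCKITALL Page 1/1
+
+"X": 122,
+"Y": 212,
+"Rating": 30,
+"Patch": ""
+},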
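Review bot: Two annotations in `main` are left unfinished: `; verify_ed25519 (0x2400, static_buffer, )` at 44de and `; memcpy ()` at 4510. Going by the register setup directly below each of them, they would read `; verify_ed25519 (0x2400, static_buffer, payload_length, signature_buffer)` and `; memcpy (loadaddr, static_buffer + 4, payload_length)`. The `; if (payload_length - 6 > 0x3bb)` comment at 4494 would also sit closer to the `cmp` / `jnc` pair if written as an unsigned 16-bit `>= 0x3bb`, since that is what rejects lengths below 6.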
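--- a/22-Churchill/churchill.c
+++ b/22-Churchill/churchill.c
@@ -0,0 +1,53 @@
+
+// uC includes
+#include "../io.c"
+#include "../lib.c"
+
+int main () {
+char signature_buffer[64]; // >=> sp
+char *static_buffer = mem_get (0x2420); // >=> 0x2420
+
+puts ("Welcome to the secure program loader.");
+
+while (1) {
+unsigned short loadaddr; // >=> r11
+unsigned char signature_type; // >=> r9
+unsigned char payload_length; // >=> r10
+puts ("Please enter debug payload.");
+
+memset (static_buffer, 0, 0x400);
+getsn (static_buffer, 0x3ff);
+
+loadaddr = (static_buffer[0] << 8) + (static_buffer[1]);
+signature_type = static_buffer[2];
+payload_length = static_buffer[3];
+if (0x8000 > loadaddr || loadaddr >= 0xf001) {
+puts ("Load address outside allowed range of 0x8000-0xF000");
+continue;
+}
+if (payload_length - 6 > 0x3bb) {
+puts ("Invalid payload length");
+continue;
+}
+char *payload_signature = static_buffer + payload_length;
+int result;
+memcpy (signature_buffer, payload_signature, 0x40);
+if (signature_type == 0x1) {
+sha512 (static_buffer, payload_length, signature_buffer);
+result = memcmp (signature_buffer, payload_signature, 0x40);
+}
+if (signature_type != 0x0) {
+puts ("Invalid signature type");
+continue;
+} else {
+result = verify_ed25519 (mem_get (0x2400), static_buffer, payload_length, signature_buffer);
+}
+if (result != 0x1) {
+puts ("Incorrect signature, continuing");
+continue;
+}
+puts ("Signature valid, executing payload");
+memcpy (mem_get (loadaddr), static_buffer + 0x4, payload_length);
+puts ((char *) mem_get (loadaddr));
+}
+}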
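Review bot: The `if (signature_type != 0x0)` test that follows the SHA-512 branch has no `else`, so a type-1 payload always lands in "Invalid signature type" and the `memcmp` result is never used, which differs from the `jne` / `tst r9` chain annotated in churchill.asm; the line should read `} else if (signature_type != 0x0) {`. The call `sha512 (static_buffer, payload_length, signature_buffer)` also passes the length where common/lib.c declares `char * out_buf`, so one of the two argument orders has to change. `payload_length - 6 > 0x3bb` is evaluated as a signed `int` here, so lengths below 6 pass, whereas the 16-bit compare in the listing rejects them; `(unsigned short) (payload_length - 6) >= 0x3bb` would match it.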
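--- a/22-Churchill/gen_payload_hash.py
+++ b/22-Churchill/gen_payload_hash.py
@@ -0,0 +1,8 @@
+#!/usr/bin/env python3
+
+import hashlib
+
+payload = bytes.fromhex("8000 01 0c 3240 00ff b012 1000")
+
+print(f"{payload.hex()}{hashlib.sha512(payload).hexdigest()}")
+print("800000063041c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32adf31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed1605f2070e")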
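--- a/22-Churchill/notes.md
+++ b/22-Churchill/notes.md
@@ -0,0 +1,41 @@
+
+
+Churchill seems to not verify after 0xff bytes?
+
+
+## Sample input
+
+```hex
+8000 00 06 3041 c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32adf31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed1605f2070e
+```
+
+
+
+## Layout:
+Loadaddr | Signature Type | length | payload | Signature
+---------|----------------|--------|----------|----------
+8000 | 00 (ed25519) | 06 | 3041 ret | c26436...
+8000 | 01 (sha512) | 12 | 324000ffb0121000 | f009805ec519029923b72a6e63589a081295759bbf7e12090be7b784f622a24e135d2603b861cc0398b366b1a5d8a89836544a164c39f4e68361413ab6f049a5
+
+```c
+324000ff mov #ff00, sr
+b0121000 call #0010
+```
+
+## Payload
+8000 01 0c 3240 00ff b012 1000
+
+Hash:
+80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec
+
+complete payload:
+8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec
+
+# THE TWIST
+The program explicitly checks for `0x1` when evaluating the results of a hash
+For perfectly identical strings, this DOESN'T WORK, because, memcmp returns `0`.
+
+Solution: subtract 1 from the last byte of payload_signature. It'll be off by one, and when the program evaluates it, it'll end up with 0x0001 in r15
+
+# Final Answer:
+8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40eb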
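--- a/common/io.c
+++ b/common/io.c
@@ -0,0 +1,39 @@
+#ifndef __uC_IO_C__
+#define __uC_IO_C__
+
+#include <stdio.h>
+#include <string.h>
+#include "mem.h"
+// 512 600 0011
+void INT (int arg, ...);
+
+char hascii(int i) {
+if (i > '9')
+i += 9;
+return i & 0x0f;
+}
+
+// gets (getsn)
+void getsn (char* buf, size_t size) {
+char *temp = malloc(size*2);
+fgets(temp, size*2, stdin);
+for (int i = 0; i < size * 2; i+=2) {
+buf[i/2] = ((hascii(temp[i]))<<4)|(hascii(temp[i+1]));
+printf("%02x", buf[i/2] & 0xff);
+}
+printf("\n");
+free(temp);
+}
+
+// putchar
+// int putchar (int c);
+
+// puts
+// int puts(const char *);
+
+// printf
+//int printf (const char * restrict format_str, ...);
+
+
+
+#endif // __uC_IO_C__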
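Review bot: `getsn` decodes all `size*2` characters of `temp` even when `fgets` stored a shorter line, so everything past the input is read from uninitialised heap memory, and neither the `malloc` nor the `fgets` result is checked. Allocating zeroed memory and returning early on failure keeps the decoded buffer deterministic, and the loop index can become `size_t` to match `size`. The rewritten opening of the function is below; the decode loop body, the echo and the `free` stay as they are.

```c
void getsn (char* buf, size_t size) {
    char *temp = calloc(size, 2); // zero-filled: bytes past a short read decode as 0x00
    if (temp == NULL || fgets(temp, size*2, stdin) == NULL) {
        free(temp);
        return;
    }
    for (size_t i = 0; i < size * 2; i+=2) {
    // … unchanged: hex decode into buf, echo, free(temp) …
```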
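--- a/common/lib.c
+++ b/common/lib.c
@@ -0,0 +1,17 @@
+#ifndef __uC_LIB_C__
+#define __uC_LIB_C__
+
+#include <stdlib.h>
+#include "mem.h"
+
+int verify_ed25519 (char * ed25519_pubkey, void * buf, int size, char * signature) {return 1;};
+
+
+//void *memcpy(void *__restrict__ __dest, const void *__restrict__ __src, size_t __n);
+//int memcmp(const void *__s1, const void *__s2, size_t __n);
+
+void sha1(void *buf, char * out_buf, size_t size) {}
+void sha256 (void *buf, char * out_buf, size_t size) {}
+void sha512 (void *buf, char * out_buf, size_t size) {}
+
+#endif // __uC_LIB_C__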
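Review bot: The `verify_ed25519` stub returns 1 for every input, and churchill.c treats 1 as a valid signature, so the host build accepts any type-0 payload without checking anything. A stand-in for a verifier is safer failing closed: `{return 0;}` with a comment such as `// stub: no Ed25519 on the host build, rejects everything`. The `sha1` / `sha256` / `sha512` stubs leave `out_buf` untouched and would merit the same one-line comment, and the stray `;` after the `verify_ed25519` body can be dropped.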
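--- a/common/mem.h
+++ b/common/mem.h
@@ -0,0 +1,24 @@
+#ifndef __uC_MEM_H__
+#define __uC_MEM_H__
+
+#include <stdlib.h>
+
+void * mem;
+const int mem_size = 65536;
+
+void mem_create() __attribute__ ((constructor));
+void mem_destroy() __attribute__ ((destructor));
+
+void mem_create() {
+mem = malloc(mem_size);
+}
+
+void mem_destroy() {
+free(mem);
+}
+
+void * mem_get(short addr) {
+return mem+(addr%mem_size);
+}
+
+#endif // __uC_MEM_H__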
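Review bot: `mem_get` takes a `short`, so the load addresses that churchill.c accepts (0x8000 to 0xF000) arrive as negative values on the usual two's-complement hosts, `addr%mem_size` stays negative, and the returned pointer lies before the `malloc`ed block; the `memcpy` to `mem_get (loadaddr)` then writes outside the allocation. Taking the address unsigned avoids this: `void * mem_get(unsigned short addr) {` with `return (char *) mem + addr;`, which also removes the arithmetic on `void *`. `mem_create` leaves the `malloc` result unchecked, so a failed allocation would surface only at the first `mem_get` use.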