MicroCorruption/25-Halifax/notes.md


Run # vs. Internal SRAM hash

| Run # | Internal SRAM Hash (sha256) |
|-------|-----------------------------|
| 1 | C19684234B668225647FAF0ADC8103131C0E70489B3A548E9223853005FA1E68 |
| 2 | 2A43E7A0C3508BB96BCFAE927776BFBC9ECAD114C022593E524AB0461AD0338A |
| 3 | C6E4A567CFB88E05C6F04B9AC93E94BC7AEFCA745B60C4934C02430DAB613B16 |

- Hash appears random each time
- Hash is given prior to user input

Approach:

- Hash each individual byte of SRAM, and break the exfiltrated hashes
- sha256(8 bit message) ~ identified by first 20 bits
- smallest we can do on this mcu is 6 nybbles (24 bits)
- Approach works!

```
$ ./halifax.py
> 4AE8158A8DE82D711694455E5A6E7A966C7CD12110B7D2526E340BA9253D383E5D279504A1FCE41F184F087D80594E518C2574E9B0C05C62E067C872EF2D12DF7E70D16BD262C66A19152D043A715A6E7A04D6C072DFCF4E0740E4FF5E4E0740AE3F46E52D9C7C5BD226E5BFA318C2EF6CBD4B68AB36A9E76DA43B8E35C2D4735E5FECEBA9253D98722E333E0A683257A9F515591B7CFFE679333E0A94455E2D31931F18D6FB95AA2D711667586E26E5BFEF2D128D33F544BD7A7CB7C4AE3F46
number of distinct values in all_hashes: 256
```

```
513f78eeaff2c4db005ccbdd799fab7a528950943542936dd973afb94c33c033c304c8bc2b0c58204a7132305cfc47bd45811f47ee8a1ddc7806bc35604816c3
00000000: 513f 78ee aff2 c4db 005c cbdd 799f ab7a  Q?x......\..y..z
00000010: 5289 5094 3542 936d d973 afb9 4c33 c033  R.P.5B.m.s..L3.3
00000020: c304 c8bc 2b0c 5820 4a71 3230 5cfc 47bd  ....+.X Jq20\.G.
00000030: 4581 1f47 ee8a 1ddc 7806 bc35 6048 16c3  E..G....x..5`H..
```
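The per-byte lookup described under Approach, as an added example (this is not the `halifax.py` from these notes): a SHA-256 over a one-byte message has only 256 possible inputs, so a table of truncated digests inverts it. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib

PREFIX_NYBBLES = 6  # 24-bit truncation, the width the notes settle on


def build_table(nybbles=PREFIX_NYBBLES):
    """Map truncated sha256(single byte) -> byte value for all 256 inputs."""
    table = {}
    for value in range(256):
        prefix = hashlib.sha256(bytes([value])).hexdigest()[:nybbles].upper()
        if prefix in table:
            # A collision would make the truncated hash ambiguous.
            raise ValueError(f"prefix {prefix} maps to {table[prefix]:#04x} and {value:#04x}")
        table[prefix] = value
    return table


def recover(leak_hex, nybbles=PREFIX_NYBBLES):
    """Turn a run of concatenated truncated hashes back into the hashed bytes."""
    leak_hex = leak_hex.strip().upper()
    if len(leak_hex) % nybbles:
        raise ValueError("leak length is not a multiple of the prefix width")
    table = build_table(nybbles)
    out = bytearray()
    for i in range(0, len(leak_hex), nybbles):
        chunk = leak_hex[i:i + nybbles]
        if chunk not in table:
            raise ValueError(f"chunk {chunk} at offset {i} is not a single-byte hash")
        out.append(table[chunk])
    return bytes(out)


def simulate_leak(memory, nybbles=PREFIX_NYBBLES):
    """Constructed stand-in for the device side: hash each byte, keep the prefix."""
    return "".join(hashlib.sha256(bytes([b])).hexdigest()[:nybbles].upper() for b in memory)


if __name__ == "__main__":
    secret = bytes.fromhex("00ff10a55a")  # constructed sample, not SRAM from the challenge
    leak = simulate_leak(secret)
    print(leak)
    print(recover(leak).hex())
```

The same reasoning applies to any hash or MAC-free digest over a small input space: truncating or not, the digest hides nothing once every possible input can be enumerated.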

Problems abound.

The payload doesn't work. I'm not sure how to find out what args 0x41 expects..? Neither stuck_pixel nor Pokemod can either. This challenge is a doozy.