mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-23 00:35:57 +00:00
33 lines
1.7 KiB
Markdown
33 lines
1.7 KiB
Markdown
### Run # vs. Internal SRAM hash
|
|
|
|
| Run # | Internal SRAM Hash (sha256) |
|
|
|------:|:-------------------------------------------------------------------|
|
|
| 1 | `C19684234B668225647FAF0ADC8103131C0E70489B3A548E9223853005FA1E68` |
|
|
| 2 | `2A43E7A0C3508BB96BCFAE927776BFBC9ECAD114C022593E524AB0461AD0338A` |
|
|
| 3 | `C6E4A567CFB88E05C6F04B9AC93E94BC7AEFCA745B60C4934C02430DAB613B16` |
|
|
|
|
Hash appears random each time
|
|
Hash is given prior to user input
|
|
|
|
### Approach:
|
|
Hash each individual byte of SRAM, and break the exfiltrated hashes
|
|
sha256(8 bit message) ~ identified by first 20 bits
|
|
smallest we can do on this mcu is 6 nybbles (24 bits)
|
|
Approach works!
|
|
|
|
```sh
|
|
$ ./halifax.py
|
|
> 4AE8158A8DE82D711694455E5A6E7A966C7CD12110B7D2526E340BA9253D383E5D279504A1FCE41F184F087D80594E518C2574E9B0C05C62E067C872EF2D12DF7E70D16BD262C66A19152D043A715A6E7A04D6C072DFCF4E0740E4FF5E4E0740AE3F46E52D9C7C5BD226E5BFA318C2EF6CBD4B68AB36A9E76DA43B8E35C2D4735E5FECEBA9253D98722E333E0A683257A9F515591B7CFFE679333E0A94455E2D31931F18D6FB95AA2D711667586E26E5BFEF2D128D33F544BD7A7CB7C4AE3F46
|
|
number of distinct values in all_hashes: 256
|
|
|
|
513f78eeaff2c4db005ccbdd799fab7a528950943542936dd973afb94c33c033c304c8bc2b0c58204a7132305cfc47bd45811f47ee8a1ddc7806bc35604816c3
|
|
00000000: 513f 78ee aff2 c4db 005c cbdd 799f ab7a Q?x......\..y..z
|
|
00000010: 5289 5094 3542 936d d973 afb9 4c33 c033 R.P.5B.m.s..L3.3
|
|
00000020: c304 c8bc 2b0c 5820 4a71 3230 5cfc 47bd ....+.X Jq20\.G.
|
|
00000030: 4581 1f47 ee8a 1ddc 7806 bc35 6048 16c3 E..G....x..5`H..
|
|
```
|
|
|
|
### Problems abound.
|
|
The payload doesn't work. I'm not sure how to find out what args 0x41 expects..?
|
|
Neither stuck_pixel nor Pokemod can either. This challenge is a doozy.
|