MicroCorruption/17-Lagos/notes.md

`Taken from my notebook, verbatim`


### Page 5
```
LAGOS
    45a0: 0b41 -> 3041 "ret"

    WE CAN add #4130, sp
      ~ MOVE THE STACK ~

    0: input [0x1bf]=
    1: ret -> 4444 (sp+0x60)
    2: Move stack to 2400+1c0
    3: Ret -> arbitrary address (i.e. 2400+1c2)
    4: Execute arbitrary code
```

### Page 1
```
Lagos   Alphanumerics Only
    `0x200 B -> #2400`
    Password valid range: 8-16 c
    Valid chars:
    [0-9]  [A-Z]  [a-z]
    30-39  41-5a  61-7a

    We have enough chars
    to overwrite current
    function

    1b5 bytes before hitting
    current instruction

    3041 = ret
        45a0 = 0b41
            at index 1b5
    Control of return addr
     -> we can ret to string buffer
        bypassing sanitizer!

        ret to 2400+1bb
                25b5
        run code from there!
    ret at index 0x11
    ... we need a JMP to get there.
    ... all our jumps are positive
```

### Page 2
```
    D p
    4470 looks like a good place
                      D 0
         for code, or 4430

    5a37: jge $-14a  ?

    Arithmetic instructions
        Form addresses with sub?
          25 b6      bb25
                     ^lsb
      55-30    7a-30(ish)
      547a + 3030 =
      5630 - 307a = 25bb!
      V 0    0 z

    We can load from our string:
      pop r4 = 3441
              "4 A "
            -> can be any reg from
               0-9: 3r41
      add.b = 7x5y
      3451  = pop & add to r4

  3441   3451
  pop r4 add r4
```

### Page 3
```
    Instructions in range
    30:  jn
    34:  jge
    38:  jl
    3c:  jmp

    4#:  mov
    5#:  add
    6#:  addc
    7#:  subc

    Feasible addressing modes
      10  @Rn  Register indirect
      11  @Rn+ RI w/ post-inc

    Subtract the stack from pc?
        3071 subc @sp+, pc
        "Large relative jump"

    Alignment in 2400 buffer
        is not same as in PC
```

### Page 4
```
What is an alphanumeric character?
    [0-9] [A-Z] [a-z]
    30-39 41-5a 61-7a

Buffers:    43ed: stack buffer
            2400: load  buffer

    43ed + 0x57: 4444

    45a0: last byte copied (1b3 bytes)
    &[43ed + 1b3] = 0x30, '0'
      43ed + 1c0  = payload

    Correction: sp at 43ec before
        we gain exec
        ret will tak sp to 43ee
    ... we need to create a fake stack
        somewhere over in the controllable
        zone

    The loop only continues if the
        FOLLOWING BYTE is valid.
```