mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-25 19:55:59 +00:00
2.3 KiB
2.3 KiB
Taken from my notebook, verbatim
Page 5
LAGOS
45a0: 0b41 -> 3041 "ret"
WE CAN add #4130, sp
~ MOVE THE STACK ~
0: input [0x1bf]=
1: ret -> 4444 (sp+0x60)
2: Move stack to 2400+1c0
3: Ret -> arbitrary address (i.e. 2400+1c2)
4: Execute arbitrary code
Page 1
Lagos Alphanumerics Only
`0x200 B -> #2400`
Password valid range: 8-16 c
Valid chars:
[0-9] [A-Z] [a-z]
30-39 41-5a 61-7a
We have enough chars
to overwrite current
function
1b5 bytes before hitting
current instruction
3041 = ret
45a0 = 0b41
at index 1b5
Control of return addr
-> we can ret to string buffer
bypassing sanitizer!
ret to 2400+1bb
25b5
run code from there!
ret at index 0x11
... we need a JMP to get there.
... all our jumps are positive
Page 2
D p
4470 looks like a good place
D 0
for code, or 4430
5a37: jge $-14a ?
Arithmetic instructions
Form addresses with sub?
25 b6 bb25
^lsb
55-30 7a-30(ish)
547a + 3030 =
5630 - 307a = 25bb!
V 0 0 z
We can load from our string:
pop r4 = 3441
"4 A "
-> can be any reg from
0-9: 3r41
add.b = 7x5y
3451 = pop & add to r4
3441 3451
pop r4 add r4
Page 3
Instructions in range
30: jn
34: jge
38: jl
3c: jmp
4#: mov
5#: add
6#: addc
7#: subc
Feasible addressing modes
10 @Rn Register indirect
11 @Rn+ RI w/ post-inc
Subtract the stack from pc?
3071 subc @sp+, pc
"Large relative jump"
Alignment in 2400 buffer
is not same as in PC
Page 4
What is an alphanumeric character?
[0-9] [A-Z] [a-z]
30-39 41-5a 61-7a
Buffers: 43ed: stack buffer
2400: load buffer
43ed + 0x57: 4444
45a0: last byte copied (1b3 bytes)
&[43ed + 1b3] = 0x30, '0'
43ed + 1c0 = payload
Correction: sp at 43ec before
we gain exec
ret will tak sp to 43ee
... we need to create a fake stack
somewhere over in the controllable
zone
The loop only continues if the
FOLLOWING BYTE is valid.