Document exercises Tutorial till Hanoi

2023-01-21 13:20:59 -05:00 · 2023-01-21 13:20:59 -05:00 · 69755b72aa
commit 69755b72aa
parent f8eb24ec77
1 changed files with 111 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,113 @@
 # microcorruption

-My solutions to the fantastic Microcorruption exercises.
+My solutions to the fantastic Microcorruption exercises.
+
+## Tutorial
+
+Code that compares the password to the expected length of 8 characters.
+
+```
+4484:  6e4f           mov.b	@r15, r14
+4486:  1f53           inc	r15
+4488:  1c53           inc	r12
+448a:  0e93           tst	r14
+448c:  fb23           jnz	$-0x8 <check_password+0x0>
+448e:  3c90 0900      cmp	#0x9, r12
+4492:  0224           jz	$+0x6 <check_password+0x14>
+```
+
+Any eight characters input is valid, for example:
+
+```
+password
+```
+
+## New Orleans
+
+Password is hardcoded and located at address 0x2400.
+
+```
+2400: 764f 7050 6e4b 5300 0000 0000 0000 0000   vOpPnKS.
+```
+
+Solution:
+
+```
+vOpPnKS
+```
+
+## Sydney
+
+The password is hardcoded in the `check_password` routine:
+
+```
+448a <check_password>
+448a:  bf90 4f78 0000 cmp	#0x784f, 0x0(r15)
+4490:  0d20           jnz	$+0x1c <check_password+0x22>
+4492:  bf90 3b77 0200 cmp	#0x773b, 0x2(r15)
+4498:  0920           jnz	$+0x14 <check_password+0x22>
+449a:  bf90 2b74 0400 cmp	#0x742b, 0x4(r15)
+44a0:  0520           jnz	$+0xc <check_password+0x22>
+44a2:  1e43           mov	#0x1, r14
+44a4:  bf90 5d2f 0600 cmp	#0x2f5d, 0x6(r15)
+44aa:  0124           jz	$+0x4 <check_password+0x24>
+```
+
+Solution (hex, byte ordering is little endian):
+
+```
+4f783b772b745d2f
+```
+
+ASCII equivalent:
+
+```
+Ox;w+t]/
+```
+
+## Hanoi
+
+The input password does not matter. Instead, there is a hardcoded comparison of
+0xb with the value at 0x2410.
+
+```
+4552:  3f40 d344      mov	#0x44d3 "Testing if password is valid.", r15
+4556:  b012 de45      call	#0x45de <puts>
+455a:  f290 0b00 1024 cmp.b	#0xb, &0x2410
+4560:  0720           jnz	$+0x10 <login+0x50>
+4562:  3f40 f144      mov	#0x44f1 "Access granted.", r15
+4566:  b012 de45      call	#0x45de <puts>
+456a:  b012 4844      call	#0x4448 <unlock_door>
+```
+
+The input password is stored at 0x2400, so we can input a long enough string
+to set 0x2410 to 0xb. Solution in hex:
+
+```
+16 bytes from 0x2400 to 0x240f
+                              \
+bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb0b
+                                --
+             set 0x2410 to 0xb /
+```
+
+## Cusco
+
+At the end of the `login` function the stackpointer points to 0x43fe. The input
+password is allocated to 0x43ee. That means we can override the return address
+at 0x43fe with the address of the `unlock_door` door function at 0x4446.
+
+Solution in hex:
+
+```
+16 bytes from 0x43ee to 0x43fe
+                              \
+bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb4644
+                                ----
+                               /
+                               set 0x43fe to 0x4644 (unlock_door)
+```
+
+## Reykjavik
+
+