Document exercises Tutorial till Hanoi
parent
f8eb24ec77
commit
69755b72aa
112
README.md
112
README.md
|
|
@ -1,3 +1,113 @@
|
|||
# microcorruption
|
||||
|
||||
My solutions to the fantastic Microcorruption exercises.
|
||||
My solutions to the fantastic Microcorruption exercises.
|
||||
|
||||
## Tutorial
|
||||
|
||||
Code that compares the password to the expected length of 8 characters.
|
||||
|
||||
```
|
||||
4484: 6e4f mov.b @r15, r14
|
||||
4486: 1f53 inc r15
|
||||
4488: 1c53 inc r12
|
||||
448a: 0e93 tst r14
|
||||
448c: fb23 jnz $-0x8 <check_password+0x0>
|
||||
448e: 3c90 0900 cmp #0x9, r12
|
||||
4492: 0224 jz $+0x6 <check_password+0x14>
|
||||
```
|
||||
|
||||
Any eight characters input is valid, for example:
|
||||
|
||||
```
|
||||
password
|
||||
```
|
||||
|
||||
## New Orleans
|
||||
|
||||
Password is hardcoded and located at address 0x2400.
|
||||
|
||||
```
|
||||
2400: 764f 7050 6e4b 5300 0000 0000 0000 0000 vOpPnKS.
|
||||
```
|
||||
|
||||
Solution:
|
||||
|
||||
```
|
||||
vOpPnKS
|
||||
```
|
||||
|
||||
## Sydney
|
||||
|
||||
The password is hardcoded in the `check_password` routine:
|
||||
|
||||
```
|
||||
448a <check_password>
|
||||
448a: bf90 4f78 0000 cmp #0x784f, 0x0(r15)
|
||||
4490: 0d20 jnz $+0x1c <check_password+0x22>
|
||||
4492: bf90 3b77 0200 cmp #0x773b, 0x2(r15)
|
||||
4498: 0920 jnz $+0x14 <check_password+0x22>
|
||||
449a: bf90 2b74 0400 cmp #0x742b, 0x4(r15)
|
||||
44a0: 0520 jnz $+0xc <check_password+0x22>
|
||||
44a2: 1e43 mov #0x1, r14
|
||||
44a4: bf90 5d2f 0600 cmp #0x2f5d, 0x6(r15)
|
||||
44aa: 0124 jz $+0x4 <check_password+0x24>
|
||||
```
|
||||
|
||||
Solution (hex, byte ordering is little endian):
|
||||
|
||||
```
|
||||
4f783b772b745d2f
|
||||
```
|
||||
|
||||
ASCII equivalent:
|
||||
|
||||
```
|
||||
Ox;w+t]/
|
||||
```
|
||||
|
||||
## Hanoi
|
||||
|
||||
The input password does not matter. Instead, there is a hardcoded comparison of
|
||||
0xb with the value at 0x2410.
|
||||
|
||||
```
|
||||
4552: 3f40 d344 mov #0x44d3 "Testing if password is valid.", r15
|
||||
4556: b012 de45 call #0x45de <puts>
|
||||
455a: f290 0b00 1024 cmp.b #0xb, &0x2410
|
||||
4560: 0720 jnz $+0x10 <login+0x50>
|
||||
4562: 3f40 f144 mov #0x44f1 "Access granted.", r15
|
||||
4566: b012 de45 call #0x45de <puts>
|
||||
456a: b012 4844 call #0x4448 <unlock_door>
|
||||
```
|
||||
|
||||
The input password is stored at 0x2400, so we can input a long enough string
|
||||
to set 0x2410 to 0xb. Solution in hex:
|
||||
|
||||
```
|
||||
16 bytes from 0x2400 to 0x240f
|
||||
\
|
||||
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb0b
|
||||
--
|
||||
set 0x2410 to 0xb /
|
||||
```
|
||||
|
||||
## Cusco
|
||||
|
||||
At the end of the `login` function the stackpointer points to 0x43fe. The input
|
||||
password is allocated to 0x43ee. That means we can override the return address
|
||||
at 0x43fe with the address of the `unlock_door` door function at 0x4446.
|
||||
|
||||
Solution in hex:
|
||||
|
||||
```
|
||||
16 bytes from 0x43ee to 0x43fe
|
||||
\
|
||||
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb4644
|
||||
----
|
||||
/
|
||||
set 0x43fe to 0x4644 (unlock_door)
|
||||
```
|
||||
|
||||
## Reykjavik
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue