Document exercises Tutorial till Hanoi
parent
f8eb24ec77
commit
69755b72aa
112
README.md
@ -1,3 +1,113 @@
|
|||||||
# microcorruption
|
# microcorruption
|
||||||
|
|
||||||
My solutions to the fantastic Microcorruption exercises.
|
My solutions to the fantastic Microcorruption exercises.
|
||||||
|
|
||||||
|
## Tutorial
|
||||||
|
|
||||||
|
Code that compares the password to the expected length of 8 characters.
|
||||||
|
|
||||||
|
```
|
||||||
|
4484: 6e4f mov.b @r15, r14
|
||||||
|
4486: 1f53 inc r15
|
||||||
|
4488: 1c53 inc r12
|
||||||
|
448a: 0e93 tst r14
|
||||||
|
448c: fb23 jnz $-0x8 <check_password+0x0>
|
||||||
|
448e: 3c90 0900 cmp #0x9, r12
|
||||||
|
4492: 0224 jz $+0x6 <check_password+0x14>
|
||||||
|
```
|
||||||
|
|
||||||
|
Any eight characters input is valid, for example:
|
||||||
|
|
||||||
|
```
|
||||||
|
password
|
||||||
|
```
|
||||||
|
|
||||||
|
## New Orleans
|
||||||
|
|
||||||
|
Password is hardcoded and located at address 0x2400.
|
||||||
|
|
||||||
|
```
|
||||||
|
2400: 764f 7050 6e4b 5300 0000 0000 0000 0000 vOpPnKS.
|
||||||
|
```
|
||||||
|
|
||||||
|
Solution:
|
||||||
|
|
||||||
|
```
|
||||||
|
vOpPnKS
|
||||||
|
```
|
||||||
|
|
||||||
|
## Sydney
|
||||||
|
|
||||||
|
The password is hardcoded in the `check_password` routine:
|
||||||
|
|
||||||
|
```
|
||||||
|
448a <check_password>
|
||||||
|
448a: bf90 4f78 0000 cmp #0x784f, 0x0(r15)
|
||||||
|
4490: 0d20 jnz $+0x1c <check_password+0x22>
|
||||||
|
4492: bf90 3b77 0200 cmp #0x773b, 0x2(r15)
|
||||||
|
4498: 0920 jnz $+0x14 <check_password+0x22>
|
||||||
|
449a: bf90 2b74 0400 cmp #0x742b, 0x4(r15)
|
||||||
|
44a0: 0520 jnz $+0xc <check_password+0x22>
|
||||||
|
44a2: 1e43 mov #0x1, r14
|
||||||
|
44a4: bf90 5d2f 0600 cmp #0x2f5d, 0x6(r15)
|
||||||
|
44aa: 0124 jz $+0x4 <check_password+0x24>
|
||||||
|
```
|
||||||
|
|
||||||
|
Solution (hex, byte ordering is little endian):
|
||||||
|
|
||||||
|
```
|
||||||
|
4f783b772b745d2f
|
||||||
|
```
|
||||||
|
|
||||||
|
ASCII equivalent:
|
||||||
|
|
||||||
|
```
|
||||||
|
Ox;w+t]/
|
||||||
|
```
|
||||||
|
|
||||||
|
## Hanoi
|
||||||
|
|
||||||
|
The input password does not matter. Instead, there is a hardcoded comparison of
|
||||||
|
0xb with the value at 0x2410.
|
||||||
|
|
||||||
|
```
|
||||||
|
4552: 3f40 d344 mov #0x44d3 "Testing if password is valid.", r15
|
||||||
|
4556: b012 de45 call #0x45de <puts>
|
||||||
|
455a: f290 0b00 1024 cmp.b #0xb, &0x2410
|
||||||
|
4560: 0720 jnz $+0x10 <login+0x50>
|
||||||
|
4562: 3f40 f144 mov #0x44f1 "Access granted.", r15
|
||||||
|
4566: b012 de45 call #0x45de <puts>
|
||||||
|
456a: b012 4844 call #0x4448 <unlock_door>
|
||||||
|
```
|
||||||
|
|
||||||
|
The input password is stored at 0x2400, so we can input a long enough string
|
||||||
|
to set 0x2410 to 0xb. Solution in hex:
|
||||||
|
|
||||||
|
```
|
||||||
|
16 bytes from 0x2400 to 0x240f
|
||||||
|
\
|
||||||
|
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb0b
|
||||||
|
--
|
||||||
|
set 0x2410 to 0xb /
|
||||||
|
```
|
||||||
|
|
||||||
|
## Cusco
|
||||||
|
|
||||||
|
At the end of the `login` function the stackpointer points to 0x43fe. The input
|
||||||
|
password is allocated to 0x43ee. That means we can override the return address
|
||||||
|
at 0x43fe with the address of the `unlock_door` door function at 0x4446.
|
||||||
|
|
||||||
|
Solution in hex:
|
||||||
|
|
||||||
|
```
|
||||||
|
16 bytes from 0x43ee to 0x43fe
|
||||||
|
\
|
||||||
|
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb4644
|
||||||
|
----
|
||||||
|
/
|
||||||
|
set 0x43fe to 0x4644 (unlock_door)
|
||||||
|
```
|
||||||
|
|
||||||
|
## Reykjavik
|
||||||
|
|
||||||
|
|
||||||
|
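Review bot: In the Cusco section the annotation under the payload reads "set 0x43fe to 0x4644 (unlock_door)", while the paragraph above it gives `unlock_door` as 0x4446; the payload bytes `4644` are the little-endian encoding of 0x4446, so the annotation should say 0x4446 and note the byte order the way the Sydney section does. The same block labels the filler as "16 bytes from 0x43ee to 0x43fe", but 16 bytes starting at 0x43ee end at 0x43fd (the Hanoi block uses the inclusive form, 0x2400 to 0x240f). Smaller points: "overwrite" reads better than "override" for the return address, "`unlock_door` door function" repeats a word, and the empty "## Reykjavik" heading should either get content or be left out, since the commit subject says the documentation runs through Hanoi while the change also adds Cusco.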