Microcorruption Writeup - Part 1
This is a writeup series on the embedded reverse engineering challenges on microcorruption.com. The target is a lock built around an MSP430 microcontroller, and each level gives you a disassembly, a debugger and a password prompt.
Let's start.
New Orleans
There was a create password function in the main function.
447e <create_password>
447e: 3f40 0024 mov #0x2400, r15
4482: ff40 5500 0000 mov.b #0x55, 0x0(r15)
4488: ff40 2b00 0100 mov.b #0x2b, 0x1(r15)
448e: ff40 7700 0200 mov.b #0x77, 0x2(r15)
4494: ff40 5d00 0300 mov.b #0x5d, 0x3(r15)
449a: ff40 5100 0400 mov.b #0x51, 0x4(r15)
44a0: ff40 5b00 0500 mov.b #0x5b, 0x5(r15)
44a6: ff40 4a00 0600 mov.b #0x4a, 0x6(r15)
44ac: cf43 0700 mov.b #0x0, 0x7(r15)
44b0: 3041 ret
Here r15 is loaded with the address 0x2400 and the password is written into memory one byte at a time at offsets 0 through 6 from that address, followed by a NUL terminator at offset 7. The immediates are ASCII codes, so a small Python script joins them into the password.
# Bytes stored at 0x2400..0x2407 by create_password; the final 0x0 is the NUL terminator
characters = [0x55, 0x2b, 0x77, 0x5d, 0x51, 0x5b, 0x4a, 0x0]
password = ""
for c in characters:
    if c == 0:      # stop at the terminator
        break
    password += chr(c)
print(password)
Password: - U+w]Q[J
Sydney
Here the check_password function compares 16-bit words at offsets 0x0, 0x2, 0x4 and 0x6 from the address in r15 (the input buffer) against hard-coded immediates, and returns 1 in r15 only if all four match.
448a <check_password>
448a: bf90 4941 0000 cmp #0x4149, 0x0(r15)
4490: 0d20 jnz $+0x1c
4492: bf90 4b4a 0200 cmp #0x4a4b, 0x2(r15)
4498: 0920 jnz $+0x14
449a: bf90 2558 0400 cmp #0x5825, 0x4(r15)
44a0: 0520 jne #0x44ac <check_password+0x22>
44a2: 1e43 mov #0x1, r14
44a4: bf90 2f22 0600 cmp #0x222f, 0x6(r15)
44aa: 0124 jeq #0x44ae <check_password+0x24>
44ac: 0e43 clr r14
44ae: 0f4e mov r14, r15
44b0: 3041 ret
Each cmp operates on a 16-bit word, i.e. two bytes, and the four compares cover offsets 0 to 7, so eight characters are checked in total, two per instruction.
Furthermore, since the MSP430 is little-endian, the immediate #0x4149 is matched against a low byte of 0x49 at offset 0 and a high byte of 0x41 at offset 1. So the two characters in each word have to be read from the back: 0x4149 means "IA", not "AI". Listing the bytes in memory order gives the following Python code to recover the password.
# Low byte first, then high byte, for each of the four compared words
characters = [0x49, 0x41, 0x4b, 0x4a, 0x25, 0x58, 0x2f, 0x22]
password = ""
for c in characters:
    password += chr(c)
print(password)
Password: - IAKJ%X/"
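The byte swapping can be done by the machine instead of by hand. The following script is an added example, not code from the original writeup: it takes the four immediates exactly as they appear in the cmp instructions and lets struct lay them out as little-endian memory, which is what the comparison actually sees. The inverse function re-reads a candidate password as words so you can confirm it would satisfy every cmp.

```python
import struct

# Immediates from the cmp instructions in check_password, in the order in which
# the word offsets 0x0, 0x2, 0x4 and 0x6 are compared (copied from the listing).
CMP_WORDS = [0x4149, 0x4A4B, 0x5825, 0x222F]


def password_from_words(words):
    """Lay the 16-bit immediates out as little-endian memory and decode them.

    cmp #0x4149, 0x0(r15) succeeds when the byte at r15 is 0x49 and the byte
    at r15+1 is 0x41, so the low byte of each word is the earlier character.
    """
    raw = struct.pack("<%dH" % len(words), *words)
    return raw.decode("ascii")


def words_from_password(password):
    """Inverse check: read a candidate back as the words the cmp chain sees."""
    raw = password.encode("ascii")
    if len(raw) % 2:
        raise ValueError("password must be an even number of bytes")
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


if __name__ == "__main__":
    pw = password_from_words(CMP_WORDS)
    print("Password:", pw)
    # Every word must match, otherwise one of the jnz/jne branches clears r14
    assert words_from_password(pw) == CMP_WORDS
```

The same approach works for any level that compares word-sized immediates against the input buffer: collect the immediates in offset order and pack them with "<H".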
Hanoi
The test_password_valid function proved to be interesting. It no longer compares the password itself; it hands the input buffer (r15) and a pointer to a local result byte to interrupt 0x7d, the hardware security module, and returns whatever the HSM wrote into that byte.
4454 <test_password_valid>
4454: 0412 push r4
4456: 0441 mov sp, r4
4458: 2453 incd r4
445a: 2183 decd sp
445c: c443 fcff mov.b #0x0, -0x4(r4)
4460: 3e40 fcff mov #0xfffc, r14
4464: 0e54 add r4, r14
4466: 0e12 push r14
4468: 0f12 push r15
446a: 3012 7d00 push #0x7d
446e: b012 7a45 call #0x457a <INT>
4472: 5f44 fcff mov.b -0x4(r4), r15
4476: 8f11 sxt r15
4478: 3152 add #0x8, sp
447a: 3441 pop r4
447c: 3041 ret
Here the result byte at -0x4(r4), which was cleared to 0 before the call and is set by the HSM when the password is valid, is loaded into r15. The sxt instruction then sign-extends that byte to a full 16-bit word, so the return value in r15 is 0 for an invalid password and non-zero for a valid one.
4520 <login>
4520: c243 1024 mov.b #0x0, &0x2410
4524: 3f40 7e44 mov #0x447e "Enter the password to continue.", r15
4528: b012 de45 call #0x45de <puts>
452c: 3f40 9e44 mov #0x449e "Remember: passwords are between 8 and 16 characters.", r15
4530: b012 de45 call #0x45de <puts>
4534: 3e40 1c00 mov #0x1c, r14
4538: 3f40 0024 mov #0x2400, r15
453c: b012 ce45 call #0x45ce <getsn>
4540: 3f40 0024 mov #0x2400, r15
4544: b012 5444 call #0x4454 <test_password_valid>
4548: 0f93 tst r15
454a: 0324 jz $+0x8
454c: f240 a600 1024 mov.b #0xa6, &0x2410
4552: 3f40 d344 mov #0x44d3 "Testing if password is valid.", r15
4556: b012 de45 call #0x45de <puts>
455a: f290 5800 1024 cmp.b #0x58, &0x2410
4560: 0720 jne #0x4570 <login+0x50>
4562: 3f40 f144 mov #0x44f1 "Access granted.", r15
4566: b012 de45 call #0x45de <puts>
456a: b012 4844 call #0x4448 <unlock_door>
456e: 3041 ret
4570: 3f40 0145 mov #0x4501 "That password is not correct.", r15
4574: b012 de45 call #0x45de <puts>
4578: 3041 ret
Back in login, getsn is called with r14 = 0x1c, so it reads up to 28 bytes into the buffer at 0x2400 even though the prompt promises passwords of 8 to 16 characters. If test_password_valid returns non-zero, the byte at &0x2410 is set to 0xa6; the line "cmp.b #0x58, &0x2410" then compares that byte with 0x58, which is "X" in ASCII. Since 0xa6 is never equal to 0x58, even a password the HSM accepts will not unlock the door. But 0x2410 is exactly 16 bytes past the start of the input buffer, so the 17th character we type lands on it, and the HSM result is never written there for a wrong password. So the password must contain 16 arbitrary characters and the 17th one should be "X".
Password: - aaaaaaaaaaaaaaaaX
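To make the overflow explicit, here is an added example that is not part of the original writeup: a small model of the memory layout the login routine uses. It assumes a 64-byte slice of memory starting at 0x2400 (enough to hold the 28-byte getsn read and the flag at 0x2410) and stands in for the unknown HSM verdict with a hypothetical hsm_accepts parameter, so both the "valid password still fails" and the "overflow unlocks" outcomes can be checked.

```python
BUF = 0x2400        # getsn writes the typed password here
FLAG = 0x2410       # login compares this byte with 0x58 ('X')
MAX_INPUT = 0x1C    # getsn is called with r14 = 0x1c, so up to 28 bytes are read
HSM_ACCEPT = 0xA6   # written to FLAG only when INT 0x7d reports a valid password
WANTED = 0x58       # the value cmp.b checks for


def simulate_login(user_input, hsm_accepts=False):
    """Model the login routine on a 64-byte slice of memory starting at 0x2400.

    hsm_accepts is a hypothetical stand-in for the verdict of INT 0x7d, since
    the real HSM password is unknown. Returns True when the door would unlock.
    """
    mem = bytearray(0x40)                   # constructed memory, not the real dump
    data = bytes(user_input)[:MAX_INPUT]    # getsn stops at 0x1c bytes, not 16
    mem[0:len(data)] = data                 # nothing enforces the 16-character limit
    if hsm_accepts:
        mem[FLAG - BUF] = HSM_ACCEPT        # mov.b #0xa6, &0x2410
    return mem[FLAG - BUF] == WANTED        # cmp.b #0x58, &0x2410


def build_payload(filler=b"a"):
    """16 bytes of padding to reach 0x2410, then the byte the check wants."""
    return filler * (FLAG - BUF) + bytes([WANTED])


if __name__ == "__main__":
    # A 15-byte overflow stops one byte short of the flag and fails.
    print("15 + X:", simulate_login(b"a" * 15 + b"X"))
    # The HSM accepting the password writes 0xa6, which still does not match 0x58.
    print("valid password:", simulate_login(b"correct!", hsm_accepts=True))
    print("payload:", build_payload(), "->", simulate_login(build_payload()))
```

The payload is independent of the real password: the HSM is only asked about the first part of the input, and its answer can never produce 0x58, so the only path to unlock_door is to write that byte yourself.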