# 1. New Orleans

# Challenge Overview
OVERVIEW
- This is the first LockIT Pro Lock.
- This lock is not attached to any hardware security module.
When running the module it asks for a password:
```
Enter the password to continue
> password
Invalid password; try again.
```
# Solution
Looking at the disassembly:
```
4438 <main>
4438: 3150 9cff add #0xff9c, sp
443c: b012 7e44 call #0x447e <create_password>
4440: 3f40 e444 mov #0x44e4 "Enter the password to continue", r15
4444: b012 9445 call #0x4594 <puts>
4448: 0f41 mov sp, r15
444a: b012 b244 call #0x44b2 <get_password>
444e: 0f41 mov sp, r15
4450: b012 bc44 call #0x44bc <check_password>
4454: 0f93 tst r15
4456: 0520 jnz $+0xc <main+0x2a>
4458: 3f40 0345 mov #0x4503 "Invalid password; try again.", r15
445c: b012 9445 call #0x4594 <puts>
4460: 063c jmp $+0xe <main+0x36>
4462: 3f40 2045 mov #0x4520 "Access Granted!", r15
4466: b012 9445 call #0x4594 <puts>
446a: b012 d644 call #0x44d6 <unlock_door>
446e: 0f43 clr r15
4470: 3150 6400 add #0x64, sp
```

```
44bc <check_password>
44bc: 0e43 clr r14
44be: 0d4f mov r15, r13
44c0: 0d5e add r14, r13
44c2: ee9d 0024 cmp.b @r13, 0x2400(r14)
44c6: 0520 jnz $+0xc <check_password+0x16>
44c8: 1e53 inc r14
44ca: 3e92 cmp #0x8, r14
44cc: f823 jnz $-0xe <check_password+0x2>
44ce: 1f43 mov #0x1, r15
44d0: 3041 ret
44d2: 0f43 clr r15
44d4: 3041 ret
```
We can see that check_password compares the byte at @r13 against the byte at 0x2400 + r14, one byte at a time, for 8 bytes. Setting a breakpoint and inspecting the memory:
```
> r r13
439c 7061 7373 776f 7264 0000 0000 0000 0000 password........
43ac 0000 0000 0000 0000 0000 0000 0000 0000 ................
> r 0x2400+r14
2400 4363 5e33 4050 2700 0000 0000 0000 0000 Cc^3@P'.........
2410 0000 0000 0000 0000 0000 0000 0000 0000 ................
```
r13 points to our input; 0x2400 holds the expected password in plaintext.
Swapping our input for the expected value of Cc^3@P' and removing the breakpoint:

```
Enter the password to continue
> Cc^3@P'
Access Granted!
```
Nice warmup to learn the env and how the asm works.
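
The check_password loop from the disassembly, rendered in C as an added example (not part of the original write-up or the lock's own code). The `mem` array, `load_dump` and `try_password` are assumptions made for illustration; the bytes at 0x2400 are the ones in the memory dump above. It makes visible that the loop compares 8 bytes, so the NUL after the 7 characters is part of the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_ADDR 0x2400  /* address compared against in check_password */
#define PW_LEN  8       /* loop bound: cmp #0x8, r14 */

/* Constructed model of the lock's RAM; only the bytes seen in the dump are set. */
static uint8_t mem[0x10000];

/* Bytes from the page's dump at 0x2400: 43 63 5e 33 40 50 27 00 */
static void load_dump(void) {
    static const uint8_t dump[PW_LEN] = {0x43, 0x63, 0x5e, 0x33, 0x40, 0x50, 0x27, 0x00};
    memcpy(&mem[PW_ADDR], dump, PW_LEN);
}

/* Instruction-by-instruction C rendering of check_password (44bc..44d4). */
static int check_password(const uint8_t *input /* r15 */) {
    uint16_t r14 = 0;                          /* clr r14 */
    do {
        const uint8_t *r13 = input + r14;      /* mov r15, r13 ; add r14, r13 */
        if (*r13 != mem[PW_ADDR + r14])        /* cmp.b @r13, 0x2400(r14) */
            return 0;                          /* jnz -> clr r15 ; ret */
        r14++;                                 /* inc r14 */
    } while (r14 != PW_LEN);                   /* cmp #0x8, r14 ; jnz */
    return 1;                                  /* mov #0x1, r15 ; ret */
}

/* Hypothetical helper: place the candidate in a zeroed buffer, as in the dump at 439c. */
static int try_password(const char *s) {
    uint8_t buf[0x64] = {0};   /* main reserves 0x64 bytes: add #0xff9c, sp */
    strncpy((char *)buf, s, sizeof buf - 1);
    load_dump();
    return check_password(buf);
}

int main(void) {
    printf("password -> %d\n", try_password("password"));
    printf("Cc^3@P'  -> %d\n", try_password("Cc^3@P'"));
    return 0;
}
```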