# 2. Sydney

# Challenge Overview

OVERVIEW
- We have revised the software in revision 02.
- This lock is not attached to any hardware security module.
---
This is Software Revision 02. We have received reports that the
prior version of the lock was bypassable without knowing the
password. We have fixed this and removed the password from memory.
# Solution

Looking at the assembly of `main`, which reads the input into a stack buffer and calls `check_password` on it:

```
4438 <main>
4438: 3150 9cff add #0xff9c, sp
443c: 3f40 b444 mov #0x44b4 "Enter the password to continue.", r15
4440: b012 6645 call #0x4566 <puts>
4444: 0f41 mov sp, r15
4446: b012 8044 call #0x4480 <get_password>
444a: 0f41 mov sp, r15
444c: b012 8a44 call #0x448a <check_password>
4450: 0f93 tst r15
4452: 0520 jnz $+0xc <main+0x26>
4454: 3f40 d444 mov #0x44d4 "Invalid password; try again.", r15
4458: b012 6645 call #0x4566 <puts>
445c: 093c jmp $+0x14 <main+0x38>
445e: 3f40 f144 mov #0x44f1 "Access Granted!", r15
4462: b012 6645 call #0x4566 <puts>
4466: 3012 7f00 push #0x7f
446a: b012 0245 call #0x4502 <INT>
446e: 2153 incd sp
4470: 0f43 clr r15
4472: 3150 6400 add #0x64, sp
```
---
```
448a <check_password>
448a: bf90 4760 0000 cmp #0x6047, 0x0(r15)
4490: 0d20 jnz $+0x1c <check_password+0x22>
4492: bf90 5d3e 0200 cmp #0x3e5d, 0x2(r15)
4498: 0920 jnz $+0x14 <check_password+0x22>
449a: bf90 7140 0400 cmp #0x4071, 0x4(r15)
44a0: 0520 jnz $+0xc <check_password+0x22>
44a2: 1e43 mov #0x1, r14
44a4: bf90 6b70 0600 cmp #0x706b, 0x6(r15)
44aa: 0124 jz $+0x4 <check_password+0x24>
44ac: 0e43 clr r14
44ae: 0f4e mov r14, r15
44b0: 3041 ret
```
`check_password` compares four 16-bit words at offsets 0, 2, 4 and 6 of the buffer pointed to by `r15` against constants embedded in the code. Setting a breakpoint at the start of `check_password` and dumping the memory at `r15` confirms that it points to the input buffer on the stack (here holding the test input `password`):

```
r r15
439c 7061 7373 776f 7264 0000 0000 0000 0000 password........
43ac 0000 0000 0000 0000 0000 0000 0000 0000 ................
```
The MSP430 is little-endian, so the word `0x6047` expected at offset 0 is stored as the bytes `47 60`, and likewise for the other three words. Inputting the bytes 47605d3e71406b70 (as hex) as the password should therefore work:
```
Enter the password to continue
> 47605d3e71406b70
Access Granted!
```
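The same derivation can be automated. The following script is an added example, not part of the original writeup or of the Microcorruption lock: it parses the `cmp` instructions of the `check_password` listing above (embedded as a constructed string), lays each compared word out little-endian at its offset to recover the expected input, and models the lock's check so the recovered input can be verified against it. The function names `expected_words`, `recover_password` and `check_password_model` are this example's own.

```python
import re
import struct

# Copy of the check_password disassembly shown in the writeup (constructed input for this example).
CHECK_PASSWORD_LISTING = """
448a: bf90 4760 0000 cmp #0x6047, 0x0(r15)
4490: 0d20 jnz $+0x1c <check_password+0x22>
4492: bf90 5d3e 0200 cmp #0x3e5d, 0x2(r15)
4498: 0920 jnz $+0x14 <check_password+0x22>
449a: bf90 7140 0400 cmp #0x4071, 0x4(r15)
44a0: 0520 jnz $+0xc <check_password+0x22>
44a2: 1e43 mov #0x1, r14
44a4: bf90 6b70 0600 cmp #0x706b, 0x6(r15)
44aa: 0124 jz $+0x4 <check_password+0x24>
44ac: 0e43 clr r14
44ae: 0f4e mov r14, r15
44b0: 3041 ret
"""

# Matches "cmp #0xIMM, 0xOFF(r15)": an immediate word compared against the buffer at r15.
CMP_RE = re.compile(r"cmp\s+#0x([0-9a-f]+),\s+0x([0-9a-f]+)\(r15\)")


def expected_words(listing):
    """Return the (offset, word) pairs that check_password compares, in listing order."""
    pairs = []
    for line in listing.splitlines():
        m = CMP_RE.search(line)
        if m:
            pairs.append((int(m.group(2), 16), int(m.group(1), 16)))
    return pairs


def recover_password(listing):
    """Place each 16-bit word little-endian at its offset, exactly as the MSP430 stores it."""
    pairs = expected_words(listing)
    buf = bytearray(max(off for off, _ in pairs) + 2)
    for off, word in pairs:
        struct.pack_into("<H", buf, off, word)
    return bytes(buf)


def check_password_model(candidate, listing):
    """Model of the lock's check: every compared word must match for the result to be 1.

    Short input is padded with zero bytes, mirroring the zeroed stack buffer seen in the
    memory dump; the real lock would simply compare whatever lies beyond the input.
    """
    pairs = expected_words(listing)
    needed = max(off for off, _ in pairs) + 2
    padded = bytes(candidate) + b"\x00" * max(0, needed - len(candidate))
    return all(struct.unpack_from("<H", padded, off)[0] == word for off, word in pairs)


if __name__ == "__main__":
    recovered = recover_password(CHECK_PASSWORD_LISTING)
    print("recovered input (hex):", recovered.hex())
    print("model accepts recovered input:", check_password_model(recovered, CHECK_PASSWORD_LISTING))
    print("model accepts 'password':", check_password_model(b"password", CHECK_PASSWORD_LISTING))
```

The script shows why removing the password from RAM did not help: the comparison constants live in the code, so anyone who can read the firmware recovers the secret without ever observing memory at runtime. A check that does not expose the secret must compare against something that does not reveal it, such as a hash, or delegate the check to the hardware security module the overview says this lock lacks.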