So I initially input nothing at the password prompt and hit c to continue through the remainder of the program, which failed: I received "Invalid password".
Break at main
Continue execution to main
I set a breakpoint for each, then stepped into the "create_password" function.
This function looks fairly simple: it moves the address 0x2400 into r15, then writes 0x5b3a243d236e2a00 into memory at that location one byte at a time. As I step through it, sure enough, a string is entered into memory at that location one byte at a time.
I hit c to continue to the get_password breakpoint, then stepped through until the password prompt. I input the hex from the create_password function, because the function was named create password...
I hit send, then c to continue to the breakpoint at the check_password function, then stepped into it.
I added the function and the register state at this point for reference. Looking over the function:
It appears that r14 will be cleared, so it is set to 0000.
Then 439c is moved into r13; looking at memory location 439c, it appears the password we input is located there.
Then r14 is added to r13, but r14 has been zeroed out, so I'm not sure why this step is needed. I'm sure I don't fully understand add....
Then it compares the byte located at r13 to r14; the r13 byte would be \x5b and r14 would be \x00, so this should return false.
After the compare, it will jump to 44d2 in the check_password function, which will clr r15 and then return to main.
As I step through it, it appears I was wrong regarding the cmp.b, as it did not jump, which meant that \x5b @ 439c == \x00 @ 0000, which didn't make sense to me. It was at this point that I paid more attention to the 0x2400 in front of r14 and realized that this must mean 0x2400 bytes past the value in r14, which is where the create_password function stored the string, and now it makes sense why the cmp.b passed.
This then increments r14 and checks to see whether r14 is 0008, which it is not, so the jne loops back up to 44be. It repeats moving r15 (our password location) into r13, then adding r14 to r13... AHHHHH, now it makes sense why the add is there. It is not needed to compare the first byte; however, each loop increments r14, and r13 is advanced by the loop counter, so it can compare one character at a time.
This loops seven more times, and when r14 is incremented to 8 the jne is not taken; we move 0x1 into r15 and return to main.
Once back at main, we immediately run tst r15. r15 is 0001, so I'm assuming tst is a boolean check where 0000 is false and 0001 is true, since if we had failed the check_password function it would have cleared r15, leaving it == 0000.
Since our tst passes, jnz is taken, which moves us 42 bytes beyond the start of main, from 4438 to 4462, which is where we move the "Access Granted" string, print it to the screen, and then call the function unlock_door.
I did not look at the unlock_door function.
Notes:
I would like to learn more about exactly what the tst instruction does, since I could not find a list of instructions containing tst for RISC. Googling only seemed to turn up ARM and x86, which both seemed to state that I should have two registers that are ANDed, not just the one as in this challenge. Maybe no second register means it's ANDing against null, but if I understand AND correctly, 0001 AND 0000 would be 0000, so the jnz wouldn't execute? So I am left a little confused here.
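A worked model of the check_password loop and the tst/jnz in main, written as an added example and not code from the original post or from the challenge itself. On the MSP430, tst dst is one of the assembler's emulated instructions: it is assembled as cmp #0, dst, which subtracts 0 from the destination and only sets the status flags, so jnz (the same opcode as jne) is taken whenever the destination is nonzero. No AND is involved. The C below mirrors each instruction the post walks through against a flat 64 KiB memory array; the addresses (0x2400, 0x439c), the eight password bytes and the loop bound of 8 come from the post, while the memory model, the memset of untouched memory to zero and the input copy are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of MSP430 memory: a flat 64 KiB array, zeroed before use
   (assumption: the real input buffer may hold leftovers from earlier runs). */
static uint8_t mem[0x10000];

#define PASSWORD_ADDR 0x2400u  /* where create_password stores the string */
#define INPUT_ADDR    0x439cu  /* where get_password stores what we typed */
#define PASSWORD_LEN  8u       /* 7 characters plus the terminating 0x00 */

/* Bytes the post reads out of create_password, in memory order. */
static const uint8_t created_password[PASSWORD_LEN] =
    {0x5b, 0x3a, 0x24, 0x3d, 0x23, 0x6e, 0x2a, 0x00};

/* create_password: mov #0x2400, r15; then mov.b #imm, N(r15) per byte. */
void create_password(void) {
    uint16_t r15 = PASSWORD_ADDR;
    for (uint16_t i = 0; i < PASSWORD_LEN; i++)
        mem[r15 + i] = created_password[i];
}

/* check_password(r15 = address of the typed input). One C statement per
   instruction from the post:
     clr r14
   loop:
     mov r15, r13
     add r14, r13
     cmp.b @r13, 0x2400(r14)
     jne fail
     inc r14
     cmp #0x8, r14
     jne loop
     mov #0x1, r15
     ret
   fail:
     clr r15
     ret                                                                */
uint16_t check_password(uint16_t r15) {
    uint16_t r14 = 0;                                /* clr r14 (index) */
    do {
        uint16_t r13 = r15;                          /* mov r15, r13 */
        r13 += r14;                                  /* add r14, r13: &input[r14] */
        if (mem[r13] != mem[PASSWORD_ADDR + r14])    /* cmp.b @r13, 0x2400(r14) */
            return 0;                                /* jne fail: clr r15; ret */
        r14++;                                       /* inc r14 */
    } while (r14 != PASSWORD_LEN);                   /* cmp #0x8, r14; jne loop */
    return 1;                                        /* mov #0x1, r15; ret */
}

/* The tail of main: tst r15 is cmp #0, r15, and jnz is taken when r15 != 0.
   Returns 1 when the "Access Granted" path (and unlock_door) is reached. */
int door_unlocks_for(const uint8_t *input, size_t len) {
    memset(mem, 0, sizeof mem);
    create_password();
    if (len > 0x40) len = 0x40;                      /* assumed input limit */
    memcpy(&mem[INPUT_ADDR], input, len);            /* stand-in for get_password */
    uint16_t r15 = check_password(INPUT_ADDR);
    return r15 != 0;                                 /* tst r15; jnz granted */
}

int main(void) {
    /* Constructed inputs: the seven bytes typed as hex in the post, and one
       that differs only in its last byte. */
    const uint8_t good[] = {0x5b, 0x3a, 0x24, 0x3d, 0x23, 0x6e, 0x2a};
    const uint8_t bad[]  = {0x5b, 0x3a, 0x24, 0x3d, 0x23, 0x6e, 0x2b};
    printf("hex from create_password: %s\n",
           door_unlocks_for(good, sizeof good) ? "Access Granted" : "Invalid password");
    printf("last byte changed:        %s\n",
           door_unlocks_for(bad, sizeof bad) ? "Access Granted" : "Invalid password");
    return 0;
}
```

Note that the eighth compare is the terminating 0x00 against whatever follows the typed bytes, so an input of eight or more non-zero bytes fails even when the first seven match; the empty input from the start of the post fails on the very first byte, since memory at 439c reads as 0x00 against 0x5b.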