Microcorruption: Reverse Engineering and Exploitation


Post by d1str0 on Thu Mar 06, 2014 11:32 pm

Official discussion thread for all Microcorruption challenges. Please no spoilers but feel free to ask questions if you are stuck!


Re: Microcorruption: Reverse Engineering and Exploitation

Post by sangino on Sat Mar 08, 2014 10:55 am

I've never used assembly before, but I got addicted to these challenges; it's very fun.
Took me over 2 hours to figure out New Orleans, but now I'm stuck at Sydney.

Can anyone help me out?

May I post here my ideas whether I'm in the right direction or would that spoil too much?


Re: Microcorruption: Reverse Engineering and Exploitation

Post by cyberdrain on Sat Mar 08, 2014 3:05 pm

The "About" page is useful for the next few missions (not really this one though), Google those hints given! As for Sydney, you really need some knowledge of how assembly works and how the CPU stores/retrieves values to/from memory.


Re: Microcorruption: Reverse Engineering and Exploitation

Post by d1str0 on Sat Mar 08, 2014 9:06 pm

Feel free to post a little bit regarding what you've tried. Just try not to make it too spoilerish.


Re: Microcorruption: Reverse Engineering and Exploitation

Post by sangino on Sun Mar 09, 2014 11:55 am

Well, when I get to the check_password function and it compares #0x3e7c to 0x0(r15), the carry flag is set, so I change sr to 0002 to set the zero flag so it won't jump in the next instruction when it clears r14; then the door unlocks.

But I have no idea what the password would be. In the tutorial there is only one cmp instruction in check_password, and the constant reveals the length of the password. In the Sydney challenge there are 4 cmp instructions, and as far as I know they don't reveal much. When I read 0x3e7c, I only see 0000's, so I don't know what I should change r15 or the password to.

I could be totally wrong here or maybe I've spoiled too much.


Re: Microcorruption: Reverse Engineering and Exploitation

Post by mShred on Sun Mar 09, 2014 2:32 pm

Definitely gonna have to look into this more. If only there was more free time in the day..... :cry:


Re: Microcorruption: Reverse Engineering and Exploitation

Post by d1str0 on Sun Mar 09, 2014 6:06 pm

sangino wrote:Well, when I get to the check_password function and it compares #0x3e7c to 0x0(r15), the carry flag is set, so I change sr to 0002 to set the zero flag so it won't jump in the next instruction when it clears r14; then the door unlocks.

But I have no idea what the password would be. In the tutorial there is only one cmp instruction in check_password, and the constant reveals the length of the password. In the Sydney challenge there are 4 cmp instructions, and as far as I know they don't reveal much. When I read 0x3e7c, I only see 0000's, so I don't know what I should change r15 or the password to.

I could be totally wrong here or maybe I've spoiled too much.

You'll need to enter a password that causes the cmp to match (i.e. not set any carry flags). Look at the manual and read what cmp does. Also, look at the address r15 is pointing to.

If you think you have it but the compare *still* doesn't work, read about Endianness and what little and big endian means.
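An added example, not code from this thread or from Microcorruption: a Python model of the MSP430 word-size cmp that the reply above points at (it computes dst - src and keeps only the flags, so a following jne is taken when Z is clear), together with a little-endian word fetch that shows why the bytes stored at 0x0(r15) and the 16-bit constant in the disassembly do not read the same way. The buffer contents and constants are constructed sample values, not the real lock's.

```python
# MSP430 word-size CMP and little-endian word fetch (added example, not code
# from the thread or from Microcorruption). All memory bytes and constants
# below are constructed samples, not values from any real lock.


def sign_bit(value: int) -> int:
    """Bit 15 of a 16-bit value."""
    return (value >> 15) & 1


def cmp_flags(src: int, dst: int) -> dict:
    """Status flags after `cmp src, dst`.

    The CPU computes dst + ~src + 1 (i.e. dst - src) and discards the result,
    keeping only the flags: Z when the operands are equal, C when no borrow
    happened (dst >= src unsigned), N when the 16-bit result is negative,
    V on signed overflow. A following `jne` is taken when Z == 0.
    """
    src &= 0xFFFF
    dst &= 0xFFFF
    full = dst + ((~src) & 0xFFFF) + 1   # 17-bit sum, bit 16 is the carry
    res = full & 0xFFFF
    overflow = sign_bit(dst) != sign_bit(src) and sign_bit(res) != sign_bit(dst)
    return {
        "N": sign_bit(res),
        "Z": int(res == 0),
        "C": (full >> 16) & 1,
        "V": int(overflow),
    }


def jne_taken(src: int, dst: int) -> bool:
    """True when `cmp src, dst` followed by `jne` would jump."""
    return cmp_flags(src, dst)["Z"] == 0


def read_word_le(mem: bytes, addr: int, base: int) -> int:
    """Fetch the 16-bit word at `addr` from a buffer that starts at `base`,
    the way an MSP430 does: low byte first, high byte second."""
    off = addr - base
    return mem[off] | (mem[off + 1] << 8)


def word_to_le_bytes(word: int) -> bytes:
    """The two bytes that, stored in memory, read back as `word`."""
    return (word & 0xFFFF).to_bytes(2, "little")


# Constructed sample: r15 points at a buffer holding the ASCII text "abcd".
BUF_BASE = 0x3E7C
BUF = b"abcd"      # bytes 61 62 63 64

if __name__ == "__main__":
    w = read_word_le(BUF, BUF_BASE, BUF_BASE)     # 0x6261, not 0x6162
    print(hex(w), cmp_flags(0x6261, w), jne_taken(0x6261, w))
```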


Re: Microcorruption: Reverse Engineering and Exploitation

Post by Adrasteia the Inescapable on Sun Mar 09, 2014 7:00 pm

These are wonderful challenges! I'm still working on New Orleans, but I'm confident I'll figure it out eventually.

One thing I don't understand about the assembly, though: the jump and call instructions seem to give both an address and a label to jump to. If the code was disassembled, how do I know the names of the labels? And if not, why are the addresses listed as well?

For example, from the tutorial:
call   #0x4558 <puts>


How does the debugger know that the code at 0x4558 is puts? If it knows that, why list the numerical address as well?


Re: Microcorruption: Reverse Engineering and Exploitation

Post by cyberdrain on Sun Mar 09, 2014 8:32 pm

That's convenience, I've never seen a disassembler give a function a name before (excluding DLL calls), though that might just have to do with not using IDA. Also, the numbers are given so you'll know which hex corresponds to the disassembled code. You'll need this information later on.


Re: Microcorruption: Reverse Engineering and Exploitation

Post by d1str0 on Sun Mar 09, 2014 9:03 pm

Adrasteia the Inescapable wrote:These are wonderful challenges! I'm still working on New Orleans, but I'm confident I'll figure it out eventually.

One thing I don't understand about the assembly, though: the jump and call instructions seem to give both an address and a label to jump to. If the code was disassembled, how do I know the names of the labels? And if not, why are the addresses listed as well?

For example, from the tutorial:
call   #0x4558 <puts>


How does the debugger know that the code at 0x4558 is puts? If it knows that, why list the numerical address as well?


The CPU doesn't work in names. It only knows addresses. That's why both call and jumps have addresses listed. The debugger happened to "find" extra information about the disassembled code, i.e. they didn't strip the function names. Assembly can be written using function names, and when these locks were compiled, they left the function names there. I imagine later challenges might remove these, in which case you'll be in the dark.

Always go by the address. The function name is just a helper given to you by the debugger. You won't always have those labels.

