These posts will detail my answers to solving various microcorruption.com CTF challenges. To begin, you should have at least had a look at the lock manual for a number of helpful hints. These challenges are built to run on an MSP430 microcontroller unit, so if you need any assembly references, that is the architecture you are looking for!
Let's look at the tutorial level first.
tutorial level
As expected, the first level is super simple. Most of your time is spent on this level getting to know the web based debugger as well as general tips and tricks for moving around.
When you follow the tutorial, you will notice that the flaw you need to exploit in this challenge is simply a length-based one: the check_password routine only checks whether the password has a length of 9.
4484 <check_password>
4484: 6e4f mov.b @r15, r14
4486: 1f53 inc r15
4488: 1c53 inc r12
448a: 0e93 tst r14
448c: fb23 jnz #0x4484 <check_password+0x0>
448e: 3c90 0900 cmp #0x9, r12 ; password length check
4492: 0224 jeq #0x4498 <check_password+0x14>
Once you hit the instruction at 0x4484, the first character of the password you entered is loaded into r14 (which you can see from the memory layout if you browse to 0x439c) from the memory location pointed to by r15. Next, the registers r12 and r15 are incremented. This continues until a null byte (the usual string terminator in C) is reached, at which point the jump at 0x448c is not taken and the cmp is the next instruction executed.
If r12 ends up being 0x0009 (indicating that our password was 8 characters long followed by a null byte), then the jump at 0x4492 is taken, finally calling the interrupt to unlock the lock.
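To make the counting explicit, here is a small C model of the check_password loop. It is an added example written for this write-up, not code from the microcorruption challenge itself; it keeps the register names from the listing (r15 pointer, r14 loaded byte, r12 counter) so each line maps back to one instruction. It assumes r12 is zero on entry, which the listing above does not show.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the byte-counting loop at 0x4484-0x448c. The loop body runs once
 * per byte *including* the terminating null, so r12 ends up one larger than
 * the number of visible characters. r12 is assumed to be zeroed before the
 * call (assumption: the clearing instruction is not in the listing above). */
static uint16_t count_bytes_like_check_password(const char *password)
{
    const uint8_t *r15 = (const uint8_t *)password; /* r15: pointer into the buffer */
    uint8_t r14;                                     /* r14: byte just loaded     */
    uint16_t r12 = 0;                                /* r12: counter (assumed 0)   */

    do {
        r14 = *r15;   /* 4484: mov.b @r15, r14 */
        r15++;        /* 4486: inc r15          */
        r12++;        /* 4488: inc r12          */
    } while (r14 != 0); /* 448a: tst r14 ; 448c: jnz back to 0x4484 */

    return r12;
}

/* 448e: cmp #0x9, r12 ; 4492: jeq -> unlock path */
bool check_password_model(const char *password)
{
    return count_bytes_like_check_password(password) == 9;
}

int main(void)
{
    /* constructed sample inputs: 4, 8 and 9 visible characters */
    const char *samples[] = { "pass", "password", "passwords" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-10s -> r12 = %u -> %s\n", samples[i],
               count_bytes_like_check_password(samples[i]),
               check_password_model(samples[i]) ? "unlock" : "denied");
    }
    return 0;
}
```

Running it shows why "length 9" means an 8-character password: the null terminator is counted as the ninth byte, so the compare only succeeds for exactly eight visible characters.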
solution
Enter any 8-character string, such as password.
other challenges
For my other write-ups in the microcorruption series, check out this link.