This is another post about the Microcorruption CTF, where we’ll be solving the SYDNEY challenge. So let’s start.
While going through the description of this challenge, you’ll see that, unlike the previous one, the password isn’t present in memory.
This is Software Revision 02. We have received reports that the prior version of the lock was bypassable without knowing the password. We have fixed this and removed the password from memory.
So let’s proceed to solve this level.
As always, let’s start by examining the
The code flow here is very close to the previous one, except that the
routine has been removed. The check_password routine looks interesting here, so let’s take a closer look.
While examining the main routine, we observe that right before calling
the mov sp, r15 instruction is executed at
r15 holds the address where the user input is stored, and here in the
check_password routine the words at offsets relative to r15 are compared to some other
cmp, which compares a 16-bit word, unlike
cmp.b, which compares
You’ll also observe that there is a jump instruction after every compare instruction. There the
$ operator represents the address of the
Program Counter (PC), also referred to as the Instruction Pointer (IP).
In this way the check_password routine checks if
In layman’s terms, r15 is checked against 0x57245b557a422449.
So that’s our 8-byte password. But it’s not that easy.
Data in memory is represented here in little-endian order.
This architecture works on 16-bit words, so we have to byte-swap each 2-byte word and then pass the result through.
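To make the word-swap concrete, here is an added Python model of the check (it is not code from the original post or from Microcorruption). It assumes the four cmp immediates are the page’s constant 0x57245b557a422449 split into 16-bit words in the order they are compared at offsets 0, 2, 4 and 6 from r15; the function names are mine. It shows why typing the constant as it reads fails, while entering each word low byte first passes.

```python
import struct

# Assumed: the page's 64-bit constant split into the four 16-bit cmp immediates,
# in the order the routine compares them (offset 0, 2, 4, 6 from r15).
CMP_IMMEDIATES = [0x5724, 0x5b55, 0x7a42, 0x2449]


def check_password(buf: bytes, immediates=CMP_IMMEDIATES) -> bool:
    """Model of check_password: for each word offset from r15, load a 16-bit
    little-endian word from memory (what a word-sized cmp sees) and compare it
    against the immediate. The jump after each cmp fails on the first mismatch."""
    if len(buf) < 2 * len(immediates):
        return False
    for i, imm in enumerate(immediates):
        word = struct.unpack_from("<H", buf, 2 * i)[0]  # little-endian load
        if word != imm:
            return False
    return True


def password_bytes(immediates=CMP_IMMEDIATES) -> bytes:
    """Bytes whose little-endian words equal the immediates: each 16-bit value is
    written low byte first, i.e. the two bytes of every word are swapped relative
    to how the constant reads in the disassembly."""
    return struct.pack("<%dH" % len(immediates), *immediates)


def naive_bytes(constant: int, width: int = 8) -> bytes:
    """What you get by typing the 64-bit constant exactly as it reads (big-endian)."""
    return constant.to_bytes(width, "big")


if __name__ == "__main__":
    naive = naive_bytes(0x57245B557A422449)
    good = password_bytes()
    print("as written :", naive.hex(), "->", check_password(naive))
    print("byte-swapped:", good.hex(), "->", check_password(good))
```

Running it prints the hex to enter on the lock’s hex-input line: the byte-swapped form passes the modelled check and the as-written form does not, which is exactly the "convert each 2 bytes" step above.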
This was also a little tricky one & I tried to do it quick & easy.
Hope you understood it.
That’s it for this one.
Good Bye !!!