Next Level: Sydney!
Starting this level and reading through the pop-up manual, we see that the vulnerability we used seems to be fixed:
“… prior version of the lock was bypassable without knowing the password. We have fixed this and removed the password from memory.”
Let’s check that out.
We will have a look at the main function:
It looks very similar to the New Orleans level:
We see a get_password, a check_password and a tst of register r15. We want that register not to be zero, because then we will jump to 0x445e. Jumping there will print “Access Granted”, 0x7f will be pushed onto the stack and this will unlock the deadbolt!
Let’s also have a closer look at check_password:
The first instruction compares the word 5c57 (2 bytes, since the MSP430 is a 16-bit microcontroller) with the word r15 points to. This is done by subtracting the word r15 points to from the word 5c57.
The status register (sr) will be set accordingly. The next instruction at 0x4490 will test sr and, if it is not zero, we will jump 0x1c (in decimal: 14) bytes onwards to 0x44ac and return to main.
Enough theory and static analysis, let’s set a breakpoint at 0x448a, which is the entry point of check_password, and start the debugger.
When asked for the password, I enter AAAAAAAA (let’s stay creative…).
Arrived at 0x448a, I read register r15 and, no surprise, the address of the beginning of our passphrase is stored in r15!
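To make the cmp/jnz flow of check_password concrete, together with the observation that r15 points at our input, here is an added Python model of those two instructions; it is not code from this post or from the challenge, and the buffer address 0x2400 is an assumed value, since the post does not give the contents of r15.

```python
# Added model of the first two instructions of check_password as described above
# (cmp #0x5c57 against the word r15 points to, then jnz $+0x1c). Constructed for
# this write-up; it is not code from the post or from the challenge itself.

SR_C, SR_Z, SR_N, SR_V = 1 << 0, 1 << 1, 1 << 2, 1 << 8   # MSP430 status-register bits

PASSPHRASE_ADDR = 0x2400   # assumed buffer address; the post does not give the value in r15


def word_at(mem: bytes, addr: int) -> int:
    """Read a 16-bit little-endian word, the way 0x0(r15) is dereferenced."""
    return mem[addr] | (mem[addr + 1] << 8)


def msp430_cmp(src: int, dst: int) -> int:
    """cmp src, dst: compute dst - src, discard the result, return the sr flags it sets."""
    src &= 0xFFFF
    dst &= 0xFFFF
    result = (dst - src) & 0xFFFF
    sr = 0
    if result == 0:
        sr |= SR_Z                      # equal words -> zero flag set
    if result & 0x8000:
        sr |= SR_N                      # negative 16-bit result
    if dst >= src:
        sr |= SR_C                      # carry set means no borrow occurred
    if (dst ^ src) & 0x8000 and (dst ^ result) & 0x8000:
        sr |= SR_V                      # signed overflow
    return sr


def jnz_target(pc: int, sr: int, disp: int) -> int:
    """jnz $+disp at address pc: taken when Z is clear, else fall through to the next 2-byte instruction."""
    return pc + disp if not sr & SR_Z else pc + 2


def check_first_word(passphrase: bytes, r15: int = PASSPHRASE_ADDR) -> dict:
    """Emulate 0x448a (cmp) and 0x4490 (jnz) for an input that get_password left at r15."""
    mem = bytearray(0x10000)
    mem[r15:r15 + len(passphrase)] = passphrase
    word = word_at(mem, r15)
    sr = msp430_cmp(0x5C57, word)
    return {"word": word, "sr": sr, "next_pc": jnz_target(0x4490, sr, 0x1C)}


if __name__ == "__main__":
    state = check_first_word(b"AAAAAAAA")
    print(f"word at r15 = {state['word']:#06x}, sr = {state['sr']:#05x}, next pc = {state['next_pc']:#06x}")
```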
