New Orleans

Microcorruption Hacking
micro - This article is part of a series.
Part 1: This Article

Introduction

We will be working with the MSP430 microcontroller. Its assembly syntax is opcode source, destination, where source and destination refer to registers, constants, or memory locations.


Overview

Starting from <main>, I can immediately see a call to the subroutine <create_password>. Set a breakpoint and step into the function.

# Program entry point

4438 <main>
4438:  3150 9cff      add	#0xff9c, sp
443c:  b012 7e44      call	#0x447e <create_password>
4440:  3f40 e444      mov	#0x44e4 "Enter the password to continue", r15
4444:  b012 9445      call	#0x4594 <puts>
4448:  0f41           mov	sp, r15
444a:  b012 b244      call	#0x44b2 <get_password>
444e:  0f41           mov	sp, r15
4450:  b012 bc44      call	#0x44bc <check_password>
4454:  0f93           tst	r15
4456:  0520           jnz	$+0xc <main+0x2a>
4458:  3f40 0345      mov	#0x4503 "Invalid password; try again.", r15
445c:  b012 9445      call	#0x4594 <puts>
4460:  063c           jmp	$+0xe <main+0x36>
4462:  3f40 2045      mov	#0x4520 "Access Granted!", r15
4466:  b012 9445      call	#0x4594 <puts>
446a:  b012 d644      call	#0x44d6 <unlock_door>
446e:  0f43           clr	r15
4470:  3150 6400      add	#0x64, sp

Examining the code

Now, stepping into <create_password>, let's review each line of code, starting with the first.

447e: mov #0x2400, r15

move value 0x2400 to register 15

0x2400 is a memory address. How do we know it's an address? There is not much context in this instruction by itself, but the next instructions will show it. Let's continue.

4482: mov.b #0x36, 0x0(r15)

move value 0x36 to memory address 0x2400 + 0

What is the destination operand telling us here? It’s giving us a memory address location. r15 contains the base address (0x2400) and 0x0 is an offset.

The subsequent instructions follow the same pattern, where we put a hex value into a memory location:

4488: mov.b #0x23, 0x1(r15)

move value 0x23 to 0x2400 + 1

448e: mov.b #0x7c, 0x2(r15)

move value 0x7c to 0x2400 + 2

4494: mov.b #0x34, 0x3(r15)

move value 0x34 to address 0x2400 + 3

449a: mov.b #0x22, 0x4(r15)

move value 0x22 to address 0x2400 + 4

44a0: mov.b #0x5d, 0x5(r15)

move value 0x5d to address 0x2400 + 5

44a6: mov.b #0x21, 0x6(r15)

move value 0x21 to address 0x2400 + 6

44ac: mov.b #0x0, 0x7(r15)

move value 0x0 to address 0x2400 + 7

# Call subroutine <create_password>

447e <create_password>
447e:  3f40 0024      mov	#0x2400, r15
4482:  ff40 3600 0000 mov.b	#0x36, 0x0(r15)
4488:  ff40 2300 0100 mov.b	#0x23, 0x1(r15)
448e:  ff40 7c00 0200 mov.b	#0x7c, 0x2(r15)
4494:  ff40 3400 0300 mov.b	#0x34, 0x3(r15)
449a:  ff40 2200 0400 mov.b	#0x22, 0x4(r15)
44a0:  ff40 5d00 0500 mov.b	#0x5d, 0x5(r15)
44a6:  ff40 2100 0600 mov.b	#0x21, 0x6(r15)
44ac:  cf43 0700      mov.b	#0x0, 0x7(r15)
44b0:  3041           ret

Conclusion

Once the subroutine finishes, it gives us a hex password of 3623 7c34 225d 2100. We can now solve the level.
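
The walkthrough above can also be done statically. The following Python script is an added example, not part of the original article or of the Microcorruption tooling: it replays the immediate stores from the <create_password> listing and reads back the buffer at 0x2400, which shows why a secret built from immediates in firmware is readable by anyone who can read the code. The function names are hypothetical, and treating the final zero byte as a string terminator is an assumption.

```python
import re

# Disassembly of <create_password>, copied from the listing in this article.
LISTING = """\
447e:  3f40 0024      mov   #0x2400, r15
4482:  ff40 3600 0000 mov.b #0x36, 0x0(r15)
4488:  ff40 2300 0100 mov.b #0x23, 0x1(r15)
448e:  ff40 7c00 0200 mov.b #0x7c, 0x2(r15)
4494:  ff40 3400 0300 mov.b #0x34, 0x3(r15)
449a:  ff40 2200 0400 mov.b #0x22, 0x4(r15)
44a0:  ff40 5d00 0500 mov.b #0x5d, 0x5(r15)
44a6:  ff40 2100 0600 mov.b #0x21, 0x6(r15)
44ac:  cf43 0700      mov.b #0x0, 0x7(r15)
44b0:  3041           ret
"""

# "mov #imm, rN" loads a base address; "mov.b #imm, off(rN)" stores one byte.
BASE_RE = re.compile(r"\bmov\s+#0x([0-9a-f]+),\s*(r\d+)\s*$")
STORE_RE = re.compile(r"\bmov\.b\s+#0x([0-9a-f]+),\s*0x([0-9a-f]+)\((r\d+)\)")

def emulate_stores(listing):
    """Replay the immediate stores and return {address: byte}."""
    regs, memory = {}, {}
    for line in listing.splitlines():
        if m := BASE_RE.search(line):
            regs[m.group(2)] = int(m.group(1), 16)
        elif m := STORE_RE.search(line):
            value, offset, reg = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
            if reg not in regs:
                raise ValueError(f"base register {reg} not set before: {line}")
            memory[regs[reg] + offset] = value & 0xFF
    return memory

def stored_bytes(memory, start):
    """Return the contiguous run of written bytes beginning at start."""
    out, addr = bytearray(), start
    while addr in memory:
        out.append(memory[addr])
        addr += 1
    return bytes(out)

if __name__ == "__main__":
    data = stored_bytes(emulate_stores(LISTING), 0x2400)
    print("hex  :", data.hex())
    # Assumption: the trailing 0x00 is a C-style string terminator.
    print("ascii:", data.split(b"\x00")[0].decode("ascii"))
```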
