Up next, Sydney! Our prompt says…
Wait, what was that last bit?
We have received reports that the prior version of the lock was bypassable without knowing the password. We have fixed this and removed the password from memory.
Sydney Program Structure
So, if we check out the main section of the code again, we can get an idea of how this program works, and what might be different (compared to the New Orleans level).
So it isn’t too different from last time, aside from the fact that this level has no
create_password function. Generally speaking, this program:
- Prompts the user for their password.
- Reads in the user response.
- Checks it against a known good value (presumably… somewhere…)
- Grants access (or not)
Nothing too different from the previous level. Let’s see if we can figure out how it determines if a password is valid or not.
check_password function looks interesting…
I set a breakpoint in the
check_password function. You can either click on line 448a, or type
break check_password in the debugger console.
Reset the program if you need to, and then type
c to continue until you get to your breakpoint. I gave the program a password attempt of “AAAAAAAA”
The first line says to compare the value 0x7d71 with the value at the address of r15 (starting with the 0th byte).
What is that address? Take a peek at the Register State view.
R15 is (hex) “439c”. If we look at our Live Memory Dump:
See where all the “41"s start? That’s the hex value for ASCII character “A”, which is what I entered as the password. If you count over from 4390, you see that the “A"s start at… 0x439c. Yay.
Okay, so we’re comparing 0x7d71 with the first two bytes of memory at 0x439c… which are “AA” or “0x4141”. We can type
s to step to the next instruction. Okay, so that comparison is obviously not going to work. Because our comparison failed, we’ll get kicked down to 0x44ac where r14 is cleared, moved into r15, and we return.
Before we go, however, let’s see what happens when we know the answer is wrong. Another way of asking this is: how does the microcontroller know what the result of the
cmp instruction was? It looks at the status register or
sr. You may have noticed that before the
cmp instruction, the value of
sr was 0000. Now, it’s 0004.
reset and try again, and enter in “}q”, which is the ASCII equivalent of “7d 71″… we see… oh no. The
sr is equal to 0004 again. What’s going on?
The issue is the order in which we’re providing the bytes.
Even though it looks right (see the 7d 71 in the image above), it’s out of order to the computer. This is called endianness.
It’s a bit of a “reading right-to-left vs left-to-right” problem, but for computers. What it means for us is that we have to swap our order. If we
reset and enter in “q}” instead of “}q”, and continue to our breakpoint:
Once we’re at our breakpoint, type
s to step to the next instruction. Our
sr register is set to 0003 this time. Interesting!
You can read more about the status register and conditional flags here. The difference in
sr values means that we’re on the right path.
If we look at the check_password function again, we can get an idea of what we need to provide as a password.
448a <check_password> 448a: bf90 717d 0000 cmp #0x7d71, 0x0(r15) 4490: 0d20 jnz $+0x1c 4492: bf90 6672 0200 cmp #0x7266, 0x2(r15) 4498: 0920 jnz $+0x14 449a: bf90 5c5f 0400 cmp #0x5f5c, 0x4(r15) 44a0: 0520 jne #0x44ac <check_password+0x22> 44a2: 1e43 mov #0x1, r14 44a4: bf90 4939 0600 cmp #0x3949, 0x6(r15) 44aa: 0124 jeq #0x44ae <check_password+0x24> 44ac: 0e43 clr r14 44ae: 0f4e mov r14, r15 44b0: 3041 ret
We need 0x7d71, adjusted for endianness, and then 0x7266 (also adjusted), and then 0x5f5c (yep, also adjusted).
That is… “q}fr_” Wow. This password’s got entropy. After resetting, and entering that password, we can get all the way to this line:
We’ve moved a value of “1” into r14, which could give us a return value of “true” or “1”, meaning that we gave the correct password.
But… we’ve still got one hurdle left to clear. The last two bytes of the password are compared to 0x3949. Let’s add that to our password and try again: “q}fr_I9”
TL;DR The password, as we’ve found by looking at the comparison of two bytes of input at a time, is “q}fr_I9”. We had to consider endianness, and also use the status register comparison flags to help us find our way.
To solve the level, type “solve” and then enter in “q}fr_I9” as the password. Yay!