MicroCorruption: New Orleans

You find a manual for the LockIT Pro lock, and learn some things from it:

  • It is not attached to an HSM (hardware security module).
  • The password is set by entering it in the app and restarting the lock.

You are presented with a live debugger, a live memory dump, a disassembler and a view of the register states.

Looking through main, you notice a create_password function that is called before any input is requested or any check of that input is done.

You do a quick run of the program with a dummy input to follow the flow. This is what create_password looks like:

A password is clearly generated and stored at address 0x2400. The input you enter is stored at address 0x439c.

So, flowing back through main: create_password generates a password and stores it at 0x2400 -> get_password reads user input and stores it at 0x439c -> the very next instruction calls check_password.

Already there’s a hunch that the created password is what is compared to your input… but you want to see it. :)

In the check_password function:

  • A cmp.b instruction is executed for each byte of the input (r13 points into the input) against the corresponding byte of the created password.

In pseudocode (r15 holds the input address 0x439c on entry; note that r13 is recomputed from r15 on every pass of the loop rather than accumulating):

r14 = 0
loop:
	r13 = 0x439c + r14
	if *r13 != *(0x2400 + r14) {
		r15 = 0
		return
	}
	r14++
	if r14 != 8 goto loop
r15 = 1
return

Keep comparing the byte of the input at index r14 to the byte of the created password at index r14. If they are not equal, clear r15 (it becomes zero) and return immediately. If they are equal, move on to the next byte and repeat until all 8 bytes (the required length of the password) have matched, then set r15 to 1 and return.

Back in main, the door unlocks only if r15 is nonzero. Since the generated password sits in plaintext at 0x2400, in the same RAM the memory dump shows you, there is nothing to guess: you can read it straight back out.
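To make the flow concrete, here is a host-side C model of the three functions and of the solve step. It is an added example, not code from the MicroCorruption level or from this writeup: the addresses 0x2400 and 0x439c are the ones seen in the debugger session above, the eight password bytes are a constructed sample (not the password of any real account), and the input-buffer bound is an assumption of the model. check_password is written one instruction per line against the disassembled loop so the register roles are visible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Host-side model of the New Orleans lock, not the lock's firmware.
 * PW_ADDR and INPUT_ADDR are the addresses observed in the writeup;
 * INPUT_MAX is a bound chosen for this model (assumption). */
#define MEM_SIZE   0x10000
#define PW_ADDR    0x2400     /* where create_password stores the password */
#define INPUT_ADDR 0x439c     /* where get_password stores the user input  */
#define PW_LEN     8
#define INPUT_MAX  16

static unsigned char mem[MEM_SIZE];

/* create_password: drop the generated password into RAM at 0x2400.
 * The bytes are a constructed sample for this example. */
static void create_password(void)
{
    static const unsigned char sample[PW_LEN] =
        { 0x5a, 0x21, 0x7e, 0x33, 0x4c, 0x68, 0x29, 0x5d };
    memcpy(&mem[PW_ADDR], sample, PW_LEN);
}

/* get_password: store the caller's input at 0x439c (length-capped model). */
static void get_password(const unsigned char *input, size_t len)
{
    if (len > INPUT_MAX)
        len = INPUT_MAX;
    memcpy(&mem[INPUT_ADDR], input, len);
}

/* check_password: one-to-one with the disassembled loop. r15 holds the
 * input address on entry and the 0/1 result on return; r14 is the index;
 * r13 is rebuilt from r15 on every pass, so it never accumulates. */
static int check_password(unsigned short r15)
{
    unsigned short r14 = 0;                     /* clr   r14                    */
    do {
        unsigned short r13 = r15;               /* mov   r15, r13               */
        r13 += r14;                             /* add   r14, r13               */
        if (mem[r13] != mem[PW_ADDR + r14])     /* cmp.b @r13, 0x2400(r14); jne */
            return 0;                           /* clr   r15; ret               */
        r14++;                                  /* inc   r14                    */
    } while (r14 != PW_LEN);                    /* cmp   #8, r14; jne           */
    return 1;                                   /* mov   #1, r15; ret           */
}

/* The flow as main runs it: generate, take input, check. 1 = door unlocks. */
int try_unlock(const unsigned char *attempt, size_t len)
{
    create_password();
    get_password(attempt, len);
    return check_password(INPUT_ADDR);
}

/* The New Orleans solve: after create_password has run, read the eight
 * bytes back out of 0x2400 (what the memory dump shows) and feed them in. */
int solve(void)
{
    unsigned char pw[PW_LEN];
    create_password();
    memcpy(pw, &mem[PW_ADDR], PW_LEN);
    return try_unlock(pw, PW_LEN);
}

/* Same as solve(), but with byte `idx` of the recovered password flipped,
 * to show the check rejects a single wrong byte wherever it sits. */
int solve_with_wrong_byte(size_t idx)
{
    unsigned char pw[PW_LEN];
    create_password();
    memcpy(pw, &mem[PW_ADDR], PW_LEN);
    pw[idx % PW_LEN] ^= 0xff;
    return try_unlock(pw, PW_LEN);
}

int main(void)
{
    const unsigned char guess[] = "AAAAAAAA";
    printf("guess AAAAAAAA:     %s\n", try_unlock(guess, 8) ? "unlocked" : "locked");
    printf("password from dump: %s\n", solve() ? "unlocked" : "locked");
    printf("last byte wrong:    %s\n", solve_with_wrong_byte(7) ? "unlocked" : "locked");
    return 0;
}
```

The point the model makes explicit: the check is a plain byte-for-byte comparison against a secret that lives in the same readable RAM as everything else, so anyone with the memory dump (here, the debugger) gets the password for free. The model also shows why the pseudocode must rebuild r13 from r15 each pass; an accumulating r13 would compare the wrong input bytes from the second iteration on and the real password would be rejected.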

You now enter the correct input, the created password read out of 0x2400:

And the door unlocks for you!!

Off to Sydney :)
