MicroCorruption: Reykjavik

Military-grade security lock they say. Here is the manual:

  • This lock is not attached to any HSM module.
  • Military-grade on-device encryption has been implemented to keep the password secure.
  • Passwords entered cannot be read from memory.

This is the main function:

Interesting findings:

  • A block of opcode:
    • beginning at 0x4520
    • spanning 0xf8 bytes

is passed to the enc function. The destination for the result is set to #0x2400.

The enc function essentially transforms the opcode from the source block into the destination block, using some operations to work out each address along the way (you decide to save the details of this for later; you can inspect it afterwards).
You focus on the memory dump. You can disassemble the block at #0x2400 and follow it through…

but let's make things easier. You run the program and put in a test input: aaaaaaaa

This gets stored at #0x43da.

Instead of stepping and reading one opcode at a time (this is painfully slow), a better way is to disassemble the block just after the call that fetches the input.

if (*(uint16_t *)0x43da == 0x75f2) {
	// unlock door
	push #0x7f
	call INT
} else {
	exit program
}

The first word of the input (the two bytes at #0x43da) is compared to the value #0x75f2. If equal, unlock door :)
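To make the two steps of this analysis concrete, here is an added Python model of the lock's flow (my illustration, not code from the challenge or from MicroCorruption). It assumes a flat 64 KiB MSP430 memory image held in a bytearray, and since the write-up deliberately skips what enc actually does, it stands in a byte-wise XOR for the real transform; only the source address 0x4520, the length 0xf8, the destination 0x2400, the input address 0x43da and the compared word 0x75f2 come from the write-up. The diff_snapshots function shows the shortcut used above: dump memory before and after the call to enc and the changed region is the freshly decrypted code, no stepping required. password_check then performs the same comparison the decrypted block does, reading the word little-endian as the MSP430 does.

```python
import struct

# Addresses and constants taken from the write-up.
SRC, DST, LEN = 0x4520, 0x2400, 0xF8   # block handed to enc, and where its output goes
INPUT_ADDR = 0x43DA                      # where the typed password lands
MAGIC = 0x75F2                           # word the decrypted code compares against


def make_memory(seed: int = 0x5A) -> bytearray:
    """Constructed 64 KiB image: the 'encrypted' block at SRC is filler bytes."""
    mem = bytearray(0x10000)
    for i in range(LEN):
        mem[SRC + i] = (seed + 3 * i) & 0xFF
    return mem


def enc(mem: bytearray, src: int, length: int, dst: int, key: int = 0x42) -> None:
    """Stand-in for the lock's enc routine (assumption: byte-wise XOR).
    The real routine's operation is not described in the write-up; only the
    src/length/dst calling convention is modelled here."""
    for i in range(length):
        mem[dst + i] = mem[src + i] ^ key


def diff_snapshots(before: bytes, after: bytes) -> list[tuple[int, int]]:
    """Return (start, length) of every region that differs between two dumps.
    Diffing a dump taken before and after enc locates the decrypted code
    directly, which is far quicker than stepping through it."""
    regions, start = [], None
    for addr, (b, a) in enumerate(zip(before, after)):
        if b != a and start is None:
            start = addr
        elif b == a and start is not None:
            regions.append((start, addr - start))
            start = None
    if start is not None:
        regions.append((start, len(before) - start))
    return regions


def store_input(mem: bytearray, data: bytes) -> None:
    """Place the typed password at 0x43da, as the input routine does."""
    mem[INPUT_ADDR:INPUT_ADDR + len(data)] = data


def password_check(mem: bytearray) -> bool:
    """The check the decrypted block performs: compare the 16-bit word at
    0x43da with 0x75f2.  The MSP430 is little-endian, so the low byte 0xf2
    is stored first."""
    (word,) = struct.unpack_from("<H", mem, INPUT_ADDR)
    return word == MAGIC


def unlocking_input() -> bytes:
    """Byte order in which the compared word must be entered."""
    return struct.pack("<H", MAGIC)


if __name__ == "__main__":
    mem = make_memory()
    before = bytes(mem)
    enc(mem, SRC, LEN, DST)
    print("decrypted regions:", [(hex(s), hex(n)) for s, n in diff_snapshots(before, bytes(mem))])
    store_input(mem, b"aaaaaaaa")
    print("test input unlocks:", password_check(mem))
    store_input(mem, unlocking_input())
    print("word-ordered input unlocks:", password_check(mem))
```

The snapshot diff reports exactly one changed region, 0x2400 for 0xf8 bytes, which is the block you would then hand to the disassembler; the test input aaaaaaaa fails the comparison, and the same word written in the machine's byte order passes it.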

Sweet!! Shall we? ;D

That was one hekla of a place :)

Ride on! To Whitehorse and beyond.
