The Mess Of NebulaGravitations towards point origin
CategoriesTagsAbout

MicroCorruption: Sydney

2020-08-26

Another LockIT Pro Lock manual but this is a more secure, revised version they say ;) :

You learn that:

  • The lock is not attached to a HSM(Hardware Security Module).
  • The password is now not stored in memory.

This is how the main function looks like:

There is a check_password function called. You do the usual quick run of the program using a dummy input test, set a breakpoint on check_password and follow through the flow.

The input test gets stored at address 0x439c.

In the check_password function:

  • There are a bunch of comparisons done on the bytes of the input with hex values. This could definitely be the password bytes, you infer.

In pseudocode:

r15 = 0x439c
r14 = 0
if *(r15+[0-1]) != 0x5f62 || *(r15+[2-3]) != 0x2e5c || *(r15+[4-5]) != 0x3977 || *(r15+[6-7]) != 0x567c {
	r14 = 0
	r15 = r14
	return
} else {
	r14 = 1
	r15 = r14
	return
}

Compare every two bytes of the input to the hex values 0x5f62, 0x2e5c, 0x3977 and 0x567c respectively. If any of this is not equal, clear r14(set it to zero) and return. If they match, set r15 = r14 = 1.

Falling back to main, the call to unlock door happens only if r15 is not zero.

You now put in the correct input bytes:

Open Sesame!!

You fly to Hanoi :D.

#Reverse Engineering#Micro Corruption#input check

MicroCorruption: New Orleans

GDAL on Travis

comments powered by Disqus

© 2023 Eva Levanto

Powered by Hugo and the Notepadium