MICROCORRUPTION-NEW ORLEANS-CTF WALKTHROUGH


    The LockIT Pro a.01  is the first of a new series  of locks. It is
    controlled by a  MSP430 microcontroller, and is  the most advanced
    MCU-controlled lock available on the  market. The MSP430 is a very
    low-power device which allows the LockIT  Pro to run in almost any
    environment.

    The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
    communicate with the  LockIT Pro App, allowing the  LockIT Pro to
    be inaccessible from the exterior of the building.

    There is  no default password  on the LockIT  Pro---upon receiving
    the LockIT Pro, a new password must be set by connecting it to the
    LockIT Pro  App and  entering a password  when prompted,  and then
    restarting the LockIT Pro using the red button on the back.
    
    This is Hardware  Version A.  It contains  the Bluetooth connector
    built in, and one available port  to which the LockIT Pro Deadbolt
    should be connected.


The instructions in the main function are:


(screenshot: main function)
Solution 1:

In the main function, an interesting function named create_password is called.

Analyzing the create_password function:

447e <create_password>
447e:  3f40 0024      mov #0x2400, r15          ; r15 = 0x2400, start of the password buffer
4482:  ff40 6200 0000 mov.b #0x62, 0x0(r15)     ; 'b'
4488:  ff40 7a00 0100 mov.b #0x7a, 0x1(r15)     ; 'z'
448e:  ff40 7700 0200 mov.b #0x77, 0x2(r15)     ; 'w'
4494:  ff40 7000 0300 mov.b #0x70, 0x3(r15)     ; 'p'
449a:  ff40 6400 0400 mov.b #0x64, 0x4(r15)     ; 'd'
44a0:  ff40 2700 0500 mov.b #0x27, 0x5(r15)     ; '''
44a6:  ff40 4000 0600 mov.b #0x40, 0x6(r15)     ; '@'
44ac:  cf43 0700      mov.b #0x0, 0x7(r15)      ; NUL terminator
44b0:  3041           ret


1. mov.b denotes a byte operation: one byte is transferred from source to destination.

2. 0x0(r15) is the indexed addressing mode: the byte is written to r15 plus the given offset.

3. #0x62, #0x7a, etc. are hexadecimal values stored at consecutive indexed addresses off r15. There are 8 values in total, so the length of the password must be 8.

On decoding these hex values we get the password.


(screenshot: hex decoding)

Solution 2:


Set a breakpoint on check_password.

In the check_password function, the instruction at address 44c2 compares the stored password with the password we entered, one byte at a time. The password we entered is in r13.

Each time a password byte matches, r14 is incremented by 1.

Finally, at address 44ca, the value in r14 is compared with the expected password length, 8.

Looking at address 0x2400 in the live memory dump, the password bytes and their hex values are plainly visible.
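The two solutions above can be tied together in a short script, added here as an example and not part of the original walkthrough: it parses the create_password listing to recover the bytes written to 0x2400, and mirrors the eight-byte compare loop of check_password (treating the entered buffer as NUL-padded is an assumption made for illustration).

```python
import re

# Constructed copy of the create_password listing shown in the walkthrough.
CREATE_PASSWORD_LISTING = """
447e:  3f40 0024      mov #0x2400, r15
4482:  ff40 6200 0000 mov.b #0x62, 0x0(r15)
4488:  ff40 7a00 0100 mov.b #0x7a, 0x1(r15)
448e:  ff40 7700 0200 mov.b #0x77, 0x2(r15)
4494:  ff40 7000 0300 mov.b #0x70, 0x3(r15)
449a:  ff40 6400 0400 mov.b #0x64, 0x4(r15)
44a0:  ff40 2700 0500 mov.b #0x27, 0x5(r15)
44a6:  ff40 4000 0600 mov.b #0x40, 0x6(r15)
44ac:  cf43 0700      mov.b #0x0, 0x7(r15)
44b0:  3041           ret
"""

# Matches "mov.b #<imm>, <index>(r15)" and captures the immediate byte and the index.
MOVB_RE = re.compile(r"mov\.b\s+#0x([0-9a-f]+),\s*0x([0-9a-f]+)\(r15\)")


def extract_stored_password(listing: str) -> bytes:
    """Rebuild the byte string create_password writes at 0x2400, in index order."""
    cells = {}
    for line in listing.splitlines():
        m = MOVB_RE.search(line)
        if m:
            cells[int(m.group(2), 16)] = int(m.group(1), 16)
    return bytes(cells[i] for i in sorted(cells))


def password_text(stored: bytes) -> str:
    """The printable password: everything before the NUL terminator."""
    return stored.split(b"\x00", 1)[0].decode("ascii")


def check_password(stored: bytes, entered: bytes, length: int = 8) -> bool:
    """Mirror check_password: compare `length` bytes one at a time, NUL included.

    Assumption: the entered buffer is followed by NUL bytes, as a C string
    read into zeroed memory would be.
    """
    buf = (entered + b"\x00").ljust(length, b"\x00")
    matched = 0  # plays the role of r14
    for i in range(length):
        if buf[i] != stored[i]:
            return False
        matched += 1
    return matched == length
```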
