
Commit 022c00c

committed
Add partial notes for Santa Cruz.
1 parent 4f13652 commit 022c00c


2 files changed

+280
-0
lines changed

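--- a/santa_cruz/disassembly.asm
+++ b/santa_cruz/disassembly.asm
@@ -0,0 +1,267 @@
+0010 <__trap_interrupt>
+0010: 3041 ret
+4400 <__init_stack>
+4400: 3140 0044 mov #0x4400, sp
+4404 <__low_level_init>
+4404: 1542 5c01 mov &0x015c, r5
+4408: 75f3 and.b #-0x1, r5
+440a: 35d0 085a bis #0x5a08, r5
+440e <__do_copy_data>
+440e: 3f40 0400 mov #0x4, r15
+4412: 0f93 tst r15
+4414: 0724 jz #0x4424 <__do_clear_bss+0x0>
+4416: 8245 5c01 mov r5, &0x015c
+441a: 2f83 decd r15
+441c: 9f4f 6a47 0024 mov 0x476a(r15), 0x2400(r15)
+4422: f923 jnz #0x4416 <__do_copy_data+0x8>
+4424 <__do_clear_bss>
+4424: 3f40 6400 mov #0x64, r15
+4428: 0f93 tst r15
+442a: 0624 jz #0x4438 <main+0x0>
+442c: 8245 5c01 mov r5, &0x015c
+4430: 1f83 dec r15
+4432: cf43 0424 mov.b #0x0, 0x2404(r15)
+4436: fa23 jnz #0x442c <__do_clear_bss+0x8>
+4438 <main>
+4438: 3150 ceff add #0xffce, sp
+443c: b012 5045 call #0x4550 <login>
+4440 <__stop_progExec__>
+4440: 32d0 f000 bis #0xf0, sr
+4444: fd3f jmp #0x4440 <__stop_progExec__+0x0>
+4446 <__ctors_end>
+4446: 3040 6847 br #0x4768 <_unexpected_>
+444a <unlock_door>
+444a: 3012 7f00 push #0x7f
+444e: b012 c446 call #0x46c4 <INT>
+4452: 2153 incd sp
+4454: 3041 ret
+4456 <test_username_and_password_valid>
+4456: 0412 push r4
+4458: 0441 mov sp, r4
+445a: 2453 incd r4
+445c: 2183 decd sp
+445e: c443 fcff mov.b #0x0, -0x4(r4)
+4462: 3d40 fcff mov #0xfffc, r13
+4466: 0d54 add r4, r13
+4468: 0d12 push r13
+446a: 0e12 push r14
+446c: 0f12 push r15
+446e: 3012 7d00 push #0x7d
+4472: b012 c446 call #0x46c4 <INT>
+4476: 5f44 fcff mov.b -0x4(r4), r15
+447a: 8f11 sxt r15
+447c: 3150 0a00 add #0xa, sp
+4480: 3441 pop r4
+4482: 3041 ret
+4484 .strings:
+4484: "Authentication now requires a username and password."
+44b9: "Remember: both are between 8 and 16 characters."
+44e9: "Please enter your username:"
+4505: "Please enter your password:"
+4521: "Access granted."
+4531: "That password is not correct."
+454f: ""
+4550 <login>
+4550: 0b12 push r11
+4552: 0412 push r4
+4554: 0441 mov sp, r4
+4556: 2452 add #0x4, r4
+4558: 3150 d8ff add #0xffd8, sp
+455c: c443 faff mov.b #0x0, -0x6(r4)
+4560: f442 e7ff mov.b #0x8, -0x19(r4)
+4564: f440 1000 e8ff mov.b #0x10, -0x18(r4)
+456a: 3f40 8444 mov #0x4484 "Authentication now requires a username and password.", r15
+456e: b012 2847 call #0x4728 <puts>
+4572: 3f40 b944 mov #0x44b9 "Remember: both are between 8 and 16 characters.", r15
+4576: b012 2847 call #0x4728 <puts>
+457a: 3f40 e944 mov #0x44e9 "Please enter your username:", r15
+457e: b012 2847 call #0x4728 <puts>
+4582: 3e40 6300 mov #0x63, r14
+4586: 3f40 0424 mov #0x2404, r15
+458a: b012 1847 call #0x4718 <getsn>
+458e: 3f40 0424 mov #0x2404, r15
+4592: b012 2847 call #0x4728 <puts>
+4596: 3e40 0424 mov #0x2404, r14
+459a: 0f44 mov r4, r15
+459c: 3f50 d6ff add #0xffd6, r15
+45a0: b012 5447 call #0x4754 <strcpy>
+45a4: 3f40 0545 mov #0x4505 "Please enter your password:", r15
+45a8: b012 2847 call #0x4728 <puts>
+45ac: 3e40 6300 mov #0x63, r14
+45b0: 3f40 0424 mov #0x2404, r15
+45b4: b012 1847 call #0x4718 <getsn>
+45b8: 3f40 0424 mov #0x2404, r15
+45bc: b012 2847 call #0x4728 <puts>
+45c0: 0b44 mov r4, r11
+45c2: 3b50 e9ff add #0xffe9, r11
+45c6: 3e40 0424 mov #0x2404, r14
+45ca: 0f4b mov r11, r15
+45cc: b012 5447 call #0x4754 <strcpy>
+45d0: 0f4b mov r11, r15
+45d2: 0e44 mov r4, r14
+45d4: 3e50 e8ff add #0xffe8, r14
+45d8: 1e53 inc r14
+45da: ce93 0000 tst.b 0x0(r14)
+45de: fc23 jnz #0x45d8 <login+0x88>
+45e0: 0b4e mov r14, r11
+45e2: 0b8f sub r15, r11
+45e4: 5f44 e8ff mov.b -0x18(r4), r15
+45e8: 8f11 sxt r15
+45ea: 0b9f cmp r15, r11
+45ec: 0628 jnc #0x45fa <login+0xaa>
+45ee: 1f42 0024 mov &0x2400, r15
+45f2: b012 2847 call #0x4728 <puts>
+45f6: 3040 4044 br #0x4440 <__stop_progExec__>
+45fa: 5f44 e7ff mov.b -0x19(r4), r15
+45fe: 8f11 sxt r15
+4600: 0b9f cmp r15, r11
+4602: 062c jc #0x4610 <login+0xc0>
+4604: 1f42 0224 mov &0x2402, r15
+4608: b012 2847 call #0x4728 <puts>
+460c: 3040 4044 br #0x4440 <__stop_progExec__>
+4610: c443 d4ff mov.b #0x0, -0x2c(r4)
+4614: 3f40 d4ff mov #0xffd4, r15
+4618: 0f54 add r4, r15
+461a: 0f12 push r15
+461c: 0f44 mov r4, r15
+461e: 3f50 e9ff add #0xffe9, r15
+4622: 0f12 push r15
+4624: 3f50 edff add #0xffed, r15
+4628: 0f12 push r15
+462a: 3012 7d00 push #0x7d
+462e: b012 c446 call #0x46c4 <INT>
+4632: 3152 add #0x8, sp
+4634: c493 d4ff tst.b -0x2c(r4)
+4638: 0524 jz #0x4644 <login+0xf4>
+463a: b012 4a44 call #0x444a <unlock_door>
+463e: 3f40 2145 mov #0x4521 "Access granted.", r15
+4642: 023c jmp #0x4648 <login+0xf8>
+4644: 3f40 3145 mov #0x4531 "That password is not correct.", r15
+4648: b012 2847 call #0x4728 <puts>
+464c: c493 faff tst.b -0x6(r4)
+4650: 0624 jz #0x465e <login+0x10e>
+4652: 1f42 0024 mov &0x2400, r15
+4656: b012 2847 call #0x4728 <puts>
+465a: 3040 4044 br #0x4440 <__stop_progExec__>
+465e: 3150 2800 add #0x28, sp
+4662: 3441 pop r4
+4664: 3b41 pop r11
+4666: 3041 ret
+4668 <__do_nothing>
+4668: 3041 ret
+466a: 496e addc.b r14, r9
+466c: 7661 addc.b @sp+, r6
+466e: 6c69 addc.b @r9, r12
+4670: 6420 jnz #0x473a <puts+0x12>
+4672: 5061 7373 addc.b 0x7373(sp), pc
+4676: 776f addc.b @r15+, r7
+4678: 7264 addc.b @r4+, sr
+467a: 204c br @r12
+467c: 656e addc.b @r14, r5
+467e: 6774 subc.b @r4, r7
+4680: 683a jl #0x4352 <__none__+0x4352>
+4682: 2070 subc @pc, pc
+4684: 6173 subc.b #0x2, sp
+4686: 7377 .word 0x7773
+4688: 6f72 subc.b #0x4, r15
+468a: 6420 jnz #0x4754 <strcpy+0x0>
+468c: 746f addc.b @r15+, r4
+468e: 6f20 jnz #0x476e <_unexpected_+0x6>
+4690: 6c6f addc.b @r15, r12
+4692: 6e67 addc.b @r7, r14
+4694: 2e00 .word 0x002e
+4696: 496e addc.b r14, r9
+4698: 7661 addc.b @sp+, r6
+469a: 6c69 addc.b @r9, r12
+469c: 6420 jnz #0x4766 <strcpy+0x12>
+469e: 5061 7373 addc.b 0x7373(sp), pc
+46a2: 776f addc.b @r15+, r7
+46a4: 7264 addc.b @r4+, sr
+46a6: 204c br @r12
+46a8: 656e addc.b @r14, r5
+46aa: 6774 subc.b @r4, r7
+46ac: 683a jl #0x437e <__none__+0x437e>
+46ae: 2070 subc @pc, pc
+46b0: 6173 subc.b #0x2, sp
+46b2: 7377 .word 0x7773
+46b4: 6f72 subc.b #0x4, r15
+46b6: 6420 jnz #0x4780 <_unexpected_+0x18>
+46b8: 746f addc.b @r15+, r4
+46ba: 6f20 jnz #0x479a <_unexpected_+0x32>
+46bc: 7368 .word 0x6873
+46be: 6f72 subc.b #0x4, r15
+46c0: 742e jc #0x43aa <__none__+0x43aa>
+...
+46c4 <INT>
+46c4: 1e41 0200 mov 0x2(sp), r14
+46c8: 0212 push sr
+46ca: 0f4e mov r14, r15
+46cc: 8f10 swpb r15
+46ce: 024f mov r15, sr
+46d0: 32d0 0080 bis #0x8000, sr
+46d4: b012 1000 call #0x10
+46d8: 3241 pop sr
+46da: 3041 ret
+46dc <putchar>
+46dc: 2183 decd sp
+46de: 0f12 push r15
+46e0: 0312 push #0x0
+46e2: 814f 0400 mov r15, 0x4(sp)
+46e6: b012 c446 call #0x46c4 <INT>
+46ea: 1f41 0400 mov 0x4(sp), r15
+46ee: 3150 0600 add #0x6, sp
+46f2: 3041 ret
+46f4 <getchar>
+46f4: 0412 push r4
+46f6: 0441 mov sp, r4
+46f8: 2453 incd r4
+46fa: 2183 decd sp
+46fc: 3f40 fcff mov #0xfffc, r15
+4700: 0f54 add r4, r15
+4702: 0f12 push r15
+4704: 1312 push #0x1
+4706: b012 c446 call #0x46c4 <INT>
+470a: 5f44 fcff mov.b -0x4(r4), r15
+470e: 8f11 sxt r15
+4710: 3150 0600 add #0x6, sp
+4714: 3441 pop r4
+4716: 3041 ret
+4718 <getsn>
+4718: 0e12 push r14
+471a: 0f12 push r15
+471c: 2312 push #0x2
+471e: b012 c446 call #0x46c4 <INT>
+4722: 3150 0600 add #0x6, sp
+4726: 3041 ret
+4728 <puts>
+4728: 0b12 push r11
+472a: 0b4f mov r15, r11
+472c: 073c jmp #0x473c <puts+0x14>
+472e: 1b53 inc r11
+4730: 8f11 sxt r15
+4732: 0f12 push r15
+4734: 0312 push #0x0
+4736: b012 c446 call #0x46c4 <INT>
+473a: 2152 add #0x4, sp
+473c: 6f4b mov.b @r11, r15
+473e: 4f93 tst.b r15
+4740: f623 jnz #0x472e <puts+0x6>
+4742: 3012 0a00 push #0xa
+4746: 0312 push #0x0
+4748: b012 c446 call #0x46c4 <INT>
+474c: 2152 add #0x4, sp
+474e: 0f43 clr r15
+4750: 3b41 pop r11
+4752: 3041 ret
+4754 <strcpy>
+4754: 0d4f mov r15, r13
+4756: 023c jmp #0x475c <strcpy+0x8>
+4758: 1e53 inc r14
+475a: 1d53 inc r13
+475c: 6c4e mov.b @r14, r12
+475e: cd4c 0000 mov.b r12, 0x0(r13)
+4762: 4c93 tst.b r12
+4764: f923 jnz #0x4758 <strcpy+0x4>
+4766: 3041 ret
+4768 <_unexpected_>
+4768: 0013 reti pc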

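--- a/santa_cruz/notes.md
+++ b/santa_cruz/notes.md
@@ -0,0 +1,13 @@
+# Santa Cruz
+---
+
+- `strcpy`, `r14` is is source ptr, `r15` is destination ptr
+- `getsn` `r14` is length, `15` is buffer ptr
+
+- username copied to buffer starting at 43a2
+- password copied to buffer string at 43b5
+
+plan: use username input to overflow and overwrite the return address
+use password input to set address 43c6 to 00
+
+`main` reserves stack space, for some reason, not sure why.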
