We are provided with a website where you can download a ROM file and submit a (modified) ROM file to be run in a simulator. The simulator runs the provided firmware to perform a Mars landing through several stages. The unmodified firmware works fine until the lander has about 40 meters of altitude remaining, at which point it shuts down the engine and crashes into the surface. The goal is to patch the firmware so that it performs a correct landing.
Looking at the firmware we see that it is 32-bit little-endian MIPS code. We try to open it in Binary Ninja and disassemble the code at address 0x0. This turns out to be a jump to 0xfc00400, which suggests that the image is not meant to be loaded at 0x0. (Note that MIPS j/jal instructions encode only a 26-bit word index and take the top four bits of the target from the PC, so a jump that decodes as 0x0fc00400 with the image based at 0x0 resolves to 0xbfc00400 if the image sits at the MIPS32 reset vector 0xbfc00000; the 0xbfc0xxxx addresses seen later in the code are consistent with that.) So we re-open the firmware with the new base address and try to disassemble again, which gives a somewhat better result. However, looking further through the code we can find the initialization routine which, among other things, copies data from 0xbfc05efc to an address which is probably RAM. This suggests
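The base-address reasoning above can be checked mechanically. The following script is an added example written for this writeup, not the challenge's firmware or the author's tooling: it decodes the first word of a raw MIPS32 image as a j/jal and resolves the target for a candidate load address, applying the rule that the top four bits of a j/jal target come from the PC. It goes slightly beyond the text by also reporting whether the resolved target lands inside the image, which is the sanity check that tells you a candidate base is plausible. The sample ROM is constructed (a single `j 0xbfc00400` plus a nop delay slot, zero padded); the only assumption about the real target is the standard MIPS32 reset vector 0xbfc00000.

```python
"""Resolve a MIPS32 j/jal at offset 0 of a raw firmware image for a given
load address.  Added example for this writeup; the sample image below is
constructed, not the challenge's firmware."""
import struct

OP_J, OP_JAL = 0x02, 0x03
MIPS_RESET_VECTOR = 0xBFC00000  # kseg1 alias of the boot ROM on MIPS32


def decode_word(blob: bytes, offset: int, little_endian: bool = True) -> int:
    """Read one 32-bit instruction word from the image."""
    fmt = "<I" if little_endian else ">I"
    return struct.unpack_from(fmt, blob, offset)[0]


def jump_target(word: int, pc: int):
    """Absolute target of the j/jal encoded in `word` located at `pc`, or None
    if the word is not a j/jal.  Only a 26-bit word index is stored; the top
    four bits come from the address of the delay slot (pc + 4), so the same
    bytes jump somewhere else depending on where the image is loaded."""
    op = word >> 26
    if op not in (OP_J, OP_JAL):
        return None
    instr_index = word & 0x03FFFFFF
    return ((pc + 4) & 0xF0000000) | (instr_index << 2)


def first_jump_target(blob: bytes, base: int, little_endian: bool = True):
    """Resolve the jump at file offset 0 assuming the image is loaded at `base`."""
    return jump_target(decode_word(blob, 0, little_endian), base)


def in_image(addr: int, base: int, size: int) -> bool:
    """True if `addr` falls inside an image of `size` bytes loaded at `base`."""
    return base <= addr < base + size


def assemble_j(target: int) -> int:
    """Encode `j target` (used only to build the constructed sample ROM)."""
    assert target & 3 == 0, "jump targets are word aligned"
    return (OP_J << 26) | ((target >> 2) & 0x03FFFFFF)


# Constructed sample image: `j 0xbfc00400`, nop in the delay slot, zero padding.
SAMPLE_ROM = struct.pack("<II", assemble_j(0xBFC00400), 0) + b"\0" * (0x800 - 8)

if __name__ == "__main__":
    for base in (0x0, MIPS_RESET_VECTOR):
        t = first_jump_target(SAMPLE_ROM, base)
        where = "inside" if in_image(t, base, len(SAMPLE_ROM)) else "outside"
        print(f"base {base:#010x}: first instruction jumps to {t:#010x} ({where} the image)")
```

Run against the constructed ROM, the jump decodes as 0x0fc00400 (outside the image) when the file is based at 0x0 and as 0xbfc00400 (offset 0x400, inside the image) when based at the reset vector, which is exactly the discrepancy Binary Ninja shows before and after re-basing. Point `SAMPLE_ROM` at the real file contents to repeat the check on the challenge firmware.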