Friday, September 14, 2018

Micro Corruption II: Sydney

In this post we solve the second level of Micro Corruption, an embedded security CTF. First, let's check the main function:


We take a look at the check_password function that is being called in the main function:



  1. The first line of the check_password function compares 0x5a48 to the password the user enters. If the values don't match, the jump takes us to #44ac.
  2. When the values match, there is another comparison of 0x7166 to 0x2 in r15. Similarly, if the values match we move on to the next step; otherwise we jump to #44ac, which clears r14, and then r15 is set to 0.
  3. The third comparison, of 0x3664 and 0x4 in r15, is also similar to the previous comparisons.
  4. After the fourth comparison, of 0x256c with 0x6 in r15, if the comparison matches, then the value 1 is moved to r15 from r14.
  5. If the comparisons don't match, then the value 0 is moved from r14 to r15. And we finally return to the main function.

This final value written to r15 is very important because the main function tests it: if it is 0, access is not granted. If the value is 1 or not 0, then access is granted, solving this level. So, the password must be 0x5a48, 0x7166, 0x3664 and 0x256c concatenated together? We could decode the hex values or input the hex directly by using the check box.

But there is a final very interesting twist in the puzzle.


When we enter the password as (5a48 + 7166 + 3664 + 256c), we are not given access. So, we must consider the endianness and enter the password in little-endian format (485a + 6671 + 6436 + 6c25).


And we are greeted with the message that the door is unlocked and we have solved this level.
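To see why the byte order matters, here is a small C model of the four word comparisons (an added example, not code from the CTF or from the original post). The names `EXPECTED`, `read_word_le` and `encode_password` are made up for this illustration, and `check_password` is only a model of the routine as described above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* The four 16-bit constants from the walkthrough above, in comparison order. */
static const uint16_t EXPECTED[4] = { 0x5a48, 0x7166, 0x3664, 0x256c };

/* The MSP430 is little-endian: a word read takes its low byte from the
 * lower address. Read that way explicitly so this behaves the same on any host. */
static uint16_t read_word_le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Model of check_password: compare the words at offsets 0, 2, 4 and 6.
 * Returns 1 (the value left in r15 on success) or 0. */
int check_password(const uint8_t buf[8]) {
    for (size_t i = 0; i < 4; i++)
        if (read_word_le(buf + 2 * i) != EXPECTED[i])
            return 0;
    return 1;
}

/* Encode the constants as the byte string that must sit in memory. */
void encode_password(uint8_t out[8]) {
    for (size_t i = 0; i < 4; i++) {
        out[2 * i]     = (uint8_t)(EXPECTED[i] & 0xff); /* low byte first */
        out[2 * i + 1] = (uint8_t)(EXPECTED[i] >> 8);
    }
}

int main(void) {
    /* Bytes typed in the order the constants are written (first attempt). */
    const uint8_t naive[8] = { 0x5a, 0x48, 0x71, 0x66, 0x36, 0x64, 0x25, 0x6c };
    uint8_t swapped[8];
    encode_password(swapped);

    printf("as written : r15 = %d\n", check_password(naive));
    printf("byte order : ");
    for (size_t i = 0; i < 8; i++) printf("%02x", swapped[i]);
    printf(" -> r15 = %d\n", check_password(swapped));
    return 0;
}
```

The first attempt fails because the bytes 5a 48 in memory are read back as the word 0x485a, not 0x5a48.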






