-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnotes.txt
104 lines (76 loc) · 6.98 KB
/
notes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
00 = breakpoint
memory:
0000-00ff = all 58 (= 'X')
1000-dfff = all 0
e000-ffff = used by monitor; dumped
console startup = f000
crashes = ['14', '15', '16', '17', '18', '19', '1a', '1b', '1c', '1d', '1e', '1f', '98', '99', '9c', 'a0', 'c0', 'c1', 'c2', 'c3', 'c4', 'c6', 'ca', 'cc', 'e4', 'e5', 'e6', 'e7', 'e8', 'e9', 'ea', 'eb', 'ec', 'ed', 'ee', 'ef', 'f0', 'f1', 'f2', 'f3', 'f4', 'f5', 'f6', 'f7', 'f8', 'f9', 'fa', 'fb', 'fc', 'fd', 'fe', 'ff']
pcs = {'1': '2003', '2': '2001', '3': '2001', '4': '2001', '5': '2001', '6': '2001', '7': '2001', '8': '2001', '9': '2001', 'a':2001, 'b': '2003', 'c':2001, 'd': '2001', 'e': '2003', 'f':2001, '10': '2003', '11': '2003', '12': '2003', '13': '2003', '20': '2001', '21': '2001', '22': '2001', '23': '2001', '24': '2001', '25': '2001', '26': '2001', '27': '2001', '28': '2001', '29': '2001', '2a': '2001', '2b': '2001', '2c': '2001', '2d': '2001', '2e': '2001', '2f': '2001', '30': '2001', '31': '2001', '32': '2001', '33': '2001', '34': '2001', '35': '2001', '36': '2001', '37': '2001', '38': '2001', '39': '2001', '3a': '2001', '3b': '2001', '3c': '2001', '3d': '2001', '3e': '2001', '3f': '2001', '40': '2001', '41': '2001', '42': '2001', '43': '2001', '44': '2001', '45': '2001', '46': '2001', '47': '2001', '48': '2001', '49': '2001', '4a': '2001', '4b': '2001', '4c': '2001', '4d': '2001', '4e': '2001', '4f': '2001', '50': '2001', '51': '2001', '52': '2001', '53': '2001', '54': '2001', '55': '2001', '56': '2001', '57': '2001', '58': '2001', '59': '2001', '5a': '2001', '5b': '2001', '5c': '2001', '5d': '2001', '5e': '2001', '5f': '2001', '60': '2001', '61': '2001', '62': '2001', '63': '2001', '64': '2001', '65': '2001', '66': '2001', '67': '2001', '68': '2001', '69': '2001', '6a': '2001', '6b': '2001', '6c': '2001', '6d': '2001', '6e': '2001', '6f': '2001', '70': '2001', '71': '2001', '72': '2001', '73': '2001', '74': '2001', '75': '2001', '76': '2001', '77': '2001', '78': '2001', '79': '2001', '7a': '2001', '7b': '2001', '7c': '2001', '7d': '2001', '7e': '2004', '7f': '2002', '80': '2001', '81': '2001', '82': '2001', '83': '2001', '84': '2001', '85': '2001', '86': '2001', '87': '2001', '88': '2001', '89': '2001', '8a': '2001', '8b': '2001', '8c': '2001', '8d': '2001', '8e': '2001', '8f': '2001', '90': '2001', '91': '2001', '92': '2001', '93': '2001', '94': '2001', '95': '2001', '96': '2001', '97': '2001', '9a': '2003', '9b': '2003', '9d': '2003', '9e': '2003', '9f': '2003', 'a1': '2003', 'a2': '2003', 'a3': '2003', 'a4': '2003', 'a5': '2003', 'a6': '2001', 'a7': '2001', 'a8': '2001', 'a9': '2001', 'aa': '2001', 'ab': '2001', 'ac': '2001', 'ad': '2001', 'ae': '2001', 'af': '2001', 'b0': '2003', 'b1': '2003', 'b2': '2003', 'b3': '2003', 'b4': '2003', 'b5': '2003', 'b6': '2003', 'b7': '2003', 'b8': '2003', 'b9': '2003', 'ba': '2003', 'bb': '2003', 'bc': '2003', 'bd': '2003', 'be': '2003', 'bf': '2003', 'c5': '0079', 'c7': 'E002', 'c9': '0079', 'cb': 'E002', 'cd': '2003', 'ce': '2003', 'cf': '2003', 'd0': '2001', 'd1': '2001', 'd2': '2001', 'd3': '2001', 'd4': '2001', 'd5': '2001', 'd6': '2001', 'd7': '2001', 'd8': '2001', 'd9': '2001', 'da': '2001', 'db': '2001', 'dc': '2001', 'dd': '2001', 'de': '2001', 'df': '2001', 'e0': '2003', 'e1': '2003', 'e2': '2003', 'e3': '2003'}
no_args = ['2', '3', '4', '5', '6', '7', '8', '9', 'a', 'c', 'd', 'f', '20', '21', '22', '23', '24', '25', '26', '27', '28', '29', '2a', '2b', '2c', '2d', '2e', '2f', '30', '31', '32', '33', '34', '35', '36', '37', '38', '39', '3a', '3b', '3c', '3d', '3e', '3f', '40', '41', '42', '43', '44', '45', '46', '47', '48', '49', '4a', '4b', '4c', '4d', '4e', '4f', '50', '51', '52', '53', '54', '55', '56', '57', '58', '59', '5a', '5b', '5c', '5d', '5e', '5f', '60', '61', '62', '63', '64', '65', '66', '67', '68', '69', '6a', '6b', '6c', '6d', '6e', '6f', '70', '71', '72', '73', '74', '75', '76', '77', '78', '79', '7a', '7b', '7c', '7d', '80', '81', '82', '83', '84', '85', '86', '87', '88', '89', '8a', '8b', '8c', '8d', '8e', '8f', '90', '91', '92', '93', '94', '95', '96', '97', 'a6', 'a7', 'a8', 'a9', 'aa', 'ab', 'ac', 'ad', 'ae', 'af', 'd0', 'd1', 'd2', 'd3', 'd4', 'd5', 'd6', 'd7', 'd8', 'd9', 'da', 'db', 'dc', 'dd', 'de', 'df']
one_args = ['7f']
two_args = ['1', 'b', 'e', '10', '11', '12', '13', '9a', '9b', '9d', '9e', '9f', 'a1', 'a2', 'a3', 'a4', 'a5', 'b0', 'b1', 'b2', 'b3', 'b4', 'b5', 'b6', 'b7', 'b8', 'b9', 'ba', 'bb', 'bc', 'bd', 'be', 'bf', 'cd', 'ce', 'cf', 'e0', 'e1', 'e2', 'e3']
three_args = ['7e']
special = ['c5', 'c7', 'c9', 'cb']
no_info = ['c8']
weird things:
b seems to hang when run from fresh state; didn't before?
a, c, and f crashed on first run, but don't on clean run. a solved.
8 is fine; 9 seems to now take 2 args even though it took 1 on first runthrough; running 8 after running 9 crashes?
09 = set stack pointer - that explains why it made others crash - and why '0a' was thought to be crashing before (9 was run before it)
e seems to now take no args but took 2 before?
06 = syscall?
0603 = halt (maybe)
0602 = read input byte into r0
0601 = write byte r0
seen: 0666, 0664, 0665 - in math
04 used in ls command and rf command. interacts with filesystem?
functions in protected memory:
All have protections before reading or writing to attempt to avoid protected memory
0x0008: PrintStr R2 (addr) -> R2 (points to ending null) R0=0
prints up to null terminator, F0{$addr} outputs hex words, F1{$addr} outputs hex bytes
0x0010: StrCmp R2(str) , R3(str) -> flags)
flags set at first unequal character (or null terminator), R2,R3 point there,
R0,R1 hold the values of those chacacters
0x0018: FindIndex R2(tableAddr) , R3(val) -> R2(addr of val), R0(index of val)
finds val in table starting at R2, terminated by FF
return -1 (FFFF) in R0 if not found
0x0020: ConvertHex R2(addr) -> R0 (result),R3 , clobbers R1,R2
decodes mixed case hex string terminated by '\x00' or '\n'
0x0028: MemCpy R3(source),R2(dest) -> clobbers all
0x0030: ReadStr R2 (dest), R3 (maxlen) ->
read terminated by '\n', writes string terminated by '\0',
writes at most maxlen+1 bytes including '\0'
0x0038: StrTrim
0x0040: MemSet
just seems to be `ret`?
decrypted thing:
REPORT: MARCH
Fight Simulation Program - BLOCKED
Still debating what the exact premise of the project should be; bimonthly curated box of snacks is currently winning
Buffer overflow on Information Server - PENDING
Stack cookies were implemented, which should mitigate the issue while we work on its resolution
Missingno in Fight Simulation - PENDING
Skill issues are preventing progression. We are able to reach Super Glitch, but haven't figured out the correct movement yet
FOOLS2023_{XXXXXXXXX}
buffer overflow, you say? hmmm...
flags:
- text file - 50
- undoc cmd - 50
- mathtest - 150
- decrypt - 100
- hidden file - 150
- rom - 150
- serv3 mem - 150
- serv3 exploit - 187
- server2 - 100
- server2 pw - 100
- mixtest - 150
total: 1337
$ send("ls\n")
bash: syntax error near unexpected token `"ls\n"'
In [581]: git commit --amend
Cell In[581], line 1
git commit --amend
^
SyntaxError: invalid syntax
lol