.include "instr.inc"
.text
# Failed techniques:
# - reading with stack pointer
# - using a function stored in bios (memcpy, readstr+text_ram_byte)
# - using undocumented copr commands
# - inspecting the stack and calling different code in the bios
# Approach used:
# - Load REPORT03.PRG into bios area
# - Call some of its code to exfiltrate data
.global _start
_start:
# Program entry. The unconditional jp below takes the "simple" path; the
# full block-read path from `ld_r0 0x8` down to `jp 0xf12d` is kept for
# reference and is only reached if this jump is removed.
jp simple
# Full approach relying on REPORT03.PRG
# Per the header comment this copr read is what brings REPORT03.PRG into the
# bios area. r0 = 0x8 and r1 = 0xf00 are the read's operands; which one is the
# block number and which the destination is defined by instr.inc - verify
# there before changing either.
ld_r0 0x8
ld_r1 0xf00
copr_readblk
# r2 = source position handed to get_byte, r3 = destination pointer
# (starts at 0x1000, loop stops when it reaches 0x2000).
ld_r2 0
ld_r3 0x1000
loop:
# Read the byte
# r3 is preserved around the call; r2 is not, even though get_byte is
# documented as trashing all registers. NOTE(review): this only works if the
# bios routine behind get_byte leaves (or advances) r2 itself - confirm.
push_r3
call get_byte
pop_r3
# Store the byte
# r2 is borrowed as the store address (r2 = r3, then r0 is stored via r2 -
# see instr.inc for the exact addressing) and restored afterwards.
push_r2
ld_r2_r3
str_r0_r2
pop_r2
# Increment the pointer
# Two increments per byte, so the destination advances in steps of 2 -
# presumably a 16-bit store pitch; confirm against str_r0_r2 in instr.inc.
inc_r3
inc_r3
cp_r3 0x2000
jp_ne loop
# Hexdump the retrieved data
# The push/pop pairs inside the loop are balanced, so this pop consumes a
# stack slot that was already present at entry (the `simple` path does the same).
pop_r3
# cmd_read_loop arguments: r2 = start of the dump, r3 = count.
# 32 * 0x10 = 0x200, less than the 0x1000 bytes written above; whether r3
# counts bytes or 16-byte lines is not visible here - confirm.
ld_r2 0x1000
ld_r3 (32 * 0x10)
jp 0xf12d # cmd_read_loop (bios), never returns here
get_byte:
# Load byte from r2 into r0, trash all regs
# Implemented by handing control to the bios routine at 0xf66 with r0 and r3
# zeroed; that routine is expected to jump back to offset 0x63 of this
# program, where the `ret` below sits. Nothing after `jp 0xf66` executes on
# the way in.
ld_r0 0
ld_r3 0
jp 0xf66
# Pad so that `ret` lands exactly at _start + 0x63. If the code above grows
# past 0x63 bytes the fill count becomes negative; keep `ret` at that fixed
# offset (the bios jumps to it) rather than adjusting the constant.
.fill 0x63 - (. - _start), 1, 0
# Code at 0xf66 jumps here after completion
ret
# Simpler approach learned after dumping the bios
simple:
# Relies on a bios routine at 0x1e8 instead of REPORT03.PRG.
# Register setup: r1 = 0x1000, r2 = 0x1000, r3 = 0. The loop calls 0x1e8
# until r1 compares equal to 0, so the routine is presumed to count r1 down
# (and advance r2) on each call - its contract is only visible in the bios
# dump, confirm there.
ld_r1 0x1000
ld_r2 0x1000
ld_r3 0
simple_loop:
call 0x1e8
cp_r1 0
jp_ne simple_loop
# Same hexdump tail as the full approach: consume the stack slot present at
# entry, then hand r2 = dump start and r3 = 0x200 to cmd_read_loop.
pop_r3
ld_r2 0x1000
ld_r3 (32 * 0x10)
jp 0xf12d # cmd_read_loop (bios), never returns here
#jp 0xf48a # GRLTS02 monitor - alternative exit, kept commented out