.include "instr.inc"
.text
# Failed techniques:
# - reading with stack pointer
# - using a function stored in bios (memcpy, readstr+text_ram_byte)
# - using undocumented copr commands
# - inspecting the stack and calling different code in the bios
# Approach used:
# - Load REPORT03.PRG into bios area
# - Call some of its code to exfiltrate data
.global _start
#-----------------------------------------------------------------------
# _start - entry point. It jumps straight to `simple`; the REPORT03.PRG
# routine that follows is unreachable by fall-through and no jump in this
# file targets its first instruction, so it survives only as a record of
# the earlier approach (the comment above `simple` says it superseded it).
# Register roles, operand meanings and stack effects of every mnemonic
# come from the macros in instr.inc, which are not shown here; all notes
# below about them are inferred from usage and should be checked there.
# The raw bios addresses (0xf12d, 0xf66, 0x1e8) would be clearer as
# named .equ constants.
#-----------------------------------------------------------------------
_start:
jp simple                               # everything up to get_byte is dead code from here on

# Full approach relying on REPORT03.PRG
ld_r0 0x8                               # r0/r1 are the inputs of copr_readblk; presumably block number
ld_r1 0xf00                             # and destination address - confirm in instr.inc
copr_readblk

ld_r2 0                                 # r2 = source address read by get_byte ("load byte from r2")
                                        # NOTE(review): this loop never advances r2 and get_byte says it
                                        # trashes all registers; unless the code at 0xf66 advances r2
                                        # itself, every iteration reads the same byte - confirm
ld_r3 0x1000                            # r3 = destination pointer, stepped from 0x1000 up to 0x2000
loop:
# Read the byte
push_r3                                 # get_byte clobbers every register; r3 is the only value preserved across it
call get_byte
pop_r3

# Store the byte
push_r2                                 # r2 is borrowed as the store address and restored afterwards
ld_r2_r3                                # r2 = r3
str_r0_r2                               # [r2] = r0, the byte get_byte returned
pop_r2

# Increment the pointer
inc_r3                                  # two increments: one byte is written per 2-byte slot, so the
inc_r3                                  # 0x1000..0x2000 range ends up half filled - intended?
cp_r3 0x2000                            # loop until the destination reaches 0x2000 (0x800 iterations)
jp_ne loop

# Hexdump the retrieved data
pop_r3                                  # unmatched pop: nothing in this routine pushed this value -
                                        # presumably a slot left on the stack before _start ran; confirm
ld_r2 0x1000                            # r2 = start of the retrieved buffer
ld_r3 (32 * 0x10)                       # r3 = 0x200, presumably the length for cmd_read_loop; the loop
                                        # above spans 0x1000 bytes, so only part of it would be dumped
jp 0xf12d # cmd_read_loop               # tail-jump into bios code; control does not come back here
#-----------------------------------------------------------------------
# get_byte - returns the byte at r2 in r0 by handing control to bios
# code at 0xf66 (per the original comment below); it trashes every
# register, so callers must save whatever they need (the loop above
# saves only r3). There is no `ret` on the direct path: the jump is
# one-way and control returns through the `ret` placed at _start+0x63.
# Layout dependencies, both unchecked: (a) the code before the .fill
# must be at most 0x63 bytes, otherwise the fill count goes negative
# and the assembler errors or emits garbage; (b) _start must be loaded
# at the address the 0xf66 code expects when it jumps to that offset.
#-----------------------------------------------------------------------
get_byte:
# Load byte from r2 into r0, trash all regs
ld_r0 0                                 # r0/r3 zeroed first - presumably the input state the bios
ld_r3 0                                 # routine expects; confirm against the dump
jp 0xf66
.fill 0x63 - (. - _start), 1, 0         # pad so the `ret` below sits exactly at _start+0x63
# Code at 0xf66 jumps here after completion
ret                                     # returns to `call get_byte`; assumes the bios left the stack
                                        # exactly as `call` set it up
# Simpler approach learned after dumping the bios
#-----------------------------------------------------------------------
# simple - the later, shorter routine: repeatedly calls bios code at
# 0x1e8 until r1 reaches 0, then hands the buffer at 0x1000 to the bios
# hexdump routine (0xf12d, "cmd_read_loop" per the original comment).
# What 0x1e8 does with r1/r2/r3 is not visible in this file; from the
# loop condition it presumably counts r1 down from 0x1000, and r2 is
# likely a buffer pointer - confirm against the bios dump. If 0x1e8
# never changes r1 this loop does not terminate.
#-----------------------------------------------------------------------
simple:
ld_r1 0x1000                            # loop counter (inferred: only the loop test reads it here)
ld_r2 0x1000                            # same value the hexdump later uses as buffer start
ld_r3 0
simple_loop:
call 0x1e8                              # bios routine; its register contract is not shown here
cp_r1 0                                 # loop until r1 == 0
jp_ne simple_loop

pop_r3                                  # unmatched pop, same pattern as the full approach: discards a
                                        # value this routine never pushed - presumably left on the
                                        # stack before _start ran; confirm
ld_r2 0x1000                            # r2 = buffer start
ld_r3 (32 * 0x10)                       # r3 = 0x200, presumably the dump length
jp 0xf12d # cmd_read_loop               # tail-jump into bios code; control does not come back here
#jp 0xf48a # GRLTS02 monitor            # alternative exit into the monitor, left disabled