rt,@mc_sdx 是对的,密码是在test area区域,但是,最坑的一点坑了我好久,就是输入密码一定要最后一个输入0x45的位,写入0x45就好像我们输入密码按下回车一样,并且整个输密码途中不能有其它指令
我被坑了好久也不得其法,现在试出来了
密码是 pwrite(0x4a, 0x3137); pwrite(0x4b, 0x4143); pwrite(0x4c, 0x4753); pwrite(0x4d, 0x5961); pwrite(0x4e, 0x6771); pwrite(0x4f, 0x7379); pwrite(0x44, 0x2307); pwrite(0x46, 0x1719); pwrite(0x47, 0x2329); pwrite(0x45, 0x1113);
我的test area区域的数据是0xfde0:37 31 43 41 53 47 61 59 71 67 79 73 ff ff ff ff 07 23 13 11 19 17 29 23 ff ff ff ff ff ff ff ff
附赠verc提取这段rom的rop:
fd 20 30 3030 30 30 30 30 30 30 30 fe 01 d8 91 30 30 8c 92 30 301093 30 30d6 22 32 30 a4 23 32 30 3030 30 30 30 30 64 d5 06 23 32 30 31 32 33 34 31 32 33 34 35 36 37 3839 30 31 32 33 34 35 36 30 30 30 30 30 30 30 30 22 d5 48 d2 30 30 30 30 c8 03 3230 7c 23 32 30 b8 d2 30 30 30 30 2e d5 31 32 fe ff 3536 37 38 22 8f 30 30 30 30 fe fd 70 0d 32 30
转换用python代码:
data=[0x118b,0x118b,0x118b,0x118b,0x118b,0xee61,0xd747,0xc633,0xa32b,0xa32b,0xa32b,0x2fb1,0xc83f,0x6edd,0x2789,0xe645,0xb50d,0xb50d,0xb50d,0xb50d] for i in range(len(data)-1): print(hex((data[i]+0xffff-data[i+1])&0xffff))
要逆序阅读
我被坑了好久也不得其法,现在试出来了
密码是 pwrite(0x4a, 0x3137); pwrite(0x4b, 0x4143); pwrite(0x4c, 0x4753); pwrite(0x4d, 0x5961); pwrite(0x4e, 0x6771); pwrite(0x4f, 0x7379); pwrite(0x44, 0x2307); pwrite(0x46, 0x1719); pwrite(0x47, 0x2329); pwrite(0x45, 0x1113);
我的test area区域的数据是0xfde0:37 31 43 41 53 47 61 59 71 67 79 73 ff ff ff ff 07 23 13 11 19 17 29 23 ff ff ff ff ff ff ff ff
附赠verc提取这段rom的rop:
fd 20 30 3030 30 30 30 30 30 30 30 fe 01 d8 91 30 30 8c 92 30 301093 30 30d6 22 32 30 a4 23 32 30 3030 30 30 30 30 64 d5 06 23 32 30 31 32 33 34 31 32 33 34 35 36 37 3839 30 31 32 33 34 35 36 30 30 30 30 30 30 30 30 22 d5 48 d2 30 30 30 30 c8 03 3230 7c 23 32 30 b8 d2 30 30 30 30 2e d5 31 32 fe ff 3536 37 38 22 8f 30 30 30 30 fe fd 70 0d 32 30
转换用python代码:
data=[0x118b,0x118b,0x118b,0x118b,0x118b,0xee61,0xd747,0xc633,0xa32b,0xa32b,0xa32b,0x2fb1,0xc83f,0x6edd,0x2789,0xe645,0xb50d,0xb50d,0xb50d,0xb50d] for i in range(len(data)-1): print(hex((data[i]+0xffff-data[i+1])&0xffff))
要逆序阅读