
Continuous bitcoin-inspired capture-the-flag challenge. (Alpha)
https://api.hackcha.in/help

Output can write to 0x2000 range #1

Closed TACIXAT closed 8 years ago

TACIXAT commented 8 years ago

Transaction: 44ba0e6556a12229a1f52e608b9720ffe35c66cc15be98867d489f3effad9b84

I believe the output script chooses a random-ish location (maybe based on the hash at 0x0?). It has overwritten my input script, though, and on another run it was executing in the 0x2100 range.

<TX: 44ba0e6556a12229a1f52e608b9720ffe35c66cc15be98867d489f3effad9b84
  v=1
  inputs: [
    0: <Input hash: ae0c384410ef38e42e7fd0a2eabd9064ad14add65ca02b49f5eee96a7db82680
      index: 0
      script: <Script len: 14
        opcodes: [
          lui r1, 0x2000
          addi r1, r1, 0x6
          lui r2, 0x3000
          addi r2, r2, 0x1
          sw r1, r2, 0x0
          beq r0, r0, -0x3
          irq success]>>]
  outputs: [
    0: <Output value: 1500000000
      script: <Script len: 246
        opcodes: [
          lw r6, r0, 0x0
          sw r0, r0, 0x0
          lui r1, 0x1000
          addi r1, r1, 0xf
          sw r6, r1, 0x0
          lw r6, r0, 0x1
          sw r0, r0, 0x1
          lui r1, 0x1000
          addi r1, r1, 0x10
          sw r6, r1, 0x0
          sw r6, r1, 0x0
          lui r7, 0x1000
          addi r7, r7, 0xf
          addi r1, r7, 0x3
          jalr r0, r1
          add r0, r0, r0
          add r0, r0, r0
          add r0, r2, r0
          addi r6, r7, 0x0
          lw r5, r7, 0x0
          addi r1, r5, 0x0
          add r1, r1, r1
          add r1, r1, r1
          add r1, r1, r1
          nand r2, r1, r6
          nand r3, r2, r1
          nand r2, r2, r6
          nand r6, r2, r3
          lw r5, r7, 0x1
          nand r2, r6, r5
          nand r3, r2, r6
          nand r2, r2, r5
          nand r5, r2, r3
          addi r1, r5, 0x0
          add r1, r1, r1
          add r1, r1, r1
          add r1, r1, r1
          add r1, r1, r1
          add r1, r1, r1
          nand r2, r1, r6
          nand r3, r2, r1
          nand r2, r2, r6
          nand r6, r2, r3
          addi r1, r7, 0x0
          add r1, r1, r1
          add r1, r1, r1
          add r1, r1, r1
          add r1, r1, r1
          add r1, r1, r1
          nand r2, r1, r6
          nand r3, r2, r1
          nand r2, r2, r6
          nand r6, r2, r3
          addi r2, r6, 0x0
          lui r1, 0xf000
          addi r1, r1, 0x0
          nand r2, r2, r1
          nand r2, r2, r2
          lui r1, 0x1fc0
          addi r1, r1, 0x3f
          nand r1, r1, r1
          add r1, r2, r1
          beq r0, r0, 0x9
          add r0, r0, r0
          add r0, r0, r0
          add r0, r0, r0
          add r0, r0, r0
          add r0, r0, r0
          add r0, r0, r0
          add r0, r0, r0
          lui r1, 0x1000
          addi r1, r1, 0x0
          add r6, r6, r1
          lui r5, 0x1040
          addi r5, r5, 0x3b
          lui r1, 0x1000
          addi r1, r1, 0xf
          nand r1, r1, r1
          add r5, r5, r1
          addi r5, r5, 0x1
          addi r1, r6, 0x0
          add r1, r1, r5
          addi r2, r7, 0x0
          nand r2, r2, r2
          addi r2, r2, 0x1
          add r1, r1, r2
          lui r2, 0x8000
          addi r2, r2, 0x0
          nand r1, r1, r2
          nand r1, r1, r1
          beq r0, r1, 0x1
          beq r0, r0, 0xe
          addi r1, r7, 0x0
          add r1, r1, r5
          addi r2, r6, 0x0
          nand r2, r2, r2
          addi r2, r2, 0x1
          add r1, r1, r2
          lui r2, 0x8000
          addi r2, r2, 0x0
          nand r1, r1, r2
          nand r1, r1, r1
          beq r0, r1, -0xb
          beq r0, r0, 0x2
          addi r6, r6, 0x3f
          beq r0, r0, -0x35
          lw r2, r7, 0x2
          sw r0, r7, 0x2
          add r6, r6, r5
          add r5, r7, r5
          lw r1, r5, 0x0
          sw r1, r6, 0x0
          addi r5, r5, -0x1
          addi r6, r6, -0x1
          lw r1, r5, 0x0
          sw r1, r6, 0x0
          beq r5, r7, 0x1
          beq r0, r0, -0x6
          beq r0, r2, 0x1
          irq yield
          addi r7, r6, 0x0
          addi r1, r7, 0x3
          jalr r0, r1]>>]>

Here is a screenshot of it executing (it's the copied code, not the input code) in the forbidden address range.

indutny commented 8 years ago

@douggard You're absolutely right. I have recently removed the protected page and made behaviour a bit more tricky. The documentation on this is a bit stale.

Basically, there is no protected page anymore, and the threads' writes are applied only after the instructions execute, so the output thread can't overwrite the input script before the input script has run.

I'll update docs in a bit.

Thank you!

indutny commented 8 years ago

Should be fixed now.