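import sys
from binascii import hexlify

from pwn import *

# Path to the MSP430 emulator, supplied through pwntools' ``args``
# (``MSP430_EMU=<path>`` on the command line); the challenge binary is the
# first positional argument.
MSP430_EMU = args['MSP430_EMU']
MSP430_GDB = 'msp430-gdb'
BINARY = sys.argv[1]
# Prompt installed into gdb so every command's output can be read up to a
# known, unambiguous delimiter.
PROMPT = b'gdb> '

# Start the emulator with its gdb stub enabled, then attach msp430-gdb to it.
# NOTE(review): port 3713 is assumed to be the stub's default and gdb is
# started right after the emulator; if the stub is not listening yet the
# ``target remote`` may fail -- confirm against the emulator's startup.
emu = process([MSP430_EMU, '-g', BINARY])
dbg = process([
    MSP430_GDB,
    '-ex', 'target remote localhost:3713',
    '-ex', f'set prompt {PROMPT.decode("utf-8")}',
])

# password is stored in a memory region
# 447e
# 447e: 3f40 0024 mov #0x2400, r15
# 4482: ff40 2800 0000 mov.b #0x28, 0x0(r15)
# 4488: ff40 7400 0100 mov.b #0x74, 0x1(r15)
# 448e: ff40 6800 0200 mov.b #0x68, 0x2(r15)
# 4494: ff40 5900 0300 mov.b #0x59, 0x3(r15)
# 449a: ff40 7300 0400 mov.b #0x73, 0x4(r15)
# 44a0: ff40 6c00 0500 mov.b #0x6c, 0x5(r15)
# 44a6: ff40 6c00 0600 mov.b #0x6c, 0x6(r15)
# 44ac: cf43 0700 mov.b #0x0, 0x7(r15)
# 44b0: 3041 ret


def hardcoded_exploit():
    """Submit the password as a fixed hex string read off the listing above.

    Kept for reference only; ``exploit`` below recovers the same bytes from
    the running emulator instead of hard-coding them. Note that this sends
    the seven non-NUL bytes, whereas ``exploit`` forwards all eight bytes it
    reads (including the 0x00 stored at offset 7).
    """
    dbg.sendline(b'continue')
    print(emu.recvregex(b'> $').decode('utf-8'))
    emu.sendline(b':28746859736c6c')
    print(emu.recvall().decode('utf-8'))


def gdb_output(output):
    """Split raw bytes read up to the gdb prompt into a list of text lines.

    The trailing prompt is stripped before decoding so the last line holds
    command output rather than ``gdb> ``.
    """
    text = output.removesuffix(PROMPT).decode('utf-8').strip()
    return text.split('\n')


def _parse_examined_bytes(line):
    """Turn one line of ``x/Nxb`` output (``ADDR:\\t0x28\\t0x74 ...``) into bytes.

    Raises ValueError when the line lacks the ``address: values`` shape, so a
    changed gdb output format fails with a readable message instead of a bare
    IndexError.
    """
    _addr, sep, values = line.partition(':')
    if not sep:
        raise ValueError(f'unexpected gdb x/ output: {line!r}')
    return bytes(int(tok, 16) for tok in values.split())


def exploit():
    """Recover the password from emulator memory via gdb, then submit it."""
    # The mov.b sequence at 0x447e-0x44ac fills 0x2400..0x2407 and the
    # routine returns at 0x44b0, so stopping there guarantees the buffer
    # is fully written.
    dbg.sendlinethen(PROMPT, b'break *0x44b0')
    dbg.sendlinethen(PROMPT, b'continue')  # run to the breakpoint
    # r15 is loaded with 0x2400 at 0x447e and not modified before the ret,
    # so ``x/8xb $r15`` would read the same bytes; the absolute address is
    # used so the read does not depend on register state.
    line = gdb_output(dbg.sendlinethen(PROMPT, b'x/8xb 0x2400'))[0]
    # All eight bytes are forwarded, including the 0x00 written at offset 7.
    password = _parse_examined_bytes(line)
    dbg.sendline(b'continue')  # let the target run on to its input prompt
    print(emu.recvregex(b'> $').decode('utf-8'))
    # Same input convention as hardcoded_exploit: ':' followed by hex bytes.
    emu.sendline(b':' + hexlify(password))
    print(emu.recvall().decode('utf-8'))


# Consume gdb's initial prompt so the first sendlinethen starts in sync.
dbg.recvuntil(PROMPT)

exploit()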