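import sys
from binascii import hexlify

from pwn import *

# Emulator path is taken from a pwntools-style KEY=VALUE command-line
# argument (MSP430_EMU=/path/to/emulator).  pwntools' `args` returns ''
# for an unset key instead of raising, so emptiness is checked in main().
MSP430_EMU = args['MSP430_EMU']
MSP430_GDB = 'msp430-gdb'
# Port the emulator's gdb stub is expected to listen on (the original
# script hard-coded it in the `target remote` command).
GDB_REMOTE_PORT = 3713
PROMPT = b'gdb> '

# The MSP430 is little-endian; p16() below packs with this setting.
context.endian = 'little'

# The password is compared against four 16-bit constants, little-endian,
# at offsets 0x0, 0x2, 0x4 and 0x6 of the input buffer (r15).  Every
# compare must match for r14 (copied to r15 on return) to stay 1:
# 448a
# 448a: bf90 7c24 0000 cmp #0x247c, 0x0(r15)
# 4490: 0d20           jnz $+0x1c
# 4492: bf90 722e 0200 cmp #0x2e72, 0x2(r15)
# 4498: 0920           jnz $+0x14
# 449a: bf90 794d 0400 cmp #0x4d79, 0x4(r15)
# 44a0: 0520           jne #0x44ac
# 44a2: 1e43           mov #0x1, r14
# 44a4: bf90 6c41 0600 cmp #0x416c, 0x6(r15)
# 44aa: 0124           jeq #0x44ae
# 44ac: 0e43           clr r14
# 44ae: 0f4e           mov r14, r15
# 44b0: 3041           ret
PASSWORD_WORDS = (0x247c, 0x2e72, 0x4d79, 0x416c)


def build_password(words):
    """Pack the 16-bit *words* into the byte string the compare sequence expects.

    Args:
        words: iterable of ints in 0..0xFFFF, in buffer order (offset 0 first).

    Returns:
        bytes of length 2 * len(words), each word packed with p16() under
        the module's little-endian context.
    """
    return b''.join(p16(w) for w in words)


def main():
    """Start the emulator under gdb, resume it, and feed it the password.

    Reads the emulator path from the MSP430_EMU argument and the target
    binary from sys.argv[1]; exits with a usage message if either is
    missing instead of failing inside process().
    """
    if not MSP430_EMU:
        sys.exit('MSP430_EMU=<path-to-emulator> must be given on the command line')
    if len(sys.argv) < 2:
        sys.exit(f'usage: {sys.argv[0]} MSP430_EMU=<emulator> <binary>')
    binary = sys.argv[1]

    # `-g` presumably makes the emulator expose a gdb stub on
    # GDB_REMOTE_PORT — TODO confirm against the emulator's options.  As
    # in the original, gdb is started right after the emulator with no
    # explicit wait for the stub to come up.
    emu = process([MSP430_EMU, '-g', binary])
    dbg = process([
        MSP430_GDB,
        '-ex', f'target remote localhost:{GDB_REMOTE_PORT}',
        '-ex', f'set prompt {PROMPT.decode("utf-8")}',
    ])
    try:
        # Let the emulated program run until it asks for input.
        dbg.sendline(b'continue')
        print(emu.recvregex(b'> $').decode('utf-8'))
        # Leading ':' appears to be the emulator's hex-input marker —
        # kept from the original; confirm against the emulator's docs.
        emu.sendline(b':' + hexlify(build_password(PASSWORD_WORDS)))
        # recvall() blocks until the emulator closes its output.
        print(emu.recvall().decode('utf-8'))
    finally:
        # Always tear down both child processes, even if a recv times out.
        dbg.close()
        emu.close()


if __name__ == '__main__':
    main()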