.bytecode
Well, we did the reverse engineering part, now we have to write a program for the VM with the instruction set described in the previous paragraph. Here is the program’s functional specification:
- the program must return “*“
- sym.memory has to contain the string “Such VM! MuCH reV3rse!” after execution
- all 9 instructions have to be used at least once
- sym.good_if_ne_zero should not be zero
- instr_P is not allowed to be used more than 9 times
Since this document is about reversing, I’ll leave the programming part to the fellow reader :) But I’m not going to leave you empty-handed, I’ll give you one advice: Except for “J”, all of the instructions are simple, easy to use, and it should not be a problem to construct the “Such VM! MuCH reV3rse!” using them. “J” however is a bit complicated compared to the others. One should realize that its sole purpose is to make sym.good_if_ne_zero bigger than zero, which is a requirement to access the flag. In order to increment sym.good_if_ne_zero, three conditions should be met:
- arg1 should be a negative number, otherwise we would return early
- sym.written_by_instr_C should not be 0 when “J” is called. This means that “C”, “AC”, or “SC” instructions should be used before calling “J”.
- arg1_and_0x3f should be negative when checked. Since 0x3f’s sign bit is zero, no matter what arg1 is, the result of arg1 & 0x3f will always be non-negative. But remember that “J” negates arg1_and_0x3f if arg1 & 0x40 is not zero. This basically means that arg1‘s 6th bit should be 1 (0x40 = 01000000b). Also, because arg1_and_0x3f can’t be 0 either, at least one of arg1‘s 0th, 1st, 2nd, 3rd, 4th or 5th bits should be 1 (0x3f = 00111111b).
I think this is enough information, you can go now and write that program. Or, you could just reverse engineer the quick’n’dirty one I’ve used during the CTF:
\x90\x00PSAMuAP\x01AMcAP\x01AMhAP\x01AM AP\x01AMVAP\x01AMMAP\x01AM!AP\x01AM AP\x01AMMAP\x01AMuAP\x01AMCAP\x01AMHAP\x01AM AP\x01AMrAP\x01AMeAP\x01AMVAP\x01AM3AP\x01AMrAP\x01AMsAP\x01AMeIPAM!X\x00CAJ\xc1SC\x00DCR*
Keep in mind though, that it was written on-the-fly, parallel to the reversing phase - for example there are parts that was written without the knowledge of all possible instructions. This means that the code is ugly and unefficient.