parent
f19958331d
commit
d92de8ad9e
@ -1,333 +0,0 @@
|
||||
# Architecture
|
||||
|
||||
Pasticciotto uses the Harvard Architecture meaning its code is separated from its data and also from its stack. This allowed me to materialize my idea for the **PoliCTF** challenge: I could run the code the partecipants assembled without any hassle!
|
||||
![Structure]
|
||||
|
||||
There are 8 general purpose registers (`R0` to `S3`) with `S0 -> S3` being "scratch" ones. There is a `RP` register (Return Pointer) and obviously the `IP` (Instruction Pointer).
|
||||
|
||||
# Opcode encryption
|
||||
|
||||
The VM needs a decryption key to run: the opcodes are "encrypted" with the key by the assembler. The encryption algorithm is the `RC4` key scheduling shuffle. Once the values are shuffled, the `opcodes` are assigned according to their definition order.
|
||||
|
||||
```python
|
||||
key_ba = bytearray(key, 'utf-8')
|
||||
# RC4 KSA! :-P
|
||||
arr = [i for i in range(256)]
|
||||
j = 0
|
||||
for i in range(len(arr)):
|
||||
j = (j + arr[i] + key_ba[i % len(key)]) % len(arr)
|
||||
arr[i], arr[j] = arr[j], arr[i]
|
||||
|
||||
for i, o in enumerate(ops):
|
||||
o.set_value(arr[i])
|
||||
```
|
||||
|
||||
# Instruction set
|
||||
The instruction set I come out wants to be "RISC"-oriented but I have to admit that it is more "CISC"-oriented *(Confusing Instruction Set Computer)*.
|
||||
Also, since I decided that every instruction had to be 4 chars long, some name adaptation may have encountered some quality issue... (yes, `POP`, I'm looking at you)
|
||||
|
||||
**The syntax used is the Intel one!**
|
||||
|
||||
There **three types** of instructions:
|
||||
1. with 2 operands (*imm2reg*, *reg2imm*, *byt2reg*, *reg2reg*)
|
||||
2. with 1 operand
|
||||
3. with no operand at all (*single*)
|
||||
|
||||
![Instruction]
|
||||
## MOVI
|
||||
```
|
||||
Full name: MOVe Immediate to register
|
||||
Usage: MOVI R0, 0x00
|
||||
Effect: R0 contains the value 0x00
|
||||
```
|
||||
## MOVR
|
||||
```
|
||||
Full name: MOVe Register to register
|
||||
Usage: MOVR R1, R0
|
||||
Effect: R0 is copied into R1
|
||||
```
|
||||
## LODI
|
||||
```
|
||||
Full name: LOaD Immediate offset @ data section to register
|
||||
Usage: LODI R0, 0x0
|
||||
Effect: R0 contains data[0x0]
|
||||
```
|
||||
## LODR
|
||||
```
|
||||
Full name: LOaD offset in Register @ data section to register
|
||||
Usage: LODR R1, R0
|
||||
Effect: R1 contains data[R1]
|
||||
```
|
||||
## STRI
|
||||
```
|
||||
Full name: SToRe @ immediate offset in data section from register
|
||||
Usage: STRI 0x0, R0
|
||||
Effect: data[0x0] contains R0
|
||||
```
|
||||
## STRR
|
||||
```
|
||||
Full name: SToRe @ offset of Register in data section from register
|
||||
Usage: STRR R1, R0
|
||||
Effect: data[R1] contains R0
|
||||
```
|
||||
## ADDI
|
||||
```
|
||||
Full name: ADD Immediate to register
|
||||
Usage: ADDI R0, 0x1
|
||||
Effect: R0 is incremented by 0x1
|
||||
```
|
||||
## ADDR
|
||||
```
|
||||
Full name: ADD Register to register
|
||||
Usage: ADDR R1, R0
|
||||
Effect: R1 is incremented by R0
|
||||
```
|
||||
## SUBI
|
||||
```
|
||||
Full name: SUBstract Immediate from register
|
||||
Usage: SUBI R0, 0x1
|
||||
Effect: R0 is decremented by 0x1
|
||||
```
|
||||
## SUBR
|
||||
```
|
||||
Full name: SUBstract Register from register
|
||||
Usage: SUBR R1, R0
|
||||
Effect: R1 is decremented by R0
|
||||
```
|
||||
## ANDB
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## ANDW
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## ANDR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## YORB
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## YORW
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## YORR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## XORB
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## XORW
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## XORR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## NOTR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## MULI
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## MULR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## DIVI
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## DIVR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## SHLI
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## SHLR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## SHRI
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## SHRR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## PUSH
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## POOP
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## CMPB
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## CMPW
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## CMPR
|
||||
```
|
||||
Full name:
|
||||
Usage:
|
||||
Effect:
|
||||
```
|
||||
## JMPI
|
||||
```
|
||||
Full name: JuMP to Immediate
|
||||
Usage: JMPI 0x00
|
||||
Effect: Unconditional jump to 0x00
|
||||
```
|
||||
## JMPR
|
||||
```
|
||||
Full name: JuMP to Register
|
||||
Usage: JMPR R0
|
||||
Effect: Unconditional jump to R0
|
||||
```
|
||||
## JPAI
|
||||
```
|
||||
Full name: JumP if Above to Immediate
|
||||
Usage: JPAI 0x00
|
||||
Effect: Jumps to code[0x00] according to last comparison
|
||||
```
|
||||
## JPAR
|
||||
```
|
||||
Full name: JumP if Above to Register
|
||||
Usage: JPAR R0
|
||||
Effect: Jumps to code[R0] according to last comparison
|
||||
```
|
||||
## JPBI
|
||||
```
|
||||
Full name: JumP if Below or equal to Immediate
|
||||
Usage: JPBI 0x00
|
||||
Effect: Jumps to code[0x00] according to last comparison
|
||||
```
|
||||
## JPBR
|
||||
```
|
||||
Full name: JumP if Below or equal to Register
|
||||
Usage: JPBR R0
|
||||
Effect: Jumps to code[R0] according to last comparison
|
||||
```
|
||||
## JPEI
|
||||
```
|
||||
Full name: JumP if Equal to Immediate
|
||||
Usage: JPEI 0x00
|
||||
Effect: Jumps to code[0x00] according to last comparison
|
||||
```
|
||||
## JPER
|
||||
```
|
||||
Full name: JumP if Equal to Register
|
||||
Usage: JPER R0
|
||||
Effect: Jumps to code[R0] according to last comparison
|
||||
```
|
||||
## JPNI
|
||||
```
|
||||
Full name: JumP if Not equal to Immediate
|
||||
Usage: JPNI 0x00
|
||||
Effect: Jumps to code[0x00] according to last comparison
|
||||
```
|
||||
## JPNR
|
||||
```
|
||||
Full name: JumP if Not equal to Register
|
||||
Usage: JPNR R0
|
||||
Effect: Jumps to code[R0] according to last comparison
|
||||
```
|
||||
## CALL
|
||||
```
|
||||
Full name: CALL function
|
||||
Usage: CALL *function*
|
||||
Effect: Saves the next instruction address into RP and jumps to the start of the function
|
||||
```
|
||||
## RETN
|
||||
```
|
||||
Full name: RETurN
|
||||
Usage: RETN
|
||||
Effect: Restores the RP into the IP and jumps to the IP
|
||||
```
|
||||
## SHIT
|
||||
```
|
||||
Full name: Well...
|
||||
Usage: SHIT
|
||||
Effect: Halts the execution
|
||||
```
|
||||
## NOPE
|
||||
```
|
||||
Full name: NOP(e)
|
||||
Usage: NOPE
|
||||
Effect: Does nothing for an instruction
|
||||
```
|
||||
## GRMN
|
||||
```
|
||||
Full name: GeRMaNo
|
||||
Usage: GRMN
|
||||
Effect: Sets every register (excluding IP and RP) to GG
|
||||
```
|
||||
## DEBG
|
||||
```
|
||||
Full name: DEBuG
|
||||
Usage: DEBG
|
||||
Effect: Prints the status of every register and the flags
|
||||
```
|
||||
|
||||
[Instruction]: ./res/instruction.png
|
||||
[Structure]: ./res/structure.png
|
48
README.md
48
README.md
@ -1,47 +1 @@
|
||||
![Pasticciotto]
|
||||
|
||||
# What is this?
|
||||
Pasticciotto is a virtual machine which can be used to obfuscate code. It was developed for the **PoliCTF 17** as a reversing challenge.
|
||||
|
||||
I wanted to experiment with VM obfuscation since it was a topic that caught my attention while reversing challenges for various CTFs. So, I decided to write one **from scratch** in order to understand better how instruction set architectures are implemented!
|
||||
|
||||
The design and the implementation behind Pasticciotto are not state-of-the-art but hey, it works!
|
||||
|
||||
# What about the challenge?
|
||||
I do not want to spoil the challenge for those that haven't completed it yet. Check out some write-up online!
|
||||
|
||||
# Instruction set
|
||||
Check out the file [INSTRUCTION_SET.MD](IS) to understand how the VM works and which operations it can do! Watch out for some spoilers if you haven't completed the challenge though!
|
||||
|
||||
# Why "Pasticciotto"?
|
||||
In Italian, "Pasticciotto" has two meanings!
|
||||
|
||||
The first one is **"little mess"** which perfectly describes how I put up this project. The second one is a typical dessert from Southern Italy, Salento! It's filled with cream! Yum!
|
||||
|
||||
# Contributions
|
||||
|
||||
Any contribution is **very** welcome! Feel free to open issues and pull requests!
|
||||
|
||||
|
||||
# License
|
||||
```
|
||||
Copyright 2017 Giulio De Pasquale
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of this
|
||||
software and associated documentation files (the "Software"), to deal in the Software
|
||||
without restriction, including without limitation the rights to use, copy, modify, merge,
|
||||
publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
|
||||
to whom the Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all copies or
|
||||
substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
|
||||
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
|
||||
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
||||
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
|
||||
DEALINGS IN THE SOFTWARE.
|
||||
```
|
||||
[Pasticciotto]: ./res/pasticciotto.png
|
||||
[IS]: ./INSTRUCTION_SET.md
|
||||
VM con ISA diversi e bytecode generati casualmente.
|
@ -55,7 +55,7 @@ class VMAssembler:
|
||||
self.data = data
|
||||
self.assembled_code = bytearray()
|
||||
self.functions = []
|
||||
self.encrypt_ops(key)
|
||||
self.decrypt_ops(key)
|
||||
self.parse_functions()
|
||||
self.resolve_functions_offsets()
|
||||
self.resolve_symbols()
|
||||
@ -252,7 +252,7 @@ class VMAssembler:
|
||||
self.assembled_code += opcode.uint8()
|
||||
return
|
||||
|
||||
def encrypt_ops(self, key):
|
||||
def decrypt_ops(self, key):
|
||||
key_ba = bytearray(key, 'utf-8')
|
||||
olds = copy.deepcopy(ops)
|
||||
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 18 KiB |
Binary file not shown.
Before Width: | Height: | Size: 186 KiB |
Binary file not shown.
Before Width: | Height: | Size: 23 KiB |
File diff suppressed because one or more lines are too long
Before Width: | Height: | Size: 19 KiB |
Loading…
Reference in New Issue
Block a user