peperunas/gipu
1
0
Fork 0
Code Issues 3 Pull Requests Releases Wiki Activity

Revert "Stub documentazione"

Browse Source 
This reverts commit 7cae011023.
This commit is contained in:
Giulio De Pasquale 2017-05-26 11:54:47 +02:00
parent f19958331d
commit d92de8ad9e
7 changed files with 3 additions and 384 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

333
INSTRUCTION_SET.md
View File

@ -1,333 +0,0 @@
# Architecture
Pasticciotto uses the Harvard Architecture meaning its code is separated from its data and also from its stack. This allowed me to materialize my idea for the **PoliCTF** challenge: I could run the code the partecipants assembled without any hassle!
![Structure]
There are 8 general purpose registers (`R0` to `S3`) with `S0 -> S3` being "scratch" ones. There is a `RP` register (Return Pointer) and obviously the `IP` (Instruction Pointer).
# Opcode encryption
The VM needs a decryption key to run: the opcodes are "encrypted" with the key by the assembler. The encryption algorithm is the `RC4` key scheduling shuffle. Once the values are shuffled, the `opcodes` are assigned according to their definition order.
```python
key_ba = bytearray(key, 'utf-8')
# RC4 KSA! :-P
arr = [i for i in range(256)]
j = 0
for i in range(len(arr)):
j = (j + arr[i] + key_ba[i % len(key)]) % len(arr)
arr[i], arr[j] = arr[j], arr[i]
for i, o in enumerate(ops):
o.set_value(arr[i])
```
# Instruction set
The instruction set I come out wants to be "RISC"-oriented but I have to admit that it is more "CISC"-oriented *(Confusing Instruction Set Computer)*.
Also, since I decided that every instruction had to be 4 chars long, some name adaptation may have encountered some quality issue... (yes, `POP`, I'm looking at you)
**The syntax used is the Intel one!**
There **three types** of instructions:
1. with 2 operands (*imm2reg*, *reg2imm*, *byt2reg*, *reg2reg*)
2. with 1 operand
3. with no operand at all (*single*)
![Instruction]
## MOVI
```
Full name: MOVe Immediate to register
Usage: MOVI R0, 0x00
Effect: R0 contains the value 0x00
```
## MOVR
```
Full name: MOVe Register to register
Usage: MOVR R1, R0
Effect: R0 is copied into R1
```
## LODI
```
Full name: LOaD Immediate offset @ data section to register
Usage: LODI R0, 0x0
Effect: R0 contains data[0x0]
```
## LODR
```
Full name: LOaD offset in Register @ data section to register
Usage: LODR R1, R0
Effect: R1 contains data[R1]
```
## STRI
```
Full name: SToRe @ immediate offset in data section from register
Usage: STRI 0x0, R0
Effect: data[0x0] contains R0
```
## STRR
```
Full name: SToRe @ offset of Register in data section from register
Usage: STRR R1, R0
Effect: data[R1] contains R0
```
## ADDI
```
Full name: ADD Immediate to register
Usage: ADDI R0, 0x1
Effect: R0 is incremented by 0x1
```
## ADDR
```
Full name: ADD Register to register
Usage: ADDR R1, R0
Effect: R1 is incremented by R0
```
## SUBI
```
Full name: SUBstract Immediate from register
Usage: SUBI R0, 0x1
Effect: R0 is decremented by 0x1
```
## SUBR
```
Full name: SUBstract Register from register
Usage: SUBR R1, R0
Effect: R1 is decremented by R0
```
## ANDB
```
Full name:
Usage:
Effect:
```
## ANDW
```
Full name:
Usage:
Effect:
```
## ANDR
```
Full name:
Usage:
Effect:
```
## YORB
```
Full name:
Usage:
Effect:
```
## YORW
```
Full name:
Usage:
Effect:
```
## YORR
```
Full name:
Usage:
Effect:
```
## XORB
```
Full name:
Usage:
Effect:
```
## XORW
```
Full name:
Usage:
Effect:
```
## XORR
```
Full name:
Usage:
Effect:
```
## NOTR
```
Full name:
Usage:
Effect:
```
## MULI
```
Full name:
Usage:
Effect:
```
## MULR
```
Full name:
Usage:
Effect:
```
## DIVI
```
Full name:
Usage:
Effect:
```
## DIVR
```
Full name:
Usage:
Effect:
```
## SHLI
```
Full name:
Usage:
Effect:
```
## SHLR
```
Full name:
Usage:
Effect:
```
## SHRI
```
Full name:
Usage:
Effect:
```
## SHRR
```
Full name:
Usage:
Effect:
```
## PUSH
```
Full name:
Usage:
Effect:
```
## POOP
```
Full name:
Usage:
Effect:
```
## CMPB
```
Full name:
Usage:
Effect:
```
## CMPW
```
Full name:
Usage:
Effect:
```
## CMPR
```
Full name:
Usage:
Effect:
```
## JMPI
```
Full name: JuMP to Immediate
Usage: JMPI 0x00
Effect: Unconditional jump to 0x00
```
## JMPR
```
Full name: JuMP to Register
Usage: JMPR R0
Effect: Unconditional jump to R0
```
## JPAI
```
Full name: JumP if Above to Immediate
Usage: JPAI 0x00
Effect: Jumps to code[0x00] according to last comparison
```
## JPAR
```
Full name: JumP if Above to Register
Usage: JPAR R0
Effect: Jumps to code[R0] according to last comparison
```
## JPBI
```
Full name: JumP if Below or equal to Immediate
Usage: JPBI 0x00
Effect: Jumps to code[0x00] according to last comparison
```
## JPBR
```
Full name: JumP if Below or equal to Register
Usage: JPBR R0
Effect: Jumps to code[R0] according to last comparison
```
## JPEI
```
Full name: JumP if Equal to Immediate
Usage: JPEI 0x00
Effect: Jumps to code[0x00] according to last comparison
```
## JPER
```
Full name: JumP if Equal to Register
Usage: JPER R0
Effect: Jumps to code[R0] according to last comparison
```
## JPNI
```
Full name: JumP if Not equal to Immediate
Usage: JPNI 0x00
Effect: Jumps to code[0x00] according to last comparison
```
## JPNR
```
Full name: JumP if Not equal to Register
Usage: JPNR R0
Effect: Jumps to code[R0] according to last comparison
```
## CALL
```
Full name: CALL function
Usage: CALL *function*
Effect: Saves the next instruction address into RP and jumps to the start of the function
```
## RETN
```
Full name: RETurN
Usage: RETN
Effect: Restores the RP into the IP and jumps to the IP
```
## SHIT
```
Full name: Well...
Usage: SHIT
Effect: Halts the execution
```
## NOPE
```
Full name: NOP(e)
Usage: NOPE
Effect: Does nothing for an instruction
```
## GRMN
```
Full name: GeRMaNo
Usage: GRMN
Effect: Sets every register (excluding IP and RP) to GG
```
## DEBG
```
Full name: DEBuG
Usage: DEBG
Effect: Prints the status of every register and the flags
```
[Instruction]: ./res/instruction.png
[Structure]: ./res/structure.png

48
README.md
View File

@ -1,47 +1 @@
![Pasticciotto]
# What is this?
Pasticciotto is a virtual machine which can be used to obfuscate code. It was developed for the **PoliCTF 17** as a reversing challenge.
I wanted to experiment with VM obfuscation since it was a topic that caught my attention while reversing challenges for various CTFs. So, I decided to write one **from scratch** in order to understand better how instruction set architectures are implemented!
The design and the implementation behind Pasticciotto are not state-of-the-art but hey, it works!
# What about the challenge?
I do not want to spoil the challenge for those that haven't completed it yet. Check out some write-up online!
# Instruction set
Check out the file [INSTRUCTION_SET.MD](IS) to understand how the VM works and which operations it can do! Watch out for some spoilers if you haven't completed the challenge though!
# Why "Pasticciotto"?
In Italian, "Pasticciotto" has two meanings!
The first one is **"little mess"** which perfectly describes how I put up this project. The second one is a typical dessert from Southern Italy, Salento! It's filled with cream! Yum!
# Contributions
Any contribution is **very** welcome! Feel free to open issues and pull requests!
# License
```
Copyright 2017 Giulio De Pasquale
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
```
[Pasticciotto]: ./res/pasticciotto.png
[IS]: ./INSTRUCTION_SET.md
VM con ISA diversi e bytecode generati casualmente.

4
assembler/assembler.py
View File

@ -55,7 +55,7 @@ class VMAssembler:
self.data = data
self.assembled_code = bytearray()
self.functions = []
self.encrypt_ops(key)
self.decrypt_ops(key)
self.parse_functions()
self.resolve_functions_offsets()
self.resolve_symbols()
@ -252,7 +252,7 @@ class VMAssembler:
self.assembled_code += opcode.uint8()
return
def encrypt_ops(self, key):
def decrypt_ops(self, key):
key_ba = bytearray(key, 'utf-8')
olds = copy.deepcopy(ops)

BIN
res/instruction.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 18 KiB

BIN
res/pasticciotto.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 186 KiB

BIN
res/structure.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

2
res/structure.svg
View File

File diff suppressed because one or more lines are too long
Side by Side

Before

Width:  |  Height:  |  Size: 19 KiB