Cambiata key

Revert "Sistemate grandezze + unused imports"
This reverts commit 0ac0e08c9e.
2017-05-26 12:04:11 +02:00 · 2017-05-26 11:55:21 +02:00 · 2017-05-26 11:54:47 +02:00
12 changed files with 43 additions and 420 deletions
--- a/INSTRUCTION_SET.md
+++ b/INSTRUCTION_SET.md
@ -1,333 +0,0 @@
 # Architecture
 Pasticciotto uses the Harvard Architecture meaning its code is separated from its data and also from its stack. This allowed me to materialize my idea for the **PoliCTF** challenge: I could run the code the partecipants assembled without any hassle!
 ![Structure]
 There are 8 general purpose registers (`R0` to `S3`) with `S0 -> S3` being "scratch" ones. There is a `RP` register (Return Pointer) and obviously the `IP` (Instruction Pointer).
 # Opcode encryption
 The VM needs a decryption key to run: the opcodes are "encrypted" with the key by the assembler. The encryption algorithm is the `RC4` key scheduling shuffle. Once the values are shuffled, the `opcodes` are assigned according to their definition order.
 ```python
 key_ba = bytearray(key, 'utf-8')
 # RC4 KSA! :-P
 arr = [i for i in range(256)]
 j = 0
 for i in range(len(arr)):
    j = (j + arr[i] + key_ba[i % len(key)]) % len(arr)
    arr[i], arr[j] = arr[j], arr[i]
 for i, o in enumerate(ops):
    o.set_value(arr[i])
 ```
 # Instruction set
 The instruction set I come out wants to be "RISC"-oriented but I have to admit that it is more "CISC"-oriented *(Confusing Instruction Set Computer)*.
 Also, since I decided that every instruction had to be 4 chars long, some name adaptation may have encountered some quality issue... (yes, `POP`, I'm looking at you)
 **The syntax used is the Intel one!**
 There **three types** of instructions:
 1. with 2 operands (*imm2reg*, *reg2imm*, *byt2reg*, *reg2reg*)
 2. with 1 operand
 3. with no operand at all (*single*)
 ![Instruction]
 ## MOVI
 ```
 Full name: MOVe Immediate to register
 Usage: MOVI R0, 0x00
 Effect: R0 contains the value 0x00
 ```
 ## MOVR
 ```
 Full name: MOVe Register to register
 Usage: MOVR R1, R0
 Effect: R0 is copied into R1
 ```
 ## LODI
 ```
 Full name: LOaD Immediate offset @ data section to register
 Usage: LODI R0, 0x0
 Effect: R0 contains data[0x0]
 ```
 ## LODR
 ```
 Full name: LOaD offset in Register @ data section to register
 Usage: LODR R1, R0
 Effect: R1 contains data[R1]
 ```
 ## STRI
 ```
 Full name: SToRe @ immediate offset in data section from register
 Usage: STRI 0x0, R0
 Effect: data[0x0] contains R0
 ```
 ## STRR
 ```
 Full name: SToRe @ offset of Register in data section from register
 Usage: STRR R1, R0
 Effect: data[R1] contains R0
 ```
 ## ADDI
 ```
 Full name: ADD Immediate to register
 Usage: ADDI R0, 0x1
 Effect: R0 is incremented by 0x1
 ```
 ## ADDR
 ```
 Full name: ADD Register to register
 Usage: ADDR R1, R0
 Effect: R1 is incremented by R0
 ```
 ## SUBI
 ```
 Full name: SUBstract Immediate from register
 Usage: SUBI R0, 0x1
 Effect: R0 is decremented by 0x1
 ```
 ## SUBR
 ```
 Full name: SUBstract Register from register
 Usage: SUBR R1, R0
 Effect: R1 is decremented by R0
 ```
 ## ANDB
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## ANDW
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## ANDR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## YORB
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## YORW
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## YORR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## XORB
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## XORW
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## XORR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## NOTR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## MULI
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## MULR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## DIVI
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## DIVR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## SHLI
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## SHLR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## SHRI
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## SHRR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## PUSH
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## POOP
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## CMPB
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## CMPW
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## CMPR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## JMPI
 ```
 Full name: JuMP to Immediate
 Usage: JMPI 0x00
 Effect: Unconditional jump to 0x00
 ```
 ## JMPR
 ```
 Full name: JuMP to Register
 Usage: JMPR R0
 Effect: Unconditional jump to R0
 ```
 ## JPAI
 ```
 Full name: JumP if Above to Immediate
 Usage: JPAI 0x00
 Effect: Jumps to code[0x00] according to last comparison
 ```
 ## JPAR
 ```
 Full name: JumP if Above to Register
 Usage: JPAR R0
 Effect: Jumps to code[R0] according to last comparison
 ```
 ## JPBI
 ```
 Full name: JumP if Below or equal to Immediate
 Usage: JPBI 0x00
 Effect: Jumps to code[0x00] according to last comparison
 ```
 ## JPBR
 ```
 Full name: JumP if Below or equal to Register
 Usage: JPBR R0
 Effect: Jumps to code[R0] according to last comparison
 ```
 ## JPEI
 ```
 Full name: JumP if Equal to Immediate
 Usage: JPEI 0x00
 Effect: Jumps to code[0x00] according to last comparison
 ```
 ## JPER
 ```
 Full name: JumP if Equal to Register
 Usage: JPER R0
 Effect: Jumps to code[R0] according to last comparison
 ```
 ## JPNI
 ```
 Full name: JumP if Not equal to Immediate
 Usage: JPNI 0x00
 Effect: Jumps to code[0x00] according to last comparison
 ```
 ## JPNR
 ```
 Full name: JumP if Not equal to Register
 Usage: JPNR R0
 Effect: Jumps to code[R0] according to last comparison
 ```
 ## CALL
 ```
 Full name: CALL function
 Usage: CALL *function*
 Effect: Saves the next instruction address into RP and jumps to the start of the function
 ```
 ## RETN
 ```
 Full name: RETurN
 Usage: RETN
 Effect: Restores the RP into the IP and jumps to the IP 
 ```
 ## SHIT
 ```
 Full name: Well...
 Usage: SHIT
 Effect: Halts the execution
 ```
 ## NOPE
 ```
 Full name: NOP(e)
 Usage: NOPE
 Effect: Does nothing for an instruction
 ```
 ## GRMN
 ```
 Full name: GeRMaNo
 Usage: GRMN
 Effect: Sets every register (excluding IP and RP) to GG
 ```
 ## DEBG
 ```
 Full name: DEBuG
 Usage: DEBG
 Effect: Prints the status of every register and the flags
 ```
 [Instruction]: ./res/instruction.png
 [Structure]: ./res/structure.png
--- a/README.md
+++ b/README.md
@ -1,47 +1 @@
-![Pasticciotto]
+VM con ISA diversi e bytecode generati casualmente.
 # What is this?
 Pasticciotto is a virtual machine which can be used to obfuscate code. It was developed for the **PoliCTF 17** as a reversing challenge.
 I wanted to experiment with VM obfuscation since it was a topic that caught my attention while reversing challenges for various CTFs. So, I decided to write one **from scratch** in order to understand better how instruction set architectures are implemented! 
 The design and the implementation behind Pasticciotto are not state-of-the-art but hey, it works!
 # What about the challenge?
 I do not want to spoil the challenge for those that haven't completed it yet. Check out some write-up online!
 # Instruction set
 Check out the file [INSTRUCTION_SET.MD](IS) to understand how the VM works and which operations it can do! Watch out for some spoilers if you haven't completed the challenge though!
 # Why "Pasticciotto"?
 In Italian, "Pasticciotto" has two meanings! 
 The first one is **"little mess"** which perfectly describes how I put up this project. The second one is a typical dessert from Southern Italy, Salento! It's filled with cream! Yum!
 # Contributions
 Any contribution is **very** welcome! Feel free to open issues and pull requests!
 # License
 ```
 Copyright 2017 Giulio De Pasquale
 Permission is hereby granted, free of charge, to any person obtaining a copy of this 
 software and associated documentation files (the "Software"), to deal in the Software 
 without restriction, including without limitation the rights to use, copy, modify, merge, 
 publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons 
 to whom the Software is furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all copies or 
 substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, 
 INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
 PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE 
 FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 
 OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
 DEALINGS IN THE SOFTWARE.
 ```
 [Pasticciotto]: ./res/pasticciotto.png
 [IS]: ./INSTRUCTION_SET.md
--- a/assembler/assembler.py
+++ b/assembler/assembler.py
@ -55,7 +55,7 @@ class VMAssembler:
        self.data = data
        self.assembled_code = bytearray()
        self.functions = []
-        self.encrypt_ops(key)
+        self.decrypt_ops(key)
        self.parse_functions()
        self.resolve_functions_offsets()
        self.resolve_symbols()
@ -252,7 +252,7 @@ class VMAssembler:
        self.assembled_code += opcode.uint8()
        return
-    def encrypt_ops(self, key):
+    def decrypt_ops(self, key):
        key_ba = bytearray(key, 'utf-8')
        olds = copy.deepcopy(ops)
--- a/polictf/pasticciotto_local.cpp
+++ b/polictf/pasticciotto_local.cpp
@ -78,44 +78,38 @@ int main(int argc, char *argv[]) {
      0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c,
      0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c,
      0x2f, 0x2f, 0x5c, 0x2f, 0x20, 0x20, 0x20};
  uint8_t a[] = {0x24, 0x00, 0x38, 0x08, 0x2f, 0x18,
                 0x3f, 0x40, 0x51, 0x5f, 0x53, 0x4e};
  uint8_t b[] = "totallyrandom";
  uint8_t *c = new uint8_t[12]; // PoLiCtF2017!
  unsigned char bc[] = {
-      0x50, 0x00, 0xde, 0xad, 0x50, 0x01, 0xb0, 0x0b, 0xc1, 0x00, 0x00, 0x00,
+      0x48, 0x00, 0xde, 0xad, 0x48, 0x01, 0xb0, 0x0b, 0xd4, 0x00, 0x00, 0x00,
-      0xc1, 0x02, 0x00, 0x01, 0x50, 0x00, 0xb0, 0x0b, 0x50, 0x01, 0xfa, 0xce,
+      0xd4, 0x02, 0x00, 0x01, 0x48, 0x00, 0xb0, 0x0b, 0x48, 0x01, 0xfa, 0xce,
-      0xc1, 0x04, 0x00, 0x00, 0xc1, 0x06, 0x00, 0x01, 0x50, 0x00, 0x00, 0x00,
+      0xd4, 0x04, 0x00, 0x00, 0xd4, 0x06, 0x00, 0x01, 0x48, 0x00, 0x00, 0x00,
-      0x4d, 0xda, 0x00, 0xd4, 0x20, 0x50, 0x04, 0x00, 0x00, 0x53, 0x04, 0x50,
+      0xd8, 0xd9, 0x00, 0xcb, 0x20, 0x48, 0x04, 0x00, 0x00, 0xde, 0x04, 0x48,
-      0x00, 0x00, 0x00, 0x50, 0x01, 0x02, 0x00, 0xd5, 0x04, 0xd5, 0x14, 0x4d,
+      0x00, 0x00, 0x00, 0x48, 0x01, 0x02, 0x00, 0x39, 0x04, 0x39, 0x14, 0xd8,
-      0x5b, 0x00, 0x87, 0x04, 0x86, 0x04, 0x01, 0x00, 0x8c, 0x42, 0x79, 0x2d,
+      0x5a, 0x00, 0x5c, 0x04, 0x05, 0x04, 0x01, 0x00, 0xd7, 0x42, 0x93, 0x2d,
-      0x00, 0x0e, 0x00, 0x00, 0x00, 0x0e, 0x01, 0x02, 0x00, 0x0e, 0x02, 0x04,
+      0x00, 0x22, 0x00, 0x00, 0x00, 0x22, 0x01, 0x02, 0x00, 0x22, 0x02, 0x04,
-      0x00, 0x0e, 0x03, 0x06, 0x00, 0xcd, 0x0a, 0x53, 0x01, 0x53, 0x02, 0x53,
+      0x00, 0x22, 0x03, 0x06, 0x00, 0x5d, 0xde, 0x01, 0xde, 0x02, 0xde, 0x03,
-      0x03, 0x83, 0x20, 0x83, 0x31, 0x50, 0x04, 0x00, 0x00, 0x50, 0x05, 0x00,
+      0x12, 0x20, 0x12, 0x31, 0x48, 0x04, 0x00, 0x00, 0x48, 0x05, 0x00, 0x00,
-      0x00, 0x53, 0x04, 0x86, 0x05, 0x6f, 0x62, 0x53, 0x05, 0xd4, 0x43, 0x25,
+      0xde, 0x04, 0x05, 0x05, 0x6f, 0x62, 0xde, 0x05, 0xcb, 0x43, 0x20, 0x04,
-      0x04, 0x04, 0x00, 0x86, 0x04, 0x65, 0x70, 0xd4, 0x53, 0x87, 0x07, 0xd5,
+      0x04, 0x00, 0x05, 0x04, 0x65, 0x70, 0xcb, 0x53, 0x5c, 0x07, 0x39, 0x57,
-      0x57, 0x53, 0x07, 0x6c, 0x45, 0x53, 0x04, 0xd4, 0x43, 0xb1, 0x04, 0x05,
+      0xde, 0x07, 0xb1, 0x45, 0xde, 0x04, 0xcb, 0x43, 0x36, 0x04, 0x05, 0x00,
-      0x00, 0x86, 0x04, 0x65, 0x70, 0x87, 0x05, 0x6c, 0x45, 0xd5, 0x24, 0xd4,
+      0x05, 0x04, 0x65, 0x70, 0x5c, 0x05, 0xb1, 0x45, 0x39, 0x24, 0xcb, 0x42,
-      0x42, 0x25, 0x04, 0x04, 0x00, 0x86, 0x04, 0x75, 0x72, 0xd4, 0x52, 0x87,
+      0x20, 0x04, 0x04, 0x00, 0x05, 0x04, 0x75, 0x72, 0xcb, 0x52, 0x5c, 0x07,
-      0x07, 0xd5, 0x57, 0x53, 0x07, 0x6c, 0x45, 0x53, 0x04, 0xd4, 0x42, 0xb1,
+      0x39, 0x57, 0xde, 0x07, 0xb1, 0x45, 0xde, 0x04, 0xcb, 0x42, 0x36, 0x04,
-      0x04, 0x05, 0x00, 0x86, 0x04, 0x73, 0x6e, 0x87, 0x05, 0x6c, 0x45, 0xd5,
+      0x05, 0x00, 0x05, 0x04, 0x73, 0x6e, 0x5c, 0x05, 0xb1, 0x45, 0x39, 0x34,
-      0x34, 0x87, 0x05, 0x87, 0x04, 0x86, 0x04, 0x01, 0x00, 0x2b, 0x04, 0x7f,
+      0x5c, 0x05, 0x5c, 0x04, 0x05, 0x04, 0x01, 0x00, 0xf4, 0x04, 0x7f, 0x93,
-      0x79, 0x6d, 0x00, 0x81, 0x02, 0x81, 0x13, 0x87, 0x03, 0x87, 0x02, 0x87,
+      0x6c, 0x00, 0x4e, 0x02, 0x4e, 0x13, 0x5c, 0x03, 0x5c, 0x02, 0x5c, 0x01,
-      0x01, 0xa9, 0x53, 0x01, 0x53, 0x02, 0x53, 0x03, 0xd4, 0x60, 0x50, 0x05,
+      0xbb, 0xde, 0x01, 0xde, 0x02, 0xde, 0x03, 0xcb, 0x60, 0x48, 0x05, 0x00,
-      0x00, 0x00, 0x83, 0x46, 0x2b, 0x04, 0x00, 0x78, 0x01, 0x01, 0x50, 0x06,
+      0x00, 0x12, 0x46, 0xf4, 0x04, 0x00, 0x38, 0xff, 0x00, 0x48, 0x06, 0x00,
-      0x00, 0x00, 0x86, 0x05, 0x01, 0x00, 0xd5, 0x65, 0x83, 0x46, 0x2b, 0x04,
+      0x00, 0x05, 0x05, 0x01, 0x00, 0x39, 0x65, 0x12, 0x46, 0xf4, 0x04, 0x00,
-      0x00, 0xcd, 0x80, 0xee, 0x00, 0xd4, 0x05, 0x87, 0x03, 0x87, 0x02, 0x87,
+      0xae, 0xed, 0x00, 0xcb, 0x05, 0x5c, 0x03, 0x5c, 0x02, 0x5c, 0x01, 0xbb};
-      0x01, 0xa9};
+  unsigned int bclen = 264;
  unsigned int bclen = 266;
-  for (uint8_t i = 0; i < 12; i++) {
+  unsigned char opcode_key[] = {0x48, 0x61, 0x76, 0x65, 0x46, 0x75, 0x6e,
-    c[i] = a[i] ^ b[i % 13];
+                                0x21, 0x50, 0x6f, 0x6c, 0x69, 0x43, 0x54,
-  }
+                                0x46, 0x32, 0x30, 0x31, 0x37, 0x21};
  printf("%s", banner);
  printf("\nHmmm...\n");
-  VM vm(c, bc, bclen);
+  VM vm(opcode_key, bc, bclen);
  vm.run();
  return 0;
 }
--- a/polictf/res/client_opcode_key.txt
+++ b/polictf/res/client_opcode_key.txt
@ -0,0 +1 @@
 HaveFun!PoliCTF2017!
--- a/res/instruction.png
+++ b/res/instruction.png
--- a/res/pasticciotto.png
+++ b/res/pasticciotto.png
--- a/res/structure.png
+++ b/res/structure.png
--- a/res/structure.svg
+++ b/res/structure.svg
--- a/vm/opcodes.h
+++ b/vm/opcodes.h
@ -114,6 +114,7 @@ INSTRUCTION SIZE TYPES
 */
 #define REG2REG 2
 #define IMM2REG 4
 #define REG2IMM 4
 #define BYT2REG 3
 #define REGONLY 2
 #define IMMONLY 3
@ -155,6 +156,8 @@ INSTRUCTION SIZES
 #define CMPB_SIZE BYT2REG
 #define CMPW_SIZE IMM2REG
 #define CMPR_SIZE REG2REG
 #define JMPI_SIZE IMMONLY
 #define JMPR_SIZE REGONLY
 #define JPAI_SIZE IMMONLY
 #define JPAR_SIZE REGONLY
 #define JPBI_SIZE IMMONLY
@ -163,6 +166,8 @@ INSTRUCTION SIZES
 #define JPER_SIZE REGONLY
 #define JPNI_SIZE IMMONLY
 #define JPNR_SIZE REGONLY
 #define RETN_SIZE SINGLE
 #define SHIT_SIZE SINGLE
 #define NOPE_SIZE SINGLE
 #define GRMN_SIZE SINGLE
 #define DEBG_SIZE SINGLE
--- a/vm/vm.cpp
+++ b/vm/vm.cpp
@ -1,11 +1,13 @@
 #include "vm.h"
 #include "debug.h"
 #include "opcodes.h"
 #include "vmas.h"
 #include <string.h>
 #include <unistd.h>
 void VM::encryptOpcodes(uint8_t *key) {
-  uint8_t arr[256], i, j;
+  uint8_t arr[256];
-  uint32_t tmp, keysize;
+  uint32_t i, j, tmp, keysize;
  keysize = strlen((char *)key);
  /*
@ -25,6 +27,7 @@ void VM::encryptOpcodes(uint8_t *key) {
    OPS[i] = arr[i];
  }
 #ifdef DBG
  //#TODO ASSEGNARE I NOMI AGLI OPCODES
  DBG_INFO(("~~~~~~~~~~\nOPCODES:\n"));
  for (i = 0; i < NUM_OPS; i++) {
    DBG_INFO(("0x%x: 0x%x\n", i, OPS[i]));
@ -149,7 +152,7 @@ VM::VM(uint8_t *key, uint8_t *code, uint32_t codesize) {
 }
 void VM::initVariables(void) {
-  uint8_t i;
+  uint32_t i;
  for (i = R0; i < NUM_REGS; i++) {
    this->regs[i] = 0;
--- a/vm/vm.h
+++ b/vm/vm.h
@ -33,6 +33,7 @@ private:
  */
  bool execMOVI(void);
  bool execMOVR(void);
  bool execMOVM(void);
  bool execLODI(void);
  bool execLODR(void);
  bool execSTRI(void);
Author	SHA1	Message	Date
Giulio De Pasquale	bd731786d3	Cambiata key	2017-05-26 12:04:11 +02:00
Giulio De Pasquale	40e93ae508	Revert "Sistemate grandezze + unused imports" This reverts commit `0ac0e08c9e`.	2017-05-26 11:55:21 +02:00
Giulio De Pasquale	d92de8ad9e	Revert "Stub documentazione" This reverts commit `7cae011023`.	2017-05-26 11:54:47 +02:00