Cambiata key

Revert "Sistemate grandezze + unused imports"
This reverts commit 0ac0e08c9e.
2017-05-26 12:04:11 +02:00 · 2017-05-26 11:55:21 +02:00 · 2017-05-26 11:54:47 +02:00
12 changed files with 12 additions and 473 deletions
--- a/INSTRUCTION_SET.md
+++ b/INSTRUCTION_SET.md
@ -1,333 +0,0 @@
 # Architecture
 Pasticciotto uses the Harvard Architecture meaning its code is separated from its data and also from its stack. This allowed me to materialize my idea for the **PoliCTF** challenge: I could run the code the partecipants assembled without any hassle!
 ![Structure]
 There are 8 general purpose registers (`R0` to `S3`) with `S0 -> S3` being "scratch" ones. There is a `RP` register (Return Pointer) and obviously the `IP` (Instruction Pointer).
 # Opcode encryption
 The VM needs a decryption key to run: the opcodes are "encrypted" with the key by the assembler. The encryption algorithm is the `RC4` key scheduling shuffle. Once the values are shuffled, the `opcodes` are assigned according to their definition order.
 ```python
 key_ba = bytearray(key, 'utf-8')
 # RC4 KSA! :-P
 arr = [i for i in range(256)]
 j = 0
 for i in range(len(arr)):
    j = (j + arr[i] + key_ba[i % len(key)]) % len(arr)
    arr[i], arr[j] = arr[j], arr[i]
 for i, o in enumerate(ops):
    o.set_value(arr[i])
 ```
 # Instruction set
 The instruction set I come out wants to be "RISC"-oriented but I have to admit that it is more "CISC"-oriented *(Confusing Instruction Set Computer)*.
 Also, since I decided that every instruction had to be 4 chars long, some name adaptation may have encountered some quality issue... (yes, `POP`, I'm looking at you)
 **The syntax used is the Intel one!**
 There **three types** of instructions:
 1. with 2 operands (*imm2reg*, *reg2imm*, *byt2reg*, *reg2reg*)
 2. with 1 operand
 3. with no operand at all (*single*)
 ![Instruction]
 ## MOVI
 ```
 Full name: MOVe Immediate to register
 Usage: MOVI R0, 0x00
 Effect: R0 contains the value 0x00
 ```
 ## MOVR
 ```
 Full name: MOVe Register to register
 Usage: MOVR R1, R0
 Effect: R0 is copied into R1
 ```
 ## LODI
 ```
 Full name: LOaD Immediate offset @ data section to register
 Usage: LODI R0, 0x0
 Effect: R0 contains data[0x0]
 ```
 ## LODR
 ```
 Full name: LOaD offset in Register @ data section to register
 Usage: LODR R1, R0
 Effect: R1 contains data[R1]
 ```
 ## STRI
 ```
 Full name: SToRe @ immediate offset in data section from register
 Usage: STRI 0x0, R0
 Effect: data[0x0] contains R0
 ```
 ## STRR
 ```
 Full name: SToRe @ offset of Register in data section from register
 Usage: STRR R1, R0
 Effect: data[R1] contains R0
 ```
 ## ADDI
 ```
 Full name: ADD Immediate to register
 Usage: ADDI R0, 0x1
 Effect: R0 is incremented by 0x1
 ```
 ## ADDR
 ```
 Full name: ADD Register to register
 Usage: ADDR R1, R0
 Effect: R1 is incremented by R0
 ```
 ## SUBI
 ```
 Full name: SUBstract Immediate from register
 Usage: SUBI R0, 0x1
 Effect: R0 is decremented by 0x1
 ```
 ## SUBR
 ```
 Full name: SUBstract Register from register
 Usage: SUBR R1, R0
 Effect: R1 is decremented by R0
 ```
 ## ANDB
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## ANDW
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## ANDR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## YORB
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## YORW
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## YORR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## XORB
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## XORW
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## XORR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## NOTR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## MULI
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## MULR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## DIVI
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## DIVR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## SHLI
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## SHLR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## SHRI
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## SHRR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## PUSH
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## POOP
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## CMPB
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## CMPW
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## CMPR
 ```
 Full name:
 Usage:
 Effect: 
 ```
 ## JMPI
 ```
 Full name: JuMP to Immediate
 Usage: JMPI 0x00
 Effect: Unconditional jump to 0x00
 ```
 ## JMPR
 ```
 Full name: JuMP to Register
 Usage: JMPR R0
 Effect: Unconditional jump to R0
 ```
 ## JPAI
 ```
 Full name: JumP if Above to Immediate
 Usage: JPAI 0x00
 Effect: Jumps to code[0x00] according to last comparison
 ```
 ## JPAR
 ```
 Full name: JumP if Above to Register
 Usage: JPAR R0
 Effect: Jumps to code[R0] according to last comparison
 ```
 ## JPBI
 ```
 Full name: JumP if Below or equal to Immediate
 Usage: JPBI 0x00
 Effect: Jumps to code[0x00] according to last comparison
 ```
 ## JPBR
 ```
 Full name: JumP if Below or equal to Register
 Usage: JPBR R0
 Effect: Jumps to code[R0] according to last comparison
 ```
 ## JPEI
 ```
 Full name: JumP if Equal to Immediate
 Usage: JPEI 0x00
 Effect: Jumps to code[0x00] according to last comparison
 ```
 ## JPER
 ```
 Full name: JumP if Equal to Register
 Usage: JPER R0
 Effect: Jumps to code[R0] according to last comparison
 ```
 ## JPNI
 ```
 Full name: JumP if Not equal to Immediate
 Usage: JPNI 0x00
 Effect: Jumps to code[0x00] according to last comparison
 ```
 ## JPNR
 ```
 Full name: JumP if Not equal to Register
 Usage: JPNR R0
 Effect: Jumps to code[R0] according to last comparison
 ```
 ## CALL
 ```
 Full name: CALL function
 Usage: CALL *function*
 Effect: Saves the next instruction address into RP and jumps to the start of the function
 ```
 ## RETN
 ```
 Full name: RETurN
 Usage: RETN
 Effect: Restores the RP into the IP and jumps to the IP 
 ```
 ## SHIT
 ```
 Full name: Well...
 Usage: SHIT
 Effect: Halts the execution
 ```
 ## NOPE
 ```
 Full name: NOP(e)
 Usage: NOPE
 Effect: Does nothing for an instruction
 ```
 ## GRMN
 ```
 Full name: GeRMaNo
 Usage: GRMN
 Effect: Sets every register (excluding IP and RP) to GG
 ```
 ## DEBG
 ```
 Full name: DEBuG
 Usage: DEBG
 Effect: Prints the status of every register and the flags
 ```
 [Instruction]: ./res/instruction.png
 [Structure]: ./res/structure.png
--- a/README.md
+++ b/README.md
@ -1,47 +1 @@
-![Pasticciotto]
+VM con ISA diversi e bytecode generati casualmente.
 # What is this?
 Pasticciotto is a virtual machine which can be used to obfuscate code. It was developed for the **PoliCTF 17** as a reversing challenge.
 I wanted to experiment with VM obfuscation since it was a topic that caught my attention while reversing challenges for various CTFs. So, I decided to write one **from scratch** in order to understand better how instruction set architectures are implemented! 
 The design and the implementation behind Pasticciotto are not state-of-the-art but hey, it works!
 # What about the challenge?
 I do not want to spoil the challenge for those that haven't completed it yet. Check out some write-up online!
 # Instruction set
 Check out the file [INSTRUCTION_SET.MD](IS) to understand how the VM works and which operations it can do! Watch out for some spoilers if you haven't completed the challenge though!
 # Why "Pasticciotto"?
 In Italian, "Pasticciotto" has two meanings! 
 The first one is **"little mess"** which perfectly describes how I put up this project. The second one is a typical dessert from Southern Italy, Salento! It's filled with cream! Yum!
 # Contributions
 Any contribution is **very** welcome! Feel free to open issues and pull requests!
 # License
 ```
 Copyright 2017 Giulio De Pasquale
 Permission is hereby granted, free of charge, to any person obtaining a copy of this 
 software and associated documentation files (the "Software"), to deal in the Software 
 without restriction, including without limitation the rights to use, copy, modify, merge, 
 publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons 
 to whom the Software is furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all copies or 
 substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, 
 INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
 PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE 
 FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 
 OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
 DEALINGS IN THE SOFTWARE.
 ```
 [Pasticciotto]: ./res/pasticciotto.png
 [IS]: ./INSTRUCTION_SET.md
--- a/assembler/assembler.py
+++ b/assembler/assembler.py
@ -55,7 +55,7 @@ class VMAssembler:
        self.data = data
        self.assembled_code = bytearray()
        self.functions = []
-        self.encrypt_ops(key)
+        self.decrypt_ops(key)
        self.parse_functions()
        self.resolve_functions_offsets()
        self.resolve_symbols()
@ -252,7 +252,7 @@ class VMAssembler:
        self.assembled_code += opcode.uint8()
        return
-    def encrypt_ops(self, key):
+    def decrypt_ops(self, key):
        key_ba = bytearray(key, 'utf-8')
        olds = copy.deepcopy(ops)
--- a/polictf/pasticciotto_server.cpp
+++ b/polictf/pasticciotto_server.cpp
@ -1,81 +0,0 @@
 #include "../vm/vm.h"
 #include "../vm/debug.h"
 #include <fstream>
 #include <iostream>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <unistd.h>
 #define KEYLEN 15
 #define CODESIZE 0x300
 #define DATAKEYLEN 30
 void gen_random(uint8_t *s, const int len) {
  srand(time(NULL));
  static const char alphanum[] = "0123456789"
                                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                 "abcdefghijklmnopqrstuvwxyz";
  for (int i = 0; i < len; ++i) {
    s[i] = alphanum[rand() % (sizeof(alphanum) - 1)];
  }
  s[len] = 0;
 }
 unsigned char encrypted_data[] = {
    0xcc, 0x8d, 0x5a, 0xcc, 0x73, 0xb5, 0xf2, 0xa3, 0xf3, 0x92,
    0xa8, 0x8f, 0x2f, 0xf1, 0x3e, 0xf4, 0x69, 0x00, 0x4a, 0xcb,
    0xed, 0xc4, 0x57, 0x9b, 0xf6, 0x9a, 0x78, 0x46, 0x83, 0xe9};
 unsigned int encrypted_data_len = 30;
 int main(int argc, char *argv[]) {
  uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[DATAKEYLEN],
          *flag = new uint8_t[DATAKEYLEN];
  uint8_t *clientcode;
  uint8_t i;
  uint32_t clientcodesize, bytesread;
  FILE *datap, *flagp;
  gen_random(key, KEYLEN);
  printf("Use this: \"%s\"\n", key);
  printf("How much data are you sending me?\n");
  scanf("%d", &clientcodesize);
  printf("Go ahead then!\n");
  clientcode = new uint8_t[clientcodesize];
  bytesread = read(0, clientcode, clientcodesize);
  if (bytesread != clientcodesize) {
    printf("ERROR! Couldn't read everything!\n");
    exit(1);
  }
  VM vm(key, clientcode, clientcodesize);
  vm.as.insData(encrypted_data, encrypted_data_len);
  vm.run();
  datap = fopen("./res/decrypteddatasection.txt", "r");
  if (datap == NULL) {
      printf("Couldn't open decrypteddatasection.txt!\n");
      exit(1);
  }
  fscanf(datap, "%s", decdatasec);
  fclose(datap);
  for (i = 0; i < DATAKEYLEN; i++) {
    if (vm.as.data[i] != decdatasec[i]) {
        DBG_INFO(("Checking data[%d]..\n", i));
      printf("Nope!\n");
      exit(1);
    }
  }
  flagp = fopen("./res/flag.txt", "r");
  if (flagp == NULL) {
      printf("Couldn't open flag.txt!\n");
      exit(1);
  }
  fscanf(flagp, "%s", flag);
  fclose(flagp);
  printf("Congratulations!\nThe flag is: %s\n", flag);
  return 0;
 }
--- a/polictf/res/decrypteddatasection.txt
+++ b/polictf/res/decrypteddatasection.txt
@ -1 +0,0 @@
 TheDataSectionHasBeenEncrypted
--- a/polictf/res/flag.txt
+++ b/polictf/res/flag.txt
@ -1 +0,0 @@
 PoliCTF17{DajeFunziona}
--- a/res/instruction.png
+++ b/res/instruction.png
--- a/res/pasticciotto.png
+++ b/res/pasticciotto.png
--- a/res/structure.png
+++ b/res/structure.png
--- a/res/structure.svg
+++ b/res/structure.svg
--- a/test/tea-encrypt.c
+++ b/test/tea-encrypt.c
@ -11,15 +11,15 @@ void encrypt(uint16_t *v) {
  uint16_t k1 = 0x7065; // "pe"
  uint16_t k2 = 0x7275; // "ru"
  uint16_t k3 = 0x6e73; // "ns"
-  // printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
+  printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
  for (i = 0; i < 128; i++) {
    sum += delta;
    v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
    v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
-    // printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
+    //printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
  }
-  // printf("SUM: 0x%x\n", sum);
+  printf("SUM: 0x%x\n", sum);
-  // printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
+  printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
  v[0] = v0;
  v[1] = v1;
 }
@ -35,10 +35,13 @@ int main(int argc, char *argv[]) {
  buf = (uint8_t *)malloc(buflen);
  memcpy(buf, argv[1], buflen);
  for (i = 0; i < buflen; i++) {
    printf("----\n");
    encrypt((uint16_t *)&buf[i]);
  }
  printf("Result:\n");
  for (i = 0; i < buflen; i++) {
-    printf("%c", buf[i]);
+    printf("%02x", buf[i]);
  }
  printf("\n");
  return 0;
 }
--- a/vm/vm.h
+++ b/vm/vm.h
@ -18,6 +18,7 @@ private:
  uint16_t regs[0xb];
  flags_t flags;
  VMAddrSpace as;
  ////////////////////////
  // FUNCTIONS
  ///////////////////////
@ -81,7 +82,6 @@ private:
 public:
  VM(uint8_t *key);
  VM(uint8_t *key, uint8_t *code, uint32_t codesize);
  VMAddrSpace as;
  void status(void);
  void run();
 };
Author	SHA1	Message	Date
Giulio De Pasquale	bd731786d3	Cambiata key	2017-05-26 12:04:11 +02:00
Giulio De Pasquale	40e93ae508	Revert "Sistemate grandezze + unused imports" This reverts commit `0ac0e08c9e`.	2017-05-26 11:55:21 +02:00
Giulio De Pasquale	d92de8ad9e	Revert "Stub documentazione" This reverts commit `7cae011023`.	2017-05-26 11:54:47 +02:00