Finito server per polictf

This reverts commit 0ac0e08c9e.

INSTRUCTION_SET.md

@@ -0,0 +1,333 @@
+# Architecture
+
+Pasticciotto uses the Harvard Architecture meaning its code is separated from its data and also from its stack. This allowed me to materialize my idea for the **PoliCTF** challenge: I could run the code the partecipants assembled without any hassle!
+![Structure]
+
+There are 8 general purpose registers (`R0` to `S3`) with `S0 -> S3` being "scratch" ones. There is a `RP` register (Return Pointer) and obviously the `IP` (Instruction Pointer).
+
+# Opcode encryption
+
+The VM needs a decryption key to run: the opcodes are "encrypted" with the key by the assembler. The encryption algorithm is the `RC4` key scheduling shuffle. Once the values are shuffled, the `opcodes` are assigned according to their definition order.
+
+```python
+key_ba = bytearray(key, 'utf-8')
+# RC4 KSA! :-P
+arr = [i for i in range(256)]
+j = 0
+for i in range(len(arr)):
+    j = (j + arr[i] + key_ba[i % len(key)]) % len(arr)
+    arr[i], arr[j] = arr[j], arr[i]
+
+for i, o in enumerate(ops):
+    o.set_value(arr[i])
+```
+
+# Instruction set
+The instruction set I come out wants to be "RISC"-oriented but I have to admit that it is more "CISC"-oriented *(Confusing Instruction Set Computer)*.
+Also, since I decided that every instruction had to be 4 chars long, some name adaptation may have encountered some quality issue... (yes, `POP`, I'm looking at you)
+
+**The syntax used is the Intel one!**
+
+There **three types** of instructions:
+1. with 2 operands (*imm2reg*, *reg2imm*, *byt2reg*, *reg2reg*)
+2. with 1 operand
+3. with no operand at all (*single*)
+
+![Instruction]
+## MOVI
+```
+Full name: MOVe Immediate to register
+Usage: MOVI R0, 0x00
+Effect: R0 contains the value 0x00
+```
+## MOVR
+```
+Full name: MOVe Register to register
+Usage: MOVR R1, R0
+Effect: R0 is copied into R1
+```
+## LODI
+```
+Full name: LOaD Immediate offset @ data section to register
+Usage: LODI R0, 0x0
+Effect: R0 contains data[0x0]
+```
+## LODR
+```
+Full name: LOaD offset in Register @ data section to register
+Usage: LODR R1, R0
+Effect: R1 contains data[R1]
+```
+## STRI
+```
+Full name: SToRe @ immediate offset in data section from register
+Usage: STRI 0x0, R0
+Effect: data[0x0] contains R0
+```
+## STRR
+```
+Full name: SToRe @ offset of Register in data section from register
+Usage: STRR R1, R0
+Effect: data[R1] contains R0
+```
+## ADDI
+```
+Full name: ADD Immediate to register
+Usage: ADDI R0, 0x1
+Effect: R0 is incremented by 0x1
+```
+## ADDR
+```
+Full name: ADD Register to register
+Usage: ADDR R1, R0
+Effect: R1 is incremented by R0
+```
+## SUBI
+```
+Full name: SUBstract Immediate from register
+Usage: SUBI R0, 0x1
+Effect: R0 is decremented by 0x1
+```
+## SUBR
+```
+Full name: SUBstract Register from register
+Usage: SUBR R1, R0
+Effect: R1 is decremented by R0
+```
+## ANDB
+```
+Full name:
+Usage:
+Effect: 
+```
+## ANDW
+```
+Full name:
+Usage:
+Effect: 
+```
+## ANDR
+```
+Full name:
+Usage:
+Effect: 
+```
+## YORB
+```
+Full name:
+Usage:
+Effect: 
+```
+## YORW
+```
+Full name:
+Usage:
+Effect: 
+```
+## YORR
+```
+Full name:
+Usage:
+Effect: 
+```
+## XORB
+```
+Full name:
+Usage:
+Effect: 
+```
+## XORW
+```
+Full name:
+Usage:
+Effect: 
+```
+## XORR
+```
+Full name:
+Usage:
+Effect: 
+```
+## NOTR
+```
+Full name:
+Usage:
+Effect: 
+```
+## MULI
+```
+Full name:
+Usage:
+Effect: 
+```
+## MULR
+```
+Full name:
+Usage:
+Effect: 
+```
+## DIVI
+```
+Full name:
+Usage:
+Effect: 
+```
+## DIVR
+```
+Full name:
+Usage:
+Effect: 
+```
+## SHLI
+```
+Full name:
+Usage:
+Effect: 
+```
+## SHLR
+```
+Full name:
+Usage:
+Effect: 
+```
+## SHRI
+```
+Full name:
+Usage:
+Effect: 
+```
+## SHRR
+```
+Full name:
+Usage:
+Effect: 
+```
+## PUSH
+```
+Full name:
+Usage:
+Effect: 
+```
+## POOP
+```
+Full name:
+Usage:
+Effect: 
+```
+## CMPB
+```
+Full name:
+Usage:
+Effect: 
+```
+## CMPW
+```
+Full name:
+Usage:
+Effect: 
+```
+## CMPR
+```
+Full name:
+Usage:
+Effect: 
+```
+## JMPI
+```
+Full name: JuMP to Immediate
+Usage: JMPI 0x00
+Effect: Unconditional jump to 0x00
+```
+## JMPR
+```
+Full name: JuMP to Register
+Usage: JMPR R0
+Effect: Unconditional jump to R0
+```
+## JPAI
+```
+Full name: JumP if Above to Immediate
+Usage: JPAI 0x00
+Effect: Jumps to code[0x00] according to last comparison
+```
+## JPAR
+```
+Full name: JumP if Above to Register
+Usage: JPAR R0
+Effect: Jumps to code[R0] according to last comparison
+```
+## JPBI
+```
+Full name: JumP if Below or equal to Immediate
+Usage: JPBI 0x00
+Effect: Jumps to code[0x00] according to last comparison
+```
+## JPBR
+```
+Full name: JumP if Below or equal to Register
+Usage: JPBR R0
+Effect: Jumps to code[R0] according to last comparison
+```
+## JPEI
+```
+Full name: JumP if Equal to Immediate
+Usage: JPEI 0x00
+Effect: Jumps to code[0x00] according to last comparison
+```
+## JPER
+```
+Full name: JumP if Equal to Register
+Usage: JPER R0
+Effect: Jumps to code[R0] according to last comparison
+```
+## JPNI
+```
+Full name: JumP if Not equal to Immediate
+Usage: JPNI 0x00
+Effect: Jumps to code[0x00] according to last comparison
+```
+## JPNR
+```
+Full name: JumP if Not equal to Register
+Usage: JPNR R0
+Effect: Jumps to code[R0] according to last comparison
+```
+## CALL
+```
+Full name: CALL function
+Usage: CALL *function*
+Effect: Saves the next instruction address into RP and jumps to the start of the function
+```
+## RETN
+```
+Full name: RETurN
+Usage: RETN
+Effect: Restores the RP into the IP and jumps to the IP 
+```
+## SHIT
+```
+Full name: Well...
+Usage: SHIT
+Effect: Halts the execution
+```
+## NOPE
+```
+Full name: NOP(e)
+Usage: NOPE
+Effect: Does nothing for an instruction
+```
+## GRMN
+```
+Full name: GeRMaNo
+Usage: GRMN
+Effect: Sets every register (excluding IP and RP) to GG
+```
+## DEBG
+```
+Full name: DEBuG
+Usage: DEBG
+Effect: Prints the status of every register and the flags
+```
+
+[Instruction]: ./res/instruction.png
+[Structure]: ./res/structure.png

README.md

@@ -1 +1,47 @@
-VM con ISA diversi e bytecode generati casualmente.
+![Pasticciotto]
+
+# What is this?
+Pasticciotto is a virtual machine which can be used to obfuscate code. It was developed for the **PoliCTF 17** as a reversing challenge.
+
+I wanted to experiment with VM obfuscation since it was a topic that caught my attention while reversing challenges for various CTFs. So, I decided to write one **from scratch** in order to understand better how instruction set architectures are implemented! 
+
+The design and the implementation behind Pasticciotto are not state-of-the-art but hey, it works!
+
+# What about the challenge?
+I do not want to spoil the challenge for those that haven't completed it yet. Check out some write-up online!
+
+# Instruction set
+Check out the file [INSTRUCTION_SET.MD](IS) to understand how the VM works and which operations it can do! Watch out for some spoilers if you haven't completed the challenge though!
+
+# Why "Pasticciotto"?
+In Italian, "Pasticciotto" has two meanings! 
+
+The first one is **"little mess"** which perfectly describes how I put up this project. The second one is a typical dessert from Southern Italy, Salento! It's filled with cream! Yum!
+
+# Contributions
+
+Any contribution is **very** welcome! Feel free to open issues and pull requests!
+
+
+# License
+```
+Copyright 2017 Giulio De Pasquale
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this 
+software and associated documentation files (the "Software"), to deal in the Software 
+without restriction, including without limitation the rights to use, copy, modify, merge, 
+publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons 
+to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or 
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, 
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
+PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE 
+FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
+DEALINGS IN THE SOFTWARE.
+```
+[Pasticciotto]: ./res/pasticciotto.png
+[IS]: ./INSTRUCTION_SET.md

assembler/assembler.py

@@ -55,7 +55,7 @@ class VMAssembler:
         self.data = data
         self.assembled_code = bytearray()
         self.functions = []
-        self.decrypt_ops(key)
+        self.encrypt_ops(key)
         self.parse_functions()
         self.resolve_functions_offsets()
         self.resolve_symbols()
@@ -252,7 +252,7 @@ class VMAssembler:
         self.assembled_code += opcode.uint8()
         return
 
-    def decrypt_ops(self, key):
+    def encrypt_ops(self, key):
         key_ba = bytearray(key, 'utf-8')
         olds = copy.deepcopy(ops)
 

polictf/pasticciotto_server.cpp

@@ -0,0 +1,81 @@
+#include "../vm/vm.h"
+#include "../vm/debug.h"
+#include <fstream>
+#include <iostream>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#define KEYLEN 15
+#define CODESIZE 0x300
+#define DATAKEYLEN 30
+
+void gen_random(uint8_t *s, const int len) {
+  srand(time(NULL));
+  static const char alphanum[] = "0123456789"
+                                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                                 "abcdefghijklmnopqrstuvwxyz";
+  for (int i = 0; i < len; ++i) {
+    s[i] = alphanum[rand() % (sizeof(alphanum) - 1)];
+  }
+
+  s[len] = 0;
+}
+
+unsigned char encrypted_data[] = {
+    0xcc, 0x8d, 0x5a, 0xcc, 0x73, 0xb5, 0xf2, 0xa3, 0xf3, 0x92,
+    0xa8, 0x8f, 0x2f, 0xf1, 0x3e, 0xf4, 0x69, 0x00, 0x4a, 0xcb,
+    0xed, 0xc4, 0x57, 0x9b, 0xf6, 0x9a, 0x78, 0x46, 0x83, 0xe9};
+unsigned int encrypted_data_len = 30;
+
+int main(int argc, char *argv[]) {
+  uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[DATAKEYLEN],
+          *flag = new uint8_t[DATAKEYLEN];
+  uint8_t *clientcode;
+  uint8_t i;
+  uint32_t clientcodesize, bytesread;
+  FILE *datap, *flagp;
+
+  gen_random(key, KEYLEN);
+  printf("Use this: \"%s\"\n", key);
+  printf("How much data are you sending me?\n");
+  scanf("%d", &clientcodesize);
+  printf("Go ahead then!\n");
+  clientcode = new uint8_t[clientcodesize];
+  bytesread = read(0, clientcode, clientcodesize);
+  if (bytesread != clientcodesize) {
+    printf("ERROR! Couldn't read everything!\n");
+    exit(1);
+  }
+  VM vm(key, clientcode, clientcodesize);
+  vm.as.insData(encrypted_data, encrypted_data_len);
+  vm.run();
+
+  datap = fopen("./res/decrypteddatasection.txt", "r");
+  if (datap == NULL) {
+      printf("Couldn't open decrypteddatasection.txt!\n");
+      exit(1);
+  }
+  fscanf(datap, "%s", decdatasec);
+  fclose(datap);
+
+  for (i = 0; i < DATAKEYLEN; i++) {
+    if (vm.as.data[i] != decdatasec[i]) {
+        DBG_INFO(("Checking data[%d]..\n", i));
+      printf("Nope!\n");
+      exit(1);
+    }
+  }
+
+  flagp = fopen("./res/flag.txt", "r");
+  if (flagp == NULL) {
+      printf("Couldn't open flag.txt!\n");
+      exit(1);
+  }
+  fscanf(flagp, "%s", flag);
+  fclose(flagp);
+  printf("Congratulations!\nThe flag is: %s\n", flag);
+  return 0;
+}

polictf/res/decrypteddatasection.txt

@@ -0,0 +1 @@
+TheDataSectionHasBeenEncrypted

polictf/res/flag.txt

@@ -0,0 +1 @@
+PoliCTF17{DajeFunziona}

test/tea-encrypt.c

@@ -11,15 +11,15 @@ void encrypt(uint16_t *v) {
   uint16_t k1 = 0x7065; // "pe"
   uint16_t k2 = 0x7275; // "ru"
   uint16_t k3 = 0x6e73; // "ns"
-  printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
+  // printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
   for (i = 0; i < 128; i++) {
     sum += delta;
     v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
     v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
-    //printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
+    // printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
   }
-  printf("SUM: 0x%x\n", sum);
+  // printf("SUM: 0x%x\n", sum);
-  printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
+  // printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
   v[0] = v0;
   v[1] = v1;
 }
@@ -35,13 +35,10 @@ int main(int argc, char *argv[]) {
   buf = (uint8_t *)malloc(buflen);
   memcpy(buf, argv[1], buflen);
   for (i = 0; i < buflen; i++) {
-    printf("----\n");
     encrypt((uint16_t *)&buf[i]);
   }
-  printf("Result:\n");
   for (i = 0; i < buflen; i++) {
-    printf("%02x", buf[i]);
+    printf("%c", buf[i]);
   }
-  printf("\n");
   return 0;
 }

vm/vm.h

@@ -18,7 +18,6 @@ private:
   uint16_t regs[0xb];
   flags_t flags;
 
-  VMAddrSpace as;
   ////////////////////////
   // FUNCTIONS
   ///////////////////////
@@ -82,6 +81,7 @@ private:
 public:
   VM(uint8_t *key);
   VM(uint8_t *key, uint8_t *code, uint32_t codesize);
+  VMAddrSpace as;
   void status(void);
   void run();
 };