![Pasticciotto] # What is this? Pasticciotto is a virtual machine which can be used to obfuscate code. It was developed for the **PoliCTF 17** as a reversing challenge. I wanted to experiment with VM obfuscation since it was a topic that caught my attention while reversing challenges for various CTFs. So, I decided to write one **from scratch** in order to understand better how instruction set architectures are implemented! The design and the implementation behind Pasticciotto are not state-of-the-art but hey, it works! :D # Why "Pasticciotto"? In Italian, "Pasticciotto" has two meanings! The first one is **"little mess"** which perfectly describes how I put up this project. The second one is a typical dessert from Southern Italy, Salento! It's filled with cream! Yum! # Quick start You can use `pasticciotto` in your own binary! It's easy to do! ## Assemble! Let's say you want to run this `C` code into `pasticciotto`: ```c void main() { uint16_t i, a, b; a = 0; b = 0x10; for (i = 0; i < b; i++) { a += b; } return; } ``` It can be translated into this `pasticciotto`'s assembly snippet: ``` $ cat example.pstc def main: movi r0, 0x0 # a movi r1, 0x10 # b movi s1, 0x0 # i loop: addr r0, r1 addi s1, 1 cmpr s1, r1 jpbi loop shit ``` Let's assemble it with key `HelloWorld`: ``` $ python3 assembler.py HelloWorld example.pstc example_assembled.pstc ``` Now we are ready to embed the VM in a `.c` program: ```c++ #include "vm/vm.h" #include #include #include #include int main(int argc, char *argv[]) { */ In order to create the bytecode for pasticciotto, you can use the assembler in the assembler/ directory. You can include it with `xxd -i example_assembled.pstc` */ unsigned char example_assembled_pstc[] = { 0x32, 0x00, 0x00, 0x00, 0x32, 0x01, 0x10, 0x00, 0x32, 0x05, 0x00, 0x00, 0xaf, 0x01, 0xcf, 0x05, 0x01, 0x00, 0x8b, 0x51, 0xc5, 0x0c, 0x00, 0x0c }; unsigned int example_assembled_pstc_len = 24; unsigned char key[] = { 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x0a }; puts("I should try to eat a pasticciotto...\n"); VM vm(key, example_assembled_pstc, example_assembled_pstc_len); vm.run(); return 0; } ``` That's it! ## Accessing to the VM's sections and registers The VM **data / code / stack sections** are represented through the `VMAddrSpace` object. It is defined [here](vm/vmas.h). The **registers** are in a `uint16_t` array in the `VM` object defined [here](vm/vm.h). ```c++ void foo() { // creating the VM with some code VM vm(key, code, codelen); // accessing the data section printf("First data byte: 0x%x", VM.as.data[0]); // accessing the code section printf("First code byte: 0x%x", VM.as.code[0]); // accessing the stack section printf("First stack byte: 0x%x", VM.as.stack[0]); // accessing the IP register printf("The IP is: 0x%x", VM.regs[IP]); return; } ``` # What about the challenge? You can find the client and the server under the `polictf/` directory. I have also written a small writeup. Check it out! # Implementation details Check out the file [IMPLEMENTATION.MD](IMPL) to understand how the VM works and which operations it can do! Watch out for some spoilers if you haven't completed the challenge though! # Contributions I wanted to polish the VM even more but I haven't got the time to do it. There are rough edges for sure! Any contribution is **very** welcome! Feel free to open issues and pull requests! # License ``` Copyright 2017 Giulio De Pasquale Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ``` [Pasticciotto]: ./res/pasticciotto.png [IMPL]: ./IMPLEMENTATION.md