# .bytecode Well, we did the reverse engineering part, now we have to write a program for the VM with the instruction set described in the previous paragraph. Here is the program's functional specification: * the program must return "\*" * *sym.memory* has to contain the string "Such VM! MuCH reV3rse!" after execution * all 9 instructions have to be used at least once * *sym.good\_if\_ne\_zero* should not be zero * instr\_P is not allowed to be used more than 9 times Since this document is about reversing, I'll leave the programming part to the fellow reader :) But I'm not going to leave you empty-handed, I'll give you one advice: Except for "J", all of the instructions are simple, easy to use, and it should not be a problem to construct the "Such VM! MuCH reV3rse!" using them. "J" however is a bit complicated compared to the others. One should realize that its sole purpose is to make *sym.good\_if\_ne\_zero* bigger than zero, which is a requirement to access the flag. In order to increment *sym.good\_if\_ne\_zero*, three conditions should be met: * *arg1* should be a negative number, otherwise we would return early * *sym.written\_by\_instr\_C* should not be 0 when "J" is called. This means that "C", "AC", or "SC" instructions should be used before calling "J". * *arg1\_and\_0x3f* should be negative when checked. Since 0x3f's sign bit is zero, no matter what *arg1* is, the result of *arg1* & 0x3f will always be non-negative. But remember that "J" negates *arg1\_and\_0x3f* if *arg1* & 0x40 is not zero. This basically means that *arg1*'s 6th bit should be 1 (0x40 = 01000000b). Also, because *arg1\_and\_0x3f* can't be 0 either, at least one of *arg1*'s 0th, 1st, 2nd, 3rd, 4th or 5th bits should be 1 (0x3f = 00111111b). I think this is enough information, you can go now and write that program. Or, you could just reverse engineer the quick'n'dirty one I've used during the CTF: ``` \x90\x00PSAMuAP\x01AMcAP\x01AMhAP\x01AM AP\x01AMVAP\x01AMMAP\x01AM!AP\x01AM AP\x01AMMAP\x01AMuAP\x01AMCAP\x01AMHAP\x01AM AP\x01AMrAP\x01AMeAP\x01AMVAP\x01AM3AP\x01AMrAP\x01AMsAP\x01AMeIPAM!X\x00CAJ\xc1SC\x00DCR* ``` Keep in mind though, that it was written on-the-fly, parallel to the reversing phase - for example there are parts that was written without the knowledge of all possible instructions. This means that the code is ugly and unefficient. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://vxerlee.gitbook.io/radare2/intro-11/intro-1/bytecode.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.