radare2中文版
  • 介绍
  • 历史
  • 框架
  • 下载 radare2
  • 编译和可移植性
  • 在Windows上编译
  • 用户界面
  • 第一步
    • 命令行标志
    • 命令格式
    • 表达式
    • 基本调试器会话
    • 对radare2的贡献
  • 配置
    • 颜色
    • 配置变量
    • Files
  • 基本命令
    • Seeking(寻求)
    • Block Size(区块大小)
    • Sections(分节)
    • Mapping Files(映射文件)
    • Print Modes(打印模式)
    • Flags(标志)
    • Write(写)
    • Zoom(缩放)
    • Yank/Paste(拉伸/粘贴)
    • Comparing Bytes(比较字节)
    • SDB
    • Dietline
  • 视图模式
    • 反汇编
    • 汇编
    • 配置编辑器
    • 面板
  • 搜索字节
    • 基本搜索
    • 配置搜索
    • 正则搜索
    • 自动化
    • 向后搜索
    • 在程序集中搜索
    • 搜索AES密钥
  • 反汇编
    • 添加元数据
    • ESIL
  • 分析
    • 代码分析
    • 变量
    • 类型
    • 调用约定
    • 虚拟表
    • 系统调用
    • 模拟
    • 符号信息
    • 签名
    • 图形命令
  • 脚本
    • 循环
    • 宏
    • R2pipe
  • 调试器
    • 入门
    • 迁移自ida, GDB or WinDBG
    • 寄存器
    • 内存映射
    • 堆
    • Files
    • 反向调试
  • 远程访问
    • 远程GDB
    • 远程WinDbg
  • 命令行工具
    • Rax2(数值转换)
    • Rafind2(查找)
    • Rarun2
    • Rabin2(文件格式)
      • 文件标识
      • 入口
      • 导入
      • 导出
      • 符号 (导出)
      • 库
      • 字符串
      • 程序节
    • Radiff2(比较)
      • Binary Diffing
    • Rasm2(反汇编)
      • 汇编
      • 反汇编
      • 配置
    • Ragg2(C编译器)
      • Language
    • Rahash2(加密算法)
      • Rahash Tool
  • 插件
    • IO 插件
    • 汇编插件
    • 分析插件
    • 二进制插件
    • 其他插件
    • Python插件
    • 调试
    • 测试
    • Packaging
  • Crackmes
    • IOLI
      • IOLI 0x00
      • IOLI 0x01
    • Avatao R3v3rs3 4
      • .radare2
      • .first_steps
      • .main
      • .vmloop
      • .instructionset
      • .bytecode
      • .outro
  • 参考卡
  • 致谢
由 GitBook 提供支持
在本页

这有帮助吗?

  1. Crackmes
  2. Avatao R3v3rs3 4

.bytecode

Well, we did the reverse engineering part, now we have to write a program for the VM with the instruction set described in the previous paragraph. Here is the program's functional specification:

  • the program must return "*"

  • sym.memory has to contain the string "Such VM! MuCH reV3rse!" after

    execution

  • all 9 instructions have to be used at least once

  • sym.good_if_ne_zero should not be zero

  • instr_P is not allowed to be used more than 9 times

Since this document is about reversing, I'll leave the programming part to the fellow reader :) But I'm not going to leave you empty-handed, I'll give you one advice: Except for "J", all of the instructions are simple, easy to use, and it should not be a problem to construct the "Such VM! MuCH reV3rse!" using them. "J" however is a bit complicated compared to the others. One should realize that its sole purpose is to make sym.good_if_ne_zero bigger than zero, which is a requirement to access the flag. In order to increment sym.good_if_ne_zero, three conditions should be met:

  • arg1 should be a negative number, otherwise we would return early

  • sym.written_by_instr_C should not be 0 when "J" is called. This means that

    "C", "AC", or "SC" instructions should be used before calling "J".

  • arg1_and_0x3f should be negative when checked. Since 0x3f's sign bit is

    zero, no matter what arg1 is, the result of arg1 & 0x3f will always be

    non-negative. But remember that "J" negates arg1_and_0x3f if arg1 & 0x40

    is not zero. This basically means that arg1's 6th bit should be 1

    (0x40 = 01000000b). Also, because arg1_and_0x3f can't be 0 either, at least

    one of arg1's 0th, 1st, 2nd, 3rd, 4th or 5th bits should be 1 (0x3f =

    00111111b).

I think this is enough information, you can go now and write that program. Or, you could just reverse engineer the quick'n'dirty one I've used during the CTF:

\x90\x00PSAMuAP\x01AMcAP\x01AMhAP\x01AM AP\x01AMVAP\x01AMMAP\x01AM!AP\x01AM AP\x01AMMAP\x01AMuAP\x01AMCAP\x01AMHAP\x01AM AP\x01AMrAP\x01AMeAP\x01AMVAP\x01AM3AP\x01AMrAP\x01AMsAP\x01AMeIPAM!X\x00CAJ\xc1SC\x00DCR*

Keep in mind though, that it was written on-the-fly, parallel to the reversing phase - for example there are parts that was written without the knowledge of all possible instructions. This means that the code is ugly and unefficient.

上一页.instructionset下一页.outro

最后更新于4年前

这有帮助吗?