NCTF 2024

飞书用户2590

飞书用户2242

5月9日修改

https://github.com/X1cT34m/NCTF2024/tree/main

50%

https://drive.google.com/file/d/1PipONHU7-k44x9wKPcBHrgG9qu43FA5s/view?usp=sharing

Official writeup

50%

gogo

Input 40Bytes and create two ccoroutine (coroutVM), processing 20Bytes respectively​

What we need: hash table; bytecodes

代码块

aaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbb

代码块

00000000 struct main_coroutVM // sizeof=0x158​
00000000 {​
00000000     _16_uint32 reg;​
00000040     _256_uint8 mem;​
00000140     _chan_left_chan__4_uint8 instr;​
00000148     chan_bool checkres;​
00000150     map_uint8_main_handler instrSet;​
00000158 };​

Method 1 - Static Analysis

Find bytecode and hash table, then write a script to disassemble

Bytecode

common.docs_name - LarkCCM_Docs_Menu_Image

Map1

Map2

Disassembly

Based on the handler function for each opcode, we know:

•
Both VM emulate ARM32 instruction set​

•
Both use the same set of handler functions​

•
The bytecodes of two VM are mixed together, only the opcodes that match the respective VM will be executed​

Info on hand:

1.
Hash tables for different VM​

2.
Instruction structure: Opcode + Oprand * 3, total 4Bytes​

3.
Dumped bytecode (DumpedByteCodes.bin)​

VM_1

{​
    0x11: "main_LDR",​
    0x12: "main_LDRI",​
    0x15: "main_STR",​
    0x16: "main_STRI",​
    0x2A: "main_MOV",​
    0x41: "main_ADD",​
    0x42: "main_SUB",​
    0x47: "main_MUL",​
    0x71: "main_LSL",​
    0x73: "main_LSR",​
    0x7A: "main_XOR",​
    0x7B: "main_AND",​
    0xFE: "main_RET",​
    0xFF: "main_HLT"​
}​

50%

VM_2

{​
    0x13: main_LDR,​
    0x14: main_LDRI,​
    0x17: main_STR,​
    0x18: main_STRI,​
    0x2B: main_MOV,​
    0x91: main_ADD,​
    0x92: main_SUB,​
    0x97: main_MUL,​
    0xC1: main_LSL,​
    0xC3: main_LSR,​
    0xCA: main_XOR,​
    0xCB: main_AND,​
    0xFE: main_RET,​
    0xFF: main_HLT​
}​

50%

NCTF 2024​

NCTF 2024