Sixology source code and some related ugly scripts on 0CTF/TCTF 2019 Quals
This is a VM reversing challenge, but without a simulator: the VM is shipped as an IDA processor module, so the decoding and emulation logic has to be recovered from that module.

Tested on IDA 7.0 and 7.2.

```sh
$ cd sixology/IDA
$ mkdir build
$ cd build
# for debug
$ cmake -DIDA_SDK_DIR="/path/to/your/idasdk" ..
# for release
$ cmake -DIDA_SDK_DIR="/path/to/your/idasdk" -DCMAKE_BUILD_TYPE=Release ..
```

If cmake reports missing files, find them in the IDA SDK.
- Have some basic knowledge of IDA processor module development.
- Find `LPH` in the processor module from its export table.
- Locate the key functions in `notify` via the event code (ev_ana_insn, ev_emu_insn, etc.).
- Figure out the instruction encoding and decoding from the ev_ana_insn handler.
- Understand the semantics of the VM instructions in all the emu analysis handlers; I've tried to explain every instruction of this VM there. Follow the emu data flow and the other APIs used at this stage (set_switch_info, add_crefs, get_dword, trace_sp, etc.) and you will understand all of them. `HINT` in the source code marks the hint for one VM instruction.
- You can find most enum values and struct definitions in the official IDA online documentation.
- Be careful with the `exchange` VM instruction; without `lexcmp`, it's another problem.
- Understand what the program is doing and optimize the algorithm.
- Run it and get the flag.
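The hints above assume you know what the two stages of an IDA processor module produce: the ev_ana_insn handler only decodes bytes into an instruction (type, size, operands), while the ev_emu_insn handler is where the flow information appears (add_cref for fall-through, jump and call targets, and trace_sp-style stack-pointer bookkeeping). The following is an added toy model of that split, not code from the Sixology module or from the IDA SDK: the one-byte opcode encoding, the opcode names, the `notify`/`ana`/`emu`/`analyze` functions and the sample byte string are all constructed here for illustration, and the `fl_F`/`fl_JN`/`fl_CN` labels stand in for the SDK's cref types. Knowing which stage does what tells you which handler to read when a question is "how is this instruction encoded" versus "where does this instruction go next".

```python
"""Toy ana/emu split modelled on an IDA processor module (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed toy encoding: 1-byte opcode, optional 2-byte little-endian immediate.
# (opcode -> (mnemonic, immediate length)); nothing here is the challenge VM's real encoding.
OPCODES = {
    0x01: ("mov", 2),   # mov r, imm16   -> falls through
    0x02: ("add", 2),   # add r, imm16   -> falls through
    0x03: ("jmp", 2),   # jmp target     -> flow ends, near-jump cref to target
    0x04: ("call", 2),  # call target    -> near-call cref to target, then fall through
    0x05: ("ret", 0),   # ret            -> flow ends
    0x06: ("push", 0),  # push           -> sp -= 4 (what trace_sp-style tracking records)
    0x07: ("pop", 0),   # pop            -> sp += 4
}

EV_ANA_INSN, EV_EMU_INSN = "ev_ana_insn", "ev_emu_insn"  # stand-ins for the SDK event codes


@dataclass
class Insn:                 # toy counterpart of insn_t
    ea: int
    itype: str
    size: int
    imm: Optional[int] = None


@dataclass
class EmuResult:            # what the emu stage hands back to the analyzer
    crefs: List[Tuple[int, int, str]]   # (from_ea, to_ea, kind) like add_cref(...)
    sp_delta: int                        # stack pointer change caused by this instruction


def ana(code: bytes, ea: int) -> Optional[Insn]:
    """Decode stage: bytes -> Insn, no flow information. Returns None on undecodable bytes."""
    if ea >= len(code) or code[ea] not in OPCODES:
        return None
    name, imm_len = OPCODES[code[ea]]
    if ea + 1 + imm_len > len(code):
        return None
    imm = int.from_bytes(code[ea + 1:ea + 1 + imm_len], "little") if imm_len else None
    return Insn(ea, name, 1 + imm_len, imm)


def emu(insn: Insn) -> EmuResult:
    """Emulation stage: decide where control flows next and how sp changes."""
    nxt = insn.ea + insn.size
    crefs: List[Tuple[int, int, str]] = []
    sp_delta = 0
    if insn.itype == "jmp":
        crefs.append((insn.ea, insn.imm, "fl_JN"))          # unconditional: no fall-through
    elif insn.itype == "call":
        crefs.append((insn.ea, insn.imm, "fl_CN"))
        crefs.append((insn.ea, nxt, "fl_F"))                # execution resumes after the call
    elif insn.itype == "ret":
        pass                                                # flow ends here
    else:
        crefs.append((insn.ea, nxt, "fl_F"))
        sp_delta = {"push": -4, "pop": 4}.get(insn.itype, 0)
    return EmuResult(crefs, sp_delta)


def notify(event: str, *args):
    """Toy dispatcher: the switch on event code you look for inside the module's notify()."""
    if event == EV_ANA_INSN:
        return ana(*args)
    if event == EV_EMU_INSN:
        return emu(*args)
    raise ValueError(f"unhandled event {event}")


def analyze(code: bytes, entry: int):
    """Recursive-descent sweep driven by crefs, the way auto-analysis consumes ana/emu output."""
    insns: Dict[int, Insn] = {}
    crefs: List[Tuple[int, int, str]] = []
    sp_at: Dict[int, int] = {entry: 0}       # sp value on entry to each reached address
    work = [entry]
    while work:
        ea = work.pop()
        if ea in insns:
            continue
        insn = notify(EV_ANA_INSN, code, ea)
        if insn is None:
            continue
        insns[ea] = insn
        res = notify(EV_EMU_INSN, insn)
        crefs.extend(res.crefs)
        for _, to, kind in res.crefs:
            # a call target starts a new function at sp 0; fall-through and jumps carry sp along
            sp_at.setdefault(to, 0 if kind == "fl_CN" else sp_at[ea] + res.sp_delta)
            work.append(to)
    return insns, crefs, sp_at


# Constructed sample program: push; mov 5; call 0x0c; pop; jmp 0x0f; <dead 0xff>; add 1; ret
SAMPLE = bytes([0x06, 0x01, 0x05, 0x00, 0x04, 0x0C, 0x00, 0x07,
                0x03, 0x0F, 0x00, 0xFF, 0x02, 0x01, 0x00, 0x05])

if __name__ == "__main__":
    found, refs, sps = analyze(SAMPLE, 0)
    for ea in sorted(found):
        print(f"{ea:#04x}: {found[ea].itype:5} sp={sps[ea]:+d}")
    print("crefs:", refs)
```

Running it shows the dead byte at 0x0b is never decoded (no cref leads there), the call target at 0x0c is entered with sp 0, and the stack pointer returns to 0 after the push/pop pair, which is exactly the information the `trace_sp` and `add_crefs` calls in the real module's emu handlers are producing.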