@trupples
Last active June 9, 2023 00:07
https://youtu.be/yEbAQXDKRKY | breakingin - reverse engineering a custom VM - WPICTF 2019 | python scripts

breakingin 1

Reverse engineering a custom VM architecture

This gist contains all the scripts written in the first video of the series.

  • breakingin-add.py sends the first program we wrote: a simple addition.
  • breakingin-good-bf.py implements the more efficient opcode search.
  • breakingin-syscall-search.py tries all syscall numbers.
  • breakingin-write.py demonstrates the syscall calling convention using the write (1) syscall.
from pwn import *
# Opcode numbers of the two arithmetic instructions this first program uses.
ADD = 1
SUB = 2

# Program image, one 32-bit little-endian word per element.  Words 0..5 are
# data (6, 12, 34, 0, 0, 4); words 6..13 are two instructions of four words
# each (opcode, then three operands).  Word 0 is 6, which is also the index of
# the first instruction word -- presumably the VM's entry point (the same
# pattern appears in the other programs of this gist); confirm against the video.
program_words = [6, 12, 34, 0, 0, 4, ADD, 1, 2, 3, SUB, 4, 5, 0]
program = ''.join(p32(word) for word in program_words)

# Wire protocol of the challenge VM: it prompts for the binary's size, then for
# the raw bytes.
r = remote("breakingin.wpictf.xyz", 31337)
r.recvuntil("Enter a size for the binary (max 262144):\n")
r.sendline(str(len(program)))
r.recvuntil("bytes:\n")
r.send(program)
# Everything the VM prints back until it closes the connection, hex-dumped.
print(hexdump(r.recvall()))
from pwn import *
import sys
# Quiet pwntools' own logging (connection banners) so only this script's prints reach stdout.
context.log_level = 'error'
def run(start_opcode):
    """Run one opcode-probing program on the remote VM and return its memory dump.

    The submitted program places ``start_opcode`` in the opcode field of the
    instruction at word 9 (operands 1, 2, 3 -- the words holding "Heyo",
    "Lmao" and the first "XYZW" marker), applies ISEQUAL to words 3 and 4
    (both initialised to "XYZW"), and uses ``ADD 9, 10, 9`` to advance that
    opcode field in place.  Word 0 is 9, the index of the first instruction,
    as in the other programs of this gist -- presumably the VM's entry point
    (confirm against the video).  How the VM decodes the three operands is
    not visible from this script.

    Prints everything the VM sends before "Executed " and returns the bytes
    received after the "nulls)" line (the memory dump) as a str.
    """
    # Instruction set recovered so far; only ADD/SUB/MUL/ISEQUAL are used below.
    NOOP, ADD, SUB, MUL, DIV, MOD, AND, OR = range(8)
    XOR, NOT, BNOT, SHL, SHR, SHA, ISGREATER, ISEQUAL = range(8, 16)

    def instr(opcode, a, b, c):
        # One instruction is four 32-bit little-endian words: opcode, then three operands.
        return p32(opcode) + p32(a) + p32(b) + p32(c)

    # Words 0..8: entry index, the two operand words, the two "XYZW" markers,
    # and the constants 0, 4, 0, 5 that the instructions below reference.
    data = p32(9) + "Heyo" + "Lmao" + "XYZW" * 2 + p32(0) + p32(4) + p32(0) + p32(5)
    code = [
        instr(start_opcode, 1, 2, 3),  # word 9: the opcode under test
        instr(ISEQUAL, 3, 4, 5),       # compare the marker words 3 and 4
        instr(MUL, 5, 6, 5),
        instr(ADD, 5, 0, 0),
        instr(SUB, 7, 6, 0),
        instr(ADD, 9, 10, 9),          # bump the opcode field of word 9 in place
        instr(ADD, 7, 8, 0),
    ]
    program = data + "".join(code)

    # Wire protocol: the VM prompts for the size, then for the raw program bytes.
    r = remote("breakingin.wpictf.xyz", 31337)
    r.recvuntil("Enter a size for the binary (max 262144):\n")
    r.sendline(str(len(program)))
    r.recvuntil("bytes:\n")
    r.send(program)

    output = r.recvuntil("Executed ", drop=True)
    print("Output:  " + output)
    # Skip the "(... nulls)" status line; what follows is the memory dump.
    r.recvuntil("nulls)\n")
    dump = r.recvall()
    r.close()
    return dump
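# Entry point: probe a single starting opcode, or sweep them all.
if len(sys.argv) == 3 and sys.argv[1] == "--starting-from":
    start_opcode = int(sys.argv[2])
    run(start_opcode)
else:
    print("Trying all opcodes...")
    start_opcode = 0
    while True:
        print("Going from {} onwards: ".format(start_opcode))
        dump = run(start_opcode)
        # Word 3 (bytes 12..16 of the dump) holds the "XYZW" marker that the
        # probed instruction writes to when an opcode changes memory.
        if dump[12:16] == "XYZW":
            # The VM returned without touching the marker.  Re-running the
            # very same start opcode would presumably produce the same dump,
            # so stop here instead of looping against the server forever
            # (the original code retried the same value indefinitely).
            print("Nothing found")
            break
        # Word 9 (bytes 0x24..0x28) is the opcode field of the probe
        # instruction, which the program advances in place; it now holds the
        # opcode that changed memory.  Resume the sweep just past it.
        found = u32(dump[0x24:0x28])
        print("Opcode {} changed the memory!!!!".format(found))
        start_opcode = found + 1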
from pwn import *
import sys
# Quiet pwntools' own logging (connection banners) so only this script's prints reach stdout.
context.log_level = 'error'
def run(syscall_number):
    """Submit a one-syscall probe program to the remote VM and return its memory dump.

    The program's data words are [6, syscall_number, 0, 0, 0, 4]; word 6 is
    the first instruction, ``SYSCALL 1, 2, 3`` (so the probed number sits in
    word 1), followed by ``SUB 4, 5, 0``.  Word 0 holding the index of the
    first instruction matches the other programs in this gist -- presumably
    the VM's entry point (confirm against the video).

    Prints what the VM emits between "teread 0" and "Executed " and returns
    the bytes received after the "nulls)" line (the memory dump) as a str.
    """
    # Instruction set recovered so far; SYSCALL uses the out-of-band opcode 0x133769.
    NOOP, ADD, SUB, MUL, DIV, MOD, AND, OR = range(8)
    XOR, NOT, BNOT, SHL, SHR, SHA, ISGREATER, ISEQUAL = range(8, 16)
    SYSCALL = 0x133769

    def instr(opcode, a, b, c):
        # One instruction is four 32-bit little-endian words: opcode, then three operands.
        return p32(opcode) + p32(a) + p32(b) + p32(c)

    data = p32(6) + p32(syscall_number) + p32(0) * 3 + p32(4)
    program = data + instr(SYSCALL, 1, 2, 3) + instr(SUB, 4, 5, 0)

    # Wire protocol: the VM prompts for the size, then for the raw program bytes.
    r = remote("breakingin.wpictf.xyz", 31337)
    r.recvuntil("Enter a size for the binary (max 262144):\n")
    r.sendline(str(len(program)))
    r.recvuntil("bytes:\n")
    r.send(program)

    # Discard the VM's preamble up to and including the "teread 0" line.
    r.recvuntil("teread 0\n")
    print(r.recvuntil("Executed ", drop=True))
    # Skip the "(... nulls)" status line; what follows is the memory dump.
    r.recvuntil("nulls)\n")
    dump = r.recvall()
    r.close()
    return dump
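# Entry point: sweep syscall numbers 0..199, optionally resuming from a given one.
go_from = 0
if len(sys.argv) == 3:
    # Validate the flag explicitly: the original used assert, which `python -O`
    # strips, so a mistyped flag would silently fall through to int().
    if sys.argv[1] != "--start-from":
        sys.exit("usage: {} [--start-from N]".format(sys.argv[0]))
    go_from = int(sys.argv[2])
for i in range(go_from, 200):
    print("Syscall #{}".format(i))
    # run() prints the VM's output itself; the returned dump is not needed here.
    run(i)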
from pwn import *
import sys
# Quiet pwntools' own logging (connection banners) so only this script's prints reach stdout.
context.log_level = 'error'
def run():
    """Send the write-syscall demo program to the remote VM and return its memory dump.

    Data words 0..9 are [10, "Hell", "o!xx", 1, 1, 5, 0, 4, 1, 0]; the code
    starts at word 10 with ``SYSCALL 8, 3, 9`` followed by ``SUB 6, 7, 0``.
    Word 8 holds 1 -- the write syscall number named in the gist description,
    consistent with breakingin-syscall-search.py where the first SYSCALL
    operand indexes the syscall number.  Word 0 again equals the index of
    the first instruction (presumably the VM's entry point; confirm against
    the video).  Which of the remaining operands is the buffer, the length
    or the file descriptor is not visible from this script.

    Prints the VM's output up to "Executed " and returns the bytes received
    after the "nulls)" line (the memory dump) as a str.
    """
    # Instruction set recovered so far; SYSCALL uses the out-of-band opcode 0x133769.
    NOOP, ADD, SUB, MUL, DIV, MOD, AND, OR = range(8)
    XOR, NOT, BNOT, SHL, SHR, SHA, ISGREATER, ISEQUAL = range(8, 16)
    SYSCALL = 0x133769

    def instr(opcode, a, b, c):
        # One instruction is four 32-bit little-endian words: opcode, then three operands.
        return p32(opcode) + p32(a) + p32(b) + p32(c)

    # "Hello!xx" is exactly two words (1 and 2); words 3..9 are the constants below.
    data = p32(10) + "Hello!xx" + "".join(p32(w) for w in (1, 1, 5, 0, 4, 1, 0))
    program = data + instr(SYSCALL, 8, 3, 9) + instr(SUB, 6, 7, 0)

    # Wire protocol: the VM prompts for the size, then for the raw program bytes.
    r = remote("breakingin.wpictf.xyz", 31337)
    r.recvuntil("Enter a size for the binary (max 262144):\n")
    r.sendline(str(len(program)))
    r.recvuntil("bytes:\n")
    r.send(program)

    output = r.recvuntil("Executed ", drop=True)
    print("Output:  " + output)
    # Skip the "(... nulls)" status line; what follows is the memory dump.
    r.recvuntil("nulls)\n")
    dump = r.recvall()
    r.close()
    return dump
# Run the demo once; run() prints the VM's output itself and the returned dump is discarded here.
run()