Posts

[HITCON19] EmojiVM-reverse writeup

A simple virtual machine with some basic opcodes. Using IDA and setting up some Python breakpoints, I obtained the following log file: https://gist.github.com/l0stb1t/06b1d443f3168d5aeecc989411d1ee36

Looking through the log file for the `cmp` opcode, we can clearly see some obvious patterns.

```
cmp 1 < 18=1
mul a*7=46
mul a*46=2bc
mul a*2bc=1b58
mul a*1=a
mul a*a=64
mul a*1=a
add 8+a=12
add 12+64=76
add 76+1b58=1bce
jmp 1bce 1!=0
```

0x18 here is the key's length. The `mul` and `add` operations in between construct the address for the `jmp` opcode, because the VM doesn't allow `push`ing a large number directly. Similarly, we see some compares of our input with 0x2d.

```
push TBL(1, 4)==2d == 2d==2d=1
...
push TBL(1, 9)==2d == 2d==2d=1
```

TBL(x, y): x is the storage index, y is the index into our input. We get the flag format as follows: xxxx-xxxx-xxxx-xxxx-xxxx. Our input, after some computations, is stored into TBL(3, y).

```
push TBL(1, 0)==31 mul...
```

About me

Hi! I'm b1t, a CTF player/security researcher from the MeePwn team. MeePwn is a group of infosec students and security enthusiasts in Vietnam. Our https://ctf.meepwn.team/ is coming soon. Come and join us.

Achievement unlocked:

https://hackerone.com/b1t

CVE-2018-1000120: https://curl.haxx.se/docs/adv_2018-9cd6.html

Me and add discovered a Bkav Antivirus privilege escalation: http://releasenotes.bkav.com.vn/bkav-release/-/blogs/bkav-pro/normal

HDBank's thanks letter.

Helped fix many critical vulnerabilities in Foxit's software: https://www.foxitsoftware.com/support/security-bulletins.php

How did we bypass Meganet's anti-hotspoting protection

We are not networking experts, but at least we can understand this properly. http://l4rzy.blogspot.com/2017/10/how-did-we-bypass-meganets-anti.html