[HITCON19] EmojiVM-reverse writeup
A simple virtual machine with some basic opcodes. Using IDA with some Python breakpoints, we obtained the following log file: https://gist.github.com/l0stb1t/06b1d443f3168d5aeecc989411d1ee36

Looking through the log file for the `cmp` opcode, we can clearly see some obvious patterns.

```
cmp 1 < 18=1
mul a*7=46
mul a*46=2bc
mul a*2bc=1b58
mul a*1=a
mul a*a=64
mul a*1=a
add 8+a=12
add 12+64=76
add 76+1b58=1bce
jmp 1bce 1!=0
```

0x18 here is the key's length. The `mul` and `add` opcodes in between construct the address for the `jmp` opcode, because the VM doesn't allow `push`ing large numbers. Similarly, we see some compares of our input with 0x2d (the `-` character).

```
push TBL(1, 4)==2d == 2d==2d=1
...
push TBL(1, 9)==2d == 2d==2d=1
```

TBL(x, y): x is the storage index, y is the index into our input. This gives us the flag format xxxx-xxxx-xxxx-xxxx-xxxx. Our input, after some computations, is stored into TBL(3, y).

```
push TBL(1, 0)==31 mul...
```
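To make the two observations above checkable, here is an added Python helper (my own code, not part of the original writeup or the author's gist) that replays the quoted log lines. The sample log is constructed from the excerpt above, so the line-format regexes are assumptions that fit this excerpt and may need adjusting for the full gist. It re-executes every logged `mul`/`add` to confirm the VM's own results, recovers the `jmp` target, and reproduces the "large constant from small pushes" trick: reading the log's hex values in decimal (0xa = 10, 0x1bce = 7118) shows the target is assembled digit by digit as 7*1000 + 1*100 + 1*10 + 8. It also pulls out the input offsets compared against 0x2d.

```python
import re

# Constructed sample: the log lines quoted in the writeup. The author's full
# log may differ slightly in format, so the regexes below are assumptions
# that match this excerpt.
SAMPLE_LOG = """\
cmp 1 < 18=1
mul a*7=46
mul a*46=2bc
mul a*2bc=1b58
mul a*1=a
mul a*a=64
mul a*1=a
add 8+a=12
add 12+64=76
add 76+1b58=1bce
jmp 1bce 1!=0
push TBL(1, 4)==2d == 2d==2d=1
push TBL(1, 9)==2d == 2d==2d=1
"""

ARITH = re.compile(r"^(mul|add) ([0-9a-f]+)([*+])([0-9a-f]+)=([0-9a-f]+)$")
LEN_CMP = re.compile(r"^cmp [0-9a-f]+ < ([0-9a-f]+)=1$")
JMP = re.compile(r"^jmp ([0-9a-f]+) ")
DASH_CMP = re.compile(r"^push TBL\((\d+), (\d+)\)==2d ")


def replay_arith(log):
    """Re-execute every logged mul/add (all operands are hex) and confirm the
    VM's own result. Returns a list of (op, a, b, result) tuples."""
    out = []
    for ln in log.splitlines():
        m = ARITH.match(ln)
        if not m:
            continue
        op, a, _sign, b, res = m.groups()
        a, b, res = int(a, 16), int(b, 16), int(res, 16)
        got = a * b if op == "mul" else a + b
        if got != res:
            raise ValueError(f"VM log inconsistent at {ln!r}: expected {got:#x}")
        out.append((op, a, b, res))
    return out


def jump_target(log):
    """Address taken by the first jmp in the log, as an int."""
    for ln in log.splitlines():
        m = JMP.match(ln)
        if m:
            return int(m.group(1), 16)
    raise ValueError("no jmp in log")


def key_length(log):
    """The constant the input length is compared against (0x18 == 24)."""
    for ln in log.splitlines():
        m = LEN_CMP.match(ln)
        if m:
            return int(m.group(1), 16)
    raise ValueError("no length check in log")


def decimal_digits(n):
    """Most-significant-first decimal digits of n, i.e. the single-digit
    constants the VM had to push to build n."""
    return [int(c) for c in str(n)]


def vm_build_constant(digits):
    """Mimic how the VM assembles a large constant from single-digit pushes:
    each digit is scaled by repeated *10, then the terms are summed starting
    from the least significant one. Returns (value, trace); the trace uses the
    same tuple shape as replay_arith() so it can be compared with the log."""
    trace, terms, n = [], [], len(digits)
    for i, d in enumerate(digits):
        cur = d
        for _ in range(n - 1 - i):
            cur, prev = cur * 10, cur
            trace.append(("mul", 10, prev, cur))
        terms.append(cur)
    acc = terms[-1]
    for t in reversed(terms[:-1]):
        acc, prev = acc + t, acc
        trace.append(("add", prev, t, acc))
    return acc, trace


def dash_positions(log):
    """Input offsets that are compared against 0x2d ('-') via TBL(1, y)."""
    positions = []
    for ln in log.splitlines():
        m = DASH_CMP.match(ln)
        if m:
            positions.append(int(m.group(2)))
    return sorted(positions)


if __name__ == "__main__":
    target = jump_target(SAMPLE_LOG)
    print(f"key length: {key_length(SAMPLE_LOG)}")
    print(f"jmp target: {target:#x} = {target} = digits {decimal_digits(target)}")
    print("log matches digit-wise build:",
          vm_build_constant(decimal_digits(target))[1] == replay_arith(SAMPLE_LOG))
    print("dash offsets:", dash_positions(SAMPLE_LOG))
```

Running it against the full log is a matter of replacing `SAMPLE_LOG` with the gist contents; `replay_arith` raising is a quick way to spot a line the regexes misread, since the VM's own arithmetic in the log is internally consistent.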