[HITCON19] EmojiVM-reverse writeup

A simple virtual machine with some basic opcodes.
Using IDA and setting up some Python breakpoints, we obtained the following log file.
Looking through the log file for the `cmp` opcode, we can clearly see some obvious patterns.

```
cmp 1 < 18=1
mul a*7=46
mul a*46=2bc
mul a*2bc=1b58
mul a*1=a
mul a*a=64
mul a*1=a
add 8+a=12
add 12+64=76
add 76+1b58=1bce
jmp 1bce 1!=0 
```

0x18 here is the key's length. The `mul` and `add` operations in between construct the address for the `jmp` opcode, because the VM doesn't allow `push`ing large numbers. Similarly, we see some compares of our input with 0x2d.

```
push TBL(1, 4)==2d
== 2d==2d=1
...
push TBL(1, 9)==2d
== 2d==2d=1
```

TBL(x, y): x is the storage index, y is the index into our input.
Since 0x2d is `-`, we get the flag format as follows: xxxx-xxxx-xxxx-xxxx-xxxx.

Our input, after some computations, is stored into TBL(3, y).

```
push TBL(1, 0)==31
mul a*3=1e
add 0+1e=1e
add 1e+31=4f
push TBL(5, 1)==0
TBL(3, 0)=4f
...
```

This is equivalent to TBL(3, 0) = input[0] + 0x1e.
There are 3 more similar functions; we need to find all of them.

TBL(3, x) is later compared with a hard-coded value in TBL(4, x).

```
push TBL(3, 0)==4f
push TBL(5, 1)==0
push TBL(4, 0)==8e
== ffffff8e==4f=0
```

We got all the pieces we need for the key.
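As an added example (not the author's solver script), the following Python parses the trace lines quoted above, re-checks that each `jmp` target is the value the `mul`/`add` chain assembled, and inverts the position-0 transform against the hard-coded TBL(4, 0) value. It assumes the transform is a byte-wise addition, as observed for position 0; the sample trace is constructed from the excerpts above, trimmed to the lines the parser consumes.

```python
import re

# Constructed sample: the log excerpts quoted above, joined into one trace.
TRACE = """\
mul a*7=46
mul a*46=2bc
mul a*2bc=1b58
mul a*1=a
mul a*a=64
mul a*1=a
add 8+a=12
add 12+64=76
add 76+1b58=1bce
jmp 1bce 1!=0
push TBL(1, 0)==31
mul a*3=1e
add 0+1e=1e
add 1e+31=4f
TBL(3, 0)=4f
push TBL(4, 0)==8e""".splitlines()

ARITH = re.compile(r"^(mul|add) ([0-9a-f]+)([*+])([0-9a-f]+)=([0-9a-f]+)$")
JMP = re.compile(r"^jmp ([0-9a-f]+) ")
TBL = re.compile(r"^(?:push )?TBL\((\d+), (\d+)\)==?([0-9a-f]+)$")  # load or store

def jump_targets(lines):
    """Re-run each mul/add and check every jmp lands on the value the chain built
    (the VM cannot push a large immediate, so it assembles the address piecewise)."""
    last, targets = None, []
    for ln in lines:
        if m := ARITH.match(ln):
            a, b = int(m[2], 16), int(m[4], 16)
            last = a * b if m[3] == "*" else a + b
            assert last == int(m[5], 16), f"trace inconsistent: {ln}"
        elif m := JMP.match(ln):
            assert int(m[1], 16) == last, f"jmp target not from chain: {ln}"
            targets.append(last)
    return targets

def solve(lines):
    """Recover the additive constant per position from input[y] (TBL(1, y)) and its
    store TBL(3, y), then invert it against the target TBL(4, y). Assumes byte addition."""
    tbl = {}  # (storage, index) -> last byte value seen (ffffff8e-style values masked)
    for ln in lines:
        if m := TBL.match(ln):
            tbl[(int(m[1]), int(m[2]))] = int(m[3], 16) & 0xff
    result = {}
    for (s, y), target in tbl.items():
        if s == 4 and (1, y) in tbl and (3, y) in tbl:
            const = (tbl[(3, y)] - tbl[(1, y)]) & 0xff  # 0x4f - 0x31 = 0x1e
            result[y] = (target - const) & 0xff
    return result
```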