HAI DOMO. This post is for 武蔵野 Advent Calendar 2017 and also for CTF Advent Calendar 2017.

# Introduction

In May this year, I participated in DEF CON CTF Qualifier 2017 as a member of a certain 武蔵野-related team. Actually, I’m not a top-tier CTF player, but I did my best and solved 4 challenges:

• crackme1
• beatmeonthedl
• enlightenment
• Pepperidge Farm

Write-ups already exist for all of them except Pepperidge Farm, so I decided to write about that one. FYI: the binaries are available at legitbs/quals-2017.

# Pepperidge Farm

Pepperidge Farm is categorized as Reverse Engineering. The problem statement is below:

Remember when the first CTF was run with a custom architecture? Pepperidge Farm remembers:
https://github.com/JonathanSalwan/VMNDH-2k12

It looks like a keygenning challenge on a custom virtual machine, VMNDH-2k12.

# VMNDH-2k12

VMNDH-2k12 is the VM built for Nuit du Hack CTF Quals 2012, as its name suggests. The architecture is described in shell-storm | Useless emulator for fun (VMNDH-2k12). The VM parses a given serialized binary and repeats fetch, decode and execute.

Writing an IDA loader/processor module is a common way to analyze VM-based obfuscated binaries. Modules for VMNDH-2k12 and for the modified version VMNDH-2k13 already exist:

Note that when you try to solve this challenge with the above-mentioned processor modules on IDA Pro 7.0, a backward-compatibility issue occurs. For example, you have to change self.regFirstSreg to self.reg_first_sreg in the module.

Also, a Binary Ninja plugin was released after the quals:

But in this post I describe a solution that uses neither IDA Pro nor Binary Ninja, because VMNDH-2k12 is open source and easy to modify.

# Surface Analysis

Yes, the VM has its own debugger and disassembler.

# Modifying the Disassembler

However, there are pitfalls here.

Because it is a unique architecture, the destinations of the control-flow instructions differ from what is shown in the disassembly dump. For example, take a look at src_vm/op_call.c:

According to this, I modified the disassembler in src_vm/disass.c:

This makes it possible to display the address of the call destination correctly in the disassembly dump. In addition, the jump instructions need to be modified. In the case of jnz:

With this,

becomes:

Good.

Also, after 0x8759 it looks like a data section.

However, parts such as 0x87e8 are misinterpreted as code.

The data section was not obfuscated.

So I gave first aid to src_vm/disass.c:

Awful… who cares?

# First Attempt With KLEE

This is a failure case.

As we have seen so far, VMNDH-2k12 is open source, so I tried to solve the challenge with a source-code-based symbolic execution tool, KLEE.

I modified src_vm/syscall_write.c to add an assertion:

Here is a modified Makefile:

I left all of it to KLEE and went to bed…

… It’s not going to be easy.

I also wrote a solver with angr, which symbolizes stdin, but… let’s not talk about it.

An example of an insufficient SMTLIB2 representation is:

# Solution With Z3

Since there was no other choice, I read the whole disassembly. After some twists and turns, I realized that:

• Pepperidge Farm checks the character codes against transformed values of 0x20 bytes.
• 0x8247(x, y) returns x * 100 + y.

Now it’s Z3 time. For example, subroutine 0x8269:

becomes:

This is satisfiable, but not enough. We need to add the rest of the constraints.
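As an added example (not the author's solver), here is how one such check can be modelled: it emits the SMT-LIB2 bit-vector form of the relation 0x8247(x, y) = x * 100 + y between two printable input bytes and a target value, and cross-checks satisfiability with a brute-force search. The 16-bit width and the target value are constructed assumptions; the real constants come from the Pepperidge Farm disassembly.

```python
# Added example: model one 0x8247(x, y) == target check (x * 100 + y) as an
# SMT-LIB2 bit-vector problem and cross-check it with a brute-force search.
# The width (16 bits) and the target value are constructed assumptions; the
# real constants must be read from the Pepperidge Farm disassembly.
PRINTABLE = range(0x20, 0x7F)   # the input is checked character by character


def f_8247(x: int, y: int, width: int = 16) -> int:
    """Python model of subroutine 0x8247: x * 100 + y, truncated to `width` bits."""
    return (x * 100 + y) & ((1 << width) - 1)


def smtlib2_pair_check(target: int, width: int = 16) -> str:
    """Emit the SMT-LIB2 text Z3 would accept for one pair check.

    Both bytes are constrained to printable ASCII so the model is typeable.
    """
    hexw = width // 4
    lines = ["(set-logic QF_BV)"]
    for v in ("x", "y"):
        lines.append(f"(declare-const {v} (_ BitVec {width}))")
        lines.append(f"(assert (bvuge {v} #x{0x20:0{hexw}x}))")
        lines.append(f"(assert (bvule {v} #x{0x7e:0{hexw}x}))")
    lines.append(
        f"(assert (= (bvadd (bvmul x #x{100:0{hexw}x}) y) #x{target:0{hexw}x}))"
    )
    lines.append("(check-sat)")
    lines.append("(get-model)")
    return "\n".join(lines)


def brute_force_pairs(target: int, width: int = 16) -> list:
    """Enumerate every printable (x, y) satisfying the check, for sanity checks."""
    return [(x, y) for x in PRINTABLE for y in PRINTABLE if f_8247(x, y, width) == target]


if __name__ == "__main__":
    # Constructed target: the value produced by the key fragment "ab".
    target = f_8247(ord("a"), ord("b"))
    print(smtlib2_pair_check(target))
    print("brute force:", brute_force_pairs(target))
```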

Even with only partial constraints the check process proceeds further, so inscount with Pin or another dynamic binary instrumentation tool might be helpful.

Finally I got:

The conclusive SMTLIB2 representation is:

# Final Words

I enjoyed this challenge. It seems to be of easy or medium-easy difficulty. If only I could have solved the more difficult Reverse Engineering challenges during the quals, such as liberty and godzilla.

Recently I read T. Blazytko et al., USENIX Security’17. The paper says that the system named Syntia automatically deobfuscates binaries with program synthesis. Program synthesis is a method to synthesize pieces of a program from given I/O samples and a set of possible operators, like this:

This is just a simple example. In practice, program slicing and path pruning will be needed. Both symbolic execution and program synthesis depend on an SMT solver, but according to the paper, program synthesis is more suitable for deobfuscation tasks… really? I’ll investigate further.

# Introduction

As you know, IDAPython is quite useful, and the Triton concolic execution engine has Python bindings. Then… why not integrate them? I tried to stand on the shoulders of giants.

# Backward Program Slicing

Roughly speaking, program slicing is a method to extract the subset of a program that is relevant to a given statement. Here is an excerpt from M. Weiser, ICSE’81:

Starting from a subset of a program’s behavior, slicing reduces that program to a minimal form which still produces that behavior. The reduced program, called a “slice”, is an independent program guaranteed to faithfully represent the original program within the domain of the specified subset of behavior.
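To make that definition concrete, here is an added example (not the Triton/IDA glue this post describes) that computes a backward slice on a constructed straight-line trace: starting from the register a branch reads, it keeps only the instructions whose results flow into it. The instructions, addresses and register names are constructed for the illustration.

```python
# Added example: backward program slicing over a constructed straight-line
# trace, the same idea backward_slicing.py applies to Triton's symbolic
# expressions. Each entry is (address, text, defined_regs, used_regs); the
# instructions and register names are constructed for this illustration.
TRACE = [
    (0x1000, "mov rax, [rbp-8]",  {"rax"},   {"rbp"}),
    (0x1004, "mov rbx, 7",        {"rbx"},   set()),
    (0x1008, "mov rcx, [rbp-16]", {"rcx"},   {"rbp"}),   # not related to the branch
    (0x100c, "imul rax, rbx",     {"rax"},   {"rax", "rbx"}),
    (0x1010, "add rcx, 1",        {"rcx"},   {"rcx"}),   # not related to the branch
    (0x1014, "sub rax, 3",        {"rax"},   {"rax"}),
    (0x1018, "cmp rax, 0",        {"flags"}, {"rax"}),
    (0x101c, "jnz 0x1040",        set(),     {"flags"}),
]


def backward_slice(trace, criterion_addr):
    """Addresses of the instructions that the one at `criterion_addr`
    transitively depends on, found by walking reaching definitions backwards.

    Registers never defined inside the trace (rbp here) are inputs: they stay
    in the live set without contributing an instruction.
    """
    by_addr = {entry[0]: entry for entry in trace}
    live = set(by_addr[criterion_addr][3])   # registers still needing a definition
    kept = {criterion_addr}
    for addr, _text, defs, uses in reversed(trace):
        if addr >= criterion_addr:
            continue                          # only earlier instructions can define inputs
        if defs & live:
            kept.add(addr)
            live -= defs                      # this definition is explained...
            live |= uses                      # ...its operands must be explained next
    return sorted(kept)


def render(trace, addrs):
    """The slice in original disassembly order, one instruction per line."""
    return "\n".join(f"{a:#x}: {t}" for a, t, _d, _u in trace if a in addrs)


if __name__ == "__main__":
    print(render(TRACE, backward_slice(TRACE, 0x101c)))
```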

Kudos to Jonathan Salwan: we can easily apply backward program slicing to the binary analysis process with minor modifications of backward_slicing.py and proving_opaque_predicates.py. I wrote a simple, tiny glue between Triton and IDA Pro:

# Showcase

The snippet extracts the subset of the program that is relevant to the branch condition. We can run it from File -> Script file in the IDA Pro menu.

becomes:

becomes:

Looks nice.

# Last Words

Triton’s emulation iteration is compatible with the IDAPython manner. Therefore, the combination of IDA Pro and Triton is pretty good.

Cheers,

# Introduction

IDAPython is a powerful feature of IDA Pro, and there are many open-source IDAPython projects. However, we cannot use every GUI-based IDAPython script, due to some Qt-related breaking changes between IDA Pro 6.8 and 6.9 or later. The main problem is migrating no-longer-supported PySide code to PyQt5.

Recently I ported the PySide code within idasec to PyQt5. idasec is one of the most sophisticated deobfuscation frameworks: it tackles opaque predicates and call-stack tampering as infeasibility questions by utilizing Backward-Bounded Dynamic Symbolic Execution, proposed in the remarkably well-written paper S. Bardin et al., IEEE S&P’17.

That’s why I decided to write this blog post, as a note to self and for anyone trying to do a similar thing.

# Related Work

There are two guides for migrating PySide code to PyQt5:

# How to Migrate

Now let’s get started.

## Change QtGui methods to QtWidgets

Most classes in QtGui migrated to QtWidgets. Therefore,

becomes:

As an example, QTextEdit is described in Hex Blog. In addition, the classes to be rewritten are as follows:

• QtWidgets.QLayout
• QtWidgets.QVBoxLayout
• QtWidgets.QHBoxLayout
• QtWidgets.QWidget
• QtWidgets.QTableWidget
• QtWidgets.QListWidget
• QtWidgets.QTabWidget
• QtWidgets.QDockWidget
• QtWidgets.QTreeWidget
• QtWidgets.QTreeWidgetItem
• QtWidgets.QPushButton
• QtWidgets.QRadioButton
• QtWidgets.QToolButton
• QtWidgets.QButtonGroup
• QtWidgets.QGroupBox
• QtWidgets.QSpinBox
• QtWidgets.QCheckBox
• QtWidgets.QComboBox
• QtWidgets.QTextEdit
• QtWidgets.QLineEdit
• QtWidgets.QApplication
• QtWidgets.QLabel
• QtWidgets.QSizePolicy
• QtWidgets.QMenu
• QtWidgets.QFrame
• QtWidgets.QProgressBar
• QtWidgets.QStyle
• QtWidgets.QSpacerItem
• QtWidgets.QScrollArea
• QtWidgets.QSplitter
• There might be more…

My experience says that everything other than the following 3 classes may need to be rewritten:

• QtGui.QPixmap
• QtGui.QIcon
• QtGui.QFont

idacute may overwrite all of the QtGui classes, so I think some manual work is still needed.

## Overwrite _fromUtf8

We also need to overwrite _fromUtf8.

## Others

These issues have been described by others before me:

• Handling SIGNAL
• Change FormToPySideWidget to FormToPyQtWidget
• Change setResizeMode to setSectionResizeMode
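As an added example (not idacute nor any project's own tool), here is a mechanical first pass that applies the steps above to one PySide-era IDAPython file. It assumes that PyQt5 works on plain Python str, so the _fromUtf8 shim becomes an identity function; lines with SIGNAL() or with QtGui classes not on the list are reported for manual work. The sample input is constructed.

```python
# Added example (not idacute or any project's tool): a mechanical first pass
# over the migration steps in this post. Moves the listed QtGui classes to
# QtWidgets, keeps QPixmap/QIcon/QFont, renames FormToPySideWidget and
# setResizeMode, and replaces the PySide _fromUtf8 shim with an identity
# function (assumption: PyQt5 works on plain Python str).
import re

MOVED_TO_QTWIDGETS = {
    "QLayout", "QVBoxLayout", "QHBoxLayout", "QWidget", "QTableWidget", "QListWidget",
    "QTabWidget", "QDockWidget", "QTreeWidget", "QTreeWidgetItem", "QPushButton",
    "QRadioButton", "QToolButton", "QButtonGroup", "QGroupBox", "QSpinBox", "QCheckBox",
    "QComboBox", "QTextEdit", "QLineEdit", "QApplication", "QLabel", "QSizePolicy",
    "QMenu", "QFrame", "QProgressBar", "QStyle", "QSpacerItem", "QScrollArea", "QSplitter",
}
STAYS_IN_QTGUI = {"QPixmap", "QIcon", "QFont"}
RENAMES = {"FormToPySideWidget": "FormToPyQtWidget", "setResizeMode": "setSectionResizeMode"}


def migrate(source: str):
    """Return (migrated_source, lines_needing_manual_work)."""
    def fix_class(m):
        name = m.group(1)
        return ("QtWidgets." if name in MOVED_TO_QTWIDGETS else "QtGui.") + name
    out = re.sub(r"\bQtGui\.(Q\w+)", fix_class, source)
    out = re.sub(r"^([ \t]*)from PySide import (.+)$",
                 r"\1from PyQt5 import \2, QtWidgets", out, flags=re.M)
    out = re.sub(r"^([ \t]*)_fromUtf8\s*=\s*QtCore\.QString\.fromUtf8[ \t]*$",
                 r"\1def _fromUtf8(s):\n\1    return s", out, flags=re.M)
    for old, new in RENAMES.items():
        out = re.sub(rf"\b{old}\b", new, out)
    todo = []
    for line in out.splitlines():
        leftover = set(re.findall(r"\bQtGui\.(Q\w+)", line)) - STAYS_IN_QTGUI
        if "SIGNAL(" in line or leftover:     # the "There might be more..." cases
            todo.append(line.strip())
    return out, todo


# Constructed PySide-era snippet in the idasec style, used as sample input.
SAMPLE = """from PySide import QtGui, QtCore
_fromUtf8 = QtCore.QString.fromUtf8
class View(idaapi.PluginForm):
    def OnCreate(self, form):
        self.parent = self.FormToPySideWidget(form)
        self.table = QtGui.QTableWidget()
        self.table.horizontalHeader().setResizeMode(QtGui.QHeaderView.Stretch)
        self.table.setFont(QtGui.QFont("Courier"))
        self.connect(self.table, QtCore.SIGNAL("itemSelectionChanged()"), self.sel)
"""
```

Old-style SIGNAL() connections and classes outside the list (QHeaderView in the sample) are deliberately left in place and listed in the returned todo so they can be fixed by hand.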

# Conclusion

This time, I was able to run idasec on IDA Pro 7.0 with some bug fixes and dirty patches, like in this cool video:

If you are an IDA Pro 7.0 user, note that the other backward-compatibility issues described in IDA: IDAPython backward-compatibility with 6.95 APIs will also occur.

Enjoy!

HAI DOMO VIRTUAL YOUTUBER KIZUNA AI DESU. I’m still working on my English.

# Xming

Xming is an X Window System implementation for Windows and the de facto standard for X11 forwarding on Windows. Now, when using Xming on the Japanese edition of Windows, the input language occasionally switches to English on its own. Well, it is OSS, so I could just edit the source code, but reading the binary seemed faster, so that is what I did.

# Cause

Looking in IDA Pro at the callers of the keyboard-related APIs, you can see that the locale ID argument of LoadKeyboardLayout is set to English (0x0409). Changing it to Japanese (0x0411) is enough.

It sits plainly in the .rdata section, so it can be rewritten in place.

Written in the ancient binary-patch style, it goes like this:

Done.
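As an added example (not the author's patch), a small script that performs the same edit on a copy of the binary: it looks for the keyboard layout identifier that LoadKeyboardLayout receives and rewrites it. It assumes the KLID is stored as the string "00000409" (the Windows KLID for US English) in either ANSI or UTF-16LE form, which is my assumption about the .rdata contents, and it refuses to patch unless exactly one occurrence is found. The sample blob is constructed.

```python
# Added example: patch Xming's keyboard layout identifier in a copy of the
# binary. LoadKeyboardLayout takes the KLID as a string, so the assumption here
# is that .rdata holds "00000409" (US English) either as ANSI or UTF-16LE text;
# the constructed SAMPLE_RDATA below stands in for the real executable.
import re

OLD_KLID, NEW_KLID = "00000409", "00000411"   # en-US -> ja-JP


def find_klid(blob: bytes, klid: str):
    """Return [(offset, encoding)] for every occurrence of the KLID string,
    as ANSI (NUL-terminated) or UTF-16LE (double-NUL-terminated)."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = (klid + "\0").encode(enc)
        for m in re.finditer(re.escape(needle), blob):
            hits.append((m.start(), enc))
    return hits


def patch_klid(blob: bytes, old: str = OLD_KLID, new: str = NEW_KLID) -> bytes:
    """Rewrite the single KLID occurrence in place; same length, so no relocation."""
    hits = find_klid(blob, old)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one {old!r}, found {len(hits)}: {hits}")
    offset, enc = hits[0]
    needle = (old + "\0").encode(enc)
    replacement = (new + "\0").encode(enc)
    assert len(needle) == len(replacement)
    return blob[:offset] + replacement + blob[offset + len(needle):]


# Constructed stand-in for the .rdata section: unrelated strings plus the KLID.
SAMPLE_RDATA = b"\0\0Xming\0" + b"00000409\0" + b"winconfig.c\0" + b"\0" * 4


if __name__ == "__main__":
    patched = patch_klid(SAMPLE_RDATA)
    print(find_klid(patched, NEW_KLID))
```

On the real file, read the executable into `blob`, write the returned bytes to a new copy, and keep the original next to it.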

# Addendum (2016.11.07)

The Xming version is Public Domain Releases 6.9.0.31; I do not know whether this is fixed in the newer paid version. Also, the relevant source in 6.9.0.31 (xc/programs/Xserver/hw/xwin/winconfig.c) carries a rather ominous comment, but I will pretend I did not see it. In my environment, Caps Lock is swapped with Ctrl via a registry setting anyway.

Do this at your own risk.