1625-5 Prince Ang's summary for December 29, 2017 (consecutive day No. 455 of summaries)
A. 34c3ctf-wasm
B.
Searched the challenge and got the keyword: WebAssembly.
WebAssembly mainly tries to solve some problems of existing technologies:
JavaScript: performance is not ideal, and the language itself has a lot of holes (everyone knows this)
Flash: proprietary technology (with a bunch of bugs) and a pure binary format
Silverlight: proprietary technology, and a pure binary format
Various plug-ins: security issues and platform-compatibility issues
Because of JS's shortcomings as a compiled language, the browser vendors decided to team up and develop a new fast and easy-to-use standard.
That is WebAssembly.
It can compile any language into an intermediate binary bytecode, which is then executed in the browser.
In simple terms, writing web pages in C++ is no longer a dream 233
So I downloaded Flag.wasm from the developer tools.
At this stage WebAssembly still needs a JS file as the glue that calls into it; you can see that what gets called is the check function in the wasm.
The official tools provide wasm2wat to convert wasm into wat.
Wat is human-readable code, though it is still as obscure as assembly.
After locating the check function, it turned out to be 800 lines Otz
This many lines is going to be a killer.
Looked around and found that it can be dynamically debugged in Chrome; after downloading and reloading it worked.
But this debugger is pretty weak... although you can see the value of each variable and the memory, it is extremely inconvenient.
For example, in the figure the value of arg0 is a pointer holding the address of the input string.
But to see the value the pointer points to, you have to scroll slowly through the list.
And for both view type and width it supports decimal/byte.
In the assembly code pointers are manipulated constantly, so looking up pointer values is far too cumbersome, and I could not find a way to output them from the console... Otz
Tried it a couple of times and found that it calls other functions too, which is killing me. =a=
So now only two options remain.
Write a disassembler and turn the 800 lines of wat into pseudocode to read
Dynamic debugging, patiently and slowly stepping through
I have some rough ideas for the disassembler: since wat is stack-based code, the call instructions operate directly on the stack without source and destination operands, so executing and recognising them is faster, and decompiling should be more convenient too.
Since the resulting wat is S-expression code, it is only necessary to push the instructions onto a stack according to the parentheses, then pop and execute them, providing a simulated memory and stack region during execution.
The main difficulty is code blocks and jumps between instructions, such as while/if and so on; I do not know compilers well, let alone wat's unfamiliar block and other directives.
Will try again the day after tomorrow -0- hope the platform doesn't shut down too quickly.
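A minimal version of the idea above, as an added example (not the author's code): a parser for wat's folded S-expression form feeding a tiny stack machine with simulated linear memory and locals. The instruction subset, the sample expression and the memory contents are constructed here; block/loop/br control flow, the hard part noted above, is deliberately left out.

```python
import re
# Constructed sample in wat's folded S-expression form (not from the challenge):
# mem[0] = mem[local0] + 1. Straight-line ops only; block/loop/br are not handled.
SAMPLE_WAT = "(i32.store (i32.const 0) (i32.add (i32.load (get_local 0)) (i32.const 1)))"

def parse(tokens):
    """Nested lists from a token list; parentheses delimit each wat form."""
    tok = tokens.pop(0)
    if tok != '(':
        return tok
    node = []
    while tokens[0] != ')':
        node.append(parse(tokens))
    tokens.pop(0)  # consume ')'
    return node

def parse_wat(src):
    return parse(re.findall(r'\(|\)|[^\s()]+', src))

class Machine:
    def __init__(self, locals_, mem_size=64):
        # Simulated locals, linear memory and the wasm operand stack.
        self.locals, self.mem, self.stack = list(locals_), bytearray(mem_size), []

    def run(self, node):
        op, *args = node
        for a in args:              # folded form: operands execute first, left to right
            if isinstance(a, list):
                self.run(a)
        if op == 'i32.const':
            self.stack.append(int(args[0]) & 0xffffffff)
        elif op in ('get_local', 'local.get'):   # old and new wat spellings
            self.stack.append(self.locals[int(args[0])])
        elif op == 'i32.add':
            b, a = self.stack.pop(), self.stack.pop()
            self.stack.append((a + b) & 0xffffffff)
        elif op == 'i32.load':
            addr = self.stack.pop()
            self.stack.append(int.from_bytes(self.mem[addr:addr + 4], 'little'))
        elif op == 'i32.store':
            val, addr = self.stack.pop(), self.stack.pop()
            self.mem[addr:addr + 4] = val.to_bytes(4, 'little')
        else:
            raise NotImplementedError(op)

def run_sample():
    """Local 0 points at offset 8 holding the constructed input 41; returns mem[0]."""
    m = Machine(locals_=[8])
    m.mem[8:12] = (41).to_bytes(4, 'little')
    m.run(parse_wat(SAMPLE_WAT))
    return int.from_bytes(m.mem[0:4], 'little')
```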
C. Plan for Tomorrow
Decompile / dynamically debug the wasm