bi0s
  •  Home
  •  Categories
  •  Archives
  •  Tags

kowaiiVm - bi0sCTF 2024

k1R4
2024-02-28
Pwn

tl;dr

  • The VM takes a custom binary as input
  • Binary contains function table, code and bss sections
  • Code can overlap with bss and be modified at runtime
  • The JIT compiler assumes that a function is safe since it ran many times
  • Functions modified right before JIT bypass security checks
bi0sCTF Exploitation VM JIT

cs2100 - HackTM CTF Quals 2023

k1R4
2023-02-23
Pwn

tl;dr

  • LOAD and S_TYPE opcodes lead to OOB when addr > DRAM_BASE+DRAM_SIZE
  • Get libc and stack pointers and offset to obtain RIP offset and base
  • Write ropchain on stack using libc gadgets
  • Perform ORW on flag file
Exploitation VM

kawaii_vm - bi0sCTF 2022

k1R4
2023-01-25
Pwn

tl;dr

  • Giving a custom array size of NaN passes the checks while allowing OOB r/w
  • Use OOB r/w to get libc, stack (environ) addresses
  • Craft fake chunk on array and overwrite fastbin fd
  • Reset machine to allocate register context on fake chunk
  • Overwrite VM sp with real stack
  • Push ropchain onto stack and halt VM to execute ropchain
bi0sCTF Exploitation VM

Eerie_Jit - bi0sCTF 2022

Abhishek Barla
Abhishek Bharadwaj
2023-01-25
RE

tl;dr

  • This challenge is a JIT VM
  • The VM logic implements modular equations
VM bi0sCTF2022 JIT

2k - redpwnctf 2021

AmunRha
2021-07-22
Reversing / Linux

tl;dr

  • This is a simple stack based VM
  • 25-27 opcodes and 8 different constraints
  • Extract the constraints
  • Use z3 to find a satisfying model
Linux VM Reversing

Wannavmbe - InCTF Internationals 2019

Freakston
2019-09-30
Reversing / Windows

Intended solution of Wannavmbe challenge from InCTF Internationals 2019

tl;dr

  • Challenge is a VM.
  • Reverse Instruction types and implementation.
  • Understand that it has a function which takes the base64 of CWD (Current working directory).
  • Find the correct directory where it needs to be placed.
VM Windows Reversing Automation

Signal VM de1ta (Part 2) - de1CTF 2019

R3x
2019-08-09
Reversing / Linux

tl;dr

  • Challenge is a VM implemented over signals and ptrace
  • Reverse Instruction types and implementation
  • Use gdb scripting to find the executed code and get the pseudo VM code
  • Find out the algorithm (Max triangle sum) from VM instructions
  • Find a more optimized way to solve the problem (Or lazy solve it!).
Linux VM Reversing Automation

Signal VM (Part 1) - de1CTF 2019

R3x
2019-08-08
Reversing / Linux

tl;dr

  • Challenge is a VM implemented over signals and ptrace
  • Reverse Instruction types and implementation
  • Use gdb scripting to find the executed code and get the pseudo VM code
  • Reverse the VM functionality (Hill cipher) for flag and profit
Linux VM Reversing Automation

Official blog of team bi0s

  Projects
  •   bi0s-wargame
    (Unraveling)
  •   bi0s-wiki
    (Free Encyclopedia)
  •   InCTF
    (Nationals CTF)
  •   InCTFj
    (Juniors CTF)

Made With Love and Coffee



Blog content follows the Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) License
