Tags: emulation code emulator 

# Challenge
Attached is some never-before-seen assembly code routine that we pulled off a processor, which is responsible for string decryption. An input string is put
into the TRX register, then the routine is run, which decrypts the string.

For example, when putting the string `UL\x03d\x1c'G\x0b'l0kmm_` in TRX and executing this code, the resulting string in TRX is decrypted as `tenable.ctfd.io`.

A few things we know about this assembly:

There are only two registers, DRX and TRX. These hold the variables throughout the runtime.

Operand order is destination first, source second (the challenge text describes this as "similar to AT&T syntax", but AT&T syntax is source-first; this is Intel-style order), i.e. `MOV DRX, "dogs"` puts the string "dogs" into the DRX
register/variable, and `XOR TRX, DRX` XORs the string held in DRX into the string in TRX and stores the result in TRX. The comma between operands is optional; the attached file omits it.

There are only three instructions that this processor supports:

XOR - XORs the destination string against a source string and stores the result in the destination operand. The source operand can be either a literal string or a string held in a register/variable; the destination operand is always a register. Characters are XORed pairwise starting from the beginning of both strings; when the source is shorter, the remaining characters of the destination are left unchanged. Below is an example.

```
DRX = "dogs"
TRX = "shadow"

XOR TRX, DRX
```

TRX would become `\x17\x07\x06\x17ow` ('d' ^ 's' = 0x64 ^ 0x73 = 0x17, and so on; the trailing "ow" is untouched).

Two consequences of this definition matter when emulating the attached program: the source is never longer than the destination (the longest literal is 13 bytes, the ciphertext 21 bytes), so the opposite case never has to be decided, and `XOR DRX DRX` leaves DRX holding NUL bytes of the same length rather than an empty string, so the `XOR TRX DRX` that follows it is a no-op.

MOV - Simply copies the string from a source operand to the destination operand; the source operand can be either a literal or another register.

REVERSE - Takes one operand and simply reverses the string, i.e. if DRX holds "hotdog" then `REVERSE DRX` turns DRX into "godtoh". The operand can only be a register.
What we need: an emulator that can execute the code in the attached file in order to decrypt this string:

`GED\x03hG\x15&Ka =;\x0c\x1a31o*5M`

If you successfully develop an emulator for this assembly and initialize TRX with this string, execution should yield the final result in the TRX register.

# crypto.asm file
```
MOV DRX "LemonS"
XOR TRX DRX
MOV DRX "caviar"
REVERSE DRX
XOR TRX DRX
REVERSE TRX
MOV DRX "vaniLla"
XOR TRX DRX
REVERSE TRX
XOR TRX DRX
REVERSE TRX
MOV DRX "tortillas"
XOR TRX DRX
MOV DRX "applEs"
XOR TRX DRX
MOV DRX "miLK"
REVERSE DRX
XOR TRX DRX
REVERSE TRX
XOR TRX DRX
REVERSE TRX
REVERSE TRX
REVERSE TRX
XOR DRX DRX
XOR TRX DRX
MOV DRX "OaTmeAL"
XOR TRX DRX
REVERSE TRX
REVERSE TRX
REVERSE TRX
XOR DRX DRX
XOR TRX DRX
MOV DRX "cereal"
XOR TRX DRX
MOV DRX "ICE"
REVERSE DRX
XOR TRX DRX
MOV DRX "cHerries"
XOR TRX DRX
REVERSE TRX
XOR TRX DRX
REVERSE TRX
MOV DRX "salmon"
XOR TRX DRX
MOV DRX "chicken"
XOR TRX DRX
MOV DRX "Grapes"
REVERSE DRX
XOR TRX DRX
REVERSE TRX
XOR TRX DRX
REVERSE TRX
MOV DRX "caviar"
REVERSE DRX
XOR TRX DRX
REVERSE TRX
MOV DRX "vaniLla"
XOR TRX DRX
REVERSE TRX
XOR TRX DRX
MOV DRX TRX
MOV TRX "HonEyWheat"
XOR DRX TRX
MOV TRX DRX
MOV DRX "HamBurgerBuns"
REVERSE DRX
XOR TRX DRX
REVERSE TRX
XOR TRX DRX
REVERSE TRX
REVERSE TRX
REVERSE TRX
XOR DRX DRX
XOR TRX DRX
MOV DRX "IceCUBES"
XOR TRX DRX
MOV DRX "BuTTeR"
XOR TRX DRX
REVERSE TRX
XOR TRX DRX
REVERSE TRX
MOV DRX "CaRoTs"
XOR TRX DRX
MOV DRX "strawBerries"
XOR TRX DRX
```

# Solution

I wrote the following Python code (it expects the file above to be saved as crypto.asm in the working directory):

```python
class Register:
    def __init__(self, value=b"") -> None:
        self.value = value


def xor_pwn(a, b):
    # XOR the two byte strings over their common prefix; the tail of the longer
    # operand is carried through unchanged (matches the "dogs"/"shadow" example).
    # Build with bytes() rather than chr().encode() so values >= 0x80 stay one byte.
    if len(a) > len(b):
        dest, src = a, b
    else:
        dest, src = b, a
    res = bytes(dest[i] ^ src[i] for i in range(len(src)))
    return res + dest[len(src):]


def mov(dest: Register, source):
    # source is either a string literal from the asm file or a Register
    if isinstance(source, str):
        dest.value = source.encode()
    else:
        dest.value = source.value


def xor(dest: Register, source):
    if isinstance(source, str):
        dest.value = xor_pwn(dest.value, source.encode())
    else:
        dest.value = xor_pwn(dest.value, source.value)


def reverse(dest: Register):
    dest.value = dest.value[::-1]


TRX = Register(b"GED\x03hG\x15&Ka =;\x0c\x1a31o*5M")
DRX = Register()
codelines = open("crypto.asm", "r").read().splitlines()

for codeline in codelines:
    parts = codeline.split()
    if not parts:
        continue  # skip blank lines
    # the first operand is always a register
    dest = TRX if parts[1] == "TRX" else DRX
    src = None
    if len(parts) > 2:
        src = parts[2]
        if '"' in src:
            # string literal; no literal in this file contains a space, so split() is safe
            src = src.replace('"', '')
        elif src == "TRX":
            src = TRX
        else:
            src = DRX
    if parts[0] == "MOV":
        mov(dest, src)
    elif parts[0] == "XOR":
        xor(dest, src)
    elif parts[0] == "REVERSE":
        reverse(dest)
print(TRX.value)
```
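As an added example (not the original writeup's code), here is a second emulator that tokenises instructions with a regex instead of `split()`, so quoted literals containing spaces and the optional comma from the challenge text both parse, and that goes one step further than running the program: since every instruction is either a XOR with a constant or a byte reversal, the whole routine collapses, for a fixed input length, to `f(x) = R(x) ^ pad` with `R` the identity or a reversal. Two chosen inputs (all-zero and a single `\x01`) recover `pad` and `R`, which gives the inverse routine for free. The assembler source is the page's crypto.asm packed several instructions per line with `;` separators purely to keep the block short; the function names `parse`, `emulate`, `derive_affine` and `encrypt` are this example's own.

```python
import re

# The page's crypto.asm, packed several instructions per line with ';' separators
# only to keep this block short; the emulator splits on both newlines and ';'.
CRYPTO_ASM = """
MOV DRX "LemonS"; XOR TRX DRX; MOV DRX "caviar"; REVERSE DRX; XOR TRX DRX; REVERSE TRX
MOV DRX "vaniLla"; XOR TRX DRX; REVERSE TRX; XOR TRX DRX; REVERSE TRX
MOV DRX "tortillas"; XOR TRX DRX; MOV DRX "applEs"; XOR TRX DRX
MOV DRX "miLK"; REVERSE DRX; XOR TRX DRX; REVERSE TRX; XOR TRX DRX
REVERSE TRX; REVERSE TRX; REVERSE TRX; XOR DRX DRX; XOR TRX DRX
MOV DRX "OaTmeAL"; XOR TRX DRX; REVERSE TRX; REVERSE TRX; REVERSE TRX; XOR DRX DRX; XOR TRX DRX
MOV DRX "cereal"; XOR TRX DRX; MOV DRX "ICE"; REVERSE DRX; XOR TRX DRX
MOV DRX "cHerries"; XOR TRX DRX; REVERSE TRX; XOR TRX DRX; REVERSE TRX
MOV DRX "salmon"; XOR TRX DRX; MOV DRX "chicken"; XOR TRX DRX
MOV DRX "Grapes"; REVERSE DRX; XOR TRX DRX; REVERSE TRX; XOR TRX DRX; REVERSE TRX
MOV DRX "caviar"; REVERSE DRX; XOR TRX DRX; REVERSE TRX
MOV DRX "vaniLla"; XOR TRX DRX; REVERSE TRX; XOR TRX DRX
MOV DRX TRX; MOV TRX "HonEyWheat"; XOR DRX TRX; MOV TRX DRX
MOV DRX "HamBurgerBuns"; REVERSE DRX; XOR TRX DRX; REVERSE TRX; XOR TRX DRX
REVERSE TRX; REVERSE TRX; REVERSE TRX; XOR DRX DRX; XOR TRX DRX
MOV DRX "IceCUBES"; XOR TRX DRX; MOV DRX "BuTTeR"; XOR TRX DRX; REVERSE TRX; XOR TRX DRX; REVERSE TRX
MOV DRX "CaRoTs"; XOR TRX DRX; MOV DRX "strawBerries"; XOR TRX DRX
"""

# Ciphertext from the challenge text.
CHALLENGE_TRX = b"GED\x03hG\x15&Ka =;\x0c\x1a31o*5M"

# One instruction: mnemonic, destination register, optional source (register or
# double-quoted literal). The comma is optional, so both `MOV DRX, "dogs"` from the
# challenge text and `MOV DRX "dogs"` from the file parse.
_INSN = re.compile(r'^\s*(MOV|XOR|REVERSE)\s+(TRX|DRX)(?:\s*,?\s*("(?:[^"\\]|\\.)*"|TRX|DRX))?\s*$')


def parse(src: str):
    """Tokenise assembler text into (op, dest, operand) triples.
    operand is bytes for a literal, a register name for a register, None for REVERSE."""
    program = []
    for stmt in re.split(r"[;\n]", src):
        if not stmt.strip():
            continue
        m = _INSN.match(stmt)
        if not m:
            raise ValueError(f"unparseable instruction: {stmt!r}")
        op, dest, operand = m.groups()
        if (operand is None) != (op == "REVERSE"):
            raise ValueError(f"wrong operand count: {stmt!r}")
        if operand is not None and operand.startswith('"'):
            operand = operand[1:-1].encode()  # literal: strip quotes, keep as bytes
        program.append((op, dest, operand))
    return program


def xor_bytes(dest: bytes, src: bytes) -> bytes:
    """XOR over the common prefix; the untouched tail of the longer operand is kept."""
    n = min(len(dest), len(src))
    return bytes(d ^ s for d, s in zip(dest, src)) + dest[n:] + src[n:]


def emulate(src: str, trx: bytes, drx: bytes = b"") -> bytes:
    """Run the routine with TRX preloaded and return TRX afterwards."""
    regs = {"TRX": trx, "DRX": drx}
    for op, dest, operand in parse(src):
        if op == "REVERSE":
            regs[dest] = regs[dest][::-1]
            continue
        value = operand if isinstance(operand, bytes) else regs[operand]
        regs[dest] = value if op == "MOV" else xor_bytes(regs[dest], value)
    return regs["TRX"]


def derive_affine(src: str, n: int):
    """For a fixed length n the routine is f(x) = R(x) ^ pad, R being identity or
    reversal, because every instruction is a constant XOR or a reversal.  Two chosen
    inputs recover it: pad = f(0), and f(e0) ^ pad shows where byte 0 ended up.
    Raises if the routine is not of that shape at this length (e.g. a literal longer
    than n would grow the output)."""
    if n == 0:
        return b"", False
    pad = emulate(src, bytes(n))
    delta = xor_bytes(emulate(src, b"\x01" + bytes(n - 1)), pad)
    if delta == b"\x01" + bytes(n - 1):
        return pad, False
    if delta == bytes(n - 1) + b"\x01":
        return pad, True
    raise ValueError("routine is not reversal-plus-pad at this length")


def encrypt(src: str, plaintext: bytes) -> bytes:
    """Invert the routine: y = R(x) ^ pad, so x = R(y ^ pad).  Feeding the result
    back through emulate() returns the plaintext."""
    pad, is_reversed = derive_affine(src, len(plaintext))
    x = xor_bytes(plaintext, pad)
    return x[::-1] if is_reversed else x


if __name__ == "__main__":
    print(emulate(CRYPTO_ASM, CHALLENGE_TRX))
```

The `tenable.ctfd.io` test vector from the challenge text is the sanity check to run first: if the emulator gets that wrong, the flag output is wrong too. `derive_affine` makes the security point of the challenge explicit: 85 instructions of XOR and REVERSE are a fixed, length-dependent one-time pad, so one known plaintext of the right length recovers the pad and decrypts every other ciphertext of that length.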

Original writeup (https://gist.github.com/ebubekirtrkr/1663a01c33464f73a8362e8c174a94b3).