Tags: jit rev vm
The binary used a just-in-time virtual machine: 40 VM functions were compiled at runtime into ARM machine code. We dumped the generated code for each function and disassembled it by hand. The VM program listened for connections and then attempted to connect to two peer servers. It returned a 32-byte secret derived from the requester's IP address and the outputs of the two peers. We re-implemented the logic in C and brute-forced the entire 10.x.x.x address space to find the communication tree that led to the flag.
Full writeup here: https://ctf.harrisongreen.me/2021/pwn2win/highest_power/