GHDL Reverse

2022-03-04

字数统计: 5.8k字 | 阅读时长≈ 30分

最近4个月遇到过2次ghdl程序逆向题，虽然核心代码都很简单，但是感觉还是有必要稍微总结一下经验。

GHDL Reverse

What

VHDL在数电是学过的，大抵就是一种模拟电子电路的硬件语言。

简单来说，这个GHDL就是就是在Linux平台上解析VHDL或者Verilog脚本，一通转换，翻译以后进入LLVM或者GCC进行编译，转换成Linux的ELF可执行文件。

About — GHDL 3.0.0-dev documentation

这里面有GHDL流程图（不想在我的博客里面搞图片）

安装

https://github.com/ghdl/ghdl/releases

这边给了已经编译过的现成可执行程序。下一个Linux的。同时再下一份源码便于分析。

1 2	ghdl-gha-ubuntu-18.04-gcc // Ubuntu 18 ghdl-nighly.zip // Source code

Windows版本比较特殊，由于某些bug原因暂时没能搞明白，所以不管了。Ubuntu版本的会轻松很多。

例子

`hello.vhdl`

--  hello.vhdl
--  Hello world program
use std.textio.all; -- Imports the standard textio package.

--  Defines a design entity, without any ports.
entity hello_world is
end hello_world;

architecture behaviour of hello_world is
begin
  process
    variable l : line;
  begin
    write (l, String'("Hello world!"));
    writeline (output, l);
    wait;
  end process;
end behaviour;

这个语法据我研究好像是Ada编程语言？

ADA语言Hello World_quanben-CSDN博客_ada语言

编译

GHDL有三种底层，mcode，LLVM和gcc。这里使用的是gcc后端。mcode是内部程式码，似乎是给Windows平台提供的支持方案。

首先，解析hello.vhdl。这个操作会分析你的vhdl文件的语法错误，若无误则会生成一份work-obj93.cf以及hello.o可重定位文件。

1	./ghdl -a hello.vhdl

然后

1	./ghdl -e hello_world

此时将会基于刚刚解析的结果编译出一份hello_world可执行程序（在源码中定义过entity hello_world，所以生成的模块名就得是这个）。

1	./ghdl -r hello_world

则会编译且执行。这样就会打印Hello world!了。

当然由于已经编译出二进制文件了，所以直接

1	./hello_world

也行。

逆向

直接拖进IDA看。（如果被strip过了，那么自己整一份有调试信息的，然后Bindiff即可恢复大部分函数。）

int __cdecl main(int argc, const char **argv, const char **envp)
{
  return ghdl_main((unsigned int)argc, argv);
}

__int64 __fastcall ghdl_main(__int64 a1, __int64 *a2)
{
  __int64 v3; // [rsp+18h] [rbp-8h]

  v3 = 0LL;
  grt_init(a1);
  if ( (_DWORD)a1 != 0 || a2 != 0LL )
  {
    if ( !a2 )
      _gnat_last_chance_handler("ghdl_main.adb", 53LL);
    v3 = *a2;
  }
  grt_main_options(v3, (unsigned int)a1, a2);
  grt__main__run();
  return grt__errors__exit_status;
}

进入grt__main__run函数

__int64 grt__main__run()
{
  __int64 result; // rax
  unsigned int v1; // [rsp+8h] [rbp-8h]

  result = grt_main_elab();
  if ( (_DWORD)result )
  {
    v1 = grt__main__run_simul();
    return grt__main__run_finish(v1);
  }
  return result;
}

核心在grt_main_elab()函数

__int64 grt_main_elab()
{
  __int64 stdout; // rax

  stdout = _ghdl_get_stdout();
  grt__errors__set_error_stream(stdout);
  grt__modules__register_modules();
  if ( (unsigned __int8)grt__options__decode() )
    return 0LL;
  grt__main__check_flag_string();
  grt__hooks__call_init_hooks();
  grt__processes__init();
  grt__signals__init();
  if ( grt__options__flag_stats )
    grt__stats__start_elaboration();
  if ( (int)_ghdl_run_through_longjump(grt__main__ghdl_elaborate_wrapper) < 0 )
    grt__errors__error(&unk_C85D8, &unk_C85F0);
  return 1LL;
}

其中_ghdl_run_through_longjump指向了一个grt__main__ghdl_elaborate_wrapper函数

__int64 grt__main__ghdl_elaborate_wrapper()
{
  _ghdl_ELABORATE();
  return 0LL;
}

__int64 _ghdl_ELABORATE()
{
  __int64 v1; // [rsp+0h] [rbp-10h]

  v1 = _ghdl_malloc0(32LL);
  *(_QWORD *)(v1 + 8) = 0LL;
  _ghdl_rti_add_top(2LL, &_ghdl_top_RTIARRAY, &work__hello_world__ARCH__behaviour__RTI, v1);
  _ghdl_rti_add_package(&std__standard__RTI);
  work__hello_world__PKG_ELAB();
  _ghdl_init_top_generics();
  work__hello_world__ARCH__behaviour__DECL_ELAB(v1);
  work__hello_world__ARCH__behaviour__STMT_ELAB(v1);
  return work__hello_world__ARCH__behaviour__DEFAULT_CONFIG(v1);
}

然后在work__hello_world__ARCH__behaviour__STMT_ELAB

__int64 __fastcall work__hello_world__ARCH__behaviour__STMT_ELAB(__int64 a1)
{
  __int64 result; // rax

  work__hello_world__STMT_ELAB(a1);
  _ghdl_process_register(
    a1,
    work__hello_world__ARCH__behaviour__P0__PROC,
    &work__hello_world__ARCH__behaviour__P0__RTI,
    a1 + 16);
  *(_QWORD *)(a1 + 16) = 0LL;
  result = a1;
  *(_DWORD *)(a1 + 24) = 0;
  return result;
}

_ghdl_process_register中的work__hello_world__ARCH__behaviour__P0__PROC就是

__int64 __fastcall work__hello_world__ARCH__behaviour__P0__PROC(__int64 a1)
{
  __int64 result; // rax
  int v2; // [rsp+10h] [rbp-70h] BYREF
  __int64 v3; // [rsp+18h] [rbp-68h]
  __int64 v4[2]; // [rsp+20h] [rbp-60h] BYREF
  __int64 v5[2]; // [rsp+30h] [rbp-50h] BYREF
  char v6; // [rsp+40h] [rbp-40h]
  int v7; // [rsp+44h] [rbp-3Ch]
  _QWORD *v8; // [rsp+48h] [rbp-38h]
  __int64 v9; // [rsp+50h] [rbp-30h]
  int v10; // [rsp+5Ch] [rbp-24h]
  const char *v11; // [rsp+60h] [rbp-20h]
  _QWORD *v12; // [rsp+68h] [rbp-18h]
  __int64 v13; // [rsp+70h] [rbp-10h]
  int v14; // [rsp+7Ch] [rbp-4h]

  v14 = *(_DWORD *)(a1 + 24);
  if ( v14 )
  {
    if ( v14 != 1 )
      _ghdl_program_error("hello.vhdl", 10LL, 6LL);
    _ghdl_program_error("hello.vhdl", 15LL, 6LL);
  }
  v13 = _ghdl_stack2_mark();
  v12 = (_QWORD *)(a1 + 16);
  v5[0] = *(_QWORD *)(a1 + 16);
  v11 = "Hello world!";
  v4[0] = (__int64)"Hello world!";
  v4[1] = (__int64)&unk_C71B8;
  v5[1] = (__int64)v4;
  v6 = 0;
  v10 = 0;
  v7 = 0;
  std__textio__writeO7(v5);
  *v12 = v5[0];
  _ghdl_stack2_release(v13);
  v9 = _ghdl_stack2_mark();
  v2 = std__textio__output;
  v8 = (_QWORD *)(a1 + 16);
  v3 = *(_QWORD *)(a1 + 16);
  std__textio__writeline(&v2);
  *v8 = v3;
  _ghdl_stack2_release(v9);
  _ghdl_process_wait_exit();
  result = a1;
  *(_DWORD *)(a1 + 24) = 1;
  return result;
}

就是主程序逻辑了。

不过我个人觉得_ghdl_process_register这里应该不是立刻执行的，而是初始化寄存器，得到函数指针啥的，然后到后面grt_main__run_simul这样的函数再去执行。

由于这个例子太简单，并不能展现出核心函数的什么具体特征，但是用于分析程序启动流程倒是可以的。

源码解读

`Ghdl_Process_Register`

在src/grt/grt-processes.ads中发现

--  Register a process during elaboration.
--  This procedure is called by vhdl elaboration code.
procedure Ghdl_Process_Register (Instance : Instance_Acc;
                                 Proc : Proc_Acc;
                                 Ctxt : Ghdl_Rti_Access;
                                 Addr : System.Address);

对应了_ghdl_process_register函数。

第二个参数就是程序地址。

`Ghdl_Stack2_`

同样在grt-processes.ads和grt-processes.adb中有

_ghdl_stack2_mark和_ghdl_stack2_release函数的定义。

function Ghdl_Stack2_Mark return Mark_Id
is
   Proc : constant Process_Acc := Get_Current_Process;
   St2 : Stack2_Ptr;
begin
   St2 := Proc.Stack2;
   --  Check that stack2 has been created.  This check is done only here,
   --  because Mark is called before Release (obviously) but also before
   --  Allocate.
   if St2 = Null_Stack2_Ptr then
      if Proc.State = State_Sensitized then
         --  Sensitized processes share the stack2, as the stack2 is empty
         --  when sensitized processes suspend.
         St2 := Get_Common_Stack2;
      else
         St2 := Grt.Stack2.Create;
      end if;
      Proc.Stack2 := St2;
   end if;
   return Grt.Stack2.Mark (St2);
end Ghdl_Stack2_Mark;

procedure Ghdl_Stack2_Release (Mark : Mark_Id)
is
   Proc : constant Process_Acc := Get_Current_Process;
begin
   Grt.Stack2.Release (Proc.Stack2, Mark);
end Ghdl_Stack2_Release;

和IDA中

__int64 _ghdl_stack2_mark()
{
  __int64 current_process; // [rsp+0h] [rbp-10h]
  __int64 common_stack2; // [rsp+8h] [rbp-8h]

  current_process = grt__unithread__get_current_process();
  if ( !current_process )
    _gnat_last_chance_handler("grt-processes.adb", 307LL);
  common_stack2 = *(_QWORD *)(current_process + 24);
  if ( !common_stack2 )
  {
    if ( *(_BYTE *)(current_process + 18) )
      common_stack2 = grt__stack2__create();
    else
      common_stack2 = grt__unithread__get_common_stack2();
    *(_QWORD *)(current_process + 24) = common_stack2;
  }
  return grt__stack2__mark(common_stack2);
}

一致。

这个函数的作用大致就是分配栈空间的。具体作用不需要知道，只需要了解这个函数存在于一段主核心逻辑的开头和结尾，是一个特征函数。

`heartbeat.vhdl`

上面的hello.vhdl证明了ghdl可以被用作通用编程语言。第二个例子则更接近实际硬件编程。

library ieee;
use ieee.std_logic_1164.all;

entity heartbeat is
  port ( clk: out std_logic);
end heartbeat;

architecture behaviour of heartbeat
is
  constant clk_period : time := 10 ns;
begin
  -- Clock process definition
  clk_process: process
  begin
    clk <= '0';
    wait for clk_period/2;
    clk <= '1';
    wait for clk_period/2;
  end process;
end behaviour;

这个程序并没有调用write，writeline函数，所以没有一般的控制台输出。相反的，它是输出0-1波形的。

保存波形文件，通过

1	./ghdl -r heartbeat --wave=wave.ghw

获取ghw相关信息：

1	./ghwdump [-OPTION] wave.ghw

不过这道程序由于没法自动退出，手动强制退出可能使得生成的wave.ghw文件也有问题，会导致ghwdump出现SIGABRT异常退出。

还有gtkwave，在Ubuntu18.04上面可以直接sudo apt install gtkwave来安装。不过由于需要图形界面，需要使用VMWare虚拟机或者WSL2+图形界面插件来使用。

逆向

日常操作，很快发现主函数：

__int64 __fastcall work__heartbeat__ARCH__behaviour__clk_process__PROC(__int64 a1)
{
  __int64 result; // rax
  _BYTE *v2; // [rsp+20h] [rbp-20h]
  _BYTE *v3; // [rsp+30h] [rbp-10h]
  bool v4; // [rsp+3Ah] [rbp-6h]
  bool v5; // [rsp+3Bh] [rbp-5h]
  int i; // [rsp+3Ch] [rbp-4h]

  for ( i = *(_DWORD *)(a1 + 40); i != 1; i = 0 )
  {
    if ( !i )
    {
      v3 = *(_BYTE **)(a1 + 16);
      *(_BYTE *)(a1 + 44) = 2;
      if ( v3[42] )
        v5 = 1;
      else
        v5 = *v3 != *(_BYTE *)(a1 + 44);
      if ( v5 )
        _ghdl_signal_direct_assign(v3);
      _ghdl_process_wait_timeout(*(_QWORD *)(a1 + 32) / 2LL, "heartbeat.vhdl", 16LL);
      result = a1;
      *(_DWORD *)(a1 + 40) = 1;
      return result;
    }
    if ( i != 2 )
      _ghdl_program_error("heartbeat.vhdl", 13LL, 6LL);
  }
  v2 = *(_BYTE **)(a1 + 16);
  *(_BYTE *)(a1 + 44) = 3;
  if ( v2[42] )
    v4 = 1;
  else
    v4 = *v2 != *(_BYTE *)(a1 + 44);
  if ( v4 )
    _ghdl_signal_direct_assign(v2);
  _ghdl_process_wait_timeout(*(_QWORD *)(a1 + 32) / 2LL, "heartbeat.vhdl", 18LL);
  result = a1;
  *(_DWORD *)(a1 + 40) = 2;
  return result;
}

`_ghdl_process_wait_timeout`

在grt-processed.adb中

--  Return TRUE if woken up by a timeout.
function Ghdl_Process_Wait_Timed_Out return Boolean
is
    Proc : constant Process_Acc := Get_Current_Process;
begin
    -- Note: in case of timeout, the timeout is removed when process is
    -- woken up.
    return Proc.State = State_Timeout;
end Ghdl_Process_Wait_Timed_Out;

这个对应vhdl中的wait for关键词。

`_ghdl_signal_direct_assign`

在grt/grt-signals.adb中

   --  Assigning a waveform to a signal:
   --
   --  For simple waveform (sig <= val), the short form can be used:
   --    Ghdl_Signal_Simple_Assign_XX (Sig, Val);
   --  For all other forms
   --  SIG <= reject R inertial V1 after T1, V2 after T2, ...:
   --    Ghdl_Signal_Start_Assign_XX (SIG, R, V1, T1);
   --    Ghdl_Signal_Next_Assign_XX (SIG, V2, T2);
   --    ...
   --  If the delay mechanism is transport, they R = 0,
   --  if there is no rejection time, the mechanism is internal and R = T1.

   --  Performs some internal checks on signals (transaction order).
   --  Internal_error is called in case of error.


procedure Ghdl_Signal_Direct_Assign (Sign : Ghdl_Signal_Ptr) is
begin
    Insert_Active_Chain (Sign);

    --  Must be always set (as Sign.Link may be set by a regular driver).
    Sign.Flags.Is_Direct_Active := True;
end Ghdl_Signal_Direct_Assign;

这个就是输出信号。

传参结构体逆向

可以发现这个函数在很多地方用了a1的值。猜测a1是一个很重要的结构体，但无奈这个函数似乎是编译器生成的，且我不了解Ada编程语言的定义习惯。

不过交叉引用，向上查找能直接查到的库函数中对此a1的应用，有助于分析。

向上查到这里，发现(A *)_ghdl_malloc0(48LL);，可以得知此结构体大小为48字节，即6个QWORD。

__int64 _ghdl_ELABORATE()
{
  _BYTE *v1; // [rsp+8h] [rbp-18h]
  A *vm; // [rsp+10h] [rbp-10h]

  vm = (A *)_ghdl_malloc0(48LL);
  vm->field_8 = 0LL;
  _ghdl_rti_add_top(2LL, &_ghdl_top_RTIARRAY, &work__heartbeat__ARCH__behaviour__RTI, vm);
  _ghdl_rti_add_package(&std__standard__RTI);
  work__heartbeat__PKG_ELAB();
  _ghdl_init_top_generics();
  vm->field_18 = _ghdl_malloc0(1LL);
  _ghdl_signal_name_rti(&work__heartbeat__clk__RTI, &work__heartbeat__RTI, vm);
  v1 = (_BYTE *)vm->field_18;
  *v1 = 0;
  vm->field_10 = _ghdl_create_signal_e8(v1, ieee__std_logic_1164__resolved_RESOLV, 0LL);
  work__heartbeat__ARCH__behaviour__DECL_ELAB(vm);
  work__heartbeat__ARCH__behaviour__STMT_ELAB(vm);
  return work__heartbeat__ARCH__behaviour__DEFAULT_CONFIG(vm);
}

field_18=Ghdl_Value_Ptr（QWORD）

field_10=Ghdl_Signal_Ptr（QWORD）

function Ghdl_Create_Signal_E8 (Val_Ptr : Ghdl_Value_Ptr;
                                Resolv_Func : Resolver_Acc;
                                Resolv_Inst : System.Address)
                               return Ghdl_Signal_Ptr is

1
2
3

v1 = (_BYTE *)vm->field_18;
*v1 = 0;
vm->field_10 = _ghdl_create_signal_e8(v1, ieee__std_logic_1164__resolved_RESOLV, 0LL);

__int64 __fastcall work__heartbeat__DECL_ELAB(A *a1)
{
  return _ghdl_signal_merge_rti(a1->Ghdl_Signal_Ptr, &work__heartbeat__clk__RTI);
}

1 2	procedure Ghdl_Signal_Merge_Rti (Sig : Ghdl_Signal_Ptr; Rti : Ghdl_Rti_Access)

field_2C=Value（BYTE）

A *__fastcall work__heartbeat__ARCH__behaviour__STMT_ELAB(A *a1)
{
  A *result; // rax

  work__heartbeat__STMT_ELAB(a1);
  _ghdl_process_register(
    a1,
    work__heartbeat__ARCH__behaviour__clk_process__PROC,
    &work__heartbeat__ARCH__behaviour__clk_process__RTI,
    &a1->field_28);
  a1->field_2C = 0;
  _ghdl_signal_add_direct_driver(a1->Ghdl_Signal_Ptr, &a1->field_2C);
  result = a1;
  a1->field_28 = 0;
  return result;
}

1 2	procedure Ghdl_Signal_Add_Direct_Driver (Sign : Ghdl_Signal_Ptr; Drv : Ghdl_Value_Ptr)

field_28=System（DWORD）

A *__fastcall work__heartbeat__ARCH__behaviour__STMT_ELAB(A *a1)
{
  A *result; // rax

  work__heartbeat__STMT_ELAB(a1);
  _ghdl_process_register(
    a1,
    work__heartbeat__ARCH__behaviour__clk_process__PROC,
    &work__heartbeat__ARCH__behaviour__clk_process__RTI,
    &a1->System);
  a1->Value = 0;
  _ghdl_signal_add_direct_driver((__int64)a1->Ghdl_Signal_Ptr, (__int64)&a1->Value);
  result = a1;
  a1->System = 0;
  return result;
}

procedure Ghdl_Process_Register
  (Instance : Instance_Acc;
   Proc : Proc_Acc;
   Ctxt : Ghdl_Rti_Access;
   Addr : System.Address)

field_0=__ARCH__behaviour__RTI（QWORD*）

field_20=10000000（QWORD）

A *__fastcall work__heartbeat__ARCH__behaviour__DECL_ELAB(A *a1)
{
  A *result; // rax

  a1->field_0 = (__int64)&work__heartbeat__ARCH__behaviour__RTI;
  work__heartbeat__DECL_ELAB(a1);
  result = a1;
  a1->field_20 = 10000000LL;
  return result;
}

这个__DECL_ELAB函数和__STMT_ELAB函数都在_ghdl_ELABORATE函数中。

根据交叉引用发现，这个field_20应该就是源码中定义的clk_period常量。

可以合理推测，DECL_ELAB函数是用于初始化常量变量的，而STMT_ELAB则是存储了执行逻辑

恢复后

00000000 A               struc ; (sizeof=0x30, mappedto_33)
00000000 __ARCH__behaviour__RTI dq ?             ; base 2
00000008 field_8         dq ?
00000010 Ghdl_Signal_Ptr dq ?                    ; offset
00000018 Ghdl_Value_Ptr  dq ?                    ; offset
00000020 clk_period      dq ?
00000028 System          dd ?
0000002C Value           db ?
0000002D field_2D        db ?
0000002E field_2E        db ?
0000002F field_2F        db ?
00000030 A               ends
00000030

A *__fastcall work__heartbeat__ARCH__behaviour__clk_process__PROC(A *vm)
{
  A *result; // rax
  _BYTE *v2; // [rsp+20h] [rbp-20h]
  _BYTE *Ghdl_Signal_Ptr; // [rsp+30h] [rbp-10h]
  bool v4; // [rsp+3Ah] [rbp-6h]
  bool v5; // [rsp+3Bh] [rbp-5h]
  int i; // [rsp+3Ch] [rbp-4h]

  for ( i = vm->System; i != 1; i = 0 )
  {
    if ( !i )
    {
      Ghdl_Signal_Ptr = vm->Ghdl_Signal_Ptr;
      vm->Value = 2;
      if ( Ghdl_Signal_Ptr[42] )
        v5 = 1;
      else
        v5 = *Ghdl_Signal_Ptr != vm->Value;
      if ( v5 )
        _ghdl_signal_direct_assign(Ghdl_Signal_Ptr);
      _ghdl_process_wait_timeout(vm->clk_period / 2, "heartbeat.vhdl", 16LL);
      result = vm;
      vm->System = 1;
      return result;
    }
    if ( i != 2 )
      _ghdl_program_error("heartbeat.vhdl", 13LL, 6LL);
  }
  v2 = vm->Ghdl_Signal_Ptr;
  vm->Value = 3;
  if ( v2[42] )
    v4 = 1;
  else
    v4 = *v2 != vm->Value;
  if ( v4 )
    _ghdl_signal_direct_assign(v2);
  _ghdl_process_wait_timeout(vm->clk_period / 2, "heartbeat.vhdl", 18LL);
  result = vm;
  vm->System = 2;
  return result;
}

不过那个Ghdl_Signal_Ptr暂时不管了，大抵指向了一个Signal结构体，然后又要我去分析Create_Signal函数，太过麻烦。

`adder.vhdl`

entity adder is
  -- `i0`, `i1`, and the carry-in `ci` are inputs of the adder.
  -- `s` is the sum output, `co` is the carry-out.
  port (i0, i1 : in bit; ci : in bit; s : out bit; co : out bit);
end adder;

architecture rtl of adder is
begin
  --  This full-adder architecture contains two concurrent assignments.
  --  Compute the sum.
  s <= i0 xor i1 xor ci;
  --  Compute the carry.
  co <= (i0 and i1) or (i0 and ci) or (i1 and ci);
end rtl;

数电里面这种玩意学的老会了，就是个全加器的vhdl描述。

__int64 _ghdl_ELABORATE()
{
  _BYTE *v1; // [rsp+8h] [rbp-38h]
  _BYTE *v2; // [rsp+10h] [rbp-30h]
  _BYTE *v3; // [rsp+18h] [rbp-28h]
  _BYTE *v4; // [rsp+20h] [rbp-20h]
  _BYTE *v5; // [rsp+28h] [rbp-18h]
  _QWORD *v6; // [rsp+30h] [rbp-10h]

  v6 = (_QWORD *)_ghdl_malloc0(104LL);
  v6[1] = 0LL;
  _ghdl_rti_add_top(1LL, &_ghdl_top_RTIARRAY, &work__adder__ARCH__rtl__RTI, v6);
  _ghdl_rti_add_package(&std__standard__RTI);
  work__adder__PKG_ELAB();
  _ghdl_init_top_generics();
  v6[3] = _ghdl_malloc0(1LL);
  _ghdl_signal_name_rti(&work__adder__i0__RTI, &work__adder__RTI, v6);
  v5 = (_BYTE *)v6[3];
  *v5 = 0;
  v6[2] = _ghdl_create_signal_b1(v5, 0LL, 0LL);
  v6[5] = _ghdl_malloc0(1LL);
  _ghdl_signal_name_rti(&work__adder__i1__RTI, &work__adder__RTI, v6);
  v4 = (_BYTE *)v6[5];
  *v4 = 0;
  v6[4] = _ghdl_create_signal_b1(v4, 0LL, 0LL);
  v6[7] = _ghdl_malloc0(1LL);
  _ghdl_signal_name_rti(&work__adder__ci__RTI, &work__adder__RTI, v6);
  v3 = (_BYTE *)v6[7];
  *v3 = 0;
  v6[6] = _ghdl_create_signal_b1(v3, 0LL, 0LL);
  v6[9] = _ghdl_malloc0(1LL);
  _ghdl_signal_name_rti(&work__adder__s__RTI, &work__adder__RTI, v6);
  v2 = (_BYTE *)v6[9];
  *v2 = 0;
  v6[8] = _ghdl_create_signal_b1(v2, 0LL, 0LL);
  v6[11] = _ghdl_malloc0(1LL);
  _ghdl_signal_name_rti(&work__adder__co__RTI, &work__adder__RTI, v6);
  v1 = (_BYTE *)v6[11];
  *v1 = 0;
  v6[10] = _ghdl_create_signal_b1(v1, 0LL, 0LL);
  work__adder__ARCH__rtl__DECL_ELAB(v6);
  work__adder__ARCH__rtl__STMT_ELAB((__int64)v6);
  return work__adder__ARCH__rtl__DEFAULT_CONFIG(v6);
}

可以发现不同的程序，传参结构体组成也不一样。得具体问题具体分析。

--  Creating a signal:
--  1a) call Ghdl_Signal_Name_Rti (CTXT and ADDR are unused) to register
--      the RTI for the whole signal (in particular the mode and the
--      has_active flag)
--  or
--  1b) call Ghdl_Signal_Set_Mode to register the mode and the has_active
--      flag.  In that case, the signal has no name.
--
--  2) call Ghdl_Create_Signal_XXX for each non-composite element

procedure Ghdl_Signal_Name_Rti (Sig : Ghdl_Rti_Access;
                                   Ctxt : Ghdl_Rti_Access;
                                   Addr : Address)

关于RTI

Run Time Information (RTI) — GHDL 3.0.0-dev documentation

anyway，Ghdl_Signal_Name_Rti的第一个参数是一个Signal，正是在脚本定义的那几个变量（输出用的）。

1	port (i0, i1 : in bit; ci : in bit; s : out bit; co : out bit);

__int64 __fastcall work__adder__DECL_ELAB(_QWORD *a1)
{
  _ghdl_signal_merge_rti(a1[2], &work__adder__i0__RTI);
  _ghdl_signal_merge_rti(a1[4], &work__adder__i1__RTI);
  _ghdl_signal_merge_rti(a1[6], &work__adder__ci__RTI);
  _ghdl_signal_merge_rti(a1[8], &work__adder__s__RTI);
  return _ghdl_signal_merge_rti(a1[10], &work__adder__co__RTI);
}

没啥用。

恢复

草率的恢复了一下结构体

00000000 A               struc ; (sizeof=0x68, mappedto_33)
00000000 RTI             dq ?
00000008 field_8         dq ?
00000010 Signal_Ptr      dq ?
00000018 Value_Ptr       dq ?                    ; offset
00000020 Signal_Ptr2     dq ?
00000028 Value_Ptr2      dq ?
00000030 Signal_Ptr3     dq ?
00000038 Value_Ptr3      dq ?
00000040 Signal_Ptr4     dq ?
00000048 Value_Ptr4      dq ?
00000050 Signal_Ptr5     dq ?
00000058 Value_Ptr5      dq ?
00000060 System          db ?
00000061 System2         db ?
00000062 field_62        db ?
00000063 field_63        db ?
00000064 field_64        db ?
00000065 field_65        db ?
00000066 field_66        db ?
00000067 field_67        db ?
00000068 A               ends

其中

1 2	Value_Ptr Signal_Ptr

对应一个声明的从port输出的值，一次是i0，i1，ci，s，co。

__int64 __fastcall work__adder__ARCH__rtl__STMT_ELAB(A *a1)
{
  work__adder__STMT_ELAB(a1);
  _ghdl_sensitized_process_register(a1, work__adder__ARCH__rtl__P0__PROC, &work__adder__ARCH__rtl__P0__RTI, &a1->System);
  a1->System = 0;
  _ghdl_signal_add_direct_driver(a1->Signal_Ptr4, &a1->System);
  _ghdl_process_add_sensitivity(a1->Signal_Ptr);
  _ghdl_process_add_sensitivity(a1->Signal_Ptr2);
  _ghdl_process_add_sensitivity(a1->Signal_Ptr3);
  _ghdl_sensitized_process_register(
    a1,
    work__adder__ARCH__rtl__P1__PROC,
    &work__adder__ARCH__rtl__P1__RTI,
    &a1->System2);
  a1->System2 = 0;
  _ghdl_signal_add_direct_driver(a1->Signal_Ptr5, &a1->System2);
  _ghdl_process_add_sensitivity(a1->Signal_Ptr);
  _ghdl_process_add_sensitivity(a1->Signal_Ptr2);
  return _ghdl_process_add_sensitivity(a1->Signal_Ptr3);
}

还是能从sensitized_process_register这样的函数找到主逻辑函数地址。

char __fastcall work__adder__ARCH__rtl__P0__PROC(A *a1)
{
  char result; // al
  _BYTE *Signal_Ptr4; // [rsp+20h] [rbp-10h]
  char v3; // [rsp+2Fh] [rbp-1h]

  Signal_Ptr4 = (_BYTE *)a1->Signal_Ptr4;
  a1->System = *(_BYTE *)a1->Value_Ptr3 ^ *(_BYTE *)a1->Value_Ptr2 ^ *a1->Value_Ptr;
  result = Signal_Ptr4[42];
  if ( result )
  {
    v3 = 1;
  }
  else
  {
    result = *Signal_Ptr4 != a1->System;
    v3 = result;
  }
  if ( v3 )
    return _ghdl_signal_direct_assign(Signal_Ptr4);
  return result;
}

这个对应的显然就是

1	s <= i0 xor i1 xor ci;

指令

char __fastcall work__adder__ARCH__rtl__P1__PROC(A *a1)
{
  char result; // al
  _BYTE *Signal_Ptr5; // [rsp+20h] [rbp-10h]
  char v3; // [rsp+2Ah] [rbp-6h]
  char v4; // [rsp+2Bh] [rbp-5h]
  char v5; // [rsp+2Ch] [rbp-4h]
  char v6; // [rsp+2Dh] [rbp-3h]
  char v7; // [rsp+2Eh] [rbp-2h]
  char v8; // [rsp+2Fh] [rbp-1h]

  v6 = *a1->Value_Ptr;
  if ( v6 )
    v6 = *(_BYTE *)a1->Value_Ptr2;
  v7 = v6;
  if ( !v6 )
  {
    v5 = *a1->Value_Ptr;
    if ( v5 )
      v5 = *(_BYTE *)a1->Value_Ptr3;
    v7 = v5;
  }
  v8 = v7;
  if ( !v7 )
  {
    v4 = *(_BYTE *)a1->Value_Ptr2;
    if ( v4 )
      v4 = *(_BYTE *)a1->Value_Ptr3;
    v8 = v4;
  }
  Signal_Ptr5 = (_BYTE *)a1->Signal_Ptr5;
  a1->System2 = v8;
  result = Signal_Ptr5[42];
  if ( result )
  {
    v3 = 1;
  }
  else
  {
    result = *Signal_Ptr5 != a1->System2;
    v3 = result;
  }
  if ( v3 )
    return _ghdl_signal_direct_assign(Signal_Ptr5);
  return result;
}

则是

1	co <= (i0 and i1) or (i0 and ci) or (i1 and ci);

所以说，结构体的恢复很重要。

TestBench

这个例子官方文档还有一个有关testbench编写流程。不讲了，这是数电开发知识。

Full adder module and testbench — GHDL 3.0.0-dev documentation

技巧总结

使用Bindiff可以恢复很多库函数，极大的帮助逆向过程。
学会恢复结构体
对应源码找库函数原型
有_process_register后缀的函数中可能有核心函数地址指针

CTF例题

前面几个的逆向流程其实并不是我一开始打算的东西。可能因为都是这几个官方的例子都是线性流程的，并没有体现CTF题目中的那种想要的结果。

`SUS_CTF2022——hello_world`

基于ghdl的Windows程序逆向。

一开始我是通过在程序scanf的时候中断，然后往上溯源慢慢找到核心代码段的。

经过今天的总结，得知了更快速更轻松的手法。

首先能Bindiff的最好先整一下，设置可信度0.9，多几个已知库函数能大大加速过程。

_start函数是Mingw典型的编译器胶水函数，anyway我们找到main函数的位置

（以下重要函数皆已重命名，或者是Bindiff辅助的）

__int64 __fastcall sub_7FF7BAD6A570(unsigned int a1, __int64 *a2)
{
  sub_7FF7BADF1F60();
  return ghdl_main(a1, a2);
}

__int64 __fastcall ghdl_main(unsigned int a1, __int64 *a2)
{
  __int64 v4; // [rsp+28h] [rbp-8h]

  v4 = 0i64;
  grt_init();
  if ( a1 != 0 || a2 != 0i64 )
  {
    if ( !a2 )
      abort_0();
    v4 = *a2;
  }
  sub_7FF7BAD69ACA(v4, a1, a2);
  grt__main__run();
  return (unsigned int)dword_7FF7BADFC274;
}

__int64 grt__main__run()
{
  __int64 result; // rax
  unsigned int v1; // [rsp+28h] [rbp-8h]

  result = (unsigned __int8)grt_main_elab() ^ 1u;
  if ( (_BYTE)result )
    return result;
  v1 = grt__main__run_simul();
  return grt__main__run_finish(v1);
}

进入grt_main_elab

__int64 grt_main_elab()
{
  __int64 v0; // rax
  __int64 v2[3]; // [rsp+20h] [rbp-20h] BYREF

  v0 = sub_7FF7BAD6A32D();
  grt__errors__set_error_stream(v0);
  sub_7FF7BAD83CA0();
  if ( (unsigned __int8)sub_7FF7BAD76688() )
    return 0i64;
  grt__main__check_flag_string();
  grt__hooks__call_init_hooks();
  sub_7FF7BAD4E26C();
  sub_7FF7BAD63DCC();
  if ( byte_7FF7BADFC2A3 )
    sub_7FF7BAD80E86();
  if ( (int)_ghdl_run_through_longjump(grt__main__ghdl_elaborate_wrapper) >= 0 )
    return 1i64;
  v2[0] = (__int64)&unk_7FF7BAE083C8;
  v2[1] = (__int64)&unk_7FF7BAE083E0;
  grt__errors__error(v2);
  return 1i64;
}

_ghdl_run_through_longjump(grt__main__ghdl_elaborate_wrapper)很经典，传入的是个函数地址。

__int64 ghdl_elaborate()
{
  __int64 v0; // rsi

  v0 = rhs_ghdl_malloc(408i64);
  *(_QWORD *)(v0 + 8) = 0i64;
  rhs_ghdl_rti_add_top(4i64, &ghdl_top_RTIARRAY, &ARCH__behaviour__RTI, v0);
  _ghdl_rti_add_package(&std__standard__RTI);
  work__hello_world__PKG_ELAB_0();
  ghdl_init_top_generics();
  _ARCH__behaviour__DECL_ELAB(v0);
  _ARCH__behaviour__STMT_ELAB(v0);
  return _ARCH__behaviour__DEFAULT_CONFIG(v0);
}

这个函数直接照着其他上面的例子改就行了。（这个函数是直接对着hello_world的ELABORATE函数重命名的）

若是用了port定义硬件波形输出，那么这个函数应该会有很多的 _ghdl_signal_name_rti函数被应用到。但是没有，和hello.vhdl一样，所以是应该就是当成一般通用语言来用了。

v0就是要恢复的结构体。但是这个题目里面太庞大了，懒得搞。

__int64 __fastcall _ARCH__behaviour__STMT_ELAB(__int64 a1)
{
  __int64 v2; // rbx
  __int64 v3; // rbx
  __int64 result; // rax

  nullsub_4();
  sensitized_process_register(a1, MainLoop, &unk_7FF7BAE05E20, a1 + 344);
  *(_QWORD *)(a1 + 344) = 0i64;
  *(_QWORD *)(a1 + 352) = 0i64;
  *(_QWORD *)(a1 + 360) = 0i64;
  *(_BYTE *)(a1 + 368) = 0;
  *(_QWORD *)(a1 + 372) = 0x8000000080000000ui64;
  memmove_0((void *)(a1 + 392), (const void *)(a1 + 80), 8ui64);
  v2 = 0i64;
  do
  {
    _ghdl_signal_add_direct_driver(*(_QWORD *)(a1 + 392 + 8 * v2 - 376), a1 + 392 + v2);
    ++v2;
  }
  while ( (unsigned int)v2 <= 7 );
  memmove_0((void *)(a1 + 400), (const void *)(a1 + 152), 8ui64);
  v3 = 0i64;
  do
  {
    result = _ghdl_signal_add_direct_driver(*(_QWORD *)(a1 + 400 + 8 * v3 - 312), a1 + 400 + v3);
    ++v3;
  }
  while ( (unsigned int)v3 <= 7 );
  *(_DWORD *)(a1 + 380) = 0;
  return result;
}

_register后缀函数，第二个是主核心函数。重命名为MainLoop

__int64 __fastcall MainLoop(vm *vm)
{
  int next; // ebp
  _BYTE *v3; // r12
  __int64 v4; // r14
  unsigned int v5; // ebp
  int v6; // ebp
  char v7; // bl
  __int64 v8; // rdi
  __int64 result; // rax
  __int64 v10; // rdi
  __int64 v11; // rdi
  __int64 v12; // rdi
  __int64 v13; // rdi
  __int64 v14; // rdi
  __int64 v15; // rdi
  __int64 v16; // rax
  __int64 v17; // rdi
  __int64 v18; // rdi
  int v19; // ebx
  __int64 v20; // rdi
  unsigned int v21; // ebx
  int tmp; // ebx
  __int64 v23; // rbx
  __int64 i; // rbp
  _BYTE *v25; // rcx
  bool v26; // al
  _BYTE *locArr; // rbx
  __int64 j; // rbp
  _BYTE *v29; // rcx
  bool v30; // al
  __int64 v31; // rdi
  int v32[2]; // [rsp+28h] [rbp-1F0h] BYREF
  char v33; // [rsp+30h] [rbp-1E8h]
  int v34; // [rsp+34h] [rbp-1E4h]
  int v35[2]; // [rsp+38h] [rbp-1E0h] BYREF
  char v36; // [rsp+40h] [rbp-1D8h]
  int v37; // [rsp+44h] [rbp-1D4h]
  int v38[2]; // [rsp+48h] [rbp-1D0h] BYREF
  char v39; // [rsp+50h] [rbp-1C8h]
  int v40; // [rsp+54h] [rbp-1C4h]
  _QWORD *v41; // [rsp+58h] [rbp-1C0h] BYREF
  char v42; // [rsp+60h] [rbp-1B8h]
  int v43; // [rsp+68h] [rbp-1B0h] BYREF
  __int64 v44; // [rsp+70h] [rbp-1A8h]
  __int64 v45[2]; // [rsp+78h] [rbp-1A0h] BYREF
  char v46; // [rsp+88h] [rbp-190h]
  int v47; // [rsp+8Ch] [rbp-18Ch]
  int v48; // [rsp+90h] [rbp-188h] BYREF
  __int64 v49; // [rsp+98h] [rbp-180h]
  __int64 v50[2]; // [rsp+A0h] [rbp-178h] BYREF
  char v51; // [rsp+B0h] [rbp-168h]
  int v52; // [rsp+B4h] [rbp-164h]
  _BYTE *ret2; // [rsp+B8h] [rbp-160h]
  int *v54; // [rsp+C0h] [rbp-158h]
  __int64 v55; // [rsp+C8h] [rbp-150h]
  int *v56; // [rsp+D0h] [rbp-148h]
  int v57; // [rsp+D8h] [rbp-140h] BYREF
  __int64 v58; // [rsp+E0h] [rbp-138h]
  __int64 v59[2]; // [rsp+E8h] [rbp-130h] BYREF
  char v60; // [rsp+F8h] [rbp-120h]
  int v61; // [rsp+FCh] [rbp-11Ch]
  int v62; // [rsp+100h] [rbp-118h] BYREF
  _QWORD *v63; // [rsp+108h] [rbp-110h]
  int v64; // [rsp+110h] [rbp-108h] BYREF
  __int64 v65; // [rsp+118h] [rbp-100h]
  __int64 v66[2]; // [rsp+120h] [rbp-F8h] BYREF
  char v67; // [rsp+130h] [rbp-E8h]
  int v68; // [rsp+134h] [rbp-E4h]
  __int64 v69[2]; // [rsp+138h] [rbp-E0h] BYREF
  __int64 v70[2]; // [rsp+148h] [rbp-D0h] BYREF
  __int64 v71[2]; // [rsp+158h] [rbp-C0h] BYREF
  __int64 v72; // [rsp+168h] [rbp-B0h] BYREF
  __int64 v73; // [rsp+170h] [rbp-A8h]
  __int64 v74[2]; // [rsp+178h] [rbp-A0h] BYREF
  _BYTE *ret; // [rsp+188h] [rbp-90h] BYREF
  __int64 v76; // [rsp+190h] [rbp-88h]
  __int64 v77; // [rsp+198h] [rbp-80h] BYREF
  __int64 v78; // [rsp+1A0h] [rbp-78h]
  __int64 v79[2]; // [rsp+1A8h] [rbp-70h] BYREF
  __int64 v80[3]; // [rsp+1B8h] [rbp-60h] BYREF
  str *v81; // [rsp+1D0h] [rbp-48h]

  next = *(_DWORD *)vm->gap17C;
  v3 = &vm->gap0[224];
  while ( 1 )
  {
    switch ( next )
    {
      case 0:
        vm->field_178 = 0;
        v8 = _ghdl_stack2_mark();
        v66[0] = *(_QWORD *)&vm->gap160[8];
        v80[0] = (__int64)"Input Flag:";
        v80[1] = (__int64)&unk_7FF7BAE06148;
        v66[1] = (__int64)v80;
        v67 = 0;
        v68 = 0;
        sub_7FF7BAD17FD0(v66);
        *(_QWORD *)&vm->gap160[8] = v66[0];
        sub_7FF7BAD4EBD4(v8);
        result = _ghdl_process_wait_timeout(1000000i64, "hello.vhdl", 34i64);
        *(_DWORD *)vm->gap17C = 1;
        return result;
      case 1:
        v10 = _ghdl_stack2_mark();
        v64 = dword_7FF7BAE28064;
        v65 = *(_QWORD *)&vm->gap160[8];
        sub_7FF7BAD17670(&v64);
        *(_QWORD *)&vm->gap160[8] = v65;
        sub_7FF7BAD4EBD4(v10);
        sub_7FF7BAD65A38((unsigned int)dword_7FF7BAE28064);
        result = _ghdl_process_wait_timeout(1000000i64, "hello.vhdl", 37i64);
        *(_DWORD *)vm->gap17C = 2;
        return result;
      case 2:
        v11 = _ghdl_stack2_mark();
        v62 = dword_7FF7BAE28060;
        v63 = vm->field_158;
        getinput((unsigned int *)&v62);
        vm->field_158 = v63;
        sub_7FF7BAD4EBD4(v11);
        result = _ghdl_process_wait_timeout(1000000i64, "hello.vhdl", 39i64);
        *(_DWORD *)vm->gap17C = 3;
        return result;
      case 3:
        v81 = (str *)vm->field_158;
        v80[2] = (__int64)v81->s;
        next = 5;
        if ( HIDWORD(v81->unk) >= 0x2Cui64 )
          next = 4;
        continue;
      case 4:
        *(_QWORD *)&vm->index = 0x2C00000001i64;
        next = 9;
        continue;
      case 5:
        v12 = _ghdl_stack2_mark();
        v59[0] = *(_QWORD *)vm->gap160;
        v79[0] = (__int64)"Wrong!";
        v79[1] = (__int64)&unk_7FF7BAE06178;
        v59[1] = (__int64)v79;
        v60 = 0;
        v61 = 0;
        sub_7FF7BAD17FD0(v59);
        *(_QWORD *)vm->gap160 = v59[0];
        sub_7FF7BAD4EBD4(v12);
        v13 = _ghdl_stack2_mark();
        v57 = dword_7FF7BAE28064;
        v58 = *(_QWORD *)vm->gap160;
        sub_7FF7BAD17670(&v57);
        *(_QWORD *)vm->gap160 = v58;
        sub_7FF7BAD4EBD4(v13);
        result = _ghdl_process_wait_exit();
        *(_DWORD *)vm->gap17C = 6;
        return result;
      case 6:
        error2((__int64)"hello.vhdl", 0x2Bu, 6);
      case 7:
        next = 8;
        if ( vm->index != *(_DWORD *)vm->gap184 )
        {
          ++vm->index;
          next = 9;
        }
        continue;
      case 8:
        if ( vm->field_178 == 44 )
        {
          v14 = _ghdl_stack2_mark();
          v50[0] = *(_QWORD *)vm->gap160;
          v70[0] = (__int64)aC0rrect;
          v70[1] = (__int64)&unk_7FF7BAE06198;
          v50[1] = (__int64)v70;
          v51 = 0;
          v52 = 0;
          sub_7FF7BAD17FD0(v50);
          *(_QWORD *)vm->gap160 = v50[0];
          sub_7FF7BAD4EBD4(v14);
          v15 = _ghdl_stack2_mark();
          v48 = dword_7FF7BAE28064;
          v49 = *(_QWORD *)vm->gap160;
          sub_7FF7BAD17670(&v48);
          v16 = v49;
        }
        else
        {
          v31 = _ghdl_stack2_mark();
          v45[0] = *(_QWORD *)vm->gap160;
          v69[0] = (__int64)"Nah";
          v69[1] = (__int64)&unk_7FF7BAE061B8;
          v45[1] = (__int64)v69;
          v46 = 0;
          v47 = 0;
          sub_7FF7BAD17FD0(v45);
          *(_QWORD *)vm->gap160 = v45[0];
          sub_7FF7BAD4EBD4(v31);
          v15 = _ghdl_stack2_mark();
          v43 = dword_7FF7BAE28064;
          v44 = *(_QWORD *)vm->gap160;
          sub_7FF7BAD17670(&v43);
          v16 = v44;
        }
        *(_QWORD *)vm->gap160 = v16;
        sub_7FF7BAD4EBD4(v15);
        result = _ghdl_process_wait_exit();
        *(_DWORD *)vm->gap17C = 12;
        return result;
      case 9:
        v17 = _ghdl_stack2_mark();
        v41 = vm->field_158;
        v42 = 0;
        sub_7FF7BAD13F60(&v41);
        vm->field_158 = v41;
        vm->gap160[16] = v42;
        sub_7FF7BAD4EBD4(v17);
        *(_DWORD *)&vm->gap160[20] = (unsigned __int8)vm->gap160[16];
        v18 = _ghdl_stack2_mark();
        v19 = *(_DWORD *)&vm->gap160[20];
        if ( v19 < 0 )
          sub_7FF7BAD688D2("hello.vhdl", 48i64);
        GetBin(&v77, v19, 8u);
        v55 = v77;
        v56 = v38;
        v38[0] = *(_DWORD *)v78;
        v38[1] = *(_DWORD *)(v78 + 4);
        v39 = *(_BYTE *)(v78 + 8);
        v40 = *(_DWORD *)(v78 + 12);
        if ( v40 != 8 )
          sub_7FF7BAD688D2("hello.vhdl", 48i64);
        v23 = v55;
        for ( i = 0i64; (unsigned int)i <= 7; ++i )
        {
          v25 = *(_BYTE **)&vm->gap0[8 * i + 16];
          vm->gap184[i + 4] = *(_BYTE *)(v23 + i);
          v26 = 1;
          if ( !v25[42] )
            v26 = *v25 != vm->gap184[i + 4];
          if ( v26 )
            _ghdl_signal_direct_assign();
        }
        sub_7FF7BAD4EBD4(v18);
        result = _ghdl_process_wait_timeout(1000000i64, "hello.vhdl", 49i64);
        *(_DWORD *)vm->gap17C = 10;
        return result;
      case 10:
        v20 = _ghdl_stack2_mark();
        v21 = vm->index - 1;
        if ( v21 >= 0x2C )
          error((__int64)"hello.vhdl", 0x32u, v21, (__int64)&unk_7FF7BAE05C38);
        tmp = Enc[v21];
        if ( tmp < 0 )
          sub_7FF7BAD688D2("hello.vhdl", 50i64);
        GetBin(&ret, tmp, 8u);
        ret2 = ret;
        v54 = v35;
        v35[0] = *(_DWORD *)v76;
        v35[1] = *(_DWORD *)(v76 + 4);
        v36 = *(_BYTE *)(v76 + 8);
        v37 = *(_DWORD *)(v76 + 12);
        if ( v37 != 8 )
          sub_7FF7BAD688D2("hello.vhdl", 50i64);
        locArr = ret2;
        for ( j = 0i64; (unsigned int)j <= 7; ++j )
        {
          v29 = *(_BYTE **)&vm->gap0[8 * j + 88];
          vm->retEncStr[j] = locArr[j];
          v30 = 1;
          if ( !v29[42] )
            v30 = *v29 != vm->retEncStr[j];
          if ( v30 )
            _ghdl_signal_direct_assign();
        }
        sub_7FF7BAD4EBD4(v20);
        result = _ghdl_process_wait_timeout(1000000i64, "hello.vhdl", 51i64);
        *(_DWORD *)vm->gap17C = 11;
        return result;
      case 11:
        v74[0] = (__int64)v3;
        v74[1] = (__int64)&unk_7FF7BAE05AB8;
        v4 = _ghdl_stack2_mark();
        v5 = vm->index - 1;
        if ( v5 >= 0x2C )
          error((__int64)"hello.vhdl", 0x34u, v5, (__int64)&unk_7FF7BAE05B68);
        v6 = dword_7FF7BAE05B80[v5];
        if ( v6 < 0 )
          sub_7FF7BAD688D2("hello.vhdl", 52i64);
        GetBin(&v72, v6, 8u);
        v71[0] = v72;
        v71[1] = (__int64)v32;
        v32[0] = *(_DWORD *)v73;
        v32[1] = *(_DWORD *)(v73 + 4);
        v33 = *(_BYTE *)(v73 + 8);
        v34 = *(_DWORD *)(v73 + 12);
        v7 = sub_7FF7BAD19CC0(v74, v71);
        sub_7FF7BAD4EBD4(v4);
        next = 7;
        if ( (v7 & 1) != 0 )
          ++vm->field_178;
        break;
      case 12:
        error2((__int64)"hello.vhdl", 0x3Fu, 6);
      default:
        error2((__int64)"hello.vhdl", 0x15u, 6);
    }
  }
}

这一大块大概就是由于有分支的原因，而被ghdl编译成了switch-case类的迫真虚拟机形态。

而且每一个case基本都有很明显的_ghdl_stack2_mark()函数作为开头。

每一个case头部下个断点，便可以调试得知每一个块的流程。

注意到case 11有

1	v6 = dword_7FF7BAE05B80[v5];

case 10有

1	tmp = Enc[v21];

两个数组，直接异或就是flag。

由于核心加密过程过于简单，所以找到这两个数组就是赢。

当然如果有人慢慢调试，从输入开始慢慢看流程的话，偶尔可能会发现存在以2，3组成的8比特串。2对应0，3对应1，其实就代表了一个字节。如果是字符的话那就是个ASCII码。这玩意在2次CTF题目中都出现过。（就算不是ASCII码，稍微有点耐心，爆破出每个字符对应的比特串也是可以的）

总结

另一道题上学期做的了，不想找。一个例子足矣

找到核心函数其实是ghdl逆向中非常重要的一个环节。

本文作者： Taardis
本文链接： https://taardisaa.github.io/2022/03/04/ghdl reverse/
版权声明： 本博客所有文章除特别声明外，均采用 Apache License 2.0 许可协议。转载请注明出处！