
Thread: VM Crackme

  1. #1
    Kayaker (Teach, Not Flame)

    VM Crackme

    While walking my regular "what's new in the RE world?" beat I came across this. Haven't looked at it yet but thought it might be interesting...


    http://opcode0x90.wordpress.com/2007/06/21/my-second-crackme-this-time-a-vm-crackme/

    http://filexoom.com/files/2007/3/27/65350/crackme_nop_vm.zip


    (Last time I attached someone's stuff without asking I got shit, so for now I won't, but if it turns out to be good I'll attach the crackme to this thread for longevity)


    Kayaker

  2. #2
    blabberer (Super Moderator)
    Looks nice, but not very hard, at least not to the magnitude of one VM which I looked at for a few hours, viz. Oreans.

    Code:
    Log data
    Address    Message
    77E7F13A   CALL to WriteFile from nop_vm.004010BD
                 hFile = 00000007
                 Buffer = nop_vm.00401284
                 nBytesToWrite = 1
                 pBytesWritten = nop_vm.00403400
                 pOverlapped = NULL
    77E7F13A   Breakpoint at kernel32.WriteFile
               string [[esp+8]] = y Opcode0x90, 7 June 2007     -
    -----------------------------------------------------
    Have phun ! ;)
    
    
    Password pl0x: Y
    004010BD   Breakpoint at nop_vm.004010BD
    77E7F13A   CALL to WriteFile from nop_vm.004010BD
                 hFile = 00000007
                 Buffer = nop_vm.00401285
                 nBytesToWrite = 1
                 pBytesWritten = nop_vm.00403400
                 pOverlapped = NULL
    77E7F13A   Breakpoint at kernel32.WriteFile
               string [[esp+8]] =  Opcode0x90, 7 June 2007     -
    -----------------------------------------------------
    Have phun ! ;)
    
    
    Password pl0x: Y
    004010BD   Breakpoint at nop_vm.004010BD
    77E7F13A   CALL to WriteFile from nop_vm.004010BD
                 hFile = 00000007
                 Buffer = nop_vm.00401286
                 nBytesToWrite = 1
                 pBytesWritten = nop_vm.00403400
                 pOverlapped = NULL
    77E7F13A   Breakpoint at kernel32.WriteFile
               string [[esp+8]] = Opcode0x90, 7 June 2007     -
    -----------------------------------------------------
    Have phun ! ;)
    
    
    Password pl0x: Y
    004010BD   Breakpoint at nop_vm.004010BD
    77E7F13A   CALL to WriteFile from nop_vm.004010BD
                 hFile = 00000007
                 Buffer = nop_vm.00401287
                 nBytesToWrite = 1
                 pBytesWritten = nop_vm.00403400
                 pOverlapped = NULL
    77E7F13A   Breakpoint at kernel32.WriteFile
               string [[esp+8]] = pcode0x90, 7 June 2007     -
    -----------------------------------------------------
    Have phun ! ;)
    
    
    Password pl0x: Y
    004010BD   Breakpoint at nop_vm.004010BD
    
    Call stack of main thread
    Address    Stack      Procedure / arguments                 Called from                   Frame
    0012FCC0   77F762F3   Includes 7FFE0304                     ntdll.77F762F1                0012FCE0
    0012FCC4   77F561A5   ntdll.ZwRequestWaitReplyPort          ntdll.77F561A0                0012FCE0
    0012FCE4   77E92703   ntdll.CsrClientCallServer             kernel32.77E926FD             0012FCE0
    0012FDD4   77E92588   ? kernel32.77E925DB                   kernel32.ReadConsoleA+26      0012FDD0
    0012FE4C   77E92542   kernel32.ReadConsoleA                 kernel32.77E9253D             0012FE48
    0012FE50   00000003     hConsole = 00000003
    0012FE54   00403000     Buffer = nop_vm.00403000
    0012FE58   00000400     ToRead = 400 (1024.)
    0012FE5C   00403400     pRead = nop_vm.00403400
    0012FE60   00000000     pReserved = NULL
    
    00403000  68 65 6C 6C 6F 20 76 6D 20 62 61 62 79 20 68 6F  hello vm baby ho
    00403010  77 20 61 72 65 20 79 6F 75 20 68 6F 70 65 20 79  w are you hope y
    00403020  6F 75 20 61 72 65 20 65 61 73 79 20 0D 0A 00 00  ou are easy ....
    Well, this is the comparison, I think. Maybe not in one automated run, but it seems it's adding like this:

    Code:
    for (i = 0; i < strlen(string); i++)
    {
        const = leetcode;
        const = string[i].dword + const; i++;
    }

    Code:
    EBX=0A4F4CAB
    Stack DS:[0012FF50]=8B1C0A80
    Last edited by blabberer; July 2nd, 2007 at 12:58.

  3. #3
    Its VM identifies only a few instructions:

    75h FFh -> call a VWed Code

    97h AEh -> MOV Reg,Reg
    97h FFh -> MOV Reg,Imm

    59h AEh -> PUSH Reg
    59h FFh -> PUSH Imm

    E8h AEh -> CALL Reg (API calls)
    E8h FFh -> CALL Imm

    F6h AEh -> CMP Reg,Reg
    F6h FFh -> CMP Reg,Imm

    4Bh AEh -> JMP Reg
    4Bh FFh -> JMP Imm

    AEh AEh -> JZ Reg
    AEh FFh -> JZ Imm

    13h AEh -> JNZ Reg
    13h FFh -> JNZ Imm

    33h AEh -> MOV [Reg],Reg
    33h FFh -> MOV [Reg],Imm

    A1h AEh -> AND Reg, Reg
    A1h FFh -> AND Reg, Imm

    1Dh AEh -> ADD Reg, Reg
    1Dh FFh -> ADD Reg, Imm

    So simple that it is possible to rebuild the original instructions from the VMed code. Each VM instruction has the following format:

    OPCODE[2 bytes], instruction length[1 byte ], PARAMs[n bytes]

    example:

    75 FF 07 56 14 40 00    -> call Sub_401456
    A1 FF 08 1C 00 00 00 00 -> and eax, edi

    @blabberer: do you have any experience with VMProtect? any idea on recovering the original code.

    Regards
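    The instruction layout in the post above (a 2-byte opcode, a 1-byte total length, then the parameter bytes) is regular enough to decode with a short linear sweep. The script below is an added example and is not code from this thread, from opcode0x90, or from any solution attached here. Only the opcode table and the OPCODE/length/PARAMs layout come from the post; the "VMCALL" label for 75h FFh, the treatment of the four parameter bytes of the immediate-only forms (CALL/PUSH/JMP/JZ/JNZ Imm) as one little-endian dword, and the sample bytecode blob are assumptions made for illustration. Register encoding is not described in the post, so parameter bytes of the other forms are shown raw. The decoder bounds-checks every length byte and refuses unknown opcodes, which is the behaviour you want in any tool that consumes untrusted bytecode.

```python
# Added example, not code from the thread or from the crackme's author: a small
# decoder for the VM instruction layout described in post #3.  The opcode table
# and the OPCODE[2] / LENGTH[1] / PARAMS[n] layout are taken from that post; how
# the PARAMS bytes encode registers is not stated there, so they are shown raw.
import struct

# Opcode table as listed in the post: (first byte, second byte) -> mnemonic.
# Second byte 0xAE = register-operand form, 0xFF = immediate-operand form.
OPCODES = {
    (0x75, 0xFF): "VMCALL Imm",     # "call a VMed code"; the VMCALL label is ours
    (0x97, 0xAE): "MOV Reg,Reg",    (0x97, 0xFF): "MOV Reg,Imm",
    (0x59, 0xAE): "PUSH Reg",       (0x59, 0xFF): "PUSH Imm",
    (0xE8, 0xAE): "CALL Reg",       (0xE8, 0xFF): "CALL Imm",
    (0xF6, 0xAE): "CMP Reg,Reg",    (0xF6, 0xFF): "CMP Reg,Imm",
    (0x4B, 0xAE): "JMP Reg",        (0x4B, 0xFF): "JMP Imm",
    (0xAE, 0xAE): "JZ Reg",         (0xAE, 0xFF): "JZ Imm",
    (0x13, 0xAE): "JNZ Reg",        (0x13, 0xFF): "JNZ Imm",
    (0x33, 0xAE): "MOV [Reg],Reg",  (0x33, 0xFF): "MOV [Reg],Imm",
    (0xA1, 0xAE): "AND Reg,Reg",    (0xA1, 0xFF): "AND Reg,Imm",
    (0x1D, 0xAE): "ADD Reg,Reg",    (0x1D, 0xFF): "ADD Reg,Imm",
}

HEADER_LEN = 3  # two opcode bytes plus the one-byte total instruction length

# Assumption: for these single-operand immediate forms the 4 PARAMS bytes are one
# little-endian dword, as the post's "75 FF 07 56 14 40 00 -> call Sub_401456" shows.
DWORD_IMM_FORMS = {"VMCALL Imm", "CALL Imm", "PUSH Imm", "JMP Imm", "JZ Imm", "JNZ Imm"}


def decode_one(code, pos):
    """Decode the instruction at code[pos]; return (next_pos, text).

    Raises ValueError instead of reading past the buffer or trusting an
    unknown opcode, so a malformed bytecode blob cannot derail the decoder.
    """
    if pos + HEADER_LEN > len(code):
        raise ValueError(f"truncated header at offset {pos:#x}")
    op = (code[pos], code[pos + 1])
    length = code[pos + 2]
    if length < HEADER_LEN or pos + length > len(code):
        raise ValueError(f"bad length {length} at offset {pos:#x}")
    mnemonic = OPCODES.get(op)
    if mnemonic is None:
        raise ValueError(f"unknown opcode {op[0]:02X} {op[1]:02X} at offset {pos:#x}")
    params = code[pos + HEADER_LEN:pos + length]
    if mnemonic in DWORD_IMM_FORMS and len(params) == 4:
        imm = struct.unpack("<I", params)[0]
        text = f"{mnemonic.split()[0]} {imm:08X}"
    else:
        # Register encoding is unknown, so show the parameter bytes as-is.
        text = f"{mnemonic}  ; params={params.hex(' ').upper()}"
    return pos + length, text


def decode_all(code):
    """Linear sweep over the whole blob; returns [(offset, text), ...]."""
    out, pos = [], 0
    while pos < len(code):
        start = pos
        pos, text = decode_one(code, pos)
        out.append((start, text))
    return out


def is_well_formed(code):
    """True if the blob decodes cleanly all the way to its end."""
    try:
        decode_all(code)
        return True
    except ValueError:
        return False


# Constructed sample: the two instructions quoted in the post followed by two
# made-up ones (PUSH 12345678 and JNZ 00000000) in the same layout.
SAMPLE = bytes.fromhex(
    "75FF0756144000"      # VMCALL 00401456
    "A1FF081C00000000"    # AND Reg,Imm, params 1C 00 00 00 00
    "59FF0778563412"      # PUSH 12345678
    "13FF0700000000"      # JNZ 00000000
)

if __name__ == "__main__":
    for off, text in decode_all(SAMPLE):
        print(f"{off:04X}  {text}")
```

    Running it lists the four sample instructions with their offsets; feeding it a truncated blob, an out-of-range length byte or an opcode pair outside the table makes is_well_formed() return False rather than producing garbage, which is the check to keep in front of any automated "devirtualizer" that rebuilds x86 from this kind of bytecode.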

  4. #4
    Although it was an easy VM crackme, this was my first time dealing with a VM,
    so it took me about 5-6 hours of understanding and coding.
    Hope you like the solution.
    Attached Files

  5. #5
    One of the speakers at Recon posted a VM on crackmes, miniVMCrackme1. Have you guys looked at it yet? I will check it out as soon as I have the time.

  6. #6
    I did.
    I statically reverse engineered it completely, and reconstructed the pcode program after that. Took a couple of hours, with alcohol.
    It's rather easy; I am going to write something about it soon.
    Real ones don't need source

  7. #7
    Great!, more stuff to read. I'll give it a try this coming week.

  8. #8
    evaluator (Musician member)
    genaytyk's VM_crackme from 2005 is at crackmes.de; worth it to play?
    Or is that "HIGH CHIPER" unsolvable?

  9. #9
    evaluator (Musician member)
    this was solved in 2006, 1,3MB..
    http://defisfc.free.fr/affDefi.php?numDefi=75

  10. #10
    Whoa! Look who has dropped back in for a visit! Welcome back evaluator!
    Hope you are going to hang around again.

    Regards,
    JMI

  11. #11
    evaluator (Musician member)
    "don't take.."
