Results 1 to 10 of 10

Thread: brief insight into secu vm

  1. #1

    brief insight into secu vm

    since yates needs a proper explanation about the secu vm, here it goes:

    each secu title has 256 opcodes. an opcode is a block containing upto 512 instructions (maybe more, doesnt matter). most opcodes are obfuscated.

    an opcode consists of serveral parts: param decryption, real deal, goto next opcode, so it looks like

    game -> opcode (aka vmenter) -> opcode -> opcode -> .... -> opcode (aka vmexit) -> game

    there are several types of how the vm is used. most games use only the socalled boring mode, wich means the vm does nothing but link two gamecode parts together (why 99% of all games use just this easy to defeat mode?)

    a more fun type is where the vm actually does some game related stuff (why is this feature like never used btw?). gamedevs have to use this feature with sdk macros i guess (enlight me please)

    heres a small log:

    Code:
    0046   mov      reg_0068,     007e28fc          reg_0068 = 00000000
    000d   add      reg_0068,     [reg_03a4]        reg_0068 = 007e28fc, reg_03a4 = 00400000, [00400000] = 00905a4d
    00ad   mov      reg_0068,     [reg_0068]        reg_0068 = 00be28fc, reg_0068 = 00be28fc, [00be28fc] = 7b414fb1
    00bb   mov      reg_0054,     007f6edc          reg_0054 = 00000000
    000d   add      reg_0054,     [reg_03a4]        reg_0054 = 007f6edc, reg_03a4 = 00400000, [00400000] = 00905a4d
    00ad   mov      reg_0054,     [reg_0054]        reg_0054 = 00bf6edc, reg_0054 = 00bf6edc, [00bf6edc] = 00f00971
    0099   mov      reg_0050,     [reg_0054]        reg_0050 = 00000000, reg_0054 = 00f00971, [00f00971] = 000001be
    0077   add      reg_0054,     00000004          reg_0054 = 00f00971
    0086   mov      reg_0058,     reg_001c          reg_0058 = 00000000, reg_001c = 0022c950
    0077   add      reg_0058,     00000024          reg_0058 = 0022c950
    0077   add      reg_0058,     00000008          reg_0058 = 0022c974
    0099   mov      reg_0058,     [reg_0058]        reg_0058 = 0022c97c, reg_0058 = 0022c97c, [0022c97c] = 00ed45c5
    0089   mov      reg_005c,     00000000          reg_005c = 00000000
    00da   mov      reg_0320,     00cceec0          reg_0320 = 00000001
    0046   mov      reg_03c8,     0424448b          reg_03c8 = 00000000
    00c8   mov      reg_03cc,     08244c8b          reg_03cc = 00000000
    007c   mov      reg_03d0,     0004c969          reg_03d0 = 00000000
    0065   mov      reg_03d4,     30800000          reg_03d4 = 00000000
    00c7   mov      reg_03d8,     fae240eb          reg_03d8 = 00000000
    0065   mov      reg_03dc,     505a5958          reg_03dc = 00000000
    0046   mov      reg_03e0,     9090c351          reg_03e0 = 00000000
    00d9   mov      reg_00c8,     e8cb5060          reg_00c8 = 00000001
    00bb   mov      reg_00cc,     2c6aebeb          reg_00cc = 00000000
    00ee   mov      reg_00d0,     ebebebef          reg_00d0 = 00000000
    007c   mov      reg_00d4,     92e4151b          reg_00d4 = 00000000
    0032   mov      reg_00d8,     ebd46be2          reg_00d8 = 00000000
    0089   mov      reg_00dc,     12957b18          reg_00dc = 00000000
    0065   mov      reg_00e0,     ea531900          reg_00e0 = 00000000
    0087   mov      reg_00e4,     b8ebebeb          reg_00e4 = 00000000
    0087   mov      reg_00e8,     34ce49e4          reg_00e8 = 00000000
    0046   mov      reg_00ec,     b0141414          reg_00ec = 00000000
    00c8   mov      reg_00f0,     e8c36862          reg_00f0 = 00000000
    00c8   mov      reg_00f4,     7b28ebeb          reg_00f4 = 00000000
    0032   mov      reg_00fc,     0000000c          reg_00fc = 00000000
    0094   mov      reg_0100,     [reg_0058]        reg_0100 = 00000000, reg_0058 = 00ed45c5, [00ed45c5] = d6640055
    0077   add      reg_0100,     000000c8          reg_0100 = 47250404
    0000   unk
    0000   unk
    00b6   mov      reg_0100,     reg_0014          reg_0100 = 472504cc, reg_0014 = 47250404
    0077   add      reg_0100,     000003c8          reg_0100 = 47250404
    0095   jmp      472507cc
    in this log, opcode 95 leaves the vm and jumps to code at 472507cc
    472507cc is generated code, that the vm before that vm has generated. the code at 472507cc:

    Code:
    472507cc   8b 44 24 04             mov     eax,  [esp+4]
    472507d0   8b 4c 24 08             mov     ecx,  [esp+8]
    472507d4   69 c9 04 00 00 00       imul    ecx,  ecx,  00000004
    472507da   80 30 eb                xor     [eax],  eb
    472507dd   40                      inc     eax
    472507de   e2 fa                   loop    472507da
    472507e0   58                      pop     eax
    472507e1   59                      pop     ecx
    472507e2   5a                      pop     edx
    472507e3   50                      push    eax
    472507e4   51                      push    ecx
    472507e5   c3                      ret
    its obvious that this generated code has only one purpose: generate (or decrypt) a buf.

    this is the encrypted buf:

    Code:
    e8cb5060 2c6aebeb ebebebef 92e4151b
    ebd46be2 12957b18 ea531900 b8ebebeb
    34ce49e4 b0141414 e8c36862 7b28ebeb
    as you can see, the values in this buf are written by the vm i pasted above:

    Code:
    00d9   mov      reg_00c8,     e8cb5060          reg_00c8 = 00000001
    00bb   mov      reg_00cc,     2c6aebeb          reg_00cc = 00000000
    00ee   mov      reg_00d0,     ebebebef          reg_00d0 = 00000000


    and whats the decrypted version of this buf?


    Code:
    472504cc   8b bb 20 03 00 00       mov     edi,  [ebx+320]
    472504d2   81 c7 04 00 00 00       add     edi,  00000004
    472504d8   f0 fe 0f                lock dec     [edi]
    472504db   79 09                   jns     472504e6
    472504dd   80 3f 00                cmp     [edi],  00
    472504e0   f3 90                   pause   
    472504e2   7e f9                   jle     472504dd
    472504e4   eb f2                   jmp     472504d8
    472504e6   b8 01 00 00 00          mov     eax,  00000001
    472504eb   53                      push    ebx
    472504ec   0f a2                   cpuid   
    472504ee   25 df ff ff ff          and     eax,  ffffffdf
    472504f3   5b                      pop     ebx
    472504f4   89 83 28 03 00 00       mov     [ebx+328],  eax
    472504fa   c3                      ret

    so, this super hidden generated code just gets the cpuid of the current process and stores its value in a vmreg

  2. #2
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    More or less what I think of, although I have to disagree with this:

    there are several types of how the vm is used. most games use only the socalled boring mode, wich means the vm does nothing but link two gamecode parts together (why 99% of all games use just this easy to defeat mode?)
    Ummm, every securom 7 game I have in my collection does at least this much:
    a) "link gamecode parts together", or as I prefer to call it, handles redirection via the JMP DWORD PTR's
    b) dynamically decrypts routines in the game
    c) advanced api redirection, where it goes to the VM via a call eax. Securom loves to change around how exactly that call eax gets called, making automation a pain.
    d) it steals single instructions from the game code and emulates them inside the VM, so a "mov eax, ebx" might become a "push xxx/call secu_vm" after the protection process. This feature actually requires you to reverse a couple of VM handlers
    e) it steals multiple instructions, replaces them with a "push xx/ call secu_vm" and emulates them all inside the securom VM. Not too sure about this feature, am currently studying it.
    f ) has a second, recursive VM, which also gets called via "call eax". I haven't solved this one yet, only observed it. But from what I have observed about it so far, it seems... well... simple, despite its "recursiveness".

    g) This is optional, included via the developer SDK. I'm guessing that these are the famous securom "triggers". You can find them in the code section of the game, and look like this:
    push xx
    call secu_vm
    jmp_short
    00
    00
    00
    00
    00
    _short:
    (game code)

    Again, I have not yet solved the triggers, only observed a couple. Some seem to be adding 2 values and saving that in .data. Others seems to simply increment a value in .data. These values later then get "silently" checked by the game code. If these values are wrong (meaning securom has been "fucked with" somehow) then I guess the game silently "fucks you"

    Aside from that, the VM is a very nice piece of work IMO. Most of the 512 instructions/handler can be broken down to 4-15 ASM instructions.

    And then there is the calculation of the VM_EIP.... oooooohhhhhhhh it fucks with my mind That little byte at [ebx+10], you never know if its gonna get xor'd, rol'd, or left alone before it is used to calculate next place the VM will jump.

    Anyways, this is a fun puzzle to look at during my free time in school

    I'm doing an old target right now. I guess I'll update later and see if they changed anything
    Last edited by rendari; September 30th, 2007 at 13:06.

  3. #3
    Reversing Since '98 \o/ [yAtEs]'s Avatar
    Join Date
    Feb 2002
    Posts
    97
    Blog Entries
    2
    hehe thanks orp ;-)
    seems fairly accurate.

    /yates( without animated avatar :'( )

  4. #4
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,114
    Blog Entries
    5
    Quote Originally Posted by '[yAtEs
    /yates( without animated avatar :'( )
    Ah geez /yates, you're killing me here. I had an old copy of the board and replaced your cool avatar for you. Sleep well

  5. #5
    Reversing Since '98 \o/ [yAtEs]'s Avatar
    Join Date
    Feb 2002
    Posts
    97
    Blog Entries
    2
    woohoo! i love you

    cd goes in,,cd goes out,,cd goes in,,cd goes out,,

  6. #6
    cd doesnt crack? ;p

  7. #7
    Wierd! I still can't see his avatar in IE7, but it shows up fine in Firefox. IE7 just shows me a broken image with the red "x".

    Regards,
    JMI

  8. #8

    weird indeed

    Same here, works in FF but not IE7. Also, if the gif is saved, the windows pictures/fax viewer will not show/preview the file. However, if separated into frames then reassembled, it works in all of the above. So something in the original file throws IE7 and the windows picture viewer. Anyone tested it in IE6?

    xenakis
    I have nothing to say and I am saying it and that is poetry as I need it.
    -John Cage

  9. #9
    I can see it just fine.

    IE 6.0.2800.1106

    I wonder if any reverser would use IE7 anyway, it's been rumored to contain a rather large amount of bugs

  10. #10
    heh or its yates' super leet pic exploit and he owns all your pc's now (except those using ie7 which magically detects yates' antics) ;p

Similar Threads

  1. A quick insight into the Driver Signature Enforcement
    By j00ru vx tech blog in forum Blogs Forum
    Replies: 0
    Last Post: July 2nd, 2010, 09:18

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •