
Thread: Reversing VMs

  1. #1

    Reversing VMs Tutorial

    Hi,
    Last night I wrote this tute, as I received requests (i.e. foreigner) on how VMs are analysed. It is not complete, don't know if I wish to do it

    It is based on a crackme at crackmes.de, but it does not explain much of it, so that the reversing such crackme will not be really affected.

    I apologise for the style, but it was very late and I was writing in a flow manner, so it's not refined.

    @Zairon: if you think this would compromise cm, feel free to remove. But I don't think so.

    Regards,
    Maximus
    Last edited by Maximus; July 15th, 2006 at 20:43. Reason: added the missing section to the tute ;)
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  2. #2
    dELTA (Administrator)
    Thanks for your contribution.

  3. #3
    Yup. This is a topic which could use more tutorials and/or information as it gains in popularity.

    Regards,
    JMI

  4. #4
    ZaiRoN
    Wow, really interesting article!!!

    Here is the link of the target used in the tutorial:
    http://www.crackmes.de/users/thehyper/hyperunpackme2/download

  5. #5
    Thanks! When I have time, I might reshape it in a more formal way and fix the few glitches in it, eventually adding samples from harder stuff (commercial protectors?).
    However, my goal was making something that could be an introduction to VM analysis, as nothing good is around (apart from a short paper on SF's VM by Yates, that explains really little about VM attacks, being rather a description of a morphed opcode).

    Regards,
    Maximus

  6. #6
    Polaris
    Great job man, really interesting stuff!
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  7. #7
    Zairon:

    I got an error with:

    http://www.crackmes.de/users/thehyper/hyperunpackme2/download

    but this one gets the page and the download link there works correctly;

    http://www.crackmes.de/users/thehyper/hyperunpackme2/

    Just a heads-up, if anyone is having similar problems and wants the unpackme.

    Regards,
    JMI

  8. #8
    That's an excellent article you have written Maximus. I have often heard mention of virtual machines being adopted in commercial protections and was curious about what they are and how they work.

    You have certainly helped fill a void by writing this tutorial, as they are far from common. I look forward to reading more from you in relation to their use in commercial protectors.

    Could you perhaps help me understand what is meant by a binded flow VM? In Yates' tute he describes it as opcode data which cannot be examined as it appears to be dynamic.

    It then goes on to say that the structure of the opcode data is so large that it is unfeasible to step through it and reverse it; the trouble is that every time you trace over each instruction the data will be extracted in different ways.
    He suggests that the only feasible way to analyse this is by using heuristics, and that's it. Can you elaborate on this, or should I ask Yates?

    I'm probably getting in way over my head, but I thought I'd ask and take the time to acknowledge your efforts at the same time. I think I'll read through your tute again just to refresh my memory.

    5aLIVE
    Last edited by 5aLIVE; July 17th, 2006 at 12:29.

  9. #9

    Thanx to everybody~~~

    this is good tut.

  10. #10
    I agree, a well written article about something that is not too often covered. Good work maximus, hoping to see more.
    To teach is to learn

  11. #11
    Howdy,

    maximus, a most excellent work.

    Please continue your efforts in this area of research.
    You have given us (the community) a great work.

    Woodmann

  12. #12
    OHPen
    Aloha,

    I agree with my reverse engineering colleagues in all points. A fine work. It's nice to see other people around working actively on VMs.

    OHP.
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  13. #13
    Well, really thank you! I didn't honestly expect so much good feedback on it!
    It seems I have to make an _interesting_ sequel, someday...

    Thanks for your attention!

    Regards,
    Maximus
    Last edited by Maximus; July 18th, 2006 at 11:31.

  14. #14
    5Alive, I have the same question actually. I assume you saw that in Yates' starforce doc? I've done some work on VM's and even coded my own but I've never come across the phrase "binded flow". It might be he's created the term to describe something, and it's commonly known as something else.

    In principle at least I can see what he means, a large VM that supports a large set of instructions with variable operands would be very difficult to understand. I did a little exercise a while ago creating a very simple crackme in my scripting language. Tracing script execution through the VM was awkward, even without me adding any protection code to it and knowing what my own code did!

    Excellent doc Maximus.
    Still here...

  15. #15
    SF does not have a 'decoder'; all the VM logic is intrinsic in opcodes. Let's try to have a look together at Yates' paper on such an SF version:
    You can see that each VM instruction contains the current and next opcode, where 'flow' is arranged by a simple jump to another VM instruction.
    Opcodes are encrypted using dynamic keys, which change at each instruction (check the [edi+24h] usage: it is the key for decrypting the next opcode, contained within the first opcode).
    Let's remove complexities and make the instruction this way:
    Code:
    struct Instruction {
        unsigned char Current_opcode;
        unsigned char Next_opcode_to_be_masked_with_accumulator;
        unsigned char Next_opcode_accumulator_mask;
        unsigned char Current_operand_1;
        unsigned char Current_operand_2;
    };
    -----
    struct VM_Context {
        unsigned char Opcode_mask_accumulator;
    };
    -----
    unsigned char get_next_opcode(struct VM_Context *ctx, const struct Instruction *ins)
    {
        /* fold this instruction's mask into the running accumulator ... */
        ctx->Opcode_mask_accumulator ^= ins->Next_opcode_accumulator_mask;
        /* ... then unmask the stored next opcode with the updated accumulator */
        return ins->Next_opcode_to_be_masked_with_accumulator ^ ctx->Opcode_mask_accumulator;
    }
    Now think: we get the next opcode to jump at by xoring "Next_opcode_to_be_masked_with_accumulator" with "Opcode_mask_accumulator".
    Let's suppose we accumulate the "Next_opcode_accumulator_mask" within "Opcode_mask_accumulator", as the names I gave mean.
    So, ForEachInstruction:
    What might happen if, at a certain point, we jump again to that instruction? What might be the next instruction after it?
    This should be what Yates called 'EIP Stream' (also note that nothing prevents EIP flows from 'crossing', like for x86 opcodes, if not better).
    Same for 'Data Stream', but related to the instruction's operands, so instructions can e.g. stay the same but their data changes.


    the hell, I want to see Ultima recompiler.
    (edit: sorry JMI, ff went mad on 'save' button so I reopened in opera ...windows hate me)
    Last edited by Maximus; July 19th, 2006 at 18:18.
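As an added example (not part of Maximus's post, of Yates' paper, or of any real StarForce code), here is a small Python model of the accumulator-masked "next opcode" scheme described above. The `Instruction` fields mirror the names in the post; everything else (`HALT`, `assemble`, `run`, `static_successor`, `dynamic_successors`, and the four-instruction program) is constructed for illustration. It shows the analyst's problem directly: instruction 0 is executed twice on one run and jumps to a different successor each time because the accumulator differs, so decoding each instruction in isolation (the "static" view) gives a wrong or even out-of-range target, whereas recording (index, accumulator) pairs along a trace recovers the real successor set. The `assemble` helper also shows the constraint the protector is under: an instruction that is revisited has only one stored masked byte, so the intended path has to be consistent with it.

```python
"""Toy model of an accumulator-masked next-opcode VM (constructed example)."""
from dataclasses import dataclass

HALT = 0xFF  # constructed sentinel opcode that stops the interpreter


@dataclass
class Instruction:
    current_opcode: int
    next_opcode_masked: int            # Next_opcode_to_be_masked_with_accumulator
    next_opcode_accumulator_mask: int  # Next_opcode_accumulator_mask
    operand_1: int = 0
    operand_2: int = 0


def get_next_opcode(acc, ins):
    """The two XORs from the post: fold the mask into the accumulator, then unmask.
    Returns (new_accumulator, index_of_next_instruction)."""
    acc ^= ins.next_opcode_accumulator_mask
    return acc, ins.next_opcode_masked ^ acc


def assemble(path, masks, opcodes):
    """Derive the stored masked bytes so that running from path[0] with acc=0 follows path.
    A revisited instruction has a single fixed masked byte, so each later visit adds a
    constraint; a conflict means this path cannot be encoded with these masks."""
    required = {}
    acc = 0
    for cur, nxt in zip(path, path[1:]):
        acc ^= masks[cur]
        needed = nxt ^ acc
        if required.setdefault(cur, needed) != needed:
            raise ValueError(f"instruction {cur} cannot encode two different targets")
    return [Instruction(op, required.get(i, 0), masks[i]) for i, op in enumerate(opcodes)]


def run(prog, start=0, limit=64):
    """Execute the VM, recording (instruction index, accumulator) at every step."""
    acc, idx, trace = 0, start, []
    while len(trace) < limit:
        trace.append((idx, acc))
        if idx >= len(prog) or prog[idx].current_opcode == HALT:
            break  # halted, or the unmasking produced a bogus out-of-range target
        acc, idx = get_next_opcode(acc, prog[idx])
    return trace


def static_successor(prog, idx):
    """What a naive per-instruction decoder reports when it ignores the accumulator state."""
    return get_next_opcode(0, prog[idx])[1]


def dynamic_successors(trace):
    """Successor sets actually observed along a trace: index -> {next index, ...}."""
    succ = {}
    for (cur, _), (nxt, _) in zip(trace, trace[1:]):
        succ.setdefault(cur, set()).add(nxt)
    return succ


# Constructed program: intended flow 0 -> 1 -> 0 -> 2 -> 3(HALT), with arbitrary masks.
PATH = [0, 1, 0, 2, 3]
MASKS = [0x11, 0x12, 0x33, 0x00]
OPCODES = [0x01, 0x02, 0x03, HALT]
PROGRAM = assemble(PATH, MASKS, OPCODES)

if __name__ == "__main__":
    trace = run(PROGRAM)
    print("trace (index, acc):", [(i, hex(a)) for i, a in trace])
    print("static successor of 0:", static_successor(PROGRAM, 0))
    print("static successor of 2:", static_successor(PROGRAM, 2), "(out of range)")
    print("observed successors:", dynamic_successors(trace))
```

Running it, the trace visits 0, 1, 0, 2, 3: the first pass through instruction 0 goes to 1 and the second to 2, even though the stored byte in instruction 0 never changed. The static decode of instruction 2 yields 17, an index that does not exist, which is the kind of nonsense one sees when disassembling such opcode data without the accumulator state; the per-state trace is what recovers the control flow.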
