
Thread: Virtual Machine RE-building

  1. #1

    This is my beta of the new VM article I wrote. High tech reversing, I suppose.


    http://rapidshare.de/files/33084072/Virtual_Machine_RE-building.pdf.html


    Enjoy!

    Maximus

    PS: since the 1-click link doesn't seem to be working (at least for me :? ), I attached it too.
    Last edited by Maximus; September 14th, 2006 at 10:28.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  2. #2
    Thank you Maximus for another installment of what is becoming your outstanding "VM" series of articles, definitely high tech reversing.

    I split your post from the Mini Project forum to here in order to highlight it. The original T2'06 Challenge file can be found here for reference:

    t206 challenge
    http://www.woodmann.net/forum/showthread.php?t=9445

    Best Regards,
    Kayaker

  3. #3
    Thanks a lot Kayaker!

    I would like to know if anyone wishes to have clarifications on some part/found some bug here and there, before I submit it to CodeBreakers.

    Regards,
    Maximus

  4. #4
    To be honest, the first part is very confusing as you start without much explanation on how you figured out the VM context, instructions encoding etc., and proceed to jump all over the place. (And I did solve the contest so I can imagine it will be even worse to those who didn't.) I'm not sure how best to fix that, but I would probably describe it in this manner:
    1) the offset table most probably lists functions executing various opcodes.
    2) a function executing an opcode would need a) VM state b) opcode arguments. And it gets two arguments, so we just need to figure out which is which.
    3) The table lists one certain function many times - more than other ones. So it should be an "invalid opcode" function - however, in our case it is a NOP function. Still, in it we can see which parameter it does update - that should be the VM state.
    4) Since we know what's the VM state, the other parameter passed to opcode execute function is the opcode description, and we can see that it's filled in in another function above. So that must be the instruction decoder. By investigating it we might figure out some of the opcode description structure fields (maybe not all), and that would help us in figuring out various opcode execution function, which in turn helps in identifying VM state fields.
    ...or something like that. Just pasting fully analyzed IDA dumps doesn't help in understanding how you figured out what all the parameters and offsets mean.

    One specific error I noticed:
    "Once I found and understood this code, it immediately gave me understanding of the 0x80000000 value. It's just 1 written with big endian order."
    Well, this is completely wrong. 1 in big endian would be 0x01000000 in little endian (00 00 00 01 in memory).
    Actually, 0x80000000 is just the starting value of ESP. Start of the "program" is FFEE6000.

    Also, you should run it through a spellchecker at least, though the best would be to get a real editor to look it over. You may think they're small things, but small things are what can spoil an otherwise good work.
    Just to list a few examples.
    "Once found the hec"
    "And it alos"
    "However, This is not even the head of the iceberg" (correct expression is "the tip of the iceberg")
    "many instructions that calls internal functions"
    etc.
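As an added illustration of the reading order sketched in the reply above (this is not the article's code nor the poster's): a small Python script that parses a handler table from its raw bytes, finds the most-repeated handler (the NOP / "invalid opcode" candidate of step 3), and checks the endianness point about 0x80000000. The table contents and handler addresses are constructed for the example.

```python
import struct
from collections import Counter

# Constructed sample: an opcode dispatch table as it would sit in memory,
# 16 little-endian dword entries holding handler addresses (addresses made up).
# Entry index == opcode number; the same handler is repeated for unassigned opcodes.
TABLE_BYTES = bytes.fromhex(
    "10104000" "20104000" "30104000" "10104000"
    "40104000" "10104000" "50104000" "10104000"
    "10104000" "60104000" "10104000" "70104000"
    "10104000" "80104000" "10104000" "90104000"
)


def parse_dispatch_table(data, entry_size=4):
    """Split raw table bytes into a list of little-endian handler addresses."""
    fmt = "<I" if entry_size == 4 else "<Q"
    usable = len(data) - len(data) % entry_size
    return [struct.unpack_from(fmt, data, off)[0] for off in range(0, usable, entry_size)]


def handler_histogram(table):
    """How many opcodes point at each handler; a skewed count is the clue from step 3."""
    return Counter(table)


def most_repeated_handler(table):
    """Return (address, count, opcodes) for the handler referenced most often.

    Step 3 of the method: the entry that appears far more than the others is the
    'invalid opcode' (or, as in this VM, NOP) handler, and the opcode numbers that
    map to it are the ones the VM does not really use.
    """
    addr, count = Counter(table).most_common(1)[0]
    opcodes = [i for i, h in enumerate(table) if h == addr]
    return addr, count, opcodes


def dword_as_little_endian(value_big_endian):
    """Reinterpret the bytes of a big-endian dword as little-endian.

    This is what a debugger would show if a value had really been stored in
    big-endian order: 1 becomes 0x01000000 (bytes 00 00 00 01), not 0x80000000.
    """
    return struct.unpack("<I", struct.pack(">I", value_big_endian))[0]
```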

  5. #5
    yepp!

    Indeed, I too wrote it that way in analysis, but when placing all together I must have confused that.

    Thank you! I have this weekend to rearrange the content, then

    edit----
    fix in progress. I hope to make it more understandable. About the 'tip' problem, please note I'm not an English native speaker, so I'm somewhat limited when writing it.
    Last edited by Maximus; September 17th, 2006 at 05:18.

  6. #6
    Howdy,

    I would be honored if you would allow me to re-write it for grammatical errors.

    Send me a PM if you desire.

    Woodmann
