
vm for the masses - a vm compiler incl source

A classroom run by newbies for newbies. Gain valuable reversing experience & skills as we explain the in's and out's of RCE.
b3n
Posts: 27
Joined: Wed Mar 21, 2007 5:17 am
Location: Australia

Post by b3n »

Maybe you can help me with this, 0rp: I'm just trying to develop my own little grammar to play around with, but the scanner and parser generated use wchar_t* everywhere instead of char*. I saw your scanner and parser use just char*. Is there any way to tell Coco to use char* instead of wchar_t? It's driving me nuts, because every time I change something in the grammar and have to regenerate the parser and scanner, I have to manually edit all the files...
-------
nothing
-------
dELTA
Posts: 4209
Joined: Mon Oct 30, 2000 7:00 am
Location: Ring -1

Post by dELTA »

b3n wrote: Why did you decide to create a final binary version of the input program instead of letting the VM execute the VM instructions during runtime as a kind of interpreter? If you have a binary version of the input program, what do you need the VM for?
0rp wrote: Because you can easily replace the static number of opcodes by your own hacked opcodes and do whatever you want.
Well, sure, but in the case of building a normal binary like this, you lose the entire idea of people not being able to analyze the code statically with any tool they like, not to mention creating a simple IDC script that marks up all these sequences into their corresponding VM instruction (or even dumps the entire original script to a text file). (and yes, a much more advanced IDC script could do this even if you do it in VM code, but that's much harder, and again, exactly what is the reason/advantage with a VM in the first place with this method?)

And I really don't want to be rude or anything, I just wanted to check if I missed something here, just like b3n?
"Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
b3n
Posts: 27
Joined: Wed Mar 21, 2007 5:17 am
Location: Australia

Post by b3n »

I think you got more to the point than me, dELTA :)
-------
nothing
-------
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm

Post by 0rp »

It's using VM regs or a VM stack, so I would still call it a VM, or what's the definition of a VM?

As I said, it was a VM like you mean in some early version:

http://woodmann.com/forum/attachment.ph ... 1166647623

Opcodes were much bigger and generic, and there was an array of VM instructions that were in fact the params for those generic opcodes.

An opcode looked like this:

Code:

0040D0EE    8B6B 24         mov     ebp, dword ptr ds:[ebx+24]
0040D0F1    036B 14         add     ebp, dword ptr ds:[ebx+14]
0040D0F4    8D75 6C         lea     esi, dword ptr ss:[ebp+6C]
0040D0F7    8B06            mov     eax, dword ptr ds:[esi]
0040D0F9    B9 08000000     mov     ecx, 8
0040D0FE    8B148E          mov     edx, dword ptr ds:[esi+ecx*4]
0040D101    3353 28         xor     edx, dword ptr ds:[ebx+28]
0040D104    0353 14         add     edx, dword ptr ds:[ebx+14]
0040D107    3302            xor     eax, dword ptr ds:[edx]
0040D109  ^ E2 F3           loopd   short testcon.0040D0FE
0040D10B    8943 4C         mov     dword ptr ds:[ebx+4C], eax
0040D10E    8DB5 90000000   lea     esi, dword ptr ss:[ebp+90]
0040D114    8B06            mov     eax, dword ptr ds:[esi]
0040D116    B9 08000000     mov     ecx, 8
0040D11B    8B148E          mov     edx, dword ptr ds:[esi+ecx*4]
0040D11E    3353 28         xor     edx, dword ptr ds:[ebx+28]
0040D121    0353 14         add     edx, dword ptr ds:[ebx+14]
0040D124    3302            xor     eax, dword ptr ds:[edx]
0040D126  ^ E2 F3           loopd   short testcon.0040D11B
0040D128    8943 50         mov     dword ptr ds:[ebx+50], eax
0040D12B    8B43 4C         mov     eax, dword ptr ds:[ebx+4C]
0040D12E    8B4B 50         mov     ecx, dword ptr ds:[ebx+50]
0040D131    890C03          mov     dword ptr ds:[ebx+eax], ecx
0040D134    8D75 00         lea     esi, dword ptr ss:[ebp]
0040D137    8B06            mov     eax, dword ptr ds:[esi]
0040D139    B9 08000000     mov     ecx, 8
0040D13E    8B148E          mov     edx, dword ptr ds:[esi+ecx*4]
0040D141    3353 28         xor     edx, dword ptr ds:[ebx+28]
0040D144    0353 14         add     edx, dword ptr ds:[ebx+14]
0040D147    3302            xor     eax, dword ptr ds:[edx]
0040D149  ^ E2 F3           loopd   short testcon.0040D13E
0040D14B    8943 24         mov     dword ptr ds:[ebx+24], eax
0040D14E    8D75 48         lea     esi, dword ptr ss:[ebp+48]
0040D151    8B06            mov     eax, dword ptr ds:[esi]
0040D153    B9 08000000     mov     ecx, 8
0040D158    8B148E          mov     edx, dword ptr ds:[esi+ecx*4]
0040D15B    3353 28         xor     edx, dword ptr ds:[ebx+28]
0040D15E    0353 14         add     edx, dword ptr ds:[ebx+14]
0040D161    3302            xor     eax, dword ptr ds:[edx]
0040D163  ^ E2 F3           loopd   short testcon.0040D158
0040D165    50              push    eax
0040D166    8D75 24         lea     esi, dword ptr ss:[ebp+24]
0040D169    8B06            mov     eax, dword ptr ds:[esi]
0040D16B    B9 08000000     mov     ecx, 8
0040D170    8B148E          mov     edx, dword ptr ds:[esi+ecx*4]
0040D173    3353 28         xor     edx, dword ptr ds:[ebx+28]
0040D176    0353 14         add     edx, dword ptr ds:[ebx+14]
0040D179    3302            xor     eax, dword ptr ds:[edx]
0040D17B  ^ E2 F3           loopd   short testcon.0040D170
0040D17D    8F43 28         pop     dword ptr ds:[ebx+28]
0040D180    0343 14         add     eax, dword ptr ds:[ebx+14]
0040D183    FFE0            jmp     eax

But again, then you just need to make this basic opcode set patch-safe (CRCing a backup, or completely removing CRCing); that's why I switched to executable instructions, which are harder to retrieve from the VM, esp. when they are encrypted (yes, I failed here too: http://woodmann.com/forum/attachment.ph ... 1170436383).

b3n: try switching your project to multibyte, or if you use Coco, you can change the parser/lexer code templates. They are in parser.frame and scanner.frame.
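Added illustration, not 0rp's code and not taken from the linked attachment: a toy register VM in C built the way the listing above works. Each encoded instruction carries its operands and the key of its successor XORed with the current key (the role of the xor loops and of [ebx+28] in the listing), a handler decodes them, executes, installs the next key and dispatches. The second half is the analyst's side that dELTA describes: because the whole key chain sits in the binary, a static walk over the instruction table recovers the original script without running anything. Opcodes, the key schedule, the sample program and the names are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS 4
enum { OP_MOVI = 0, OP_ADD = 1, OP_HALT = 2 };   /* constructed opcode set */

typedef struct { uint32_t op, a, b; } plain_insn;         /* what a script compiler would emit */
typedef struct { uint32_t op, a, b, next_key; } vm_insn;  /* what lands in the binary: fields ^ key */

typedef struct {
    uint32_t regs[NREGS];
    uint32_t key;        /* current decode key, like [ebx+28] in the listing */
    const vm_insn *ip;   /* current VM instruction, like [ebx+24] */
    int running;
} vm_ctx;

/* Constructed key schedule: every instruction carries (encoded) the key of the next one. */
static uint32_t next_key_of(uint32_t key) { return key * 0x9E3779B1u + 0x7F4A7C15u; }

/* Protector side: XOR every field with the key in force for that instruction. */
void vm_encode(const plain_insn *in, int n, uint32_t key0, vm_insn *out) {
    uint32_t key = key0;
    for (int i = 0; i < n; i++) {
        uint32_t nk = next_key_of(key);
        out[i].op = in[i].op ^ key;
        out[i].a = in[i].a ^ key;
        out[i].b = in[i].b ^ key;
        out[i].next_key = nk ^ key;
        key = nk;
    }
}

typedef void (*handler_fn)(vm_ctx *, uint32_t, uint32_t);
static void h_movi(vm_ctx *c, uint32_t a, uint32_t b) { c->regs[a % NREGS] = b; }
static void h_add(vm_ctx *c, uint32_t a, uint32_t b) { c->regs[a % NREGS] += c->regs[b % NREGS]; }
static void h_halt(vm_ctx *c, uint32_t a, uint32_t b) { (void)a; (void)b; c->running = 0; }
static const handler_fn handlers[] = { h_movi, h_add, h_halt };
#define NHANDLERS (sizeof handlers / sizeof handlers[0])

/* One dispatch round: decode with the current key, run the handler, install the next key. */
static int vm_step(vm_ctx *c) {
    uint32_t op = c->ip->op ^ c->key;
    uint32_t a = c->ip->a ^ c->key;
    uint32_t b = c->ip->b ^ c->key;
    uint32_t nk = c->ip->next_key ^ c->key;
    if (op >= NHANDLERS) return -1;          /* wrong key or patched table: refuse to dispatch */
    handlers[op](c, a, b);
    c->key = nk;
    c->ip++;
    return 0;
}

/* Runs an encoded program and returns r0; 0xFFFFFFFF signals a bad opcode or the step limit. */
uint32_t vm_run(const vm_insn *prog, uint32_t key0, int max_steps) {
    vm_ctx c;
    memset(&c, 0, sizeof c);
    c.key = key0; c.ip = prog; c.running = 1;
    while (c.running)
        if (max_steps-- <= 0 || vm_step(&c) != 0) return 0xFFFFFFFFu;
    return c.regs[0];
}

/* Analyst side: recover the listing statically by following the key chain, no execution needed. */
int vm_disassemble(const vm_insn *prog, int n, uint32_t key0, char *out, size_t len) {
    uint32_t key = key0;
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        uint32_t op = prog[i].op ^ key, a = prog[i].a ^ key, b = prog[i].b ^ key;
        int w;
        if (op == OP_MOVI)      w = snprintf(out + used, len - used, "movi r%u, %u\n", a, b);
        else if (op == OP_ADD)  w = snprintf(out + used, len - used, "add r%u, r%u\n", a, b);
        else if (op == OP_HALT) w = snprintf(out + used, len - used, "halt\n");
        else                    w = snprintf(out + used, len - used, "??? %u %u %u\n", op, a, b);
        if (w < 0 || (size_t)w >= len - used) return -1;
        used += (size_t)w;
        key = prog[i].next_key ^ key;
    }
    return (int)used;
}

/* Constructed sample script: r0 = 5; r1 = 7; r0 += r1; halt  ->  r0 == 12 */
static const plain_insn sample[] = {
    { OP_MOVI, 0, 5 }, { OP_MOVI, 1, 7 }, { OP_ADD, 0, 1 }, { OP_HALT, 0, 0 }
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))
#define SAMPLE_KEY0 0xDEADBEEFu   /* constructed initial key */

uint32_t demo_run(void) {
    vm_insn enc[SAMPLE_N];
    vm_encode(sample, SAMPLE_N, SAMPLE_KEY0, enc);
    return vm_run(enc, SAMPLE_KEY0, 100);
}

int demo_listing(char *buf, size_t len) {
    vm_insn enc[SAMPLE_N];
    vm_encode(sample, SAMPLE_N, SAMPLE_KEY0, enc);
    return vm_disassemble(enc, SAMPLE_N, SAMPLE_KEY0, buf, len);
}

int main(void) {
    char buf[256];
    printf("r0 = %u\n", demo_run());
    if (demo_listing(buf, sizeof buf) > 0) fputs(buf, stdout);
    return 0;
}
```

The point to take from vm_disassemble is the one made in the thread: the keyed encoding only stops a naive hexdump. The initial key and the chain of next keys are data the interpreter itself needs, so anything that can read the binary can replay the decode, which is why the thread treats the scheme as a toy rather than a protection.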
Fh_prg
Junior Member
Posts: 16
Joined: Mon Jul 21, 2008 11:59 am

Post by Fh_prg »

Hello, how can we use this source code to protect a sample app with its VM?
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm

Post by 0rp »

You can't protect x86 code with it. You have to write your secret code in the VM script language and compile it to VM.

(Don't use it for serious business, because it's too weak.)
Fh_prg
Junior Member
Posts: 16
Joined: Mon Jul 21, 2008 11:59 am

Post by Fh_prg »

Thank you so much.