
vm for the masses - a vm compiler incl source

A classroom run by newbies for newbies. Gain valuable reversing experience & skills as we explain the in's and out's of RCE.
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm


Post by 0rp »

hi,

i have attached the complete source code of a working vm compiler. this compiler was used for the 'impossible crackme' crackmes.

i have also included a brief explanation of everything.

please keep in mind that this vm underwent some major changes (read the impossible crackme threads), that's why parts of the code are messy and smelly.

p.
Attachments
xm.zip
(305.12 KiB) Downloaded 1678 times
Sab
Senior Member
Posts: 175
Joined: Tue Aug 13, 2002 12:26 am

hm

Post by Sab »

Great to see a good public contribution. Thanks orp.
ZaiRoN
Posts: 922
Joined: Fri Oct 12, 2001 7:00 am
Location: Italy

Post by ZaiRoN »

Thank you Orp :yay:
b3n
Posts: 27
Joined: Wed Mar 21, 2007 5:17 am
Location: Australia

Post by b3n »

thanks orp, i was looking for something like this! :)
-------
nothing
-------
winndy
Junior Member
Posts: 25
Joined: Tue May 31, 2005 9:31 am

Post by winndy »

thank you very much!!
That's what I'm looking for.
Crack and unpack is a way to enjoy life.
FaTaL_PrIdE

Post by FaTaL_PrIdE »

Great contribution. Thank you for sharing!

:yay:
winndy
Junior Member
Posts: 25
Joined: Tue May 31, 2005 9:31 am

Post by winndy »

I tried to compile it with VS6.

I downloaded msvcr80.dll and msvcp80.dll.
But opcodetoheader still can't be executed.
Finally I found it's a side-by-side configuration error.
I installed vcredist_x86.exe. It still can't run.

The opcodetoheader source isn't included.
Orp, would you please upload the opcodetoheader source code?
Thanks!!

Another question:
What's the BYTE base[] array?
How is it generated?
Crack and unpack is a way to enjoy life.
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

thx for the source, i was looking for something like this for a long time

i think it's for VC 7

bye
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm

Post by 0rp »

hi,

i have attached the opcodetoheader sources.

the base[] array is the ready-to-use vm binary code.
this whole source file (vmfuncs.cpp) is generated by the backend,
see void Backend::generateCPP().
Attachments
opcodetoheader.zip
(3.34 KiB) Downloaded 614 times
Silver
Posts: 570
Joined: Thu May 06, 2004 11:48 am

Post by Silver »

Nice stuff 0rp, I'll have a browse through your code later.

Is there a lot of interest in VM these days? Was mulling over a RECON submission for this year...
Still here...
winndy
Junior Member
Posts: 25
Joined: Tue May 31, 2005 9:31 am

Post by winndy »

Thank you, Orp.
I'll take a good look at your code.

So if we want to add more functions in vmfuncs.cpp,
we should write code to generate it.
Every function in vmfuncs.cpp has a different offset.

And instructions.dat is the base array.
char* mem points to the randomized data which is written into base[] later.

While in compiler.cpp, some base array DWORDs are written with a function address or variable address.

Code:

	// first DWORDs of the vm image are patched with host function pointers
	*(DWORD *)(base + 0) = (DWORD)xm_allocate;
	*(DWORD *)(base + 4) = (DWORD)xm_free;
	*(DWORD *)(base + 8) = (DWORD)sprintf;
	*(DWORD *)(base + 12) = (DWORD)globals;
	*(DWORD *)(base + 16) = (DWORD)xm_printf;
	*(DWORD *)(base + 20) = (DWORD)xm_export;
I'll study it more carefully to understand the blueprint of how VM works.

BR
Crack and unpack is a way to enjoy life.
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm

Post by 0rp »

if you want more functions in vmfuncs.cpp, then you have to put more funcs into your input script (test.txt).

basically each function has its own start offset in this base array, but only functions that are exported (__export) get special code that pushes the real stack parameters to the vm stack:

Code:

	if (function->containsDeclSpec("export"))
	{
		INSTR_BEGIN(ENTER);
			vmFunction->exportStart = instr;
		INSTR_END();

		for (int i = 0; i < function->parameters.size(); i++)
		{
			MOV_TEMP_CONST(TEMP(1), (10 + i) * 4);
			ADD(TEMP(1), APPREGS);
			MOV_TEMP_MEM(TEMP(0), TEMP(1));
			
			MOV_MEM_TEMP(ESP, TEMP(0));
			MOV_TEMP_CONST(TEMP(0), 4);
			ADD(ESP, TEMP(0));
		}
	}


Code:

	*(DWORD *)(base + 0) = (DWORD)xm_allocate;
	*(DWORD *)(base + 4) = (DWORD)xm_free;
	*(DWORD *)(base + 8) = (DWORD)sprintf;
.....
these are required 'imports' that the vm needs to run happily. so if you finally generated a vm and want to start it, you have to write these function pointers to those vm addresses. it's done in the compiler just for testing purposes, since the vm gets executed:

Code:

	char msg[1024];
	test(43, msg);
	info("%s", msg);
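As an added example (not 0rp's code and not part of the xm sources), a small C model of the two mechanisms described above: the import slots at the start of base[] that the loader patches with host function pointers, and the __export prologue that copies the host parameters onto the vm stack before the vm code runs. The pointer-sized slots, the appregs array and the names vm_bind_import / vm_enter_export / demo_output are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed xm-style image: the first slots of base[] are import slots,
 * patched by the loader with host function pointers (base+0, +4, +8 in xm;
 * pointer-sized here so the example also runs on 64-bit hosts). */
typedef void (*vm_fn)(void);                 /* generic slot type, cast on use */
typedef int (*sprintf_fn)(char *, const char *, ...);
enum { IMP_ALLOCATE, IMP_FREE, IMP_SPRINTF, IMPORT_COUNT };
#define SLOT sizeof(vm_fn)

typedef struct {
    unsigned char base[IMPORT_COUNT * SLOT + 32]; /* imports, then vm code */
    uintptr_t appregs[16];   /* host state; real parameters live at 10 + i */
    uintptr_t vmstack[16];
    int esp;                 /* vm stack pointer, as a slot index */
} Vm;

/* Loader step: the equivalent of *(DWORD *)(base + 8) = (DWORD)sprintf; */
static void vm_bind_import(Vm *vm, int slot, vm_fn fn) {
    memcpy(vm->base + slot * SLOT, &fn, SLOT);
}
static vm_fn vm_import(const Vm *vm, int slot) {
    vm_fn fn; memcpy(&fn, vm->base + slot * SLOT, SLOT); return fn;
}

/* ENTER prologue emitted for an __export function: one loop turn per
 * parameter, copying appregs[10 + i] onto the vm stack and bumping ESP. */
static void vm_enter_export(Vm *vm, int nparams) {
    for (int i = 0; i < nparams; i++) {
        uintptr_t tmp = vm->appregs[10 + i];  /* MOV_TEMP_CONST, ADD, MOV_TEMP_MEM */
        vm->vmstack[vm->esp++] = tmp;         /* MOV_MEM_TEMP(ESP, ..), ADD(ESP, 4) */
    }
}

/* Mirrors the compiler's self-test test(43, msg): the exported function
 * formats its first parameter through the sprintf import slot. */
const char *demo_output(void) {
    static char msg[64];
    static Vm vm;
    memset(&vm, 0, sizeof vm);
    vm_bind_import(&vm, IMP_SPRINTF, (vm_fn)sprintf);
    vm.appregs[10] = 43;                      /* first real stack parameter */
    vm.appregs[11] = (uintptr_t)msg;          /* second: the output buffer */
    vm_enter_export(&vm, 2);                  /* now vmstack = {43, msg} */
    sprintf_fn fmt = (sprintf_fn)vm_import(&vm, IMP_SPRINTF);
    fmt((char *)vm.vmstack[1], "value=%d", (int)vm.vmstack[0]);
    return msg;
}
```

Without the bind step the slot holds zero and the call through it faults, which is exactly why a generated vm cannot be started until the loader has written those pointers.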
winndy
Junior Member
Posts: 25
Joined: Tue May 31, 2005 9:31 am

Post by winndy »

Orp, thanks for your explanation.

I'm sorry to trouble you again.
Coco.exe caused a side-by-side configuration error.
It just doesn't work.
It seems that you rebuilt your coco.exe.
Is your coco source this one:
Coco/R for C++
ported and maintained by Markus Löberbauer and Csaba Balazs
I replaced Coco.exe with the above coco.exe.
I just got this error:
Coco/R (Jan 15, 2007)
checking
FuncCallParams deletable
Statements deletable
XM deletable
LL1 warning in Factor: "(" is start of several alternatives
LL1 warning in IfElse: "else" is start & successor of deletable structure
parser -- incomplete or corrupt parser frame file
I wonder what coco.exe you used. Thanks.

I just want to compile your xm source code. I didn't expect so many problems.
Sorry.
And I think I should turn to VS2005.

BR
Crack and unpack is a way to enjoy life.
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm

Post by 0rp »

check the attachment.
i recompiled coco without the msvcrt dlls, i've also included its source.
i changed coco a bit to fit my needs.

i also re-enabled a fancy vm feature:

data MessageBoxA = __export("user32.dll", "MessageBoxA");
MessageBoxA(0, "oook", "hi", 3);
Attachments
xm.zip
(473.61 KiB) Downloaded 810 times
winndy
Junior Member
Posts: 25
Joined: Tue May 31, 2005 9:31 am

Post by winndy »

That's very kind of you.
I'll study it.
You're a great coder and reverser.
What's more, you are my patient teacher. ;)
Crack and unpack is a way to enjoy life.