View Full Version : VM Crackme


Kayaker
June 26th, 2007, 12:36
While walking my regular "what's new in the RE world?" beat I came across this. Haven't looked at it yet but thought it might be interesting...


http://opcode0x90.wordpress.com/2007/06/21/my-second-crackme-this-time-a-vm-crackme/

http://filexoom.com/files/2007/3/27/65350/crackme_nop_vm.zip


(Last time I attached someone's stuff without asking I got shit, so for now I won't, but if it turns out to be good I'll attach the crackme to this thread for longevity)


Kayaker

blabberer
July 2nd, 2007, 12:14
Looks nice but not very hard, at least not to the magnitude of one VM which I looked at for a few hours, viz. Oreans.

Code:

Log data
Address Message
77E7F13A CALL to WriteFile from nop_vm.004010BD
hFile = 00000007
Buffer = nop_vm.00401284
nBytesToWrite = 1
pBytesWritten = nop_vm.00403400
pOverlapped = NULL
77E7F13A Breakpoint at kernel32.WriteFile
string [[esp+8]] = y Opcode0x90, 7 June 2007 -
-----------------------------------------------------
Have phun !


Password pl0x: Yÿ
004010BD Breakpoint at nop_vm.004010BD
77E7F13A CALL to WriteFile from nop_vm.004010BD
hFile = 00000007
Buffer = nop_vm.00401285
nBytesToWrite = 1
pBytesWritten = nop_vm.00403400
pOverlapped = NULL
77E7F13A Breakpoint at kernel32.WriteFile
string [[esp+8]] = Opcode0x90, 7 June 2007 -
-----------------------------------------------------
Have phun !


Password pl0x: Yÿ
004010BD Breakpoint at nop_vm.004010BD
77E7F13A CALL to WriteFile from nop_vm.004010BD
hFile = 00000007
Buffer = nop_vm.00401286
nBytesToWrite = 1
pBytesWritten = nop_vm.00403400
pOverlapped = NULL
77E7F13A Breakpoint at kernel32.WriteFile
string [[esp+8]] = Opcode0x90, 7 June 2007 -
-----------------------------------------------------
Have phun !


Password pl0x: Yÿ
004010BD Breakpoint at nop_vm.004010BD
77E7F13A CALL to WriteFile from nop_vm.004010BD
hFile = 00000007
Buffer = nop_vm.00401287
nBytesToWrite = 1
pBytesWritten = nop_vm.00403400
pOverlapped = NULL
77E7F13A Breakpoint at kernel32.WriteFile
string [[esp+8]] = pcode0x90, 7 June 2007 -
-----------------------------------------------------
Have phun !


Password pl0x: Yÿ
004010BD Breakpoint at nop_vm.004010BD

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012FCC0 77F762F3 Includes 7FFE0304 ntdll.77F762F1 0012FCE0
0012FCC4 77F561A5 ntdll.ZwRequestWaitReplyPort ntdll.77F561A0 0012FCE0
0012FCE4 77E92703 ntdll.CsrClientCallServer kernel32.77E926FD 0012FCE0
0012FDD4 77E92588 ? kernel32.77E925DB kernel32.ReadConsoleA+26 0012FDD0
0012FE4C 77E92542 kernel32.ReadConsoleA kernel32.77E9253D 0012FE48
0012FE50 00000003 hConsole = 00000003
0012FE54 00403000 Buffer = nop_vm.00403000
0012FE58 00000400 ToRead = 400 (1024.)
0012FE5C 00403400 pRead = nop_vm.00403400
0012FE60 00000000 pReserved = NULL

00403000 68 65 6C 6C 6F 20 76 6D 20 62 61 62 79 20 68 6F hello vm baby ho
00403010 77 20 61 72 65 20 79 6F 75 20 68 6F 70 65 20 79 w are you hope y
00403020 6F 75 20 61 72 65 20 65 61 73 79 20 0D 0A 00 00 ou are easy ....



Well, this is the comparison I think, maybe not one run automated; it seems it's adding like this:

for (i = 0; i < strlen(string); i++)
{
    sum = leetcode;                       /* constant seed */
    sum = *(DWORD *)&string[i] + sum;     /* add the dword at string[i] */
    i++;                                  /* extra step, as observed */
}

Code:

EBX=0A4F4CAB
Stack DS:[0012FF50]=8B1C0A80

cEnginEEr
July 4th, 2007, 03:30
Its VM identifies only a few instructions:

75h FFh -> call a VWed Code

97h AEh -> MOV Reg,Reg
97h FFh -> MOV Reg,Imm

59h AEh -> PUSH Reg
59h FFh -> PUSH Imm

E8h AEh -> CALL Reg (API calls)
E8h FFh -> CALL Imm

F6h AEh -> CMP Reg,Reg
F6h FFh -> CMP Reg,Imm

4Bh AEh -> JMP Reg
4Bh FFh -> JMP Imm

AEh AEh -> JZ Reg
AEh FFh -> JZ Imm

13h AEh -> JNZ Reg
13h FFh -> JNZ Imm

33h AEh -> MOV [Reg],Reg
33h FFh -> MOV [Reg],Imm

A1h AEh -> AND Reg, Reg
A1h FFh -> AND Reg, Imm

1Dh AEh -> ADD Reg, Reg
1Dh FFh -> ADD Reg, Imm

So simple that it is possible to rebuild the original instructions from the VMed code. Each VM instruction has the format below:

OPCODE[2 bytes], instruction length[1 byte ], PARAMs[n bytes]

example:

75 FF 07 56 14 40 00------>call Sub_401456
A1 FF 08 1C 00 00 00 00-->and eax, edi

@blabberer: do you have any experience with VMProtect? Any idea on recovering the original code?

Regards
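A small disassembler for the instruction format cEnginEEr describes (two-byte opcode, one-byte total length, then parameters), as an added example, not the crackme's own code or the poster's tool. The opcode table is the one posted above; the register-byte encoding is not given in the thread, so the decoder treats only a bare 4-byte parameter of the Imm (FFh) form as a little-endian dword and shows every other parameter as raw hex.

```python
"""Decoder for the VM byte format described in the post: OPCODE[2] LEN[1] PARAMS.
Added example, not the crackme's code. The opcode table is the posted one;
the register-byte encoding is not given on the page, so only a bare 4-byte
operand of the Imm (FFh) form is decoded as a dword; everything else is
shown as raw hex."""
import struct

REG, IMM = 0xAE, 0xFF            # second opcode byte selects the operand kind
KIND = {REG: "reg", IMM: "imm"}

# first opcode byte -> operation, from the table in the post
OPS = {0x75: "call_vm", 0x97: "mov", 0x59: "push", 0xE8: "call",
       0xF6: "cmp", 0x4B: "jmp", 0xAE: "jz", 0x13: "jnz",
       0x33: "mov_mem", 0xA1: "and", 0x1D: "add"}


def decode(code: bytes) -> list[tuple[int, str]]:
    """Walk the stream and return one (offset, text) pair per instruction.
    The length byte covers the whole instruction, header included, and is
    checked against the buffer so a corrupt stream raises instead of
    silently resynchronising on the wrong boundary."""
    out, off = [], 0
    while off < len(code):
        if len(code) - off < 3:
            raise ValueError(f"truncated header at {off:#x}")
        op, kind, length = code[off], code[off + 1], code[off + 2]
        if op not in OPS or kind not in KIND:
            raise ValueError(f"unknown opcode {op:02X} {kind:02X} at {off:#x}")
        if length < 3 or off + length > len(code):
            raise ValueError(f"bad length {length} at {off:#x}")
        params = code[off + 3:off + length]
        if kind == IMM and len(params) == 4:
            operand = f"0x{struct.unpack('<I', params)[0]:X}"
        else:
            operand = " ".join(f"{b:02X}" for b in params)
        out.append((off, f"{OPS[op]} {KIND[kind]} {operand}".rstrip()))
        off += length
    return out


# Constructed stream: the two example instructions from the post, back to back.
SAMPLE = bytes.fromhex("75FF0756144000" "A1FF081C00000000")

if __name__ == "__main__":
    for off, text in decode(SAMPLE):
        print(f"{off:04x}: {text}")
```

The first instruction decodes to the `call Sub_401456` given in the post; the second is shown with its five raw parameter bytes because the thread does not state how the register operand is encoded.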

nanobit
June 17th, 2008, 16:12
Although it was an easy VM crackme, this was my first time dealing with a VM,
so it took me about 5-6 hours of understanding and coding.
Hope you like the solution.

owl
June 18th, 2008, 14:23
One of the speakers at Recon posted a VM on crackmes, miniVMCrackme1. Have you guys looked at it yet? I will check it out as soon as I have the time.

Nico
June 18th, 2008, 16:51
I did.
I statically reverse engineered it completely, and reconstructed the pcode program after that. Took a couple hours, with alcohol.
It's rather easy, I am going to write something soon about it.

owl
June 19th, 2008, 10:17
Great! More stuff to read. I'll give it a try this coming week.

evaluator
July 5th, 2008, 04:07
genaytyk's VM_crackme from 2005 is at crackmes.de, worth it to play?
Or is that "HIGH CHIPER" unsolvable?

evaluator
July 5th, 2008, 04:38
This was solved in 2006, 1.3 MB..
http://defisfc.free.fr/affDefi.php?numDefi=75

JMI
July 5th, 2008, 09:28
Whoa! Look who has dropped back in for a visit! Welcome back evaluator!
Hope you are going to hang around again.

Regards,

evaluator
July 5th, 2008, 15:42
"don't take.."