Log in

View Full Version : brief insight into secu vm

0rp
September 30th, 2007, 07:59
since yates needs a proper explanation about the secu vm, here it goes:

each secu title has 256 opcodes. an opcode is a block containing upto 512 instructions (maybe more, doesnt matter). most opcodes are obfuscated.

an opcode consists of serveral parts: param decryption, real deal, goto next opcode, so it looks like

game -> opcode (aka vmenter) -> opcode -> opcode -> .... -> opcode (aka vmexit) -> game

there are several types of how the vm is used. most games use only the socalled boring mode, wich means the vm does nothing but link two gamecode parts together (why 99% of all games use just this easy to defeat mode?)

a more fun type is where the vm actually does some game related stuff (why is this feature like never used btw?). gamedevs have to use this feature with sdk macros i guess (enlight me please)

heres a small log:

Code:


0046   mov      reg_0068,     007e28fc          reg_0068 = 00000000

000d   add      reg_0068,     [reg_03a4]        reg_0068 = 007e28fc, reg_03a4 = 00400000, [00400000] = 00905a4d

00ad   mov      reg_0068,     [reg_0068]        reg_0068 = 00be28fc, reg_0068 = 00be28fc, [00be28fc] = 7b414fb1

00bb   mov      reg_0054,     007f6edc          reg_0054 = 00000000

000d   add      reg_0054,     [reg_03a4]        reg_0054 = 007f6edc, reg_03a4 = 00400000, [00400000] = 00905a4d

00ad   mov      reg_0054,     [reg_0054]        reg_0054 = 00bf6edc, reg_0054 = 00bf6edc, [00bf6edc] = 00f00971

0099   mov      reg_0050,     [reg_0054]        reg_0050 = 00000000, reg_0054 = 00f00971, [00f00971] = 000001be

0077   add      reg_0054,     00000004          reg_0054 = 00f00971

0086   mov      reg_0058,     reg_001c          reg_0058 = 00000000, reg_001c = 0022c950

0077   add      reg_0058,     00000024          reg_0058 = 0022c950

0077   add      reg_0058,     00000008          reg_0058 = 0022c974

0099   mov      reg_0058,     [reg_0058]        reg_0058 = 0022c97c, reg_0058 = 0022c97c, [0022c97c] = 00ed45c5

0089   mov      reg_005c,     00000000          reg_005c = 00000000

00da   mov      reg_0320,     00cceec0          reg_0320 = 00000001

0046   mov      reg_03c8,     0424448b          reg_03c8 = 00000000

00c8   mov      reg_03cc,     08244c8b          reg_03cc = 00000000

007c   mov      reg_03d0,     0004c969          reg_03d0 = 00000000

0065   mov      reg_03d4,     30800000          reg_03d4 = 00000000

00c7   mov      reg_03d8,     fae240eb          reg_03d8 = 00000000

0065   mov      reg_03dc,     505a5958          reg_03dc = 00000000

0046   mov      reg_03e0,     9090c351          reg_03e0 = 00000000

00d9   mov      reg_00c8,     e8cb5060          reg_00c8 = 00000001

00bb   mov      reg_00cc,     2c6aebeb          reg_00cc = 00000000

00ee   mov      reg_00d0,     ebebebef          reg_00d0 = 00000000

007c   mov      reg_00d4,     92e4151b          reg_00d4 = 00000000

0032   mov      reg_00d8,     ebd46be2          reg_00d8 = 00000000

0089   mov      reg_00dc,     12957b18          reg_00dc = 00000000

0065   mov      reg_00e0,     ea531900          reg_00e0 = 00000000

0087   mov      reg_00e4,     b8ebebeb          reg_00e4 = 00000000

0087   mov      reg_00e8,     34ce49e4          reg_00e8 = 00000000

0046   mov      reg_00ec,     b0141414          reg_00ec = 00000000

00c8   mov      reg_00f0,     e8c36862          reg_00f0 = 00000000

00c8   mov      reg_00f4,     7b28ebeb          reg_00f4 = 00000000

0032   mov      reg_00fc,     0000000c          reg_00fc = 00000000

0094   mov      reg_0100,     [reg_0058]        reg_0100 = 00000000, reg_0058 = 00ed45c5, [00ed45c5] = d6640055

0077   add      reg_0100,     000000c8          reg_0100 = 47250404

0000   unk

0000   unk

00b6   mov      reg_0100,     reg_0014          reg_0100 = 472504cc, reg_0014 = 47250404

0077   add      reg_0100,     000003c8          reg_0100 = 47250404

0095   jmp      472507cc


in this log, opcode 95 leaves the vm and jumps to code at 472507cc
472507cc is generated code, that the vm before that vm has generated. the code at 472507cc:

Code:


472507cc   8b 44 24 04             mov     eax,  [esp+4]

472507d0   8b 4c 24 08             mov     ecx,  [esp+8]

472507d4   69 c9 04 00 00 00       imul    ecx,  ecx,  00000004

472507da   80 30 eb                xor     [eax],  eb

472507dd   40                      inc     eax

472507de   e2 fa                   loop    472507da

472507e0   58                      pop     eax

472507e1   59                      pop     ecx

472507e2   5a                      pop     edx

472507e3   50                      push    eax

472507e4   51                      push    ecx

472507e5   c3                      ret


its obvious that this generated code has only one purpose: generate (or decrypt) a buf.

this is the encrypted buf:

Code:


e8cb5060 2c6aebeb ebebebef 92e4151b

ebd46be2 12957b18 ea531900 b8ebebeb

34ce49e4 b0141414 e8c36862 7b28ebeb


as you can see, the values in this buf are written by the vm i pasted above:

Code:


00d9   mov      reg_00c8,     e8cb5060          reg_00c8 = 00000001

00bb   mov      reg_00cc,     2c6aebeb          reg_00cc = 00000000

00ee   mov      reg_00d0,     ebebebef          reg_00d0 = 00000000




and whats the decrypted version of this buf?


Code:


472504cc   8b bb 20 03 00 00       mov     edi,  [ebx+320]

472504d2   81 c7 04 00 00 00       add     edi,  00000004

472504d8   f0 fe 0f                lock dec     [edi]

472504db   79 09                   jns     472504e6

472504dd   80 3f 00                cmp     [edi],  00

472504e0   f3 90                   pause   

472504e2   7e f9                   jle     472504dd

472504e4   eb f2                   jmp     472504d8

472504e6   b8 01 00 00 00          mov     eax,  00000001

472504eb   53                      push    ebx

472504ec   0f a2                   cpuid   

472504ee   25 df ff ff ff          and     eax,  ffffffdf

472504f3   5b                      pop     ebx

472504f4   89 83 28 03 00 00       mov     [ebx+328],  eax

472504fa   c3                      ret



so, this super hidden generated code just gets the cpuid of the current process and stores its value in a vmreg
rendari
September 30th, 2007, 13:02
More or less what I think of, although I have to disagree with this:
Quote:


there are several types of how the vm is used. most games use only the socalled boring mode, wich means the vm does nothing but link two gamecode parts together (why 99% of all games use just this easy to defeat mode?)


Ummm, every securom 7 game I have in my collection does at least this much:
a) "link gamecode parts together", or as I prefer to call it, handles redirection via the JMP DWORD PTR's
b) dynamically decrypts routines in the game
c) advanced api redirection, where it goes to the VM via a call eax. Securom loves to change around how exactly that call eax gets called, making automation a pain.
d) it steals single instructions from the game code and emulates them inside the VM, so a "mov eax, ebx" might become a "push xxx/call secu_vm" after the protection process. This feature actually requires you to reverse a couple of VM handlers
e) it steals multiple instructions, replaces them with a "push xx/ call secu_vm" and emulates them all inside the securom VM. Not too sure about this feature, am currently studying it.
f ) has a second, recursive VM, which also gets called via "call eax". I haven't solved this one yet, only observed it. But from what I have observed about it so far, it seems... well... simple, despite its "recursiveness".

g) This is optional, included via the developer SDK. I'm guessing that these are the famous securom "triggers". You can find them in the code section of the game, and look like this:
push xx
call secu_vm
jmp_short
00
00
00
00
00
_short:
(game code)

Again, I have not yet solved the triggers, only observed a couple. Some seem to be adding 2 values and saving that in .data. Others seems to simply increment a value in .data. These values later then get "silently" checked by the game code. If these values are wrong (meaning securom has been "fucked with" somehow) then I guess the game silently "fucks you"

Aside from that, the VM is a very nice piece of work IMO. Most of the 512 instructions/handler can be broken down to 4-15 ASM instructions.

And then there is the calculation of the VM_EIP.... oooooohhhhhhhh it fucks with my mind That little byte at [ebx+10], you never know if its gonna get xor'd, rol'd, or left alone before it is used to calculate next place the VM will jump.

Anyways, this is a fun puzzle to look at during my free time in school

I'm doing an old target right now. I guess I'll update later and see if they changed anything
[yAtEs]
October 1st, 2007, 00:24
hehe thanks orp ;-)
seems fairly accurate.

/yates( without animated avatar :'( )
Kayaker
October 1st, 2007, 00:48
Quote:
[Originally Posted by '[yAtEs]/yates( without animated avatar :'( )


Ah geez /yates, you're killing me here. I had an old copy of the board and replaced your cool avatar for you. Sleep well
[yAtEs]
October 1st, 2007, 01:03
woohoo! i love you

cd goes in,,cd goes out,,cd goes in,,cd goes out,,
evlncrn8
October 1st, 2007, 08:59
cd doesnt crack? ;p
JMI
October 1st, 2007, 10:29
Wierd! I still can't see his avatar in IE7, but it shows up fine in Firefox. IE7 just shows me a broken image with the red "x".

Regards,
xenakis
October 1st, 2007, 19:15
Same here, works in FF but not IE7. Also, if the gif is saved, the windows pictures/fax viewer will not show/preview the file. However, if separated into frames then reassembled, it works in all of the above. So something in the original file throws IE7 and the windows picture viewer. Anyone tested it in IE6?

xenakis
LLXX
October 1st, 2007, 22:43
I can see it just fine.

IE 6.0.2800.1106

I wonder if any reverser would use IE7 anyway, it's been rumored to contain a rather large amount of bugs
evlncrn8
October 1st, 2007, 23:11
heh or its yates' super leet pic exploit and he owns all your pc's now (except those using ie7 which magically detects yates' antics) ;p