View Full Version : Virtual Machine RE-building


Maximus
September 14th, 2006, 08:31
...kk

This is my beta of the new VM article I wrote. Hi tech reversing, I suppose.


http://rapidshare.de/files/33084072/Virtual_Machine_RE-building.pdf.html


Enjoy!

Maximus

PS: since 1-click link seems not working (at least for me :? ), I attached it too.

Kayaker
September 14th, 2006, 21:29
Thank you Maximus for another installment of what is becoming your outstanding "VM" series of articles, definitely high tech reversing.

I split your post from the Mini Project forum to here in order to highlight it. The original T2'06 Challenge file can be found here for reference:

t206 challenge
http://www.woodmann.net/forum/showthread.php?t=9445

Best Regards,
Kayaker

Maximus
September 16th, 2006, 15:11
Thanks a lot Kayaker!

I would like to know if anyone wishes to have clarifications on some part/found some bug here and there, before I submit it to CodeBreakers.

Regards,
Maximus

reverser
September 17th, 2006, 00:55
To be honest, the first part is very confusing as you start without much explanation on how you figured out the VM context, instructions encoding etc., and proceed to jump all over the place. (And I did solve the contest so I can imagine it will be even worse to those who didn't.) I'm not sure how best to fix that, but I would probably describe it in this manner:
1) the offset table most probably lists functions executing various opcodes.
2) a function executing an opcode would need a) VM state b) opcode arguments. And it gets two arguments, so we just need to figure out which is which.
3) The table lists one certain function many times - more than other ones. So it should be an "invalid opcode" function - however, in our case it is a NOP function. Still, in it we can see which parameter it does update - that should be the VM state.
4) Since we know what's the VM state, the other parameter passed to opcode execute function is the opcode description, and we can see that it's filled in in another function above. So that must be the instruction decoder. By investigating it we might figure out some of the opcode description structure fields (maybe not all), and that would help us in figuring out various opcode execution functions, which in turn helps in identifying VM state fields.
...or something like that. Just pasting fully analyzed IDA dumps doesn't help in understanding how you figured out what all the parameters and offsets mean.

One specific error I noticed:
"Once I found and understood this code, it immediately gave me understanding of the 0x80000000 value. It's just 1 written with big endian order."
Well, this is completely wrong. 1 in big endian would be 0x01000000 in little endian (00 00 00 01 in memory).
Actually, 0x80000000 is just the starting value of ESP. Start of the "program" is FFEE6000.

Also, you should run it through a spellchecker at least, though the best would be to get a real editor to look it over. You may think it's small things, but small things are what can spoil an otherwise good work.
Just to list a few examples.
"Once found the hec"
"And it alos"
"However, This is not even the head of the iceberg" (correct expression is "the tip of the iceberg")
"many instructions that calls internal functions"
etc.
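
The two concrete points in this reply (the "most repeated entry in the offset table is the fallback handler" heuristic in step 3, and the endianness correction about 0x80000000) can be checked mechanically. The following is an added example, not code from the thread or from the article under discussion; the handler table and its addresses are constructed for illustration and are not taken from the T2'06 challenge binary.

```python
import struct
from collections import Counter

# Constructed sample: a hypothetical 16-slot opcode handler table, as an
# analyst might copy it out of a disassembly. The addresses are invented
# for this example; one handler fills half of the slots.
SAMPLE_HANDLER_TABLE = [
    0x00401000, 0x00401040, 0x00401090, 0x00401000,
    0x004010C0, 0x00401000, 0x00401100, 0x00401000,
    0x00401140, 0x00401000, 0x00401180, 0x00401000,
    0x004011C0, 0x00401000, 0x00401000, 0x00401200,
]

# The same table as it would sit in the binary: little-endian dwords (x86).
SAMPLE_TABLE_BYTES = struct.pack("<%dI" % len(SAMPLE_HANDLER_TABLE),
                                 *SAMPLE_HANDLER_TABLE)


def handler_table_from_bytes(blob):
    """Parse a raw dword table (little-endian, as on x86) into addresses."""
    if len(blob) % 4:
        raise ValueError("table length is not a multiple of 4")
    return [struct.unpack_from("<I", blob, off)[0]
            for off in range(0, len(blob), 4)]


def most_repeated_handler(table):
    """Return (address, count) of the entry that appears most often.

    Heuristic from the thread: the handler occupying the most slots is the
    fallback for undefined opcodes (an 'invalid opcode' or NOP handler), and
    its short body is the cheapest place to see which parameter is the VM
    state, since that is the only thing it touches.
    """
    addr, count = Counter(table).most_common(1)[0]
    return addr, count


def unique_handlers(table):
    """Distinct handlers, i.e. the real opcode set to analyse one by one."""
    return sorted(set(table))


def dword_bytes_le(value):
    """Bytes of a 32-bit value as stored in memory on a little-endian CPU."""
    return struct.pack("<I", value)


def reinterpret_big_endian_as_little(value):
    """Write `value` as a big-endian dword, then read those bytes back as
    little-endian: this is what '1 in big-endian order' looks like to x86."""
    return struct.unpack("<I", struct.pack(">I", value))[0]


if __name__ == "__main__":
    table = handler_table_from_bytes(SAMPLE_TABLE_BYTES)
    addr, count = most_repeated_handler(table)
    print("fallback handler candidate: 0x%08X (%d of %d slots)"
          % (addr, count, len(table)))
    print("distinct handlers to analyse:",
          ", ".join("0x%08X" % a for a in unique_handlers(table)))
    # 1 stored big-endian is 00 00 00 01 in memory, read back as 0x01000000
    print("big-endian 1 read as little-endian: 0x%08X"
          % reinterpret_big_endian_as_little(1))
    # 0x80000000 is 00 00 00 80 in memory: it is not 1 in either byte order
    print("0x80000000 in memory:", dword_bytes_le(0x80000000).hex(" "))
```

Running the script on the constructed table reports the half-filled slot address as the fallback-handler candidate and shows that a big-endian 1 reads back as 0x01000000 while 0x80000000 is stored as `00 00 00 80`, which supports the reply's point that the value is an initial stack pointer rather than a byte-swapped constant.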

Maximus
September 17th, 2006, 04:02
yepp!

Indeed, I too wrote it that way in analysis, but when placing all together I must have confused that.

Thank you! I have this weekend to rearrange the content, then

edit----
fix in progress. I hope to make it more understandable. About the 'tip' problem, please note I'm not an English native speaker, so I'm somewhat limited when writing it.

Woodmann
September 17th, 2006, 20:36
Howdy,

I would be honored if you would allow me to re-write it for grammatical errors.

Send me a PM if you desire.

Woodmann