"if possible" is only from my dumb point of view. This does a lot of things differently, but you should be able to do it :). Again, if you have questions or need minor help, I'm always here |
==> |
Oh and last thing: A more difficult version with multilevel VMs is currently waiting for approval. The name is VM_Madness2. So if you are interested and liked this one then the next version should be even more interesting :) |
==> |
As you probably already found out, the instructions are shorts and the values are int64. That way you can calculate where the jumps should go to :) |
==> |
I am not completely sure what you mean, to be honest. I will just post the second VM code so you can see for yourself:
```cpp
// Fragment of the vm2 bytecode as posted (an initializer list of opcode shorts);
// the trailing comments give the instruction each line encodes.
vm2.opcodes.mov, vm2.opcodes.rbx, vm2.opcodes.val, vm_val((i64)key[5], vm2),                        // mov rbx, key[5]
vm2.opcodes.mov, vm2.opcodes.rdx, vm2.opcodes.val, vm_val(69, vm2),                                 // mov rdx, 69
vm2.opcodes.x_or, vm2.opcodes.rdx, vm2.opcodes.reg, vm2.opcodes.rbx,                                // xor rdx, rbx
vm2.opcodes.cmp, vm2.opcodes.reg, vm2.opcodes.rdx, vm2.opcodes.reg, vm2.opcodes.rdx,                // cmp rdx, rdx
vm2.opcodes.mov, vm2.opcodes.rcx, vm2.opcodes.val, vm_val(76, vm2),                                 // mov rcx, 76
vm2.opcodes.je, vm2.opcodes.reg, vm2.opcodes.rcx,                                                   // je rcx
vm2.opcodes.x_or, vm2.opcodes.rax, vm2.opcodes.reg, vm2.opcodes.rax,                                // xor rax, rax
vm2.opcodes.ret,                                                                                    // ret
vm2.opcodes.cmp, vm2.opcodes.val, vm_val((i64)key[6], vm2), vm2.opcodes.val, vm_val((i64)89, vm2),  // cmp key[6], 89
vm2.opcodes.jne, vm2.opcodes.val, vm_val(68, vm2),                                                  // jne 68
vm2.opcodes.mov, vm2.opcodes.rax, vm2.opcodes.val, vm_val(1, vm2),                                  // mov rax, 1
vm2.opcodes.ret                                                                                     // ret
```
==> |
Sporta the new crackme is now waiting for approval. Good luck :) |
==> |
Yeah IDA is pretty powerful but it sometimes distracts from the actual stuff you should look at. |
==> |
Alright. I should be finished with the new crackme by tomorrow. Would you like an extra layer of obfuscation by some free third party software or just "my" obfuscation?
You were a bit too quick with this one here so I would like to level up the difficulty even more :) |
==> |
Damn. I'm not even 20 years old haha |
==> |
Nice, glad to hear haha. Again, I won't use anti-debugging or packing... just a VM + some obfuscation. Give me some time to finish it :). I will notify you when everything is finished up.
Btw, where did you learn RE? |
==> |
Would you be interested in a more challenging version? I am currently working on something |
==> |
Sporta, just saw your solution... Really amazing solution. You really seem to know what you are doing :) |
==> |
You got the key? |
==> |
Idk, maybe you are getting some terms wrong or it's just a language barrier. With a devirtualizer I mean that the custom instruction set I created, which is read by my custom VM, has to be decoded into normal x86-64 instructions. So if you e.g. have something like 0x12, 0xf3, then your devirtualizer should make a "mov" out of it. |
==> |
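A minimal devirtualizer of the kind described above, added here as an illustration and not the crackme author's code: the opcode numbers, operand layout and byte-offset jump convention are assumptions, and the program is a constructed stand-in for the vm2 listing posted earlier in the thread. It decodes the short/int64 stream back into x86-64-style text keyed by byte offset, so the immediates loaded before `je`/`jne` can be matched to the instructions they target.

```python
import struct

# Constructed encoding (assumption; the real opcode numbers and layout are not on the page): opcodes,
# operand kinds and registers are 16-bit shorts, immediates are int64, jump targets are byte offsets.
OPS = {"mov": 0x10, "xor": 0x11, "cmp": 0x12, "je": 0x13, "jne": 0x14, "ret": 0x15}
KIND = {"reg": 0x20, "val": 0x21}
REGS = {"rax": 0x30, "rbx": 0x31, "rcx": 0x32, "rdx": 0x33}
OP_NAMES = {v: k for k, v in OPS.items()}
REG_NAMES = {v: k for k, v in REGS.items()}
# "dst" is a bare register short; "src" is a kind short followed by a register short or an int64.
LAYOUT = {"mov": ("dst", "src"), "xor": ("dst", "src"), "cmp": ("src", "src"), "je": ("src",), "jne": ("src",), "ret": ()}

def assemble(prog):
    """Pack (mnemonic, operands...) tuples into the stream; two passes so labels resolve to offsets."""
    labels = {}
    for _ in range(2):
        out = bytearray()
        for ins in prog:
            if ins[0] == "label":
                labels[ins[1]] = len(out)
                continue
            out += struct.pack("<H", OPS[ins[0]])
            for slot, arg in zip(LAYOUT[ins[0]], ins[1:]):
                if slot == "dst":
                    out += struct.pack("<H", REGS[arg])
                elif arg in REGS:
                    out += struct.pack("<HH", KIND["reg"], REGS[arg])
                else:  # immediate: a label name (0 until pass two) or a plain int64
                    out += struct.pack("<Hq", KIND["val"], labels.get(arg, 0) if isinstance(arg, str) else arg)
    return bytes(out), labels

def devirtualize(code):
    """Walk the stream and return {byte_offset: x86-64-style text}, so jump targets map to instructions."""
    pos, listing = 0, {}
    def take(fmt):
        nonlocal pos
        (v,) = struct.unpack_from(fmt, code, pos)
        pos += struct.calcsize(fmt)
        return v
    def operand():  # kind short first, then a register short or an int64 immediate
        return REG_NAMES[take("<H")] if take("<H") == KIND["reg"] else str(take("<q"))
    while pos < len(code):
        start, name = pos, OP_NAMES[take("<H")]
        args = [REG_NAMES[take("<H")] if slot == "dst" else operand() for slot in LAYOUT[name]]
        listing[start] = name + (" " + ", ".join(args) if args else "")
    return listing

PROGRAM = [  # same shape as the vm2 listing; 65 and 66 are constructed stand-ins for key[5] and key[6]
    ("mov", "rbx", 65), ("mov", "rdx", 69), ("xor", "rdx", "rbx"), ("cmp", "rdx", "rdx"), ("mov", "rcx", "check6"),
    ("je", "rcx"), ("label", "fail"), ("xor", "rax", "rax"), ("ret",), ("label", "check6"), ("cmp", 66, 89),
    ("jne", "fail"), ("mov", "rax", 1), ("ret",)]
```

Running `devirtualize(assemble(PROGRAM)[0])` yields the mov/xor/cmp/je/ret sequence with `mov rcx, 76` resolving to the `cmp 66, 89` at offset 76, which is the kind of target matching the thread is talking about.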
Yes, the ANY- is correct. Very nice! The second part can be a bit harder, but it's obviously the same VM used as the core. |
==> |
Isn't VM == microcomputer in this context? But yeah, it is randomized at the beginning. As a small hint: the code obviously doesn't change at all in its mechanics. The only thing getting more difficult is writing a devirtualizer. If you need a few more little hints you can always ask :) |
==> |
For anyone looking for the complete cleaned up routine (heavy spoiler)
```cpp
#include <cmath>
#include <iostream>

// input: the 16-char key as entered by the user
int keypart1[8] = {};
int keypart2[8] = {};
for (int i = 0; i < 16; i++) {   // split the key in half
    if (i > 7) {
        keypart2[i - 8] = input[i];
    } else {
        keypart1[i] = (int)input[i];
    }
}
int sum = keypart1[0] + keypart1[1] + keypart1[2] + keypart1[3] + keypart1[4]
        + keypart1[5] + keypart1[6] + keypart1[7];
int sum_pow = pow(keypart1[0], 2) + pow(keypart1[1], 2) + pow(keypart1[2], 2) +
              pow(keypart1[3], 2) + pow(keypart1[4], 2) + pow(keypart1[5], 2) +
              pow(keypart1[6], 2) + pow(keypart1[7], 2);
double added_log = 0;
// From here on the post lost its '<' characters to HTML extraction: the loop
// condition and body, the left-hand side of the comparison with 0.00000011920929
// and the std::cout output are missing from the page and are left as posted.
for (int i = 0; i = 0.00000011920929) {
std::cout
```
==> |
I have the entire routine reversed now. The key is 16 chars long and is split in half and then processed. Only thing which seems rather impossible is inverting it. I will try my best now ... |
==> |
I don't get what you are trying to say |
==> |
Very nice crackme. One thing I would suggest is that you make "smaller" instruction steps so the jumptable becomes bigger and harder to RE. Just four instructions is a bit less.
Anyways... Thanks for sharing :) |
==> |