survivalizeed's VM

Author:
survivalizeed

Language:
C/C++

Upload:
2024-04-15 22:51

Download

Platform:
Windows

Difficulty:
4.2

Quality:
5.0

Arch:
x86-64

Downloads:
15

Size:
206.50 KB

Writeups:
1

Comments:
34

Description

A fairly complicated custom VM which supports the most common x86-64 instructions. Why try this crackme? - 100+ lines of custom vm instructions. A lot of RE needs to be done :) - No Anti-Debugging. In my opinion it's just annoying when doing crackmes - No known VM used. Who wants to reverse VMP over and over again - No packing done. Just start your RE without having to care about unpacking the executable Rules: No patching or modifying in the higher levels. Level 1 (Very very easy): Patch the program to be always registered Level 2 (Hard): Find the correct Key Level 3 (Very hard): Write a devirtualizer for the instructions Good luck and let me know if you want a second version.

Comments (34)
Writeups (1)

You must be logged in to post a comment

sporta778 on 2024-04-16 09:58: some activation microcomputer writer's....

survivalizeed on 2024-04-16 12:19: I dont get what you are trying to say

sporta778 on 2024-04-23 20:41: It loudly said VM, i call it microcomputer. i was surprised, but codes changed after restarting application...

survivalizeed on 2024-04-23 20:49: Isnt VM == microcomputer in this context? But yeah it is randomized at the beginning. As a small hint: The code obviously doesnt change at all in its mechanics. Only thing getting more difficult is writing a devirtualizer. If you need a few more little hints you can always ask :)

sporta778 on 2024-04-23 21:32: no no i think i do not ask , i already process first function, and i now started learn second call this function of proccessing codes of microcomputer. i think i can find password and write disassembler. Just ANY- i found. But i think it loudly said that this devirtualizer. I call it disassembler. But maybe i do not understand some abstraction.

sporta778 on 2024-04-23 21:33: okay if it will hard i will ask...

survivalizeed on 2024-04-23 21:50: Yes the ANY- is correct. Very nice! Second part can be a bit harder but its obviously the same vm used as core.

survivalizeed on 2024-04-23 21:53: Idk maybe you are getting some terms wrong or its just a language barrier. With a devirtualizer I mean that the custom instruction set i created which is read by my custom VM has to be decoded in normal x86-64 instructions. So if you e.g have something like 0x12, 0xf3 then your devirtualizer should make a "mov" out of it.

sporta778 on 2024-04-23 22:22: I understand you, but if you will see at this https://crackmes.one/crackme/65f1f892cddae72ae250b57e, i interpret this crackme as microcomputer becouse it microcomputer have RAM (random access memory) and RAM2. I think it no problem call it virtual machine , but for me it is too loudly. This is just my cockroaches.

sporta778 on 2024-04-24 13:56: Hehe... here some secret. Rbx after calling functions of core VM do not changed , but after first call of it function it loaded by zero from eax, in which saved memory0 (but memory0 loaded in first function by zero).Memory0 = qword [rcx] (rcx loaded at input of core function).

sporta778 on 2024-04-24 14:17: sorry no needed , i found it...

survivalizeed on 2024-04-25 18:49: You got the key?

sporta778 on 2024-04-25 20:43: ANY-K$Y $ any symbol , and you can add any string to it, i writed solution, and i send it on site...

sporta778 on 2024-04-28 20:43: if they approval approval , go next

survivalizeed on 2024-05-07 15:40: sporta just saw your solution... Really amazing solution. You really seem to know what you are doing :)

sporta778 on 2024-05-07 18:58: thanks

survivalizeed on 2024-05-08 14:19: Would you be interested in a more challenging version? I am currently working on something

sporta778 on 2024-05-08 14:30: lets go..;)

survivalizeed on 2024-05-08 16:36: nice, glad to hear haha. Again i wont use anti debugging or packing... just a VM + some obfuscation. Give me some time to finish it :). I will notify you when everything is finished up. Btw. Where did you learn RE?

sporta778 on 2024-05-08 16:52: i am odrinary man, from the world by thread..

sporta778 on 2024-05-08 21:12: it is no question where, just when i was young it was interested things like 0 ring, winapi , sockets... but just no place to do with it something.... it was more 20 years ago... just have free time to make these things..

survivalizeed on 2024-05-08 23:48: Damn. Im not even 20 years old haha

sporta778 on 2024-05-08 23:52: ;)

survivalizeed on 2024-05-09 00:28: Alright. I should be finished with the new crackme by tomorrow. Would you like an extra layer of obfuscation by some free third party software or just "my" obfuscation? You were a bit too quick with this one here so I would like to level up the difficulty even more :)

sporta778 on 2024-05-09 00:50: do not hurry and do not worry. if really I'm not experienced in these things. I am even can not work with ida ... etc . Only debugger. I think here a lot cool peoples, but they in silence mode.

survivalizeed on 2024-05-09 01:11: Yeah IDA is pretty powerful but it sometimes distracts from the actual stuff you should look at.

survivalizeed on 2024-05-09 16:17: Sporta the new crackme is now waiting for approval. Good luck :)

sporta778 on 2024-05-09 18:43: ok.

dev0 on 2024-05-10 09:28: Great idea for obfuscating a bytecode VM instruction set!! One question though. My math is probably wrong but the last JNZ instruction in the second run of the VM appears to jump to 0x44 but the JZ R2 (I am saying that space operated on for 0xd mode are registers) a few instructions above jumps to 0x4c. That is 2 instructions under the exit. Which appears to be correct. But the jump 0x44 would be in the middle of the instruction before the exit. Is that 0x44 supposed to be 0x4a?

survivalizeed on 2024-05-10 12:24: I am not completely sure what you mean to be honest. I will just post the second vm code so you can see for yourself: vm2.opcodes.mov, vm2.opcodes.rbx, vm2.opcodes.val, vm_val((i64)key[5], vm2), vm2.opcodes.mov, vm2.opcodes.rdx, vm2.opcodes.val, vm_val(69, vm2), vm2.opcodes.x_or, vm2.opcodes.rdx, vm2.opcodes.reg, vm2.opcodes.rbx, vm2.opcodes.cmp, vm2.opcodes.reg, vm2.opcodes.rdx, vm2.opcodes.reg, vm2.opcodes.rdx, vm2.opcodes.mov, vm2.opcodes.rcx, vm2.opcodes.val, vm_val(76, vm2), vm2.opcodes.je, vm2.opcodes.reg, vm2.opcodes.rcx, vm2.opcodes.x_or, vm2.opcodes.rax, vm2.opcodes.reg, vm2.opcodes.rax, vm2.opcodes.ret, vm2.opcodes.cmp, vm2.opcodes.val, vm_val((i64)key[6], vm2), vm2.opcodes.val, vm_val((i64)89, vm2), vm2.opcodes.jne, vm2.opcodes.val, vm_val(68, vm2), vm2.opcodes.mov, vm2.opcodes.rax, vm2.opcodes.val, vm_val(1, vm2), vm2.opcodes.ret

survivalizeed on 2024-05-10 12:26: As you probably already found out; the instructions are shorts and the values are int64. That way you can calculate where the jumps should go to :)

survivalizeed on 2024-05-10 12:31: Oh and last thing: A more difficult version with multilevel VMs is currently waiting for approval. The name is VM_Madness2. So if you are interested and liked this one then the next version should be even more interesting :)

Mickey-snow on 2024-06-14 02:18: Thank you for providing this crackme! The final jump in vm2 to 0x44 seems off, though, as it would lead to an infinite loop when the sixth character in input isn't 'Y'. Correcting this jump to 0x42 makes more sense as it aligns with setting the return value to 0 and return.

Reall222 on 2025-02-24 16:32: crackme https://files.catbox.moe/fpihsu.rar

You must be logged in to submit a writeup

Solution by sporta778 on 2024-04-25 13:14:
Solution for VM_Madness

Download

crackmes.one

survivalizeed's VM_Madness