sporta778 on 9:58 AM 04/16/2024: some activation microcomputer writer's....
survivalizeed on 12:19 PM 04/16/2024: I don't get what you are trying to say.
sporta778 on 8:41 PM 04/23/2024: It loudly said VM, I call it microcomputer. I was surprised, but the codes changed after restarting the application...
survivalizeed on 8:49 PM 04/23/2024: Isn't VM == microcomputer in this context? But yeah, it is randomized at the beginning. As a small hint: the code obviously doesn't change at all in its mechanics. The only thing getting more difficult is writing a devirtualizer. If you need a few more little hints you can always ask :)
sporta778 on 9:32 PM 04/23/2024: No no, I think I do not ask, I already processed the first function,
and I now started to learn the second call of this function of processing codes of the microcomputer. I think I can find the password and write a disassembler. Just ANY- I found. But I think it loudly said that this is a devirtualizer. I call it a disassembler. But maybe I do not understand some abstraction.
sporta778 on 9:33 PM 04/23/2024: Okay, if it will be hard I will ask...
survivalizeed on 9:50 PM 04/23/2024: Yes, the ANY- is correct. Very nice! The second part can be a bit harder but it's obviously the same VM used as core.
survivalizeed on 9:53 PM 04/23/2024: Idk, maybe you are getting some terms wrong or it's just a language barrier. With a devirtualizer I mean that the custom instruction set I created, which is read by my custom VM, has to be decoded into normal x86-64 instructions. So if you e.g. have something like 0x12, 0xf3 then your devirtualizer should make a "mov" out of it.
sporta778 on 10:22 PM 04/23/2024: I understand you, but if you look at this https://crackmes.one/crackme/65f1f892cddae72ae250b57e, I interpret this crackme as a microcomputer because this microcomputer has RAM (random access memory) and RAM2. I think it is no problem to call it a virtual machine, but for me it is too loud. This is just my cockroaches.
sporta778 on 1:56 PM 04/24/2024: Hehe... here is some secret. Rbx after calling functions of the core VM
does not change, but after the first call of this function it is loaded with zero from eax, in which memory0 is saved (but memory0 is loaded with zero in the first function). Memory0 = qword [rcx] (rcx is loaded at input of the core function).
sporta778 on 2:17 PM 04/24/2024: Sorry, not needed, I found it...
survivalizeed on 6:49 PM 04/25/2024: You got the key?
sporta778 on 8:43 PM 04/25/2024: ANY-K$Y, $ is any symbol, and you can add any string to it. I wrote a solution, and I sent it on the site...
sporta778 on 8:43 PM 04/28/2024: If they approve, go next.
survivalizeed on 3:40 PM 05/07/2024: Sporta, just saw your solution... Really amazing solution. You really seem to know what you are doing :)
sporta778 on 6:58 PM 05/07/2024: thanks
survivalizeed on 2:19 PM 05/08/2024: Would you be interested in a more challenging version? I am currently working on something.
sporta778 on 2:30 PM 05/08/2024: Let's go.. ;)
survivalizeed on 4:36 PM 05/08/2024: Nice, glad to hear haha. Again I won't use anti-debugging or packing... just a VM + some obfuscation. Give me some time to finish it :). I will notify you when everything is finished up.
Btw. Where did you learn RE?
sporta778 on 4:52 PM 05/08/2024: I am an ordinary man, from the world by thread..
sporta778 on 9:12 PM 05/08/2024: It is no question where, just when I was young I was interested in things like ring 0, WinAPI, sockets... but just no place to do something with it.... It was more than 20 years ago... just have free time to make these things..
survivalizeed on 11:48 PM 05/08/2024: Damn. I'm not even 20 years old haha
sporta778 on 11:52 PM 05/08/2024: ;)
survivalizeed on 12:28 AM 05/09/2024: Alright. I should be finished with the new crackme by tomorrow. Would you like an extra layer of obfuscation by some free third-party software or just "my" obfuscation?
You were a bit too quick with this one here so I would like to level up the difficulty even more :)
sporta778 on 12:50 AM 05/09/2024: Do not hurry and do not worry. Really, I'm not experienced in these things. I even cannot work with IDA... etc. Only a debugger. I think there are a lot of cool people here, but they are in silence mode.
survivalizeed on 1:11 AM 05/09/2024: Yeah, IDA is pretty powerful but it sometimes distracts from the actual stuff you should look at.
survivalizeed on 4:17 PM 05/09/2024: Sporta the new crackme is now waiting for approval. Good luck :)
sporta778 on 6:43 PM 05/09/2024: Ok.
dev0 on 9:28 AM 05/10/2024: Great idea for obfuscating a bytecode VM instruction set!!
One question though. My math is probably wrong, but the last JNZ instruction in the second run of the VM appears to jump to 0x44, while the JZ R2 (I am saying that the space operated on for 0xd mode are registers) a few instructions above jumps to 0x4c. That is 2 instructions under the exit, which appears to be correct. But the jump to 0x44 would be in the middle of the instruction before the exit. Is that 0x44 supposed to be 0x4a?
survivalizeed on 12:24 PM 05/10/2024: I am not completely sure what you mean, to be honest. I will just post the second VM code so you can see for yourself:
vm2.opcodes.mov, vm2.opcodes.rbx, vm2.opcodes.val, vm_val((i64)key[5], vm2),
vm2.opcodes.mov, vm2.opcodes.rdx, vm2.opcodes.val, vm_val(69, vm2),
vm2.opcodes.x_or, vm2.opcodes.rdx, vm2.opcodes.reg, vm2.opcodes.rbx,
vm2.opcodes.cmp, vm2.opcodes.reg, vm2.opcodes.rdx, vm2.opcodes.reg, vm2.opcodes.rdx,
vm2.opcodes.mov, vm2.opcodes.rcx, vm2.opcodes.val, vm_val(76, vm2),
vm2.opcodes.je, vm2.opcodes.reg, vm2.opcodes.rcx,
vm2.opcodes.x_or, vm2.opcodes.rax, vm2.opcodes.reg, vm2.opcodes.rax,
vm2.opcodes.ret,
vm2.opcodes.cmp, vm2.opcodes.val, vm_val((i64)key[6], vm2), vm2.opcodes.val, vm_val((i64)89, vm2),
vm2.opcodes.jne, vm2.opcodes.val, vm_val(68, vm2),
vm2.opcodes.mov, vm2.opcodes.rax, vm2.opcodes.val, vm_val(1, vm2),
vm2.opcodes.ret
survivalizeed on 12:26 PM 05/10/2024: As you probably already found out, the instructions are shorts and the values are int64. That way you can calculate where the jumps should go :)
survivalizeed on 12:31 PM 05/10/2024: Oh, and one last thing: a more difficult version with multilevel VMs is currently waiting for approval. The name is VM_Madness2. So if you are interested and liked this one, then the next version should be even more interesting :)
Mickey-snow on 2:18 AM 06/14/2024: Thank you for providing this crackme!
The final jump in vm2 to 0x44 seems off, though, as it would lead to an infinite loop when the sixth character in the input isn't 'Y'. Correcting this jump to 0x42 makes more sense, as it aligns with setting the return value to 0 and returning.