Description
Why try this crackme?
- It again contains 100+ lines of custom instructions
- It uses a 100% self made multilevel VM
- No Anti-Debugging
- No Packing
Your task: Find the correct Key
Rules: No patching, write a devirtualizer if possible
Good Luck and have fun :)
sporta778 on 8:41 PM 05/14/2024: if possible? I am already scared...
survivalizeed on 10:09 AM 05/15/2024: "if possible" is only from my dumb point of view. This does a lot of things differently but you should be able to do it :). Again, if you've got questions or need minor help, I'm always here
sporta778 on 9:32 PM 05/23/2024: sorry survivalizeed, the crackme presented here threw me off track, these cool guys said cool things on forums...
sporta778 on 10:27 PM 05/23/2024: I have some ambitions, but it looks like this does not go according to some things
survivalizeed on 10:14 AM 05/24/2024: no need to apologize. We both do this stuff in our free time so it's up to you and me how we spend it. Do the crackme whenever you want to and only if you want to :)
0x911 on 12:04 PM 06/02/2024: 214 KB? The executable has unnecessary instructions, right?
0x911 on 1:56 PM 06/02/2024: nvm, the executable is named vm_obfuscation
survivalizeed on 3:09 PM 06/03/2024: 0x911 I wouldn't waste time on this if you ain't got decent RE experience :) If you do want to try it and need minor help then I'm here
dev0 on 11:33 AM 06/10/2024: ***** Spoiler *****
AGAIN-ANY-K?Y -- where ? can be any ASCII character (or anything stored in a std::string instance)
Pretty unique idea. If I am wrong I apologize. It looks like you do the random 16 2-byte array but you have 9 of them. You also have a linked list or linked-list-like structure that is 66 bytes before the start of 6 of the random arrays. You first pass that through a function that, I don't know how to word this, unravels the bytecode into the instruction set and stores that in a std::vector instance using the push_back function. The thing that honestly made this easier was it appears it is the same instruction set as the first crackme you created. It took me a few times reading over the functions to realize you were using the modes (12 being immediate value, and 13 being register space) like the first crackme. After I picked up on that, I took a chance and devirtualized the unraveled bytecode with the previous crackme's instruction set. Very nice. I still love the way you are using the array indices as the opcodes vs the value stored there. Using dynamic analysis it would appear the opcodes change with each run. You also did a really good job using pointer manipulation to access the values in the VM. Very clever ideas! Very good crackme!!
sporta778 on 10:56 PM 06/11/2024: I will better write some easier solution, I saw here presents inside more calls later survivalizeed...))) but structure same))
survivalizeed on 8:51 PM 06/12/2024: very nice @dev0. Yeah the core is the same as with the first version. The thing that really changed for this one is that the instruction set gets translated to the instruction set of a different VM which then translates to the instruction set of a different VM etc. It does that a few times until it reaches the "actual" VM which then has to be devirtualized.
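To make the design that dev0's spoiler and the author's reply describe concrete, here is an added toy model, not code from the crackme or from survivalizeed. It is entirely constructed: a level-0 instruction set, a chain of VM levels whose opcodes are table indices (so the numbering changes with the per-run seed), a translation step that pushes a program through each level, the innermost VM that resolves opcodes back through the chain at run time, and a devirtualizer that inverts the chain to recover mnemonics. The mode numbers 12 (immediate) and 13 (register) are borrowed from dev0's note; the mnemonics, register layout, key-check program and the constant 70 are assumptions made for this example.

```python
import random

# Level-0 (readable) instruction set; an instruction's level-0 opcode is its index here.
MNEMONICS = ["MOV", "ADD", "XOR", "CMP", "JNE", "HALT"]
MODE_IMM = 12  # operand is an immediate value (mode numbers as in dev0's note)
MODE_REG = 13  # operand is a register index

def make_level(seed):
    """One VM level is a permuted opcode table: the *index* is this level's
    opcode, the *value* is the opcode one level down.  A different seed (e.g. a
    per-run value) yields a different opcode numbering for the same program."""
    table = list(range(len(MNEMONICS)))
    random.Random(seed).shuffle(table)
    return table

def translate(program, table):
    """Re-encode a program for the level described by `table`: each opcode is
    replaced by the table index that maps back to it."""
    inverse = {below: here for here, below in enumerate(table)}
    return [(inverse[op], dst, mode, src) for op, dst, mode, src in program]

def virtualize(program, tables):
    """Push a level-0 program through every level, outermost table first."""
    for table in tables:
        program = translate(program, table)
    return program

def resolve(op, tables):
    """Map an innermost-level opcode back to its level-0 opcode."""
    for table in reversed(tables):
        op = table[op]
    return op

def devirtualize(program, tables):
    """Lift the fully translated program back to level-0 mnemonics."""
    out = []
    for op, dst, mode, src in program:
        name = MNEMONICS[resolve(op, tables)]
        operand = f"#{src}" if mode == MODE_IMM else f"r{src}"
        out.append(f"{name} {operand}" if name in ("JNE", "HALT") else f"{name} r{dst}, {operand}")
    return out

def run(program, tables, key):
    """The 'actual' VM: dispatches on each opcode after resolving it through the
    table chain.  Key bytes are exposed as r4..r7; r3 == 1 signals success."""
    regs = [0] * 8
    for i, b in enumerate(key.encode()[:4]):
        regs[4 + i] = b
    pc, flag_ne = 0, False
    while 0 <= pc < len(program):
        op, dst, mode, src = program[pc]
        name = MNEMONICS[resolve(op, tables)]
        val = src if mode == MODE_IMM else regs[src]
        pc += 1
        if name == "MOV":
            regs[dst] = val & 0xFF
        elif name == "ADD":
            regs[dst] = (regs[dst] + val) & 0xFF
        elif name == "XOR":
            regs[dst] = (regs[dst] ^ val) & 0xFF
        elif name == "CMP":
            flag_ne = regs[dst] != val
        elif name == "JNE":
            if flag_ne:
                pc = val          # jumping out of range ends the loop (failure)
        elif name == "HALT":
            break
    return regs[3] == 1

# Constructed level-0 key check: fold the 4 key bytes into r0 and compare.
CHECK = [
    (0, 0, MODE_IMM, 0),    # MOV r0, #0
    (1, 0, MODE_REG, 4),    # ADD r0, r4
    (2, 0, MODE_REG, 5),    # XOR r0, r5
    (1, 0, MODE_REG, 6),    # ADD r0, r6
    (2, 0, MODE_REG, 7),    # XOR r0, r7
    (3, 0, MODE_IMM, 70),   # CMP r0, #70   (70 is the checksum of the key "KEY!")
    (4, 0, MODE_IMM, 99),   # JNE #99       (out-of-range pc == fail)
    (0, 3, MODE_IMM, 1),    # MOV r3, #1    (success marker)
    (5, 0, MODE_IMM, 0),    # HALT
]

if __name__ == "__main__":
    tables = [make_level(s) for s in (1, 2, 3)]   # three translation levels
    vm_prog = virtualize(CHECK, tables)
    print("KEY! ->", run(vm_prog, tables, "KEY!"))
    print("AAAA ->", run(vm_prog, tables, "AAAA"))
    print("\n".join(devirtualize(vm_prog, tables)))
```

The point of the model is that every level is just another opcode table, so a devirtualizer only has to recover the tables (statically from the translation functions, or dynamically by watching the dispatch) and compose them; once that is done the innermost bytecode reads exactly like the level-0 program, which is the "same core as the first version" the author mentions.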
survivalizeed on 8:54 PM 06/12/2024: @sporta778 can't wait to see the solution.
If you guys are interested I will try myself with a way more complicated version. This time really complicated. Obfuscation and all the annoying things will be included :)
imeow256 on 12:54 AM 06/26/2024: wow this is quality made, tough one
dredge on 7:41 PM 07/17/2024: by flick own