[keygenme] VM KeygenMe #1

[Hyperlisk]

Well, I been experimenting with writing a little pet VM, just for fun, and I plan on releasing little KeygenMe's as I add new features. Right now it supports quite a few op codes, though not all of them are used in this algo. The EXE is not compressed or protected and it was compiled without optimizations, so it's just straight reversing. I kept the algo simple so that the focus is mainly on actual reversing and figuring out how my VM works. If there's any problems with it, let me know, thanks!

Well, have fun! And here's an example key:

Name: Hyperlisk

Serial: 1C3A-FE0A

VM.zip

Edited May 1, 2010 by Hyperlisk

[BoRoV]

thanx for keygenme

interesting VM, it is yours?

vm_keygen.rar

[Hyperlisk]

thanx for keygenme

interesting VM, it is yours?

Thanks for trying it, your keygen looks good!

Yep, it's my VM, just a little side project I'm working on Nicely done!

[BoRoV]

why your vm is 16 bit, why you dont make x32 VM?

[Hyperlisk]

why your vm is 16 bit, why you dont make x32 VM?

It keeps things interesting That and I don't plan on needing 32-bit addresses anytime. Though I do miss 32-bit registers/operations...

[T-rad]

can anyone explain the proper way to find the routine for this. i've traced thought it a long time and found what appears to be the spot, but am unsure, i wrote a keygen - its seems to work. any tuts on vm would help.

Thanks

T-rad

[deepzero]

can anyone explain the proper way to find the routine for this.

yeah, that would be nice.

Also, mind posting the source for the vm crackme? Would be interesting to some people, i think.

dp0 .)

Edited May 28, 2010 by deepzero

[BoRoV]

this VM is very simple, it has no obfuscation, garbage code and other tricks, to disassemble a pleasure

Edited May 28, 2010 by BoRoV

[Hyperlisk]

yeah, that would be nice.

Also, mind posting the source for the vm crackme? Would be interesting to some people, i think.

dp0 .)

Yeah, no problem. I wasn't sure if you meant the actual VM source or the keygenme source, so I just threw them both in there Just excuse the ugliness Also, I haven't had time to work on this more yet, but I promise there will be more

Also, I'm pretty sure there's some bugs in there too... Like I'm pretty sure I set up my stack frames wrong, so ENTER/LEAVE are probably broken for subroutines needing anything but one parameter lol, and you can't actually adjust the stack pointer in code, either without ENTER/LEAVE, so... Yeah...

Also also: I threw my assembler in there too, it's written in PHP though, so to use it you just do "php PopVM_ASM.php my_source.asm". There's a bug in my lexer too, for the assembler, making it match mnemonics before labels, which I never got around to fixing. I just prefix labels with '@' or '_' as a workaround.

Anyway, here you go, I rambled on much more than I thought I would.

PopVM.zip

Edited May 28, 2010 by Hyperlisk

[T-rad]

this VM is very simple, it has no obfuscation, garbage code and other tricks, to disassemble a pleasure

how did u find the routine???. i thick i found it by plain dumb luck...

[BoRoV]

main handler of all pcode

.text:00402DAF sub_402DAF      proc near               ; CODE XREF: sub_4027ED+13p
.text:00402DAF                 push    ebp
.text:00402DB0                 mov     ebp, esp
.text:00402DB2                 sub     esp, 8
.text:00402DB5                 jmp     short loc_402DBC
.text:00402DB7 ; ---------------------------------------------------------------------------
.text:00402DB7
.text:00402DB7 loc_402DB7:                             ; CODE XREF: sub_402DAF+14j
.text:00402DB7                 call    sub_40273D               ; <-- read instructions from pcode
.text:00402DBC
.text:00402DBC loc_402DBC:                             ; CODE XREF: sub_402DAF+6j
.text:00402DBC                 mov     al, ds:byte_40BA23
.text:00402DC1                 test    al, al
.text:00402DC3                 jz      short loc_402DB7
.text:00402DC5                 mov     eax, ds:VM_Result
.text:00402DCA                 leave
.text:00402DCB                 retn
.text:00402DCB sub_402DAF      endp

[T-rad]

@BoRoV, thanks for the info

it helped alot