Tuts 4 You

[DevirtualizeMe] VMProtect 3.0.9

Question

HellSpider

Difficulty : 8
Language : C++
Platform : Windows 32-bit and 64-bit
OS Version : All
Packer / Protector : VMProtect 3.0.9

Description :

The objective is to interpret virtualized functions in the attached binaries.
No additional options have been used - no memory protection, no import protection and no compression.
The virtualized function(s) will execute when the following key(s) is/are pressed:

VMP32 (V1) : P
VMP32 (V2) : 1 and 2
VMP64 (V1) : P
VMP64 (V2) : 1 and 2

The virtualized functions are not very large.

Detailed information on the interpreting procedure/internals, or a complete solution paper, is preferred.

I will post similar challenges for other protectors if someone supplies me with a recent version (CodeVirtualizer, Themida, Enigma ...).

Accepted solutions:

VMP32 (V1) : @Raham
VMP32 (V2) : @Raham
VMP64 (V1) : @SmilingWolf @fvrmatteo
VMP64 (V2) : @fvrmatteo @SmilingWolf @mrexodia @xSRTsect

Files:

devirtualizeme32_vmp_3.0.9_v1.rar
devirtualizeme32_vmp_3.0.9_v2.rar
devirtualizeme64_vmp_3.0.9_v1.rar
devirtualizeme64_vmp_3.0.9_v2.rar

Screenshot : [image: devirtualizeme32_vmp_3.0.9_v1]
Downpour

Currently working on the VM32 version. My deobfuscator/demutizer (I don't know what to call it) is done and works for both x64 and x32 targets. Currently investing time into the 32-bit VM (works a bit differently than 64-bit?). I've compared it to a target you've posted before and saw that they've stepped up their game with the instruction pointer and such? Instead of using a table hardwritten into memory, they have connected each handler with the following handler like some sort of linked list, and uniquely, which means that there isn't just one handler for "push", for example, but for every push in the code there is a single handler. Therefore you have to analyze every single handler on its own (can be automated I think, but tricky) and see how it reads from the instruction chunk. That's just what I've figured out; maybe it's wrong and there is indeed a table with each handler. Because of using a unique implementation for each VM_OPCODE, it would expand the output a lot, which is really inefficient.

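A constructed toy model of the dispatch style Downpour describes above (added illustration, not VMProtect's code and not Downpour's tool): a stack machine with no central opcode table, where every program site gets its own handler closure that decodes its own operand bytes with its own key and then hands over the next handler. The per-site keys and the XOR masking are assumptions made for the demo.

```python
# Constructed toy: handlers chained to one another, no opcode->handler table.

class VMState:
    def __init__(self, code):
        self.code = code      # the "instruction chunk": operands only, no opcodes
        self.ip = 0
        self.stack = []

def make_push(site_key, nxt):
    """A push handler unique to one program site: it reads a 4-byte operand,
    unmasks it with a per-site key, pushes it, and hands over the next handler."""
    def push(st):
        raw = int.from_bytes(st.code[st.ip:st.ip + 4], "little")
        st.ip += 4
        st.stack.append((raw ^ site_key) & 0xFFFFFFFF)
        return nxt
    return push

def make_add(nxt):
    """An add handler; it reads no operand and only knows its successor."""
    def add(st):
        b, a = st.stack.pop(), st.stack.pop()
        st.stack.append((a + b) & 0xFFFFFFFF)
        return nxt
    return add

def encode_operand(value, site_key):
    """Inverse of the push handler's decoding, used to build the chunk."""
    return ((value ^ site_key) & 0xFFFFFFFF).to_bytes(4, "little")

def run_threaded(first, code):
    """Dispatch loop: there is no opcode fetch; each handler returns the next."""
    st = VMState(code)
    handler = first
    while handler is not None:
        handler = handler(st)
    return st.stack

def demo_result():
    """Program 'push 40; push 2; add': two push sites, two distinct push
    handlers with different keys, chained push1 -> push2 -> add -> end."""
    add = make_add(None)
    push2 = make_push(0xCAFEBABE, add)
    push1 = make_push(0x12345678, push2)
    chunk = encode_operand(40, 0x12345678) + encode_operand(2, 0xCAFEBABE)
    return run_threaded(push1, chunk)
```

Nothing in the chunk says which handler runs next, and reading a push operand through the wrong site's handler yields the wrong value, which is why each handler has to be examined on its own.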
HellSpider
On 9/21/2017 at 7:24 PM, Raham said:

Hi Guys

and here is my solution for the 32-bit one.

devirtualizeme32_vmp_3.0.9_v1_deVM_Raham.zip

PS: my decompiler is in a work-in-progress state, so tell me if you find mistakes in the x86 instructions.

Kind Regards

Well done. :)

I can't say if each instruction matches 100% since I lost my original compiled binaries due to a Windows reinstall. The recompiled binary from the same source code is extremely close. All constants are the same in any case, and the general code flow is in order.

I will accept this solution in the OP.

Raham
9 hours ago, HellSpider said:

Hi HellSpider.

Please post the second challenge for VMP 32-bit.

HellSpider
17 hours ago, Raham said:

Challenge posted.

xSRTsect
Hello.

Who the heck designed the new security requirements for passwords on this forum? It's absolutely insane.

This time I submit a fully devirtualized version of the aforementioned crackme for the 64-bit version of VMP.

Of course, I didn't work on this entirely by myself; it was more like a joint project with other reversers who are no strangers to this forum.

Because we all had the same interests (code deobfuscation / VM devirtualization / unpacking), we decided to create our own group, where we essentially reverse some well-known protectors for PE files.

Current group members:

@fvrmatteo
@SmilingWolf
@mrexodia
@xSRTsect
@Raham
@root
@Downpour

People involved in the coding of the 64-bit VMP devirtualization tool:

@fvrmatteo, @SmilingWolf, @mrexodia, @xSRTsect.

The tools will never be released.

There is a tiny chance that an outsider can join our group IFF you have pwned an interesting protector and are willing to share your insight with our group, or you are willing to impress us with some mad unpacking / deobfuscation skills.

Best Regards,

The European Reversers Alliance.

Edit: Added gay @ symbols to the nicknames (some people really wanted that). And added a more gay version of the devirtualized binary, which is essentially the same but with the devirtualized functions linked statically.

devirtualized.rar

inlined_version_ERA.7z

HellSpider

On 5/23/2018 at 3:47 AM, xSRTsect said:

Results from quick value tests compared to my published file:

Devirtualized = Key#1 = different | Key#2 = different
Inlined version = Key#1 = ok | Key#2 = different

Did these work on your systems?

xSRTsect
1 hour ago, HellSpider said:

I think I know what the problem was. Would you try this again? If it doesn't work for proc2 then please supply your register state after executing CPUID.

devirtualizeme64_vmp_3.0.9.inlined_fx.exe

HellSpider
3 hours ago, xSRTsect said:
Still no. CPUID state:

RAX : 000000000000000B
RBX : 00000000756E6547
RCX : 000000006C65746E
RDX : 0000000049656E69
RBP : 000000014000F7F8
RSP : 000000000014F9E0
RSI : 0000000000000000
RDI : 0000000080006010
R8  : 0000000000000000
R9  : 0000000000030001
R10 : 000000000025042E
R11 : 0000000000000246
R12 : 000000000025042E
R13 : 0000000000000100
R14 : 0000000000000000
R15 : 0000000000000000

Hint (spoiler):

Check the compare conditions for which branch is to be executed based on the CPUID result.

deepzero
Quote:

The European Reversers Alliance.

Ah, I like it! Some fresh spirits!

If you don't mind, I would love to know what your general approach is in your tool. Is it a direct attack on VMP's VM implementation or a trace-and-deobfuscate approach?

VirtualPuppet
7 hours ago, deepzero said:

Since VMProtect is one of the easier protectors to devirtualize (since the VM is very simple), I assume they targeted VMP specifically.

They probably use basic compiler theory to collapse instruction expansions and then categorize VM handlers based on patterns. Thereafter the rest is easy: trace a function's P-code to determine the handler chain, then again use compiler theory to determine the x86 equivalent of the stack machine code.

For my own devirtualizer, I went with a much different approach; I wrote an Intel/AMD x86(_64) CPU simulator and use it to interpret my data for a full trace that allows branch prediction in real time. This significantly narrows things down, and after that I just have to "reduce" the instruction set. When this is done, I can categorize handlers based on a specific method I came up with, which I won't disclose here, as it seems to work for all VMP versions and I don't want to damage VMP in any way. And once they're categorized, I run them through my converter for the restored code.

The smart thing about the CPU simulator is that I can also unpack using this method, and it will make sure malware does not impact me :)

 

HellSpider
15 hours ago, xSRTsect said:

Well, I am very sorry about this. But let me tell you why we are having all these fails: it turns out that our tool produces correct code, however not pretty enough, so what we did was to 'reverse' this code a little and re-write its logic in a more compact/appealing asm program. Unfortunately we are only human, and so I happened to copy a few values incorrectly, namely the second if is <0xa and not 0xd (I seriously have no clue what this value was doing there). Hopefully this time for the win,

devirtualizeme64_vmp_3.0.9.inlined_fx_.exe

This one is completely restored, the instruction order and used registers are fairly similar too. Good job!

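An added worked example (not code from the thread or from the ERA tool) that decodes the CPUID register state HellSpider posted above and shows why the copied constant mattered: with the posted values, an "is the result below 0xd" test and an "is it below 0xa" test take different branches. The dump lines are copied from the post as constructed input; that the compare is an unsigned test against the leaf-0 EAX value is an assumption.

```python
import re

# Copy of the register values HellSpider posted (constructed test input;
# only the four registers that carry the CPUID leaf-0 result are kept).
CPUID_DUMP = """\
RAX : 000000000000000B
RBX : 00000000756E6547
RCX : 000000006C65746E
RDX : 0000000049656E69
"""

def parse_register_dump(text):
    """Parse 'REG : HEX' lines into a dict of integer register values."""
    regs = {}
    for m in re.finditer(r"^\s*(R[A-Z0-9]+)\s*:\s*([0-9A-Fa-f]+)\s*$", text, re.M):
        regs[m.group(1)] = int(m.group(2), 16)
    return regs

def cpuid_vendor(regs):
    """Leaf 0 returns the vendor string in EBX, EDX, ECX (in that order),
    four ASCII bytes per register, lowest byte first."""
    chunks = [(regs[r] & 0xFFFFFFFF).to_bytes(4, "little") for r in ("RBX", "RDX", "RCX")]
    return b"".join(chunks).decode("ascii")

def max_basic_leaf(regs):
    """Leaf 0 returns the highest supported basic leaf in EAX."""
    return regs["RAX"] & 0xFFFFFFFF

def branch_taken(regs, threshold):
    """Model an unsigned 'eax < threshold' test on the leaf-0 result
    (assumption: that is the shape of the compare the hint refers to)."""
    return max_basic_leaf(regs) < threshold

def compare_thresholds(regs, correct=0xA, mistyped=0xD):
    """Evaluate the compare with the value from the post (<0xa) and the
    value that was copied by mistake (0xd) and report whether they diverge."""
    lt_correct = branch_taken(regs, correct)
    lt_mistyped = branch_taken(regs, mistyped)
    return {
        "vendor": cpuid_vendor(regs),
        "max_leaf": max_basic_leaf(regs),
        "lt_correct": lt_correct,
        "lt_mistyped": lt_mistyped,
        "diverge": lt_correct != lt_mistyped,
    }
```

On the posted dump this decodes to GenuineIntel with a maximum basic leaf of 0xB, which is below 0xD but not below 0xA, so a build with the wrong constant follows a different branch on that machine than the original.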
xSRTsect
12 hours ago, deepzero said:

I would love to tell everyone everything, but it's evident by now that the VMP developers read this forum and tailor their compiler/packer to break the tools produced here.

(See for instance how Raham's resource protection memory hack using traverse-then-decrypt of the resource tree tool was rendered useless within a very short period of time after release).

I am not trying to protect the vmp developers or anything, I don't really care about them.

deepzero

Quote:

they have connected each handler with the following handler like some sort of linked list and unique

It's called threading / threaded execution.

 

Edit: disregard, putting downvoted posts at the end of the thread successfully confused me.

HellSpider
On 11/12/2018 at 4:25 PM, Raham said:

Hi.

It's months after challenge v2, but I had free time just now to work on the target.

Results of both Key 1 & 2 are identical compared to the protected file.

Kind Regards

devirtualizeme32_vmp_3.0.9_v2_DeVM_Final_OK.exe

Excellent. Instructions were fine. Good job!

HostageOfCode

Hi fvrmatteo,

Congratulations. Is your solution a script for Olly or a tool? I mean, does it work for ring0 VMP-protected drivers too? Does it devirtualize functions in ring0 too?
