Posted

Difficulty : 7
Language : C/C++
Platform : Windows 32-bit and 64-bit
OS Version : All
Packer / Protector : Obsidium 1.5.2 Build 11

Description :

The objective is to interpret and reconstruct a single procedure that has been virtualized.
No additional options have been used.
The virtualized function will execute when key 'P' is pressed.

Detailed information on the interpreting procedure/internals or a complete solution paper is preferable.

I will post similar challenges for other protectors if someone supplies me with a recent version (CodeVirtualizer, Themida, VMProtect, Enigma ...).

Screenshot :

[Screenshot: devirtualizeme_obsidium_1.5.2_2017-05-18_18-43-54.png]

devirtualizeme_obsidium_1.5.2.rar

Edited by HellSpider

  • 1 month later...

Thank you very much. When I finish the exams, I'll try to get on with it. It is a shame that there is little information on this protection when it seems very well programmed and with constant updates. I have only seen previous versions in a very specific German music program. Now I would like to see how well the VM is implemented and how difficult it is.

  • Author
4 minutes ago, nek0 said:

Thank you very much. When I finish the exams, I'll try to get on with it. It is a shame that there is little information on this protection when it seems very well programmed and with constant updates. I have only seen previous versions in a very specific German music program. Now I would like to see how well the VM is implemented and how difficult it is.

I agree, there is very little information about the internals of this protector, especially the VM internals.
Unfortunately, I cannot afford to allocate time for VM interpretation at the moment, which is part of why I have made these challenges.
I'm looking forward to attempts on this challenge. :)

  • 5 months later...

I'm not good at English.
So I used a translator.
I was thinking about doing some research on virtualization, but I think it's going to be a very daunting task.
I didn't pull out the exact same code.

    lea eax,dword ptr [ebp-8]           ; eax = &nSize
    push eax                            ; arg 2: lpnSize
    mov dword ptr [ebp-8],0x104         ; nSize = 0x104 characters
    mov esi,0x104
    lea eax,dword ptr [ebp-0x210]       ; eax = name buffer (UTF-16)

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;push ecx
    ;push ebx
    ;push edx
    ;push eax
    ;mov eax,1
    ;cpuid
    ;add eax,edx
    ;add eax,ecx
    ;sub eax,[2770C2C]
    ;test eax,eax
    ;je ???
    ;pop eax
    ;pop edx
    ;pop ebx
    ;pop ecx
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;obsidium code?

    push eax                            ; arg 1: lpBuffer
    call [0x40E070] ;GetComputerNameW   ; on success [ebp-8] = name length in characters
    test eax,eax
    je @error
    movzx eax, word ptr [ebp-0x210]     ; eax = first character of the name
    xor ecx,ecx                         ; ecx = character index
    xor eax,0x5E484C
    ror eax,0x1B
    xor eax,0x1F
    not eax                             ; initial state derived from name[0]

    @here:                              ; loop over name[1..len-1]
    inc ecx
    cmp ecx,[ebp-8]
    jae @exit
    imul eax, eax, 0x1B
    mov [ebp-4],eax                     ; redundant store/reload (VM artifact)
    mov eax,[ebp-4]
    ror eax,3

    mov [ebp-4],eax
    movzx eax, word ptr [ebp+ecx*2-0x210] ; eax = name[ecx]
    and eax,1                           ; only the lowest bit of each character is used
    add eax,[ebp-0x4]
    ror eax,1
    and eax,0x7FFFFFFF
    sub eax,0xE77B
    mov [ebp-4],eax
    rol dword ptr [ebp-0x4], 0x7
    mov eax,[ebp-4]
    jmp @here

    @exit:
    xor eax,0x4D17B1C5

    mov ???,eax                         ; ??? = copy of eax
    ror eax,8
    ror ???,0x18
    and eax,0xff00ff00
    and ???,0x00ff00ff ; why.... why!!! The register was not found

    add eax,???                         ; the ror/and/add sequence above equals bswap eax

    push eax                            ; formatting call, 4 args: buffer, size, 0x412970, value
    push 0x412970
    mov [ebp-4],eax
    push esi
    lea eax,[ebp-0x418]
    push eax
    call 0x401000
    add esp,0x10                        ; cdecl: caller removes the 4 args
    mov eax,eax                         ; effectively a nop
    push 0x40                           ; uType = MB_ICONINFORMATION
    mov ebp,ebp                         ; effectively a nop
    push 0x4128e8                       ; lpCaption
    lea eax,[ebp-0x418]
    push eax                            ; lpText = formatted buffer
    mov eax,[0x415f08]
    push dword ptr [eax+0x8]            ; hWnd
    call [0x40E168] ;MessageBoxW
    jmp @end
    @error:
    push 0x40
    push 0x4128e8
    push 0x412a08 ;failed to calculate control value!
    mov eax,[0x415f08]
    push dword ptr [eax+0x8]
    call [0x40E168] ;MessageBoxW
    @end:
    pop esi
    mov esp, ebp
    pop ebp
    ret

It has become a good study.
But I think it is too hard.

Edited by karan
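A C reimplementation of the control-value routine as karan reconstructed it above, added here as an illustration and not code from the challenge binary or from karan. It assumes the unknown "???" register is a scratch copy of eax, which makes the ror/and/add tail a plain byte swap, and checks that reading against a reference bswap; the sample computer name is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit rotates with the same semantics as x86 ror/rol in the listing. */
static uint32_t ror32(uint32_t x, unsigned n) { n &= 31; return n ? (x >> n) | (x << (32 - n)) : x; }
static uint32_t rol32(uint32_t x, unsigned n) { n &= 31; return n ? (x << n) | (x >> (32 - n)) : x; }

/* The tail of the listing, assuming "???" holds a copy of eax. */
static uint32_t byteswap_as_listed(uint32_t eax) {
    uint32_t tmp = eax;                 /* mov ???,eax        */
    eax = ror32(eax, 8);                /* ror eax,8          */
    tmp = ror32(tmp, 0x18);             /* ror ???,0x18       */
    eax &= 0xff00ff00u;                 /* and eax,0xff00ff00 */
    tmp &= 0x00ff00ffu;                 /* and ???,0x00ff00ff */
    return eax + tmp;                   /* add eax,???        */
}

/* Reference byte swap used to check the identity above. */
static uint32_t bswap32_ref(uint32_t x) {
    return (x >> 24) | ((x >> 8) & 0xff00u) | ((x << 8) & 0xff0000u) | (x << 24);
}

/* Control value over a UTF-16 computer name of len characters
 * (len is the count GetComputerNameW stores in [ebp-8]); name[0] is
 * read unconditionally, exactly as the listing does. */
uint32_t control_value(const uint16_t *name, uint32_t len) {
    uint32_t eax = name[0];
    eax = ~(ror32(eax ^ 0x5E484Cu, 0x1B) ^ 0x1Fu);          /* initial state */
    for (uint32_t ecx = 1; ecx < len; ecx++) {               /* @here loop */
        eax = ror32(eax * 0x1Bu, 3);
        eax = ror32((name[ecx] & 1u) + eax, 1) & 0x7FFFFFFFu; /* only bit 0 of each char */
        eax = rol32(eax - 0xE77Bu, 7);
    }
    return byteswap_as_listed(eax ^ 0x4D17B1C5u);            /* @exit */
}

int main(void) {
    const uint16_t name[] = { 'A', 'B' };   /* constructed sample name */
    printf("control value for \"AB\": %08X\n", control_value(name, 2));
    return 0;
}
```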
