[DevirtualizeMe] Obsidium 1.5.2 Build 11

[HellSpider]

Difficulty : 7
Language : C/C++
Platform : Windows 32-bit and 64-bit
OS Version : All
Packer / Protector : Obsidium 1.5.2 Build 11

Description :

The objective is to interpret and reconstruct 1 single procedure that has been virtualized.
No additional options have been used.
The virtualized function will execute when key 'P' is pressed.

Detailed information of the interpreting procedure/internals or a complete solution paper is preferable.

I will post similar challenges for other protectors if someone supplies me with a recent version (CodeVirtualizer, Themida, VMProtect, Enigma ...).

Screenshot :

devirtualizeme_obsidium_1.5.2.rar

Edited May 18, 2017 by HellSpider

[nek0]

Thank you very much. When I finish the exams, I'll try to get on with it. It is a shame that there is little information on this protection when it seems very well programmed and with constant updates. I have only seen previous versions in a very specific German music program. Now I would like to see how well the VM is implemented and how difficult it is.

[HellSpider]

4 minutes ago, nek0 said:

Thank you very much. When I finish the exams, I'll try to get on with it. It is a shame that there is little information on this protection when it seems very well programmed and with constant updates. I have only seen previous versions in a very specific German music program. Now I would like to see how well the VM is implemented and how difficult it is.

I agree, there is very little information about the internals of this protector, especially the VM internals.
Unfortunately, I cannot afford to allocate time for VM interpretation at the moment, which is part to why I have made these challenges.
I'm looking forward to attempts on this challenge.

[karan]

I'm not good at English.
So I used a translator.
I was thinking about doing some research on virtualization, but I think it's going to be a very daunting task.
I didn't pull out the exact same code.

 

    lea eax,dword ptr [ebp-8]
    push eax
    mov dword ptr [ebp-8],0x104
    mov esi,0x104
    lea eax,dword ptr [ebp-0x210]
    
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;push ecx
    ;push ebx
    ;push edx
    ;push eax
    ;mov eax,1
    ;cpuid
    ;add eax,edx
    ;add eax,ecx
    ;sub eax,[2770C2C]
    ;test eax,eax
    ;je ???
    ;pop eax
    ;pop edx
    ;pop ebx
    ;pop ecx
   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;obsidium code?

    push eax
    call [0x40E070] ;GetComputerNameW
    test eax,eax
    je @error
    movzx eax, word ptr [ebp-0x210]
    xor ecx,ecx
    xor eax,0x5E484C
    ror eax,0x1B
    xor eax,0x1F
    not eax

    @here:
    inc ecx
    cmp ecx,[ebp-8]
    jae @exit
    imul eax, eax, 0x1B
    mov [ebp-4],eax
    mov eax,[ebp-4]
    ror eax,3

    mov [ebp-4],eax
    movzx eax, word ptr [ebp+ecx*2-0x210]
    and eax,1
    add eax,[ebp-0x4]
    ror eax,1
    and eax,0x7FFFFFFF
    sub eax,0xE77B
    mov [ebp-4],eax
    rol dword ptr [ebp-0x4], 0x7
    mov eax,[ebp-4]
    jmp @here

    @exit:
    xor eax,0x4D17B1C5
    mov ???,eax
    ror eax,8
    ror ???,0x18
    and eax,0xff00ff00
    and ???,0x00ff00ff ; why.... why!!! The register was not found
    add eax,???

    push eax
    push 0x412970
    mov [ebp-4],eax
    push esi
    lea eax,[ebp-0x418]
    push eax
    call 0x401000
    add esp,0x10
    mov eax,eax
    push 0x40
    mov ebp,ebp
    push 0x4128e8
    lea eax,[ebp-0x418]
    push eax
    mov eax,[0x415f08]
    push dword ptr [eax+0x8]
    Call [0x40E168] ;MessageBoxW
    jmp @end
    @error:
    push 0x40
    push 0x4128e8
    push 0x412a08 ;failed to calculate control value!
    mov eax,[0x415f08]
    push dword ptr [eax+0x8]
    Call [0x40E168] ;MessageBoxW
    @end:
    pop esi
    mov esp, ebp
    pop ebp
    ret

It has become a good study.
But I think it is too hard.

 

 

 

Edited January 4, 2018 by karan

[karan]

2 hours ago, karan said:

I'm not good at English.
So I used a translator.
I was thinking about doing some research on virtualization, but I think it's going to be a very daunting task.
I didn't pull out the exact same code.

 

    lea eax,dword ptr [ebp-8]
    push eax
    mov dword ptr [ebp-8],0x104
    mov esi,0x104
    lea eax,dword ptr [ebp-0x210]
    
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;push ecx
    ;push ebx
    ;push edx
    ;push eax
    ;mov eax,1
    ;cpuid
    ;add eax,edx
    ;add eax,ecx
    ;sub eax,[2770C2C]
    ;je ???
    ;pop eax
    ;pop edx
    ;pop ebx
    ;pop ecx
   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;obsidium code?

    push eax
    call [0x40E070] ;GetComputerNameW
    test eax,eax
    je @error
    movzx eax, word ptr [ebp-0x210]
    xor ecx,ecx
    xor eax,0x5E484C
    ror eax,0x1B
    xor eax,0x1F
    not eax

    @here:
    inc ecx
    cmp ecx,[ebp-8]
    jae @exit
    imul eax, eax, 0x1B
    mov [ebp-4],eax
    mov eax,[ebp-4]
    ror eax,3

    mov [ebp-4],eax
    movzx eax, word ptr [ebp+ecx*2-0x210]
    and eax,1
    add eax,[ebp-0x4]
    ror eax,1
    and eax,0x7FFFFFFF
    sub eax,0xE77B
    mov [ebp-4],eax
    rol dword ptr [ebp-0x4], 0x7
    mov eax,[ebp-4]
    jmp @here

    @exit:
    xor eax,0x4D17B1C5
    mov ???,eax
    ror eax,8
    ror ???,0x18
    and eax,0xff00ff00
    and ???,0x00ff00ff ; why.... why!!! The register was not found
    add eax,???

    push eax
    push 0x412970
    mov [ebp-4],eax
    push esi
    lea eax,[ebp-0x418]
    push eax
    call 0x401000
    add esp,0x10
    mov eax,eax
    push 0x40
    mov ebp,ebp
    push 0x4128e8
    lea eax,[ebp-0x418]
    push eax
    mov eax,[0x415f08]
    push dword ptr [eax+0x8]
    Call [0x40E168] ;MessageBoxW
    jmp @end
    @error:
    push 0x40
    push 0x4128e8
    push 0x412a08 ;failed to calculate control value!
    mov eax,[0x415f08]
    push dword ptr [eax+0x8]
    Call [0x40E168] ;MessageBoxW
    @end:
    pop esi
    mov esp, ebp
    pop ebp
    ret

It has become a good study.
But I think it is too hard.