Jump to content
Tuts 4 You

VMProtect v3.5.0.1213


whoknows

Recommended Posts

whoknows

VMProtect v3.5.0.1213


Try to unpack or alternatively provide a serial. If there is no solution provided by Saturday 11am (GMT+0) I will attach the same without debugger detection.

Protections used:

Debugger detection (User-mode + Kernel-mode)

Ultra (Mutation + Virtualization)


 

Edited by whoknows (see edit history)
  • Like 1
Link to post
  • 3 weeks later...
tungtruong20xx
On 8/23/2020 at 9:51 PM, sirp said:

First step :)

 

 

dump.JPG

can u help me solution :( 

Link to post
BataBo

Here is one of the solutions:

Spoiler

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACsbHDTcxIP0LWYgmPM663d4ylbijmKAs0o0gXodxQEb

It uses cryptography to decrypt a string provided withing the key,key also contains RV and salt,which I both set to all \0,if it succeeds then it prints hi <DecrytpedString> thanks for registering,if it fails it prints invalid serial

 

Edit:

Decrypted Validate function:

Spoiler

ValidateFunc.png.81d689de80e36125f19de28f995784fd.png

 

Edited by BataBo (see edit history)
Link to post
AzoresRCE
On 8/23/2020 at 3:51 PM, sirp said:

First step :)

 

 

dump.JPG

clean mutations to fully complete

  • Haha 1
Link to post

Fun challenge. I went for finding just the key algorithm rather than fully devirtualizing, but the code is pretty clear. Here some sample keys:

Spoiler

whoknows: DkkLJ5UOI5DizM/Z7UhGQRt3dsR+OeyHlNNcQgmgFERdCXocbP6A3pMWWkhwqxLSMKEBN90qktRdhJPCsuCHQtm6M1GdlMtcFhkW5L+YTeaT3JAeZ+GTofwXKiD9ATdd

washi: t4t7484q1B32mDFo36MW6MCKEWef3WYzd6W/6Gq9K7OPGJDkMC8DBs3jQEX5KfW5basCKM4fo9klSGwoauyyOL4FCXtz5hcdTYLPVRpWIWi+CIgPv/36P9iEuU5l0Nnu

tuts4you: bX3YxhIyuJGGC5q7nCA5Ta8Ger+7AuRwdLe+58Pam+AwB9h8US6mO/NwosOE6DwEDx55ZHHzfGqZaFJbc9DNq3ZZv+pkwKhd5Vt3j3WpVFxTyhBxIflEAaymH08V5FqD

Approach:

Spoiler
  • Notice Validate is virtualized using VMP, and returns a string which is later displayed. => returned value is probably the name.
  • Notice that VM reads code using method  0x06000046. Also notice that field  0x04000048 is the virtual program counter and field 0x0400004A contains the stack.
  • Use this harmony script to perform a VM trace that dumps the program counter, stack contents and calls.
  • First run with garbage data reveals it requires a base64 string.
  • Second run, with a random base64 string reveals the key consists of three parts: first and second part are both 32 bytes, the rest is of arbitrary length.
  • Third run with hex data 00010203...4b4c4d4e4f reveals all that is necessary to create a keygen (full trace https://pastebin.com/Qcc2ULc6)
  • Notice it creates a new instance of Rfc2898DeriveBytes using 'tetris' as password, the first 32 bytes of the serial as salt, and 1000 iterations
  • Notice it creates a new instance of RijndaelManaged with blocksize = 256, mode = CBC, padding = PKCS7, and IV = the second part of the serial.
  • Notice it attempts to decrypt the remaining part of the serial using this instance of RijndaelManaged.
  • Keygen is simply doing the reverse of all operations in the trace.
  • Notice the decrypted data is returned and displayed => encrypted data is username encrypted using the same algorithm.

Keygen.7z

Edited by Washi (see edit history)
  • Like 1
  • Thanks 5
Link to post
BataBo
16 hours ago, Washi said:

Fun challenge. I went for finding just the key algorithm rather than fully devirtualizing, but the code is pretty clear. Here some sample keys:

  Hide contents

whoknows: DkkLJ5UOI5DizM/Z7UhGQRt3dsR+OeyHlNNcQgmgFERdCXocbP6A3pMWWkhwqxLSMKEBN90qktRdhJPCsuCHQtm6M1GdlMtcFhkW5L+YTeaT3JAeZ+GTofwXKiD9ATdd

washi: t4t7484q1B32mDFo36MW6MCKEWef3WYzd6W/6Gq9K7OPGJDkMC8DBs3jQEX5KfW5basCKM4fo9klSGwoauyyOL4FCXtz5hcdTYLPVRpWIWi+CIgPv/36P9iEuU5l0Nnu

tuts4you: bX3YxhIyuJGGC5q7nCA5Ta8Ger+7AuRwdLe+58Pam+AwB9h8US6mO/NwosOE6DwEDx55ZHHzfGqZaFJbc9DNq3ZZv+pkwKhd5Vt3j3WpVFxTyhBxIflEAaymH08V5FqD

Approach:

  Reveal hidden contents
  • Notice Validate is virtualized using VMP, and returns a string which is later displayed. => returned value is probably the name.
  • Notice that VM reads code using method  0x06000046. Also notice that field  0x04000048 is the virtual program counter and field 0x0400004A contains the stack.
  • Use this harmony script to perform a VM trace that dumps the program counter, stack contents and calls.
  • First run with garbage data reveals it requires a base64 string.
  • Second run, with a random base64 string reveals the key consists of three parts: first and second part are both 32 bytes, the rest is of arbitrary length.
  • Third run with hex data 00010203...4b4c4d4e4f reveals all that is necessary to create a keygen (full trace https://pastebin.com/Qcc2ULc6)
  • Notice it creates a new instance of Rfc2898DeriveBytes using 'tetris' as password, the first 32 bytes of the serial as salt, and 1000 iterations
  • Notice it creates a new instance of RijndaelManaged with blocksize = 256, mode = CBC, padding = PKCS7, and IV = the second part of the serial.
  • Notice it attempts to decrypt the remaining part of the serial using this instance of RijndaelManaged.
  • Keygen is simply doing the reverse of all operations in the trace.
  • Notice the decrypted data is returned and displayed => encrypted data is username encrypted using the same algorithm.

Keygen.7z 7.15 kB · 7 downloads

Are you sure it's correct,the key isn't 'tetris' the key is 'duck',keys provided above don't work.

Link to post
kao

I think Washi's solution is actually for 

 

At least, the provided keys work for that executable. :)

 

  • Like 1
Link to post
3 hours ago, BataBo said:

Are you sure it's correct,the key isn't 'tetris' the key is 'duck',keys provided above don't work.

Whoops you are completely right, I posted my reply to the wrong vmp crackme/unpackme challenge thread. @whoknows has made two threads :D

This one is actually easier, since code is pretty much readable (after you dumped it from memory that is). And yea, the password for this one is indeed "duck" rather than tetris. :)

 

Edited by Washi (see edit history)
  • Like 2
Link to post
  • 3 weeks later...
  • 4 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...