Tuts 4 You

ClumsyVM

Go to solution Solved by Washi,

Recommended Posts

ClumsyVM

This is my clumsy virtual machine ðŸ˜ƒ

Goals:

Bronze - Patch the crackme to show the correct message

Silver - Bronze + explain how the virtualized code works

Gold - Silver + write a totally different virtualized code to pass the check

• Submitter
• Submitted
01/31/2021
• Category

Share on other sites

Are you absolutely sure this is doable without bruteforce? After spending some hours on analyzing and devirtualizing, this crackme feels very much like a "guess-what-the-author-wanted-you-to-do" challenge, rather than an actual reverse engineering challenge where we have to infer the password based on the code. In the spoiler some more detailed info of why I think this is the case.

Spoiler

As far as I can tell, bronze is not possible without a good understanding of what the virtualized functions compute, since the good boy message is decrypted with the result of the virtualized code used as a key. Sure, 3DES and MD5 are obsolete cryptographic schemes, but I doubt the goal of the challenge is to break 3DES or MD5.

After one day of analysing the binary, I think I have a very good understanding of the (horribly inefficient ðŸ˜›) virtual machine. Without spoiling too much before a proper writeup, the virtualized code computes some static hardcoded mathematical expression. The problem is that this expression is not dependent on any kind of user input (unless the initial state of the virtual memory and registers is considered the input?), nor does it contain any comparison or other kind of hint or clue that would tell me what to even do with this machine (it's just some random maths expression that returns a random integer, that is not further verified before plugged in as a decryption key). Furthermore, since the decryption key is the concatenation of the final states of the virtual 32-bit registers 2, 4 and 7 (of which 2 and 4 are the "special" pc and sp registers), I fail to see how this is doable without some form of guess work, bruteforce of the correct value of r7, or some form of user input that would allow us to compute the final key.

For the sake of not spoiling too much, lmk if you need more information via DMs.

EDIT:

Spoiler

Seems like bruteforce is one of the ways to solve it, which is kind of lame in my opinion. Also your crackme has multiple solutions (though only one seems to be ascii text). Not sure if this was intended or not.

Â Â

I will try to get a proper writeup / description on the VM tomorrow.

Â

Edited by Washi
• 6
Share on other sites

11 hours ago, Washi said:

Are you absolutely sure this is doable without bruteforce? After spending some hours on analyzing and devirtualizing, this crackme feels very much like a "guess-what-the-author-wanted-you-to-do" challenge, rather than an actual reverse engineering challenge where we have to infer the password based on the code. In the spoiler some more detailed info of why I think this is the case.

Â  Hide contents

As far as I can tell, bronze is not possible without a good understanding of what the virtualized functions compute, since the good boy message is decrypted with the result of the virtualized code used as a key. Sure, 3DES and MD5 are obsolete cryptographic schemes, but I doubt the goal of the challenge is to break 3DES or MD5.

After one day of analysing the binary, I think I have a very good understanding of the (horribly inefficient ðŸ˜›) virtual machine. Without spoiling too much before a proper writeup, the virtualized code computes some static hardcoded mathematical expression. The problem is that this expression is not dependent on any kind of user input (unless the initial state of the virtual memory and registers is considered the input?), nor does it contain any comparison or other kind of hint or clue that would tell me what to even do with this machine (it's just some random maths expression that returns a random integer, that is not further verified before plugged in as a decryption key). Furthermore, since the decryption key is the concatenation of the final states of the virtual 32-bit registers 2, 4 and 7 (of which 2 and 4 are the "special" pc and sp registers), I fail to see how this is doable without some form of guess work, bruteforce of the correct value of r7, or some form of user input that would allow us to compute the final key.

For the sake of not spoiling too much, lmk if you need more information via DMs.

EDIT:

Â  Hide contents

Seems like bruteforce is one of the ways to solve it, which is kind of lame in my opinion. Also your crackme has multiple solutions (though only one seems to be ascii text). Not sure if this was intended or not.

Â Â

I will try to get a proper writeup / description on the VM tomorrow.

Â

You are right, bronze is possible only with bruteforcing, but it is not true that bruteforce is the only option to pass the check(no guessing Is needed)

This virtual machine is horribly inefficient: absolutely true. This is due to twoÂ things:
1) There is a "a sort of"Â of obfuscationÂ in the virtualized code.
2) The architecture is designed to be inefficient! (it is not my fault!!, when i will get a valid solution i will explain why).

You say this is a "guess-what-the-author-wanted-you-to-do": it's not nice to say certain things, especially when this is not true. The fact that there is no explicit input does not imply what you are saying.Â  Your partial understanding of the VM behavior leads you to say this, trust me!

Â

None of the protections used in the challenge i posted on tuts4you or any other reversing forum is intended for production use. So "orribly inefficient" does not mean anything to me, it is exactly as i wanted It to be.Â

However, congratulations Washi for what you achieved! I really hope this challenge entertained you, this Is the objective in the end.

Â

EDIT: sorry for the multiple edits.. just wanted to say the last thing. The solution can be reached directly by modifying 21 bits of virtualized code, none of which concerns mathematical operations.

Edited by LoLLo90
Share on other sites

• Solution
3 hours ago, LoLLo90 said:

You say this is a "guess-what-the-author-wanted-you-to-do": it's not nice to say certain things, especially when this is not true.

Oh I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea

Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub:

Â

Edited by Washi
• 4
• 2
Share on other sites

After looking at your challenge, I had exactly the same sentiment as Washi. But unlike him, I just closed the crackme and decided not to spend any more time on it.

Here's an approximation of what I thought about the crackme during ~2 hours I spent on it:
1) Oooh, a new crackme from LoLLo90! Exciting!
2) Mmmm, never seen anything like that!Â Challenge accepted!
3) Where the f*ck do I enter my serial? Confused.
4) It tries to do MD5+3DES based on 3 values. Am I supposed to bruteforce those? Mildly annoyed.
5) Outlined method calls and useless assignments make analysis difficult. Reinventing method inliner and data flow analyzer. Bored.
6) No, seriously, where do I enter my serial?
7) Should I try to make a bruteforcer? Meh.
8) Those string manipulations are stupid. I can't be arsed to analyze those.
9) Annoyance threshold reached. Hit the delete button.

So, maybe (just maybe!) next time before making something "exactly as you wanted it to be", consider who would want to spend his/her time on that? Â Â
Â

• 1
• 1
Share on other sites

5 hours ago, kao said:

After looking at your challenge, I had exactly the same sentiment as Washi. But unlike him, I just closed the crackme and decided not to spend any more time on it.

Here's an approximation of what I thought about the crackme during ~2 hours I spent on it:
1) Oooh, a new crackme from LoLLo90! Exciting!
2) Mmmm, never seen anything like that!Â Challenge accepted!
3) Where the f*ck do I enter my serial? Confused.
4) It tries to do MD5+3DES based on 3 values. Am I supposed to bruteforce those? Mildly annoyed.
5) Outlined method calls and useless assignments make analysis difficult. Reinventing method inliner and data flow analyzer. Bored.
6) No, seriously, where do I enter my serial?
7) Should I try to make a bruteforcer? Meh.
ðŸ˜Ž Those string manipulations are stupid. I can't be arsed to analyze those.
9) Annoyance threshold reached. Hit the delete button.

So, maybe (just maybe!) next time before making something "exactly as you wanted it to be", consider who would want to spend his/her time on that? Â Â
Â

Mr. kao, you know, i have huge respect for you.Â I am sorry to read these things. I accept your criticisms with sincere gratitude. I'll do better next time. Forgive me! (and don't skip the next challenge, you will like itÂ ðŸ˜ƒ, i swear!).

Â

7 hours ago, Washi said:

Oh I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea

Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub:

Â

You are amazing boy. I loved your explanation of the virtual machine.

I am really happy you enjoyed the challenge. I will follow your advices to make a better challenge next time.Â Congrats!
Your consideration on how to speed up bruteforce is exact. ButÂ there is another consideration that allows to reduce the space of possible values in the range of extremes 0-255, so the "bruteforce way" is actually no bruteforce anymore.

Share on other sites

On 2/8/2021 at 6:26 PM, Washi said:

Oh I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea

Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub:

Â

One of the best writeups I've read! Thanks Washi you are amazing...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account