Jump to content
Tuts 4 You

ClumsyVM


LoLLo90
Go to solution Solved by Washi,

Recommended Posts

LoLLo90

ClumsyVM


This is my clumsy virtual machine 😃

Goals:

Bronze - Patch the crackme to show the correct message

Silver - Bronze + explain how the virtualized code works

Gold - Silver + write a totally different virtualized code to pass the check


 

Link to post
Washi

Are you absolutely sure this is doable without bruteforce? After spending some hours on analyzing and devirtualizing, this crackme feels very much like a "guess-what-the-author-wanted-you-to-do" challenge, rather than an actual reverse engineering challenge where we have to infer the password based on the code. In the spoiler some more detailed info of why I think this is the case.

Spoiler

As far as I can tell, bronze is not possible without a good understanding of what the virtualized functions compute, since the good boy message is decrypted with the result of the virtualized code used as a key. Sure, 3DES and MD5 are obsolete cryptographic schemes, but I doubt the goal of the challenge is to break 3DES or MD5.

After one day of analysing the binary, I think I have a very good understanding of the (horribly inefficient 😛) virtual machine. Without spoiling too much before a proper writeup, the virtualized code computes some static hardcoded mathematical expression. The problem is that this expression is not dependent on any kind of user input (unless the initial state of the virtual memory and registers is considered the input?), nor does it contain any comparison or other kind of hint or clue that would tell me what to even do with this machine (it's just some random maths expression that returns a random integer, that is not further verified before plugged in as a decryption key). Furthermore, since the decryption key is the concatenation of the final states of the virtual 32-bit registers 2, 4 and 7 (of which 2 and 4 are the "special" pc and sp registers), I fail to see how this is doable without some form of guess work, bruteforce of the correct value of r7, or some form of user input that would allow us to compute the final key.

For the sake of not spoiling too much, lmk if you need more information via DMs.

EDIT:

Spoiler

Seems like bruteforce is one of the ways to solve it, which is kind of lame in my opinion. Also your crackme has multiple solutions (though only one seems to be ascii text). Not sure if this was intended or not.

 image.png.49b40c5a1d7d8ecd8ffc242ce57c1d81.png 

I will try to get a proper writeup / description on the VM tomorrow.

 

Edited by Washi (see edit history)
  • Like 5
Link to post
LoLLo90
11 hours ago, Washi said:

Are you absolutely sure this is doable without bruteforce? After spending some hours on analyzing and devirtualizing, this crackme feels very much like a "guess-what-the-author-wanted-you-to-do" challenge, rather than an actual reverse engineering challenge where we have to infer the password based on the code. In the spoiler some more detailed info of why I think this is the case.

  Hide contents

As far as I can tell, bronze is not possible without a good understanding of what the virtualized functions compute, since the good boy message is decrypted with the result of the virtualized code used as a key. Sure, 3DES and MD5 are obsolete cryptographic schemes, but I doubt the goal of the challenge is to break 3DES or MD5.

After one day of analysing the binary, I think I have a very good understanding of the (horribly inefficient 😛) virtual machine. Without spoiling too much before a proper writeup, the virtualized code computes some static hardcoded mathematical expression. The problem is that this expression is not dependent on any kind of user input (unless the initial state of the virtual memory and registers is considered the input?), nor does it contain any comparison or other kind of hint or clue that would tell me what to even do with this machine (it's just some random maths expression that returns a random integer, that is not further verified before plugged in as a decryption key). Furthermore, since the decryption key is the concatenation of the final states of the virtual 32-bit registers 2, 4 and 7 (of which 2 and 4 are the "special" pc and sp registers), I fail to see how this is doable without some form of guess work, bruteforce of the correct value of r7, or some form of user input that would allow us to compute the final key.

For the sake of not spoiling too much, lmk if you need more information via DMs.

EDIT:

  Hide contents

Seems like bruteforce is one of the ways to solve it, which is kind of lame in my opinion. Also your crackme has multiple solutions (though only one seems to be ascii text). Not sure if this was intended or not.

 image.png.49b40c5a1d7d8ecd8ffc242ce57c1d81.png 

I will try to get a proper writeup / description on the VM tomorrow.

 

You are right, bronze is possible only with bruteforcing, but it is not true that bruteforce is the only option to pass the check(no guessing Is needed)

This virtual machine is horribly inefficient: absolutely true. This is due to two things:
1) There is a "a sort of" of obfuscation in the virtualized code.
2) The architecture is designed to be inefficient! (it is not my fault!!, when i will get a valid solution i will explain why).

You say this is a "guess-what-the-author-wanted-you-to-do": it's not nice to say certain things, especially when this is not true. The fact that there is no explicit input does not imply what you are saying.  Your partial understanding of the VM behavior leads you to say this, trust me!

 

None of the protections used in the challenge i posted on tuts4you or any other reversing forum is intended for production use. So "orribly inefficient" does not mean anything to me, it is exactly as i wanted It to be. 

However, congratulations Washi for what you achieved! I really hope this challenge entertained you, this Is the objective in the end.

 

EDIT: sorry for the multiple edits.. just wanted to say the last thing. The solution can be reached directly by modifying 21 bits of virtualized code, none of which concerns mathematical operations.

Edited by LoLLo90 (see edit history)
Link to post
  • Solution
Washi
3 hours ago, LoLLo90 said:

You say this is a "guess-what-the-author-wanted-you-to-do": it's not nice to say certain things, especially when this is not true.

Oh I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea :)

Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub:

https://github.com/Washi1337/ctf-writeups/tree/master/Miscellaneous/tuts4you/ClumsyVM

 

Edited by Washi (see edit history)
  • Like 4
  • Thanks 2
Link to post
kao

After looking at your challenge, I had exactly the same sentiment as Washi. But unlike him, I just closed the crackme and decided not to spend any more time on it.

Here's an approximation of what I thought about the crackme during ~2 hours I spent on it:
1) Oooh, a new crackme from LoLLo90! Exciting!
2) Mmmm, never seen anything like that! Challenge accepted!
3) Where the f*ck do I enter my serial? Confused.
4) It tries to do MD5+3DES based on 3 values. Am I supposed to bruteforce those? Mildly annoyed.
5) Outlined method calls and useless assignments make analysis difficult. Reinventing method inliner and data flow analyzer. Bored.
6) No, seriously, where do I enter my serial?
7) Should I try to make a bruteforcer? Meh.
8) Those string manipulations are stupid. I can't be arsed to analyze those.
9) Annoyance threshold reached. Hit the delete button.

So, maybe (just maybe!) next time before making something "exactly as you wanted it to be", consider who would want to spend his/her time on that? :)  
 

  • Like 1
  • Thanks 1
Link to post
LoLLo90
5 hours ago, kao said:

After looking at your challenge, I had exactly the same sentiment as Washi. But unlike him, I just closed the crackme and decided not to spend any more time on it.

Here's an approximation of what I thought about the crackme during ~2 hours I spent on it:
1) Oooh, a new crackme from LoLLo90! Exciting!
2) Mmmm, never seen anything like that! Challenge accepted!
3) Where the f*ck do I enter my serial? Confused.
4) It tries to do MD5+3DES based on 3 values. Am I supposed to bruteforce those? Mildly annoyed.
5) Outlined method calls and useless assignments make analysis difficult. Reinventing method inliner and data flow analyzer. Bored.
6) No, seriously, where do I enter my serial?
7) Should I try to make a bruteforcer? Meh.
😎 Those string manipulations are stupid. I can't be arsed to analyze those.
9) Annoyance threshold reached. Hit the delete button.

So, maybe (just maybe!) next time before making something "exactly as you wanted it to be", consider who would want to spend his/her time on that? :)  
 

Mr. kao, you know, i have huge respect for you. I am sorry to read these things. I accept your criticisms with sincere gratitude. I'll do better next time. Forgive me! (and don't skip the next challenge, you will like it 😃, i swear!).

 

7 hours ago, Washi said:

Oh I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea :)

Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub:

https://github.com/Washi1337/ctf-writeups/tree/master/Miscellaneous/tuts4you/ClumsyVM

 

You are amazing boy. I loved your explanation of the virtual machine.

I am really happy you enjoyed the challenge. I will follow your advices to make a better challenge next time. Congrats!
Your consideration on how to speed up bruteforce is exact. But there is another consideration that allows to reduce the space of possible values in the range of extremes 0-255, so the "bruteforce way" is actually no bruteforce anymore.

Link to post
Rhotav
On 2/8/2021 at 6:26 PM, Washi said:

Oh I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea :)

Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub:

https://github.com/Washi1337/ctf-writeups/tree/master/Miscellaneous/tuts4you/ClumsyVM

 

One of the best writeups I've read! Thanks Washi you are amazing...

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...