VirtualGuard v1.0

[virtualguard]

View File

VirtualGuard v1.0

---

This file is protected by the first version of VirtualGuard. VirtualGuard is an obfuscator I develop that I am trying to receive some stress testing on

I hope this VM makes people think at least a little bit; It's fairly close to 1:1, however I do believe I do some interesting things with comparisons and branching. Haven't seen it anywhere else. Let the record state this is not a "mod" of any other vm, so if you are interested in seeing some new stuff this is for you.

This sample contains some fairly simple branch offset mutations, at first glance it may be a slight "wtf moment" (at least I hope), but as soon as you figure out how the comparison system works it should be fairly easy to figure out.

Anyways, enough of the kind-of hints. Would love any feedback on this. The crack-me element is fairly basic, just entering a password. Would definitely be a first step to solving though, so would like to see how people work on figuring that out.

Good luck!

---

• Submitter
  virtualguard
• Submitted
  12/23/2023
• Category
  UnPackMe (.NET)

 

[Sean the hard worker]

It's difficult to me.

 

Regards.

sean.

[virtualguard]

I would watch out with using de4dot - make sure you preserve the resources (where the bytecode is stored atm), or you will have not much to work with.

[Mr-Toms]

My Devirtualized file 

its not that good about the result because i have some problem while restoring locals

 

you need to see the branch pattern and how they calculate the position, its just need some time to analyze it

VirtualGuard.Tests-virt_NoVG.exe

Edited December 27, 2023 by Mr-Toms

[Sean the hard worker]

@Mr-Toms How did you devirtualize it? Can you publish a tutorial for us?

Thanks in advance.

Regards.

sean.

[Mr-Toms]

1 hour ago, windowbase said:

@Mr-Toms How did you devirtualize it? Can you publish a tutorial for us?

Thanks in advance.

Regards.

sean.

its a longtime journey, you can see my old message in this forum about asking the same thing , but nobody give instant solution

the only thing you need to do is learn from the basic, i've started it by looking at open source devirtualizer

[Sean the hard worker]

Can you link the open source devirtualizer that you started?

Regards.

sean.

[Mr-Toms]

https://github.com/CursedSheep/MemeVM-Devirt

https://github.com/TobitoFatitoRE/HexDevirt

 

[Sean the hard worker]

1 minute ago, Mr-Toms said:

https://github.com/CursedSheep/MemeVM-Devirt

https://github.com/TobitoFatitoRE/HexDevirt

 

Thank you.

Regards.

sean. 

[virtualguard]

Awesome job. Creating a new sample shortly. Should be a bit harder to devirtualize; I've added the functionality for multiple vms to be injected, equally distributing the virtualized methods between them. Should add some difficult not in an re sense, but in the way that it'll force you to write something that automatically identifies dynamic values, ie, handler ids and decryption keys. I guess depending on how many vms there are you could just manually input the values, but oh well. Nothing is unbreakable, however I'll try my best to make it a real pain in the butt :).

[jackyjask]

Could you do nested VM(s)?

a VM that is executing another VM that is....

[virtualguard]

I'll consider it, but nested vms imo are just performance hell. If it was just virtualguard layered on virtualguard, the issue would be that it would be a massive performance cost, for really only the benefit of obfuscating the dynamic constant values. A person already has all the code of the publicly exposed vm that's layered, making it so one would just need to locate the constants within the virtualized vm.

 

I published a new sample which is in the process of being verified as I'm writing this. Should be a good bit more challenging than this one.

[azufo]

On 12/27/2023 at 11:13 AM, windowbase said:

Thank you.

Regards.

sean. 

See this repo https://github.com/mrT4ntr4/VirtualGuard-Devirt

pass for this unpackme is: "olives8"