Jump to content
Tuts 4 You

VirtualGuard v1.0


Go to solution Solved by Mr-Toms,

Recommended Posts

Posted

VirtualGuard v1.0


This file is protected by the first version of VirtualGuard. VirtualGuard is an obfuscator I develop that I am trying to receive some stress testing on :)

I hope this VM makes people think at least a little bit; It's fairly close to 1:1, however I do believe I do some interesting things with comparisons and branching. Haven't seen it anywhere else. Let the record state this is not a "mod" of any other vm, so if you are interested in seeing some new stuff this is for you.

This sample contains some fairly simple branch offset mutations, at first glance it may be a slight "wtf moment" (at least I hope), but as soon as you figure out how the comparison system works it should be fairly easy to figure out.

Anyways, enough of the kind-of hints. Would love any feedback on this. The crack-me element is fairly basic, just entering a password. Would definitely be a first step to solving though, so would like to see how people work on figuring that out.

Good luck!


 

Sean Park - Lovejoy
Posted

It's difficult to me.

7343.png.41cad8886e9cd4032ea6159dbdf75cc9.png

 

Regards.

sean.

  • Like 1
Posted

I would watch out with using de4dot - make sure you preserve the resources (where the bytecode is stored atm), or you will have not much to work with.

  • Thanks 1
  • Solution
Posted (edited)

My Devirtualized file 

its not that good about the result because i have some problem while restoring locals

 

you need to see the branch pattern and how they calculate the position, its just need some time to analyze it

VirtualGuard.Tests-virt_NoVG.exe

Edited by Mr-Toms
  • Like 1
Sean Park - Lovejoy
Posted

@Mr-Toms How did you devirtualize it? Can you publish a tutorial for us?

Thanks in advance.

Regards.

sean.

  • Like 1
Posted
1 hour ago, windowbase said:

@Mr-Toms How did you devirtualize it? Can you publish a tutorial for us?

Thanks in advance.

Regards.

sean.

its a longtime journey, you can see my old message in this forum about asking the same thing , but nobody give instant solution

the only thing you need to do is learn from the basic, i've started it by looking at open source devirtualizer

  • Like 1
Sean Park - Lovejoy
Posted

Can you link the open source devirtualizer that you started?

Regards.

sean.

  • Like 1
Posted

Awesome job. Creating a new sample shortly. Should be a bit harder to devirtualize; I've added the functionality for multiple vms to be injected, equally distributing the virtualized methods between them. Should add some difficult not in an re sense, but in the way that it'll force you to write something that automatically identifies dynamic values, ie, handler ids and decryption keys. I guess depending on how many vms there are you could just manually input the values, but oh well. Nothing is unbreakable, however I'll try my best to make it a real pain in the butt :).

Posted

Could you do nested VM(s)?

a VM that is executing another VM that is....

Posted

I'll consider it, but nested vms imo are just performance hell. If it was just virtualguard layered on virtualguard, the issue would be that it would be a massive performance cost, for really only the benefit of obfuscating the dynamic constant values. A person already has all the code of the publicly exposed vm that's layered, making it so one would just need to locate the constants within the virtualized vm.

 

I published a new sample which is in the process of being verified as I'm writing this. Should be a good bit more challenging than this one. :)

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...