Tuts 4 You

BinaryShield (Custom VM)



Posted (edited)



This is my first attempt at a binary protector. Currently, the VM has very little protection, so this should be good for those interested in learning about VM-based obfuscation. I intend on uploading new challenges that feature my protector as I add more features.

BinaryShield source code: https://github.com/connorjaydunn/BinaryShield

GOAL:

- You must find the correct key. Simply patching to get a goodboy message is NOT allowed.
- Bonus points for devirt and explanation of your approach.
- MOST IMPORTANTLY, have fun!

:)



Edited by ra1n
Solution
Posted (edited)

Fun and not too difficult challenge. I always like me some VM crackmes :)

Valid keys:

Spoiler

1859
2418
1638
299902
29763

Had enough fun reversing this so I made a full writeup with disassembler and devirtualized code:

https://blog.washi.dev/posts/binaryshield-vm-crackme/

Edited by Washi
Posted (edited)
40 minutes ago, Washi said:

Fun and not too difficult challenge. I always like me some VM crackmes :)

Valid keys:


1859
2418
1638
299902
29763

Had enough fun reversing this so I made a full writeup with disassembler and devirtualized code:

https://washi1337.github.io/ctf-writeups/writeups/misc/tuts4you/binaryshield/

Bravo! Thank you for the writeup. I apologize for the confusion with the multiple keys—it was only supposed to be one! I mistakenly checked if the input matched those constants instead of the current key calculation. Haha! I look forward to sharing my next upload, which will include anti-debugging features. Once again, amazing work! :)

EDIT: There appears to be a small typo in your lifted disassembly that would imply some of the keys are not correct.

Edited by ra1n
4 months later...
Posted

Hi, I am new to the devirtualization topic, and this challenge was very good for beginners and for me.

First, my goal was not just to obtain the keys but to devirtualize the whole function automatically and recompile it back in order to be able to patch it.

I lifted the handlers to LLVM IR and recompiled them into a new binary to analyze it.

This is my final output:

[screenshot of the recompiled output]

I know it's a little difficult to read, but at least you can see the correct keys clearly if you look at the if statements.

Sadly, the code crashes at runtime; I don't know why. It will probably take a really long time to identify the problem. I don't think I will do that. Maybe I might try VTIL instead of LLVM.

I would like to see others' approaches to fully devirtualizing this VM. Great challenge again.

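Both Washi's writeup (a disassembler plus devirtualized code) and the post above (handlers lifted to LLVM IR) follow the same shape: recover the VM's instruction format, write a listing tool for it, then re-express the handlers in a form you can reason about instead of single-stepping the dispatcher. The following is an added example that is not part of the original thread, not BinaryShield's bytecode format, and not anyone's tooling from this discussion: it invents a small stack VM (opcode layout, handlers and the "protected" key check are all assumptions) and shows the three steps on it, lifting the handlers to expression trees rather than LLVM IR so that the recovered constraint can be inverted directly. It goes beyond the thread in one respect: the same dispatch loop is reused for concrete execution and for lifting by parameterising the handlers on a value domain.

```python
"""Toy stack VM with a disassembler and a symbolic lifter (added example;
NOT BinaryShield's format and NOT the tooling discussed in the thread)."""
import struct

MASK = 0xFFFFFFFF

# Assumed encoding: one opcode byte; only PUSH carries a 32-bit LE immediate.
OP_PUSH, OP_INPUT, OP_ADD, OP_XOR, OP_MUL, OP_EQ, OP_RET = range(7)
MNEMONIC = {OP_PUSH: "push", OP_INPUT: "input", OP_ADD: "add", OP_XOR: "xor",
            OP_MUL: "mul", OP_EQ: "eq", OP_RET: "ret"}
OPCODE = {name: op for op, name in MNEMONIC.items()}


def assemble(program):
    """Encode a list of mnemonics / ("push", imm) tuples into bytecode."""
    code = bytearray()
    for insn in program:
        if isinstance(insn, tuple):            # ("push", imm)
            code.append(OP_PUSH)
            code += struct.pack("<I", insn[1] & MASK)
        else:
            code.append(OPCODE[insn])
    return bytes(code)


def disassemble(code):
    """Linear sweep over the bytecode; returns [(offset, text), ...]."""
    listing, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == OP_PUSH:
            imm = struct.unpack_from("<I", code, pc + 1)[0]
            listing.append((pc, f"push 0x{imm:x}"))
            pc += 5
        else:
            listing.append((pc, MNEMONIC[op]))
            pc += 1
    return listing


class Concrete:
    """Value domain for normal execution: 32-bit integers."""
    const = staticmethod(lambda v: v & MASK)
    input = staticmethod(lambda v: v & MASK)
    add = staticmethod(lambda a, b: (a + b) & MASK)
    xor = staticmethod(lambda a, b: a ^ b)
    mul = staticmethod(lambda a, b: (a * b) & MASK)
    eq = staticmethod(lambda a, b: 1 if a == b else 0)


class Symbolic:
    """Value domain for lifting: values are expression trees, so the final
    `eq` yields the constraint the VM program places on the input."""
    const = staticmethod(lambda v: ("const", v & MASK))
    input = staticmethod(lambda v: ("input",))
    add = staticmethod(lambda a, b: ("add", a, b))
    xor = staticmethod(lambda a, b: ("xor", a, b))
    mul = staticmethod(lambda a, b: ("mul", a, b))
    eq = staticmethod(lambda a, b: ("eq", a, b))


def run(code, domain, user_input):
    """The VM's dispatch loop. Handlers are written against `domain`, so one
    loop both executes the program (Concrete) and lifts it (Symbolic)."""
    stack, pc = [], 0
    while True:
        op = code[pc]
        if op == OP_PUSH:
            stack.append(domain.const(struct.unpack_from("<I", code, pc + 1)[0]))
            pc += 5
            continue
        if op == OP_INPUT:
            stack.append(domain.input(user_input))
        elif op == OP_RET:
            return stack.pop()
        else:                                  # binary operators pop b, then a
            b, a = stack.pop(), stack.pop()
            stack.append(getattr(domain, MNEMONIC[op])(a, b))
        pc += 1


def solve(constraint):
    """Invert a lifted `eq(expr, const)` for the single input. In this toy VM
    each handler is a bijection on 32-bit values when its right operand is a
    constant (mul only for an odd constant), so we walk the tree backwards."""
    tag, expr, rhs = constraint
    assert tag == "eq" and rhs[0] == "const"
    target = rhs[1]
    while expr[0] != "input":
        op, sub, (ctag, c) = expr
        assert ctag == "const"
        if op == "xor":
            target ^= c
        elif op == "add":
            target = (target - c) & MASK
        elif op == "mul":
            assert c & 1, "even multiplier is not invertible mod 2**32"
            target = (target * pow(c, -1, 1 << 32)) & MASK
        expr = sub
    return target


# Constructed "protected" check: good iff ((input ^ 0x5a5a) * 3 + 0x1234) == 0x1305d.
PROTECTED = assemble(["input", ("push", 0x5A5A), "xor", ("push", 3), "mul",
                      ("push", 0x1234), "add", ("push", 0x1305D), "eq", "ret"])


def check_key(key):
    """What the crackme does: 1 on the goodboy path, 0 otherwise."""
    return run(PROTECTED, Concrete, key)


def recover_key():
    """What the devirtualizer does: lift once, then solve the constraint."""
    return solve(run(PROTECTED, Symbolic, None))


if __name__ == "__main__":
    for off, text in disassemble(PROTECTED):
        print(f"{off:04x}: {text}")
    key = recover_key()
    print(f"recovered key {key}, check_key -> {check_key(key)}")
```

The point of the `domain` parameter is the part that carries over to a real target: once the handlers are understood well enough to write them against an abstract value type, the lifter is the same interpreter fed symbolic values, and the dispatcher never has to be patched or single-stepped again. A real VM will have branches, memory and non-invertible handlers, at which point the hand-written `solve` gives way to an SMT solver or to the LLVM/VTIL route the post above takes.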
