Official vmcrack Discussion

Official discussion thread for vmcrack. Please do not post any spoilers or big hints.

Just wanted to thank author @st4ckh0und for making such a great challenge.
Took me 3 days straight to analyze. Lots of notepad text, and I will probably have
to replace F8 on the keyboard :slight_smile:


You’re very welcome! Glad you liked it :slight_smile:

Any suggested reading/articles to help crack this beast?

Throw it in Windbg and start researching malware

So I’ve spent some more time on this, and I have some questions about anti-debug techniques. If there is no debugger attached, will an INT1 instruction trigger an exception? Will Windows walk the SEH? What about INT3? In other words, without a debugger attached, are these instructions essentially NOPs? Or does normal exception handling occur?

Similarly, if we set the TF flag in EFLAGS with no debugger attached, is a single-step exception still thrown? Or does setting that without a debugger attached have no effect?

I’ve had some more time to work on this, and I think I’ll have a solve soon. Unicorn engine has been invaluable for dynamic analysis; there probably won’t be anything you can read online about how to solve this, just a lot of RE. As a hint, try understanding the interaction between the .pcode, .vmrun, and .vm sections.

Finally solved! Awesome problem, thanks! Will make a writeup when it closes

Hi people!
I have bypassed the anti-debugging mechanisms in tlscallback for now.

But I don’t see the relationship between the pcode, vmrun and vm sections. The only thing I found was a set of functions that allows me to move data (most often, the data is addresses of executable code) between sections and jump to these addresses to execute the code. But to my regret, there is a very long chain of transitions to these addresses, and I lose the logical thread of what is happening - it confuses me.

My idea is simple (or even stupid) - I am trying to find code that has a loop with a simple “xor” instruction that will give me a flag. As I noticed, this task is very similar to a malicious sample. But I lack the experience.

Maybe I missed something?
Does it make sense to fix the values returned by the anti-debugging mechanisms?
Give a hint or write me a PM.

My head is boiling))


And so,
I was able to advance. By analogy with other protectors based on virtual machines, I was looking for something similar to initializing the stack in the kernel of the virtual machine, looking for functions for working with the stack … And I kind of found it. But I still can’t debug the virtual machine :neutral:

This is a cool task.

That was an incredible challenge. Congrats to @st4ckh0und!

But I have to admit, I’m a Ghidra fan. And with a 2nd stage disassembly, the code reveals.

And so, today I can already read a message about “freezing something, including me at some distance from the epicenter”, but then, when executing the next part of the virtual machine’s code, I crash on a call to the address in “eax” …

It is worth noting that I see a connection between the “.pcode” and “.vm” sections. But I do not see a connection with the “.vmrun” section - is it worth looking for a relationship here?

Give a hint, whoever solved this task or advanced further than me.

And so I tried to read all the texts that become visible after each start of the virtual machine, but they only contain quotes saying that everything is “bad”. No text or byte array looked like a flag ‘__’

I noticed an interesting thing: before each initialization of the virtual machine, something similar to a key is passed in… there are about 9 of them … maybe I should try all the permutations of keys and initializations of the virtual machine ??

Support me a little))))

So, there are new questions :\

What is the meaning of the cryptographic modules (I can figure it out)?

In one of several launches of the virtual machine, it reveals a corrupted byte array - it is not readable and I do not know what can be done with it. What do you think? I have an idea: decrypt twice …)

@flamtaps said:
Finally solved! Awesome problem, thanks! Will make a writeup when it closes

Glad you enjoyed it! :slight_smile:

@mysteriousP said:
That was an incredible challenge. Congrats to @st4ckh0und!

But I have to admit, I’m a Ghidra fan. And with a 2nd stage disassembly, the code reveals.

Yeah, well, any technique is permitted :slight_smile:

Oh boy, what a ride. Found my skills a bit rusty after a 3-year break from reversing, but it was a good way to get back on track. Thanks #st4ckh0und for it.

Thank you for this fun challenge. It was quite a ride, and after a few days of staring at virtualized code, I finally got the flag. Awesome challenge. :slight_smile:

I’m kinda new to reversing, so pls help me:
The prog has 2 modes, I think, and based on processor features it seems to decide which set of instructions to run?
The prog has a pattern of initializing 14 threads and using a source string \x01 \x7 abcd… etc etc,
with start and end from \x01 to \x01 for a section, I think. The 14 count seems suspect (AES? RC4? idk). It’s like the source string is being split into 2 and the halves mapped to each other; after mapping, it’s like the top half of the string before mapping is used for one set of functions and then both parts are used for another set of functions. The tlscallback’s role seems to be to keep calling the functions in the same order.
Did I miss something? I don’t know what I’m looking for, basically. Pls help

First of all, thanks to the author, had fun doing this.

There are several ways to solve this, but as an exercise I went the fully static analysis way, and it is not that difficult (but took me a couple of days and tens of hand-written papers to finish). As usual, once you locate the virtual machine, try to figure out the big picture first and don’t get bogged down by individual details. Reversing the entire thing then becomes fairly straightforward.

If you go the dynamic analysis way, I strongly recommend the Anti-Debugging chapter from the Practical Malware Analysis book (in fact I recommend the entire book, if you want to learn basic reverse engineering), pretty much all the techniques are used here.