Official discussion thread for vmcrack. Please do not post any spoilers or big hints.
Just wanted to thank author @st4ckh0und for making such great challenge.
Took me 3 days straight to analyze. Lots of notepad text and will probably have
to replace F8 on the keyboard
You're very welcome! Glad you liked it
Any suggested reading/articles to help crack this beast?
Throw it in Windbg and start researching malware
So I've spent some more time on this, and I have some questions about anti-debug techniques. If there is no debugger attached, will an INT1 instruction trigger an exception? Will Windows walk the SEH? What about INT3? In other words, without a debugger attached, are these instructions essentially NOPs? Or does normal exception handling occur?
Similarly, if we set the TF flag in EFLAGS with no debugger attached, is a single-step exception still thrown? Or does setting that without a debugger attached have no effect?
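The questions in the post above (does INT3, INT1 or a self-set TF still raise an exception when no debugger is attached?) probed in code. This is an added example written for this page, not code from the thread or from the challenge: a Linux x86-64 C program that installs a SIGTRAP handler and counts how many times each probe reaches it. The function names (probe_int3, probe_int1, probe_trap_flag) are the example's own. On Windows the same traps are dispatched to the SEH/VEH chain as EXCEPTION_BREAKPOINT (0x80000003) and EXCEPTION_SINGLE_STEP (0x80000004) when no debugger is attached; with a debugger attached, the debugger receives them first, which is exactly what the classic INT3/TF anti-debug checks rely on.

```c
// Added example (not from the thread or the challenge): do INT3, INT1 and a
// TF single-step reach the process's own handler with no debugger attached?
// Linux x86-64: the kernel delivers each trap as SIGTRAP, the counterpart of
// Windows handing EXCEPTION_BREAKPOINT / EXCEPTION_SINGLE_STEP to SEH.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#ifndef REG_EFL
#define REG_EFL 17  /* glibc x86-64 index of RFLAGS in uc_mcontext.gregs */
#endif
#define X86_EFLAGS_TF 0x100L

static volatile sig_atomic_t trap_count;

// SIGTRAP handler: count the trap and clear TF in the saved flags so that
// sigreturn does not re-arm single-stepping for the rest of the program.
// INT3 and INT1 are traps, so the saved RIP already points past the
// instruction and execution simply resumes at the next one.
static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ucontext_t *uc = (ucontext_t *)ctx;
    trap_count++;
    uc->uc_mcontext.gregs[REG_EFL] &= ~X86_EFLAGS_TF;
}

static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGTRAP, &sa, NULL);
}

// Executes one INT3 (0xCC). Returns how many traps the handler saw,
// or -1 if the handler could not be installed.
int probe_int3(void)
{
    if (install_handler() != 0) return -1;
    trap_count = 0;
#if defined(__x86_64__)
    __asm__ volatile ("int3" ::: "memory");
#endif
    return trap_count;
}

// Executes one INT1 / ICEBP (0xF1), which raises #DB much like a single-step.
int probe_int1(void)
{
    if (install_handler() != 0) return -1;
    trap_count = 0;
#if defined(__x86_64__)
    __asm__ volatile (".byte 0xf1" ::: "memory");
#endif
    return trap_count;
}

// Sets TF with pushfq/popfq. The CPU raises #DB after the instruction that
// follows popfq; the handler then clears TF, so exactly one trap occurs.
int probe_trap_flag(void)
{
    if (install_handler() != 0) return -1;
    trap_count = 0;
#if defined(__x86_64__)
    __asm__ volatile (
        "pushfq\n\t"
        "orq $0x100, (%%rsp)\n\t"
        "popfq\n\t"
        "nop\n\t"
        ::: "memory", "cc");
#endif
    return trap_count;
}

int main(void)
{
    printf("int3 traps seen: %d\n", probe_int3());
    printf("int1 traps seen: %d\n", probe_int1());
    printf("TF   traps seen: %d\n", probe_trap_flag());
    return 0;
}
```

Run it plainly and each probe reports that the handler ran once; run it under gdb and the debugger stops on the traps before the handler ever sees them. That asymmetry, not the instruction itself, is the anti-debug signal: the protector plants INT3/INT1/TF, registers its own handler, and treats "my handler never ran" as "a debugger swallowed the exception".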
I've had some more time to work on this, I think I'll have a solve soon. Unicorn engine has been invaluable for dynamic analysis, there probably won't be anything you can read online about how to solve this, just a lot of RE. As a hint, try understanding the interaction between the .pcode, .vmrun, and .vm sections.
Finally solved! Awesome problem, thanks! Will make a writeup when it closes
Hi people!
I have bypassed the anti-debugging mechanisms in tlscallback for now.
But I don't see the relationship between the pcode, vmrun and vm sections. The only thing that I found was a set of functions that allows me to move data (most often, data is the addresses of the executable code) between sections and go to these addresses to execute the code. But to my regret, there is a very long chain of transitions to these addresses and I lose the logical thread of what is happening - it confuses me.
My idea is simple (or even stupid) - I am trying to find code that will have a loop with a simple "xor" instruction that will give me a flag. As I noticed, this task is very similar to a malicious sample. But I am missing my experience.
maybe I missed something?
does it make sense to fix the values returned by anti-debugging mechanisms?
give a hint or write me a pm.
my head is boiling))
And so,
I was able to advance. By analogy with other protectors based on virtual machines, I was looking for something similar to initializing the stack, on the kernel of a virtual machine, looking for functions for working with the stack … And I kind of found it. But I still can't debug the virtual machine :neutral:
this is a cool task
That was an incredible challenge. Congrats to @st4ckh0und!
But I have to admit, I'm a Ghidra fan. And with a 2nd stage disassembly, the code reveals.
Hello
And so, today I can already read a message about "freezing something, including me at some distance from the epicenter", but then, when executing the next part of the code of the virtual machine, I crash when called at the address in "eax" …
It is worth noting that I see a connection between the ".pcode" and ".vm" sections. But I do not see a connection with the ".vmrun" section - is it worth looking for a relationship here?
Give a hint who solved this task or advanced further than me.
And so I tried to read all the texts that begin to be visible after each start of the virtual machine, but they only contain quotes that say that everything is "bad". No text or that byte array looked like a flag.
I noticed an interesting thing: before each initialization of the virtual machine, something similar to a key is transmitted… there are about 9 of them … maybe I should try all the permutations of keys and initializations of the virtual machine ??
support me a little))))
So, there are new questions :\
What is the meaning of cryptographic modules (I can figure it out)?
In one of several launches of the virtual machine, it reveals a corrupted byte array - it is not readable and I do not know what can be done with it. What do you think? Have an idea: decrypt twice …)
@flamtaps said:
Finally solved! Awesome problem, thanks! Will make a writeup when it closes
Glad you enjoyed it!
@mysteriousP said:
That was an incredible challenge. Congrats to @st4ckh0und! But I have to admit, I'm a Ghidra fan. And with a 2nd stage disassembly, the code reveals.
Yeah, well, any technique is permitted
Oh boy what a ride. Found my skills a bit rusty after a 3 years break on reversing, but it was a good way to get back on track. Thanks #st4ckh0und for it.
Thank you for this fun challenge. It was quite a ride, and after a few days of staring at virtualized code, I finally got the flag. Awesome challenge.
I'm kind of new to reversing, so please help me:
The prog has 2 modes I think, and based on processor features it seems to be deciding on which set of instructions to run?
The prog has a pattern of initializing 14 threads and using a source string \x01 \x7 abcd… etc etc,
with start and end markers from \x01 to \x01 for a section, I think. The count of 14 seems suspect (AES? RC4? I don't know). It's like the source string is being split in two and the halves mapped to each other; after mapping, it's like the top half of the string from before the mapping is used for a set of functions, and then both parts are used for a set of functions. The TLS callback's role seems to be to keep calling the functions in the same order.
Did I miss something? I don't know what I'm looking for, basically. Please help
First of all, thanks to the author, had fun doing this.
There are several ways to solve this, but as an exercise I went the fully static analysis way, and it is not that difficult (but took me a couple of days and tens of hand-written papers to finish). As usual, once you locate the virtual machine, try to figure out the big picture first and don't get bogged down by individual details. Reversing the entire thing then becomes fairly straightforward.
If you go the dynamic analysis way, I strongly recommend the Anti-Debugging chapter from the Practical Malware Analysis book (in fact I recommend the entire book, if you want to learn basic reverse engineering), pretty much all the techniques are used here.