Official vmcrack Discussion

Official discussion thread for vmcrack. Please do not post any spoilers or big hints.

Comments

  • Just wanted to thank author @st4ckh0und for making such a great challenge.
    Took me 3 days straight to analyze. Lots of notepad text and will probably have
    to replace F8 on the keyboard :)

  • You're very welcome! Glad you liked it :)

  • Any suggested reading/articles to help crack this beast?

  • Throw it in WinDbg and start researching malware

  • So I've spent some more time on this, I have some questions about anti-debug techniques. If there is no debugger attached, will an INT1 instruction trigger an exception? Will Windows walk the SEH? What about INT3? In other words, without a debugger attached, are these instructions essentially NOPs? Or does normal exception handling occur?

  • Similarly, if we set the TF flag in EFLAGS with no debugger detached, is a single-step exception still thrown? Or does setting that without a debugger attached have no effect?

  • I've had some more time to work on this, I think I'll have a solve soon. Unicorn engine has been invaluable for dynamic analysis, there probably won't be anything you can read online about how to solve this, just a lot of RE. As a hint, try understanding the interaction between the .pcode, .vmrun, and .vm sections.

  • Finally solved! Awesome problem, thanks! Will make a writeup when it closes

  • Hi people!
    I have bypassed the anti-debugging mechanisms in tlscallback for now.

    But I don't see the relationship between pcode, vmrun and vm sections. The only thing that I found was a set of functions that allows me to move data (most often, data is the addresses of the executable code) between sections and go to these addresses to execute the code. But to my regret, there is a very long chain of transitions to these addresses and I lose the logical thread of what is happening - it confuses me.

    My idea is simple (or even stupid) - I am trying to find code that will have a loop with a simple "xor" instruction that will give me a flag. As I noticed, this task is very similar to a malicious sample. But I am missing my experience.

    Maybe I missed something?
    Does it make sense to fix the values returned by the anti-debugging mechanisms?
    Give a hint or write me a PM.

    My head is boiling))

  • And so,
    I was able to advance. By analogy with other protectors based on virtual machines, I was looking for something similar to initializing the stack in the kernel of a virtual machine, looking for functions for working with the stack... And I kind of found it. But I still can't debug the virtual machine :neutral:

    This is a cool task

  • That was an incredible challenge. Congrats to @st4ckh0und!

    But I have to admit, I'm a Ghidra fan. And with a 2nd stage disassembly, the code reveals.

  • Hello
    And so, today I can already read a message about "freezing something, including me at some distance from the epicenter", but then, when executing the next part of the code of the virtual machine, I crash when called at the address in "eax"...

    It is worth noting that I see a connection between the ".pcode" and ".vm" sections. But I do not see a connection with the ".vmrun" section - is it worth looking for a relationship here?

    Give a hint who solved this task or advanced further than me.

  • And so I tried to read all the texts that begin to be visible after each start of the virtual machine, but they only contain quotes that say that everything is "bad". No text or that byte array looked like a flag '__'

    I noticed an interesting thing: before each initialization of the virtual machine, something similar to a key is transmitted... there are about 9 of them ... maybe I should try all the permutations of keys and initializations of the virtual machine ??

    Support me a little))))

  • So, there are new questions :\

    What is the meaning of cryptographic modules (I can figure it out)?

    In one of several launches of the virtual machine, it reveals a corrupted byte array - it is not readable and I do not know what can be done with it. What do you think? Have an idea: decrypt twice ...)

  • edited May 25

    @flamtaps said:
    Finally solved! Awesome problem, thanks! Will make a writeup when it closes

    Glad you enjoyed it! :)

    @mysteriousP said:
    That was an incredible challenge. Congrats to @st4ckh0und!

    But I have to admit, I'm a Ghidra fan. And with a 2nd stage disassembly, the code reveals.

    Yeah, well, any technique is permitted :)

  • Oh boy, what a ride. Found my skills a bit rusty after a 3-year break from reversing, but it was a good way to get back on track. Thanks #st4ckh0und for it.