自写的玩具VM CrackMe一枚

二娃 · 发表于 2020-7-19 02:45

本帖最后由二娃于 2020-7-19 02:46 编辑

折腾了一段时间终于大概写了个满是bug的vm框架出来，勉强可以vm一个十几行代码的函数了
CM原文件的核心代码就十几行，并且vm模拟的指令还很少，基本上都是以原指令的形式出现，所以只要找到关键地方应该还是很好看出来的。

成功界面

该文件仅在win10 x64下测试过，其他系统暂时不清楚，好像有很小的概率会打开后就崩溃，暂时不明原因，再重新打开就好了，如果一直打不开的话请留言一下你的系统。

（框架写得有点乱，基本都是随想随写，如果有大佬愿意逆向的话希望不要喷我的代码

）

yjcjc · 发表于 2020-7-19 11:19

谢谢分享

solly · 发表于 2020-7-19 17:56

本帖最后由 solly 于 2020-7-19 18:03 编辑

VM 分析：

[Shell] 纯文本查看 复制代码

                   
000000014002D000  04 04 00 00 48 83 EC 38                           opcode=04, size=0x04, x64opcode = 48 83 EC 38 (sub rsp,0x38)
000000014002D008  04 09 00 00 48 C7 44 24 20 00 00 00 00            opcode=04, size=0x09, x64opcode = 48 C7 44 24 20 00 00 00 00 (mov qword ptr ss:[rsp+20],0x0)
000000014002D015  01 55 00 00 20 02 00                              opcode1=01, opcode2=0x55, value=0x00, var_val=0x00022000, var_alloc, var==> buff
000000014002D01C  01 57                                             opcode1=01, opcode2=0x57, value=0x0000000140000000, var_init, var = 0 or null
000000014002D01E  05 10                                             opcode1=05, param1=0x10, [param1] = 0x00022000, var_set, var ==>"password:"
000000014002D020  01 10                                             opcode1=01, param1=0x10, [param1] = 0x00022000, var_ref, var ==>"password:"
000000014002D022  02 01                                             opcode1=02, param1=0x01, [param1] = 0x00022000, var_push, var ==>"password:" 
000000014002D024  03 55 20 10 00 00                                 opcode1=03, param1=0x55, param2 = 0x00001020, [00001020] ==> msg, call_api, printf(msg)
000000014002D02A  04 05 00 00 48 8D 54 24 20                        opcode=04, size=0x04, x64opcode = 48 8D 54 24 20 (lea rdx,qword ptr ss:[rsp+20])
000000014002D033  01 55 00 0C 20 02 00                              opcode1=01, opcode2=0x55, value=0x00, var_val=0x0002200C, var_alloc, var==> buff 
000000014002D03A  01 57                                             opcode1=01, opcode2=0x57, value=0x0000000140000000, var_init, var = 0 or null
000000014002D03C  05 10                                             opcode1=05, param1=0x10, [param1] = 0x0002200C, var_set, var ==>"%d"
000000014002D03E  01 10                                             opcode1=01, param1=0x10, [param1] = 0x0002200C, var_ref, var ==>"%d"  
000000014002D040  02 01                                             opcode1=02, param1=0x01, [param1] = 0x0002200C, var_push, var ==>"%d"  
;input
000000014002D042  03 55 80 10 00 00                                 opcode1=03, param1=0x55, param2 = 0x00001080, [00001080] ==> fmt, call_api, scanf(fmt) 
000000014002D047  04 05 00 00 48 8B 44 24 20                        opcode=04, size=0x05, x64opcode = 48 8B 44 24 20 (mov rax,qword ptr ss:[rsp+20])，get integer with scanf
;compare
000000014002D051  04 06 00 00 48 2D 78 56 34 12                     opcode=04, size=0x06, x64opcode = 48 2D 78 56 34 12 (sub rax,12345678), sub
000000014002D05B  04 06 00 00 48 35 96 43 96 43                     opcode=04, size=0x06, x64opcode = 48 35 96 43 96 43 (xor rax,43964396), xor 
000000014002D065  04 05 00 00 48 89 44 24 28                        opcode=04, size=0x05, x64opcode = 48 89 44 24 28 (mov qword ptr ss:[rsp+28],rax), save
000000014002D06E  04 09 00 00 48 81 7C 24 28 FD 5F 97 4A            opcode=04, size=0x09, x64opcode = 48 81 7C 24 28 FD 5F 97 4A (cmp qword ptr ss:[rsp+28],4A975FFD), compare
000000014002D07B  00 10 1B 00 00 00                                 opcode=00, opcode2=0x10(jne), param1=0x0000001B, true: rip = $+2+4+param1 (0x1F, rip=000000014002D09C), false: rip = $+2+4 (0x6, rip=000000014002D081)
;success
000000014002D081  01 55 00 10 20 02 00                              (var_alloc)
000000014002D088  01 57 
000000014002D08A  05 10 
000000014002D08C  01 10 
000000014002D08E  02 01  
000000014002D090  03 55 20 10 00 00                                 (printf("good job!"))
000000014002D096  00 1F 15 00 00 00                                 (jmp 000000014002D0B1)
;failure
000000014002D09C  01 55 00 20 20 02 00                              (var_alloc)
000000014002D0A3  01 57 
000000014002D0A5  05 10 
000000014002D0A7  01 10 
000000014002D0A9  02 01 
000000014002D0AB  03 55 20 10 00 00                                 (printf("error!"))
;exit
000000014002D0B1  01 55 00 28 20 02 00                              (var_alloc) 
000000014002D0B8  01 57 
000000014002D0BA  05 10 
000000014002D0BC  01 10 
000000014002D0BE  02 01                                            (msg = "pause")
000000014002D0C0  06                                               (system("pause"), output "请按任意键继续. . ." and pause)
000000014002D0C1  3C 11 00 00 00 00 00 00 00 00 00 00 00 00 00

1、正确码：

2、暴破：

[Shell] 纯文本查看 复制代码

000000014002D07B  00 10 1B 00 00 00            (jne $+0x1B)
改为：
000000014002D07B  00 10 00 00 00 00            (jne $+0x00，即不跳转)

Sound · 发表于 2020-7-19 20:48

跟花指令一样。。

TL90 · 发表于 2020-7-19 21:00

本帖最后由 TL90 于 2020-7-19 21:02 编辑

膜拜大佬！随随便便就能写出个crackme

二娃 · 发表于 2020-7-19 21:49

solly 发表于 2020-7-19 17:56
VM 分析：
[mw_shl_code=shell,true]
000000014002D000 04 04 00 00 48 83 EC 38 ...

还真的有人愿意逆我这坨乱七八糟的代码，膜拜膜拜

二娃 · 发表于 2020-7-19 21:50

Sound 发表于 2020-7-19 20:48
跟花指令一样。。

不好意思献丑了，第一次写vm，很多东西都是随想随写的，现在看起来我自己也觉得乱，写这种东西还是要先好好构思一下比较好

cszlj1024 · 发表于 2020-7-22 20:59

膜拜大佬！
学习了，谢谢楼主分享！

帐号		自动登录	找回密码
密码			注册[Register]

[CrackMe] 自写的玩具VM CrackMe一枚

本帖子中包含更多资源

免费评分

免费评分

本帖子中包含更多资源

免费评分

免费评分