MiniVM RECON Release

June 14, 2008

Here are the slides for the talk I gave at RECON.  The talk was on “Creating Code Obfuscating Virtual Machines”.  The videos of all the talks will also be made available on the RECON website.  To get started writing your own virtual machine or programming for the MiniVM you’ll need to download the MiniVM suite (see below).  This has the core CPU (aka VM) under core/minivm.inc.  This file was intended to be compiled by MASM.  You could of course compile this to an object file and link it into your C code.

There is also a directory for compilers.  There is currently just one and it’s Ruby based.  This compiler is easily extensible, so you can use it for any VM you decide to create yourself.  This should speed things up and give you a lot more flexibility when writing your own VMs.  Both the compiler and the VM core *should* be able to compile on other platforms, but I haven’t tested compiling the core with NASM yet.

These instructions are currently supported by MiniVM:

  • MOV r32, r32
  • MOV [r1], r32
  • MOV r1, [r1]
  • MOV r32, value
  • CMP r32, value
  • INC/DEC r32
  • ADD/SUB r32, value
  • AND/OR r1
  • XOR r32, r32
  • PUSH/POP r32
  • JMP (Relative address / Direct Address)
  • JE, JL, JG value
  • CALL r1/value
  • EXIT

r32 in most cases means any of the registers.  If you are using the supplied compiler and you enter an unsupported operand form for an instruction, it will not only give an error but will also show you all the valid ways to use that instruction.

You have four general-purpose registers: r1, r2, r3, and r4, with r1 being the primary register: every instruction accepts r1, but not necessarily the others.  You also have the IP and SP registers for instruction-pointer and stack-pointer manipulation, as well as a few others.  See the slides for more information or simply look at the core source.
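To make the instruction list and register model above concrete, here is a toy interpreter for that instruction set, written in Ruby because the released compiler is Ruby-based.  It is an added illustration, not the MASM core from the MiniVM download.  Everything about the encoding is assumed: each instruction is a Ruby array `[opcode, operand, operand]`, CMP sets eq/lt/gt flags that JE/JL/JG read, AND/OR take r1 as destination plus one source operand, JMP has a direct (absolute index) and a relative (offset) form, and CALL pushes the return address so a routine returns by popping it into IP, which the post only implies by calling IP a register you can manipulate.  The sample program and its input data are constructed for this example.

```ruby
# Toy interpreter for the MiniVM instruction list (added illustration, not the
# MASM core shipped with the release). Encoding, flag semantics, AND/OR operand
# form, relative JMP and return-via-POP-ip are assumptions made here.
class ToyMiniVM
  attr_reader :regs, :mem, :stack, :flags

  def initialize(program, mem_size: 64)
    @program = program
    @regs    = { 'r1' => 0, 'r2' => 0, 'r3' => 0, 'r4' => 0, 'ip' => 0 }
    @mem     = Array.new(mem_size, 0)
    @stack   = []                                  # grows on PUSH/CALL, shrinks on POP
    @flags   = { eq: false, lt: false, gt: false } # written by CMP only
    @halted  = false
  end

  # A String operand names a register; anything else is an immediate value.
  def value_of(operand)
    operand.is_a?(String) ? @regs.fetch(operand) : operand
  end

  # Fetch/decode/execute loop. The step limit keeps a buggy program from
  # spinning forever; falling off the end of the program raises IndexError.
  def run(max_steps: 10_000)
    steps = 0
    until @halted
      raise 'step limit exceeded' if (steps += 1) > max_steps
      instr = @program.fetch(@regs['ip'])
      @regs['ip'] += 1   # advance first so CALL pushes the correct return address
      execute(instr)
    end
    self
  end

  def execute(instr)
    op, a, b = instr
    case op
    when :mov   then @regs[a] = value_of(b)          # MOV r32, r32 / MOV r32, value
    when :store then @mem[@regs[a]] = value_of(b)    # MOV [r1], r32
    when :load  then @regs[a] = @mem[@regs[b]]       # MOV r1, [r1]
    when :cmp                                        # CMP r32, value
      diff = @regs[a] - value_of(b)
      @flags = { eq: diff.zero?, lt: diff.negative?, gt: diff.positive? }
    when :inc   then @regs[a] += 1                   # INC r32
    when :dec   then @regs[a] -= 1                   # DEC r32
    when :add   then @regs[a] += value_of(b)         # ADD r32, value
    when :sub   then @regs[a] -= value_of(b)         # SUB r32, value
    when :and   then @regs['r1'] &= value_of(a)      # AND r1, src (operand form assumed)
    when :or    then @regs['r1'] |= value_of(a)      # OR r1, src (operand form assumed)
    when :xor   then @regs[a] ^= @regs[b]            # XOR r32, r32
    when :push  then @stack.push(value_of(a))        # PUSH r32
    when :pop   then @regs[a] = @stack.pop           # POP r32 (POP ip acts as a return)
    when :jmp   then @regs['ip'] = value_of(a)       # JMP direct address
    when :jmpr  then @regs['ip'] += value_of(a)      # JMP relative address
    when :je    then @regs['ip'] = value_of(a) if @flags[:eq]
    when :jl    then @regs['ip'] = value_of(a) if @flags[:lt]
    when :jg    then @regs['ip'] = value_of(a) if @flags[:gt]
    when :call                                       # CALL r1 / value
      @stack.push(@regs['ip'])
      @regs['ip'] = value_of(a)
    when :exit  then @halted = true                  # EXIT
    else raise "unknown opcode #{op.inspect}"
    end
  end

  # Constructed sample program: count how many of mem[0..4] equal 1, then
  # store the count at mem[10] through a CALLed routine. The logic lives only
  # in this data table, which is the whole point of a code-obfuscating VM.
  COUNT_ONES = [
    [:mov,   'r2', 0],      # 0: r2 = index
    [:xor,   'r3', 'r3'],   # 1: r3 = match count (zeroing idiom)
    [:cmp,   'r2', 5],      # 2: loop: all five elements seen?
    [:je,    12],           # 3:   yes -> finish
    [:mov,   'r1', 'r2'],   # 4: r1 = index
    [:load,  'r1', 'r1'],   # 5: r1 = mem[r1]
    [:cmp,   'r1', 1],      # 6: element == 1?
    [:je,    9],            # 7:   yes -> count it
    [:jmp,   10],           # 8:   no  -> next element
    [:inc,   'r3'],         # 9: r3 += 1
    [:inc,   'r2'],         # 10: index += 1
    [:jmp,   2],            # 11: loop
    [:call,  14],           # 12: finish: store the result
    [:exit],                # 13: halt
    [:mov,   'r1', 10],     # 14: routine: r1 = address 10
    [:store, 'r1', 'r3'],   # 15: mem[r1] = r3
    [:pop,   'ip']          # 16: return to the address CALL pushed
  ].freeze

  # Runs the sample program over constructed input; returns [count, stored, stack depth].
  def self.count_ones_demo
    vm = ToyMiniVM.new(COUNT_ONES)
    vm.mem[0, 5] = [3, 1, 4, 1, 5]                 # constructed input data
    vm.run
    [vm.regs['r3'], vm.mem[10], vm.stack.size]
  end
end

puts ToyMiniVM.count_ones_demo.inspect if $PROGRAM_NAME == __FILE__   # [2, 2, 0]
```

Note how nothing in the native program reveals the comparison being made: a disassembler sees only the dispatch loop in `execute`, and the real control flow is data in `COUNT_ONES`.  That is why analysing a VM-protected binary means recovering the handler semantics first and only then reading the bytecode, and why a stack that is not empty at EXIT is a cheap sanity check when you write your own CALL/return convention.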

I will be maintaining both MiniVM and the compiler.  Please send me any patches or updates to either of these.  Also, if you write anything really cool for MiniVM I would like to see that as well.  I’m sure the solutions for the crackme will fill up quickly, but if you write up a good tutorial send that to me and I’ll post it as well.

Download:

miniVM

Slides

miniVMCrackme1

Send emails to: crag.smith at neoahpsis.com


RECON 2008

June 9, 2008

I will be giving a talk at the RECON conference in Montreal this weekend (June 13-15).  For those of you who haven’t been to RECON, it is a fantastic conference.  RECON considers itself a security conference, but it is much more than that.  There are many very technical talks that typically involve the different aspects of reverse engineering just about anything.  Perfect for security researchers, the anti-virus community, or anybody interested in studying the inner workings of things.

I am very excited to be presenting in Montreal and have some fun tools to release after the talk.  My talk is about writing your own virtual machine for the purposes of code obfuscation.  It should be around noon-ish on Saturday, but that time may change.  The goal of the talk is not just to teach what an embedded virtual machine is or how it works, but also to allow you to build your own.  I will be releasing a virtual CPU that you can play with, as well as an assembler-like language you can use to compile code for your virtual machine.  The compiler is written in Ruby and is easily extended, so you can quickly write your own language for your own processor.  I will also have a crackme to release to play with as well :D

Should be lots of fun!  I’ll be there on Friday, but I will be taking off early morning on Sunday to get home for Father’s Day (need to support the lil’ Neophites).  So be sure to say ‘Hi’ at the party.

–Craig Smith

Updated to include the posted link to the crackme.