Here are the slides for the talk I gave at RECON. The talk was on “Creating Code Obfuscating Virtual Machines”. The videos of all the talks will also be made available on the RECON website. To get started writing your own virtual machine or programming for the MiniVM you’ll need to download the MiniVM suite (see below). This has the core CPU (aka VM) under core/minivm.inc. This file was intended to be compiled by MASM. You could of course compile this to an object file and link it into your C code.
There is also a directory for compilers. There is currently just one and it’s Ruby based. This compiler is easily extensible, so you can use it for any VM you decide to create yourself. This should speed things up and give you a lot more flexibility when writing your own VMs. Both the compiler and the VM core *should* be able to compile on other platforms, but I haven’t tested compiling the core with NASM yet.
These operands are currently supported by MiniVM:
- MOV r32, r32
- MOV [r1], r32
- MOV r1, [r1]
- MOV r32, value
- CMP r32, value
- INC/DEC r32
- ADD/SUB r32, value
- AND/OR r1
- XOR r32, r32
- PUSH/POP r32
- JMP (Relative address / Direct Address)
- JE, JL, JG value
- CALL r1/value
- EXIT
r32 in most cases means any of the registers. If you are using the supplied compiler and you enter an unsupported use of an operand, it will not only give an error but also show you all the possible valid ways to use that operand.
You basically have 4 general-purpose registers: r1, r2, r3 and r4, with r1 being the primary register: every operand works with r1, but not necessarily with the others. You also have the registers IP and SP for instruction-pointer and stack-pointer manipulation, as well as a few others. See the slides for more information or simply look at the core source.
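To show what an interpreter for an instruction set like the one listed above looks like, here is an added C example; it is not code from the MiniVM suite. The opcode numbers, the three-word encoding, the downward-growing 16-slot stack and the sample program are assumptions of this example, and only a subset of the listed instructions is implemented.

```c
#include <stdint.h>

/* Opcodes and the 3-word {op, a, b} encoding are constructed for this example,
 * not MiniVM's real ones. a/b hold a register index (0..3 = r1..r4), an
 * immediate, or a direct code address. */
enum { MOVI, ADDI, DEC, CMPI, XORR, PUSH, POP, JMP, JE, JG, EXIT };
typedef struct { int op, a, b; } Insn;

typedef struct {
    int32_t r[4];        /* r1..r4 */
    int ip, sp, cmp;     /* instruction ptr, stack ptr (grows down), last CMP */
    int32_t stack[16];
} VM;

/* Interprets code[] until EXIT and returns r1; -1 on a bad opcode, stack
 * fault or running off the end of the program. */
static int32_t vm_run(const Insn *code, int len) {
    VM vm = { {0, 0, 0, 0}, 0, 16, 0, {0} };
    while (vm.ip >= 0 && vm.ip < len) {
        Insn i = code[vm.ip++];
        switch (i.op) {
        case MOVI: vm.r[i.a] = i.b; break;
        case ADDI: vm.r[i.a] += i.b; break;
        case DEC:  vm.r[i.a]--; break;
        case CMPI: vm.cmp = (vm.r[i.a] > i.b) - (vm.r[i.a] < i.b); break;
        case XORR: vm.r[i.a] ^= vm.r[i.b]; break;
        case PUSH: if (vm.sp == 0) return -1; vm.stack[--vm.sp] = vm.r[i.a]; break;
        case POP:  if (vm.sp == 16) return -1; vm.r[i.a] = vm.stack[vm.sp++]; break;
        case JMP:  vm.ip = i.a; break;                 /* direct address */
        case JE:   if (vm.cmp == 0) vm.ip = i.a; break;
        case JG:   if (vm.cmp > 0) vm.ip = i.a; break;
        case EXIT: return vm.r[0];
        default:   return -1;
        }
    }
    return -1;
}

/* Constructed program: 6 * 7 by repeated addition, result round-tripped
 * through the stack. A reverser sees only this table, never a native IMUL. */
static const Insn prog[] = {
    {MOVI, 0, 0}, {MOVI, 1, 6},              /* MOV r1, 0 ; MOV r2, 6         */
    {CMPI, 1, 0}, {JE, 7, 0},                /* CMP r2, 0 ; JE 7              */
    {ADDI, 0, 7}, {DEC, 1, 0}, {JMP, 2, 0},  /* ADD r1, 7 ; DEC r2 ; JMP 2    */
    {PUSH, 0, 0}, {XORR, 0, 0}, {POP, 0, 0}, /* PUSH r1 ; XOR r1, r1 ; POP r1 */
    {EXIT, 0, 0},
};

int32_t run_demo(void) { return vm_run(prog, (int)(sizeof prog / sizeof prog[0])); }
```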
I will be maintaining both MiniVM and the compiler. Please send me any patches or updates to either of these. Also, if you write anything really cool for MiniVM I would like to see that as well. I’m sure the solutions for the Crackme will fill up quickly, but if you write a good tutorial send that to me and I’ll post it as well.
Download:
Send emails to: crag.smith at neoahpsis.com
July 2, 2008 at 7:58 pm
[...] Craig Smith from Neohapsis presented on using virtual machines to implement code obfuscation. Don’t think VMWare virtual machines here. Instead think custom instruction sets and a runtime interpreter. He covered the basics of this technique which were popularized by honeynet SOTM32 challenge. The idea is to create a custom instruction set and then use it to implement the logic you want obfuscated. You can apply this approach to hide system calls or important calculations. The bottom line is that a small effort on the developer’s part can create a lot more work for the reverser. More details and his sample code can be found on the Neohapsis blog. [...]