
Code Obfuscation | Writing a VM

What is this Blog About?

It is about a minor project that I recently completed: writing a virtual machine to slow down the process of reverse engineering. This is not a tutorial on doing the same, but I have included the presentation I used during the final presentation, the PDFs for the system design and sample runs, and one step-by-step sample run.

#Presentation


#Design

#Implementation – Sample Runs

#Code

#Sample Run

In this sample run I am going to implement the POC expansion algorithm, which was the final program written for OIVM.

1. Make sure bootrom.txt and OIVM.exe are in the same folder.
2. Open bootrom.txt in a hex editor (for example Hex Workshop) and write the following hex stream to it.

3F 11 25 00 2F 08 3F 38 3F 38 41 3D 09 1B 3C 4C 21 25 00 2F 14 7C 67 63 55 64 61 38 67 7C 63 38 55 64 61 38 37 41 3D 15 C9 45 3F 11 3F 12 18 68 3C 25 00 2F 08 12 86 C5 38 41 3D 09 00 02 04 06 08

3. Save the file. The file is in the format [STUB][Compressed Code]. The stub is 60 bytes long and extends up to the 0x09 in the second line of the hexadecimal stream. The equivalent assembly for this code is as follows:

[EXPANSION STUB]
scanf("%d",&STACK[SP]) //NUMBER OF DICTIONARY ENTRIES
MOV A,STACK[SP]
FLAG=A-ROM[++IP] //COMPARE A WITH IMMEDIATE 00
JE 8 BYTES
scanf("%d",&STACK[SP]) //TWO VALUES PER ENTRY
++SP
scanf("%d",&STACK[SP])
++SP
--A
JMP -9 BYTES
MOV B,ROM[++IP] //STUB LENGTH
A = fileLen
A=A-B //A = NUMBER OF COMPRESSED BYTES
FLAG=A-ROM[++IP]
JE 14 BYTES
MOV C ,ROM[B] //C = COMPRESSED BYTE (DICTIONARY INDEX)
MOV D,SP
MOV SP,C
MOV C,STACK[SP]
MOV SP,D
MOV STACK[SP],C //PUSH STACK[INDEX]
++SP
MOV D,SP
MOV C,ROM[B]
MOV SP,C
++SP
MOV C,STACK[SP]
MOV SP,D
MOV STACK[SP],C //PUSH STACK[INDEX+1]
++SP
++B
--A
JMP -21 BYTES
ROM=(char *)realloc(ROM,ROM[++IP]) //FILE EXPANDED
scanf("%d",&STACK[SP]) //NEW SIZE (STEP 3)
MOV A,STACK[SP]
scanf("%d",&STACK[SP]) //SP (STEP 4)
MOV B,STACK[SP]
MOV SP,B
MOV C,ROM[++IP] //DESTINATION IN ROM
FLAG=A-ROM[++IP]
JE 8 BYTES
MOV B,STACK[SP]
MOV ROM[C],B //WRITE EXPANDED CODE INTO ROM
++C
++SP
--A
JMP -9 BYTES
[COMPRESSED FORM]
00 02 04 06 08

4. Now run the program. If you don't speak assembly, that doesn't matter; here is the algorithm:

1. Enter the number of elements in the dictionary.
2. Enter the dictionary.
(The dictionary is stored on the stack.)
(The dictionary is looked up for the values corresponding to the compressed code.)
(The new values are pushed onto the stack.)
3. Enter the new size.
4. Enter the SP (which could have been hardcoded as well).
(The code expands.)
(Execution is now passed on to the expanded program.)
5. Enter the first element. Hit Enter.
6. Enter the second element. Hit Enter.
7. The sum is displayed.
8. OIVM halts.
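The expansion performed by the stub, modelled in Python as an added example (this is not OIVM's own code). It follows the listing above: each compressed byte is an index into the dictionary held on the stack and yields the pair STACK[i], STACK[i+1], and the expanded bytes are copied into ROM at the stub's end (the 0x3C immediate in the stream). The dictionary values are constructed placeholders, since the real expanded opcodes are not given in the post.

```python
# Added example, not OIVM's own code: a Python model of the expansion stub
# listed above. Real OIVM opcodes are unknown here, so the dictionary is constructed.
STUB_LEN = 60                                        # stub length from the post (0x3C)
COMPRESSED = bytes([0x00, 0x02, 0x04, 0x06, 0x08])   # the [COMPRESSED FORM]
# Constructed placeholder dictionary: five (value, value) pairs, not real opcodes.
DICTIONARY = [(0x10, 0x11), (0x20, 0x21), (0x30, 0x31), (0x40, 0x41), (0x50, 0x51)]


def run_stub(dictionary, compressed, stub_len=STUB_LEN):
    """Replay the stub's three phases on a model STACK/ROM.

    Returns (rom_on_disk, rom_after_expansion, stack): the bytes in
    bootrom.txt are not the bytes that end up executing.
    """
    stack = []
    # Phase 1 (steps 1-2): N dictionary entries, two values each, pushed on the stack.
    for lo, hi in dictionary:
        stack.extend([lo, hi])
    dict_end = len(stack)                            # the SP value typed in step 4

    # Phase 2: B walks the compressed bytes; each byte i pushes STACK[i], STACK[i+1].
    rom = bytearray(stub_len) + bytearray(compressed)   # model of the file: [STUB][Compressed Code]
    for b in range(stub_len, len(rom)):
        i = rom[b]
        if i + 1 >= dict_end:                        # an index past the dictionary reads garbage
            raise IndexError(f"compressed byte {i:#04x} is outside the dictionary")
        stack.append(stack[i])
        stack.append(stack[i + 1])
    new_size = len(stack) - dict_end                 # 'Enter the New Size' (step 3)

    # Phase 3: realloc ROM, then copy STACK[SP..] into ROM starting at the
    # destination immediate (0x3C = 60 in the stream, i.e. over the compressed bytes).
    after = bytearray(rom[:stub_len]) + bytearray(new_size)
    sp = dict_end
    for c in range(stub_len, stub_len + new_size):
        after[c] = stack[sp]
        sp += 1
    return bytes(rom), bytes(after), stack


def expanded_code(dictionary=DICTIONARY, compressed=COMPRESSED):
    """The bytes execution is handed to once the stub finishes: ROM[STUB_LEN:]."""
    _, after, _ = run_stub(dictionary, compressed)
    return after[STUB_LEN:]


if __name__ == "__main__":
    on_disk, after, _ = run_stub(DICTIONARY, COMPRESSED)
    print("on disk :", on_disk[STUB_LEN:].hex(" "))   # 00 02 04 06 08
    print("executed:", after[STUB_LEN:].hex(" "))     # 10 11 20 21 30 31 40 41 50 51
```

The point for an analyst is that a static read of bootrom.txt shows only the stub and five index bytes; the program that actually runs exists only after emulating the stub and dumping ROM.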

Results/Output

#Thanks

Special thanks to Mr. Atul Alex Cherian, Ms. Nishtha Jatana and Ms. Kritika Sobti.


by Adwiteeya Agrawal
