This post shows how I solved the vm.exe challenge from @MalwareTechLab.
Analysis of Main Code Flow:
The binary copies a specific region of its code (starting at 0x404040) into allocated heap memory, then calls the
SubMainCode function, which is responsible for decrypting the flag, MD5-hashing it and displaying the hash in a message box.
[figure 1 - the main code flow of this challenge]
Parsing the Mnemonic and Opcodes of the VM Instructions:
Inside that function you can see it parsing the "ram.bin" VM code, which consists of 3-byte instructions (mnemonic, opcode1 and opcode2). The three bytes are stored in local variables and later pushed as parameters to the
Generate_VMCode function, which emits the VM instruction.
[figure 2 - parsing the vm codes]
Generate_VMCode is responsible for generating the VM instructions that produce the flag. In the screenshot below you can see that it checks whether the mnemonic byte is 1, 2 or 3; each of these values maps to a VM instruction, explained further below.
[figure 3 - generate instruction based on the 1st byte of the vmcode opcodes]
As mentioned, each value has a corresponding VM instruction:
1 ==> mov [op1], op2
2 ==> mov byte_404240, [op1]
- note: byte_404240 looks like a global variable, or more likely a register, so you can rename it to R0, R1, etc.
3 ==> xor [op1], byte_404240
[figure 4 - vm code equivalent]
Solution with Python:
My approach is to read ram.bin in two parts. The first part is the encrypted flag; the second part is the VM code, which starts at offset 0xFF from the beginning of ram.bin.
I then print out the simulated VM instructions to understand the control flow that produces the flag. The flow initializes some bytes in the memory array (the decryption key), reads the encrypted flag at offset 0x20 of ram.bin, and XORs each byte to decrypt the flag.
[figure 5 - portion of generated vm instructions]
Below is the part of the function I wrote to produce the flag.
[figure 6 - the function to generate the flag]
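As an added example (not the author's script and not the challenge's own code), here is a small Python interpreter for the three VM instructions described above, run over a constructed ram.bin-like image. It assumes the layout the post describes (XORed flag at offset 0x20, 3-byte instructions starting at 0xFF) plus one assumption of my own: a mnemonic byte of 0 ends the program.

```python
# Added example (not the author's script): interpreter for the three-instruction VM
# described above, run over a constructed ram.bin-like image. Assumed layout: XORed
# flag at 0x20, program at 0xFF as (mnemonic, op1, op2) triples, ended by mnemonic 0.
FLAG_OFFSET = 0x20
CODE_OFFSET = 0xFF

def run_vm(ram):
    """Execute the VM program in ram; return (final memory, instruction trace)."""
    mem = bytearray(ram)
    r0 = 0                           # byte_404240 in the binary, treated as R0
    trace = []
    pc = CODE_OFFSET
    while pc + 2 < len(mem):
        mnem, op1, op2 = mem[pc], mem[pc + 1], mem[pc + 2]
        if mnem == 1:                # mov [op1], op2
            mem[op1] = op2
            trace.append(f"mov [0x{op1:02x}], 0x{op2:02x}")
        elif mnem == 2:              # mov R0, [op1]
            r0 = mem[op1]
            trace.append(f"mov R0, [0x{op1:02x}]")
        elif mnem == 3:              # xor [op1], R0
            mem[op1] ^= r0
            trace.append(f"xor [0x{op1:02x}], R0")
        else:                        # unknown mnemonic (assumed): end of program
            break
        pc += 3
    return mem, trace

def recover_flag(ram, length):
    """Run the VM and read the decrypted flag back out of its memory."""
    mem, _ = run_vm(ram)
    return bytes(mem[FLAG_OFFSET:FLAG_OFFSET + length])

def build_sample_ram(flag, key):
    """Constructed image: flag XORed with a repeating key at 0x20, plus a program that
    stores each key byte in a scratch slot, loads it into R0 and XORs the flag byte."""
    assert len(flag) <= CODE_OFFSET - FLAG_OFFSET
    ram = bytearray(CODE_OFFSET)     # data region 0x00..0xFE; slots 0x00..0x0F hold key
    code = bytearray()
    for i, c in enumerate(flag):
        slot, k = i % 0x10, key[i % len(key)]
        ram[FLAG_OFFSET + i] = c ^ k
        code += bytes([1, slot, k, 2, slot, 0, 3, FLAG_OFFSET + i, 0])
    return bytes(ram + code + b"\x00\x00\x00")

if __name__ == "__main__":
    sample = build_sample_ram(b"flag{constructed_sample}", bytes([0x13, 0x37, 0xAA, 0x55]))
    print(recover_flag(sample, 24))
```

The trace returned by run_vm is the same "mov/mov/xor" pattern the post's figure 5 shows, so the same loop can be pointed at the real ram.bin once the data and code regions are confirmed.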
The flag string output:
[figure 7 - flag string output]
Conclusion:
This challenge really helped me improve my static analysis and Python scripting skills, and it pushed me to explore IDAPython further to get the job done. Thanks again to
@MalwareTechLab for this challenge :)