@zachriggle
Last active August 29, 2019 09:21
RARverseme
# Entry point: jump straight to the main routine at 00a3.  The subroutines
# between here and 00a3 are skipped and only reached via VM_CALL (or not at all).
0000 VM_JMP a3
# ---------------------------------------------------------------------------
# sub_0001: bswap32 -- reverse the byte order of a 32-bit value.
#   In:   [r6+08h] = x   (frame: [r6+00h] = saved r6, [r6+04h] presumably the
#         return slot, so the last pushed argument sits at [r6+08h] -- confirm)
#   Out:  r0 = (x>>24 & 0xff) | (x>>8 & 0xff00) | (x<<8 & 0xff0000) | (x<<24 & 0xff000000)
#   Clobbers: r1.   Called from 0063 and 009b.
# ---------------------------------------------------------------------------
0001 VM_PUSH r6
0002 VM_MOV r6, r7
0003 VM_XOR r0, r0
0004 VM_MOV r1, [r6+08h]
0005 VM_SHR r1, 0x18h
0006 VM_AND r1, 0xffh
0007 VM_OR r0, r1
0008 VM_MOV r1, [r6+08h]
0009 VM_SHR r1, 0x8h
000a VM_AND r1, 0xff00h
000b VM_OR r0, r1
000c VM_MOV r1, [r6+08h]
000d VM_SHL r1, 0x8h
000e VM_AND r1, 0xff0000h
000f VM_OR r0, r1
0010 VM_MOV r1, [r6+08h]
0011 VM_SHL r1, 0x18h
0012 VM_AND r1, 0xff000000h
0013 VM_OR r0, r1
0014 VM_MOV r7, r6
0015 VM_POP r6
0016 VM_RET
0017 VM_JMP 3ff00 # reached via VM_CALL 17 (02c7, 02ce) after the result buffer is registered; the target lies outside the listed code -- presumably the VM's exit/return-to-host address, confirm against the modified unrar source
0018 VM_JMP 18 # branches to itself: an endless loop; nothing in this listing jumps or calls here
# ---------------------------------------------------------------------------
# sub_0019: a mod b, computed as a - (a / b) * b.
#   In:   [r6+08h] = a, [r6+0ch] = b      Out: r0      Clobbers: r1, r2
#   Called from 0092 with (len, 4) to obtain len % 4.  b = 0 is not guarded.
# ---------------------------------------------------------------------------
0019 VM_PUSH r6
001a VM_MOV r6, r7
001b VM_MOV r0, [r6+08h]
001c VM_MOV r1, [r6+08h]
001d VM_MOV r2, [r6+0ch]
001e VM_DIV r1, r2
001f VM_MUL r1, r2
0020 VM_SUB r0, r1
0021 VM_MOV r7, r6
0022 VM_POP r6
0023 VM_RET
# ---------------------------------------------------------------------------
# sub_0024: Fibonacci-style stepping loop.  No VM_CALL or VM_JMP in this
# listing targets 0024, so it appears to be dead code.
#   r1 = 1; then, while the decremented counter [r6+08h] stays non-negative
#   (VM_JNS):  r0 += r1;  r1 = old r0   (r1 = -r1 + new r0)
#   r0 is not initialised here, so the sequence starts from whatever the
#   caller left in it.  r2 is set to 0 and never read.
#   Unlike the other subroutines this one does not restore r7 from r6
#   before VM_POP r6.
# ---------------------------------------------------------------------------
0024 VM_PUSH r6
0025 VM_MOV r6, r7
0026 VM_MOV r1, 0x1h
0027 VM_MOV r2, 0h
0028 VM_JMP 2c
0029 VM_ADD r0, r1
002a VM_NEG r1,
002b VM_ADD r1, r0
002c VM_DEC [r6+08h],
002d VM_JNS 29
002e VM_POP r6
002f VM_RET
# ---------------------------------------------------------------------------
# sub_0030: bit-serial CRC-32 over a byte buffer.
#   In:   [r6+08h] = ptr, [r6+0ch] = len      Out: r0 = crc      Clobbers: r1, r3, r4, r5
#   Register initialised to 0xffffffff; reflected polynomial 0xedb88320;
#   one byte per outer iteration (the dword loaded from [r1] is masked to its
#   low byte and r1 advances by 1), eight shift/conditional-xor steps per byte.
#   There is NO final inversion of the register.
#   The byte loop is do-while (VM_DEC r5 / VM_JNZ 35): len = 0 wraps the
#   counter and the loop runs 2^32 times, reading far past the buffer.
#   Called from 008e.
# ---------------------------------------------------------------------------
0030 VM_PUSH r6
0031 VM_MOV r6, r7
0032 VM_MOV r3, 0xffffffffh
0033 VM_MOV r1, [r6+08h]
0034 VM_MOV r5, [r6+0ch]
0035 VM_MOV r0, [r1+00h]
0036 VM_AND r0, 0xffh
0037 VM_XOR r3, r0
0038 VM_MOV r4, 0x8h
0039 VM_SHR r3, 0x1h
003a VM_JAE 3c
003b VM_XOR r3, 0xedb88320h # reflected CRC-32 polynomial; applied when the bit shifted out was 1
003c VM_DEC r4,
003d VM_JNZ 39
003e VM_INC r1,
003f VM_DEC r5,
0040 VM_JNZ 35
0041 VM_MOV r0, r3
0042 VM_MOV r7, r6
0043 VM_POP r6
0044 VM_RET
# ---------------------------------------------------------------------------
# sub_0045: reverse the bit order inside each of the four bytes of a 32-bit value.
#   In:   [r6+08h] = x      Out: r0      Clobbers: r1, r2, r3, r4
#   For shift r2 = 0, 8, 16, 24:
#     b   = (x >> r2) & 0xff
#     rev = (((b*0x802) & 0x22110) | ((b*0x8020) & 0x88440)) * 0x10101 >> 16 & 0xff
#     r0 |= rev << r2
#   The multiply-and-mask sequence is the well-known byte bit-reversal trick;
#   only the low 32 bits of the last product are used, so 32-bit wrap-around
#   does not affect the result.
#   Called from 0061 and 006d.
# ---------------------------------------------------------------------------
0045 VM_PUSH r6
0046 VM_MOV r6, r7
0047 VM_XOR r0, r0
0048 VM_MOV r1, [r6+08h]
0049 VM_XOR r2, r2
004a VM_MOV r3, r1
004b VM_SHR r3, r2
004c VM_AND r3, 0xffh
004d VM_MOV r4, r3
004e VM_MUL r3, 0x802h
004f VM_MUL r4, 0x8020h # ...
0050 VM_AND r3, 0x22110h # ..!.
0051 VM_AND r4, 0x88440h # ...@
0052 VM_OR r3, r4
0053 VM_MUL r3, 0x10101h
0054 VM_SHR r3, 0x10h
0055 VM_AND r3, 0xffh
0056 VM_SHL r3, r2
0057 VM_OR r0, r3
0058 VM_ADD r2, 0x8h
0059 VM_CMP r2, 0x20h # loop over the four byte lanes
005a VM_JNZ 4a
005b VM_MOV r7, r6
005c VM_POP r6
005d VM_RET
# ---------------------------------------------------------------------------
# sub_005e: apply sub_0071 to a value n+1 times, with bit/byte reordering around it.
#   In:   [r6+08h] = x, [r6+0ch] = n      Out: r0      Clobbers: whatever the callees touch
#   x = bswap32(bitrev8(x))                         (CALL 45, CALL 1)
#   while [r6+0ch] is not negative (VM_TEST / VM_JS):
#       [r6+0ch]--;  x = sub_0071(x)                (CALL 71)
#     -> for n >= 0 the body runs n+1 times, because the test precedes the decrement
#   r0 = bitrev8(x)                                 (CALL 45)
#   Arguments pushed for the calls are never popped inside the loop; the
#   stack is reset wholesale by MOV r7, r6 on exit.
#   Called from 0099 with n = len/4 - 1 (see sub_0089), i.e. len/4 applications.
# ---------------------------------------------------------------------------
005e VM_PUSH r6
005f VM_MOV r6, r7
0060 VM_PUSH [r6+08h]
0061 VM_CALL 45
0062 VM_PUSH r0
0063 VM_CALL 1
0064 VM_MOV [r6+08h], r0
0065 VM_TEST [r6+0ch], [r6+0ch]
0066 VM_JS 6c
0067 VM_DEC [r6+0ch],
0068 VM_PUSH [r6+08h]
0069 VM_CALL 71
006a VM_MOV [r6+08h], r0
006b VM_JMP 65
006c VM_PUSH [r6+08h]
006d VM_CALL 45
006e VM_MOV r7, r6
006f VM_POP r6
0070 VM_RET
# ---------------------------------------------------------------------------
# sub_0071: 32 carry-less (GF(2)) steps driven by the CRC-32 generator polynomial.
#   In:   [r6+08h] = x (modified in place on the stack)      Out: r0      Clobbers: r1, r2
#   Locals (16 bytes reserved by SUB r7, 0x10):
#     [r6-04h]            acc  = 0
#     [r6-08h]:[r6-0ch]   hi:lo = 0x1:0x04c11db7 -- the CRC-32 generator
#                         polynomial in normal bit order (its reflected form
#                         0xedb88320 is the one sub_0030 uses)
#     [r6-010h]           mask = 1
#   Each of the 32 iterations (mask is shifted left until it becomes 0 and
#   JNZ 78 falls through):
#     if (x & mask) != 0:  acc ^= hi;  x ^= lo
#     hi:lo <<= 1           (hi = (hi<<1) + (lo>>31); lo <<= 1)
#     mask <<= 1
#   Returns acc.  Called from 0069, once per loop turn of sub_005e.
# ---------------------------------------------------------------------------
0071 VM_PUSH r6
0072 VM_MOV r6, r7
0073 VM_SUB r7, 0x10h
0074 VM_MOV [r6-04h], 0h
0075 VM_MOV [r6-08h], 0x1h
0076 VM_MOV [r6-0ch], 0x4c11db7h
0077 VM_MOV [r6-010h], 0x1h
0078 VM_TEST [r6+08h], [r6-010h]
0079 VM_JZ 7c
007a VM_XOR [r6-04h], [r6-08h]
007b VM_XOR [r6+08h], [r6-0ch]
007c VM_MOV r1, [r6-08h]
007d VM_MOV r2, [r6-0ch]
007e VM_SHL r1, 0x1h
007f VM_SHR r2, 0x1fh
0080 VM_ADD r1, r2
0081 VM_MOV [r6-08h], r1
0082 VM_SHL [r6-0ch], 0x1h
0083 VM_SHL [r6-010h], 0x1h
0084 VM_JNZ 78
0085 VM_MOV r0, [r6-04h]
0086 VM_MOV r7, r6
0087 VM_POP r6
0088 VM_RET
# ---------------------------------------------------------------------------
# sub_0089: XOR one dword of a buffer with a value derived from a key and the buffer's CRC.
#   In:   [r6+08h] = ptr, [r6+0ch] = len, [r6+10h] = v      Out: r0 = 0
#   Local: [r6-04h] = rem
#   v    ^= crc32(ptr, len)                      (CALL 30)
#   rem   = len mod 4                            (CALL 19)
#   len   = (len - rem) / 4 - 1
#   r0    = bswap32(sub_005e(v, len))            (CALL 5e, CALL 1)
#   *(u32 *)(ptr + rem) ^= r0
#   No VM_CALL or VM_JMP in this listing targets 0089; how (or whether) it is
#   reached is not visible here.
# ---------------------------------------------------------------------------
0089 VM_PUSH r6
008a VM_MOV r6, r7
008b VM_SUB r7, 0x4h
008c VM_PUSH [r6+0ch]
008d VM_PUSH [r6+08h]
008e VM_CALL 30
008f VM_XOR [r6+010h], r0
0090 VM_PUSH 0x4h
0091 VM_PUSH [r6+0ch]
0092 VM_CALL 19
0093 VM_MOV [r6-04h], r0
0094 VM_SUB [r6+0ch], [r6-04h]
0095 VM_DIV [r6+0ch], 0x4h
0096 VM_SUB [r6+0ch], 0x1h
0097 VM_PUSH [r6+0ch]
0098 VM_PUSH [r6+010h]
0099 VM_CALL 5e
009a VM_PUSH r0
009b VM_CALL 1
009c VM_ADD [r6+08h], [r6-04h]
009d VM_MOV r1, [r6+08h]
009e VM_XOR [r1+00h], r0
009f VM_XOR r0, r0
00a0 VM_MOV r7, r6
00a1 VM_POP r6
00a2 VM_RET
# ---------------------------------------------------------------------------
# main (00a3-02d0).  Stores two 16-byte constants, then runs sixteen checks,
# four per dword of the 0x2000 buffer.  Per the listing's annotations, each
# check's conditional branch to the failure path at 02c9 has been replaced by
# a fall-through JMP ("Neutered JNZ 2C9"), so the compares no longer steer
# control flow.
#   r3 = 0x2000: four dwords the disassembler renders as "your" "flag" "goes" "heru"
#   r4 = 0x5000: four dwords of key material (0x31337357, 0x63561227, 0x6666654a, 0x78584148)
# ---------------------------------------------------------------------------
00a3 VM_MOV r3, 0x2000h # .. .
00a4 VM_MOV [r3+00h], 0x796f7572h # your
00a5 VM_MOV [r3+04h], 0x666c6167h # flag
00a6 VM_MOV [r3+08h], 0x676f6573h # goes
00a7 VM_MOV [r3+0ch], 0x68657275h # heru
00a8 VM_MOV r4, 0x5000h # ..P.
00a9 VM_MOV [r4+00h], 0x31337357h # 13sW
00aa VM_MOV [r4+04h], 0x63561227h # cV.'
00ab VM_MOV [r4+08h], 0x6666654ah # ffeJ
00ac VM_MOV [r4+0ch], 0x78584148h # xXAH
00ad VM_JMP ae
# --- checks on D0 = [r3+00h]  (00ae-0131) ------------------------------------
# Each of the four blocks computes
#     r1 = sum over k = 0..3 of  byte_k(D0) * byte_j([r4+4k])
# for key byte lane j = 0, 1, 2, 3 (r5 shifted right by 0, 8, 16, 24), compares
# r1 with 0x706f, 0x7972, 0x89d1, 0x9cc5 respectively and -- the JNZ being
# neutered -- pushes r1 and falls through.  The pushed values are never popped.
# lane j = 0
00ae VM_MOV r2, [r3+00h]
00af VM_AND r2, 0xffh
00b0 VM_MOV r5, [r4+00h]
00b1 VM_AND r5, 0xffh
00b2 VM_MUL r2, r5
00b3 VM_MOV r1, r2
00b4 VM_MOV r2, [r3+00h]
00b5 VM_SHR r2, 0x8h
00b6 VM_AND r2, 0xffh
00b7 VM_MOV r5, [r4+04h]
00b8 VM_AND r5, 0xffh
00b9 VM_MUL r2, r5
00ba VM_ADD r1, r2
00bb VM_MOV r2, [r3+00h]
00bc VM_SHR r2, 0x10h
00bd VM_AND r2, 0xffh
00be VM_MOV r5, [r4+08h]
00bf VM_AND r5, 0xffh
00c0 VM_MUL r2, r5
00c1 VM_ADD r1, r2
00c2 VM_MOV r2, [r3+00h]
00c3 VM_SHR r2, 0x18h
00c4 VM_AND r2, 0xffh
00c5 VM_MOV r5, [r4+0ch]
00c6 VM_AND r5, 0xffh
00c7 VM_MUL r2, r5
00c8 VM_ADD r1, r2
00c9 VM_CMP r1, 0x706fh # ..po
# Neutered JNZ 2C9 -- the branch to the failure path at 02c9 was replaced by the fall-through JMP below
00ca VM_JMP cb
00cb VM_PUSH r1
# lane j = 1 (key bytes >> 8)
00cc VM_MOV r2, [r3+00h]
00cd VM_AND r2, 0xffh
00ce VM_MOV r5, [r4+00h]
00cf VM_SHR r5, 0x8h
00d0 VM_AND r5, 0xffh
00d1 VM_MUL r2, r5
00d2 VM_MOV r1, r2
00d3 VM_MOV r2, [r3+00h]
00d4 VM_SHR r2, 0x8h
00d5 VM_AND r2, 0xffh
00d6 VM_MOV r5, [r4+04h]
00d7 VM_SHR r5, 0x8h
00d8 VM_AND r5, 0xffh
00d9 VM_MUL r2, r5
00da VM_ADD r1, r2
00db VM_MOV r2, [r3+00h]
00dc VM_SHR r2, 0x10h
00dd VM_AND r2, 0xffh
00de VM_MOV r5, [r4+08h]
00df VM_SHR r5, 0x8h
00e0 VM_AND r5, 0xffh
00e1 VM_MUL r2, r5
00e2 VM_ADD r1, r2
00e3 VM_MOV r2, [r3+00h]
00e4 VM_SHR r2, 0x18h
00e5 VM_AND r2, 0xffh
00e6 VM_MOV r5, [r4+0ch]
00e7 VM_SHR r5, 0x8h
00e8 VM_AND r5, 0xffh
00e9 VM_MUL r2, r5
00ea VM_ADD r1, r2
00eb VM_CMP r1, 0x7972h # ..yr
# Neutered JNZ 2C9
00ec VM_JMP ed
00ed VM_PUSH r1
# lane j = 2 (key bytes >> 16)
00ee VM_MOV r2, [r3+00h]
00ef VM_AND r2, 0xffh
00f0 VM_MOV r5, [r4+00h]
00f1 VM_SHR r5, 0x10h
00f2 VM_AND r5, 0xffh
00f3 VM_MUL r2, r5
00f4 VM_MOV r1, r2
00f5 VM_MOV r2, [r3+00h]
00f6 VM_SHR r2, 0x8h
00f7 VM_AND r2, 0xffh
00f8 VM_MOV r5, [r4+04h]
00f9 VM_SHR r5, 0x10h
00fa VM_AND r5, 0xffh
00fb VM_MUL r2, r5
00fc VM_ADD r1, r2
00fd VM_MOV r2, [r3+00h]
00fe VM_SHR r2, 0x10h
00ff VM_AND r2, 0xffh
0100 VM_MOV r5, [r4+08h]
0101 VM_SHR r5, 0x10h
0102 VM_AND r5, 0xffh
0103 VM_MUL r2, r5
0104 VM_ADD r1, r2
0105 VM_MOV r2, [r3+00h]
0106 VM_SHR r2, 0x18h
0107 VM_AND r2, 0xffh
0108 VM_MOV r5, [r4+0ch]
0109 VM_SHR r5, 0x10h
010a VM_AND r5, 0xffh
010b VM_MUL r2, r5
010c VM_ADD r1, r2
010d VM_CMP r1, 0x89d1h
# Neutered JNZ 2C9
010e VM_JMP 10f
010f VM_PUSH r1
# lane j = 3 (key bytes >> 24)
0110 VM_MOV r2, [r3+00h]
0111 VM_AND r2, 0xffh
0112 VM_MOV r5, [r4+00h]
0113 VM_SHR r5, 0x18h
0114 VM_AND r5, 0xffh
0115 VM_MUL r2, r5
0116 VM_MOV r1, r2
0117 VM_MOV r2, [r3+00h]
0118 VM_SHR r2, 0x8h
0119 VM_AND r2, 0xffh
011a VM_MOV r5, [r4+04h]
011b VM_SHR r5, 0x18h
011c VM_AND r5, 0xffh
011d VM_MUL r2, r5
011e VM_ADD r1, r2
011f VM_MOV r2, [r3+00h]
0120 VM_SHR r2, 0x10h
0121 VM_AND r2, 0xffh
0122 VM_MOV r5, [r4+08h]
0123 VM_SHR r5, 0x18h
0124 VM_AND r5, 0xffh
0125 VM_MUL r2, r5
0126 VM_ADD r1, r2
0127 VM_MOV r2, [r3+00h]
0128 VM_SHR r2, 0x18h
0129 VM_AND r2, 0xffh
012a VM_MOV r5, [r4+0ch]
012b VM_SHR r5, 0x18h
012c VM_AND r5, 0xffh
012d VM_MUL r2, r5
012e VM_ADD r1, r2
012f VM_CMP r1, 0x9cc5h
# Neutered JNZ 2C9
0130 VM_JMP 131
0131 VM_PUSH r1
# --- checks on D1 = [r3+04h]  (0132-01b6) ------------------------------------
# Same shape as the D0 group: r1 = sum over k of byte_k(D1) * byte_j([r4+4k])
# for lane j = 0, 1, 2, 3, compared with 0x720e, 0x7bfc, 0x88d7, 0x9be0.
# All four JNZ to 02c9 are neutered; r1 is pushed after each compare.
0132 VM_JMP 133
# lane j = 0
0133 VM_MOV r2, [r3+04h]
0134 VM_AND r2, 0xffh
0135 VM_MOV r5, [r4+00h]
0136 VM_AND r5, 0xffh
0137 VM_MUL r2, r5
0138 VM_MOV r1, r2
0139 VM_MOV r2, [r3+04h]
013a VM_SHR r2, 0x8h
013b VM_AND r2, 0xffh
013c VM_MOV r5, [r4+04h]
013d VM_AND r5, 0xffh
013e VM_MUL r2, r5
013f VM_ADD r1, r2
0140 VM_MOV r2, [r3+04h]
0141 VM_SHR r2, 0x10h
0142 VM_AND r2, 0xffh
0143 VM_MOV r5, [r4+08h]
0144 VM_AND r5, 0xffh
0145 VM_MUL r2, r5
0146 VM_ADD r1, r2
0147 VM_MOV r2, [r3+04h]
0148 VM_SHR r2, 0x18h
0149 VM_AND r2, 0xffh
014a VM_MOV r5, [r4+0ch]
014b VM_AND r5, 0xffh
014c VM_MUL r2, r5
014d VM_ADD r1, r2
014e VM_CMP r1, 0x720eh # ..r.
# Neutered JNZ 2C9
014f VM_JMP 150
0150 VM_PUSH r1
# lane j = 1 (key bytes >> 8)
0151 VM_MOV r2, [r3+04h]
0152 VM_AND r2, 0xffh
0153 VM_MOV r5, [r4+00h]
0154 VM_SHR r5, 0x8h
0155 VM_AND r5, 0xffh
0156 VM_MUL r2, r5
0157 VM_MOV r1, r2
0158 VM_MOV r2, [r3+04h]
0159 VM_SHR r2, 0x8h
015a VM_AND r2, 0xffh
015b VM_MOV r5, [r4+04h]
015c VM_SHR r5, 0x8h
015d VM_AND r5, 0xffh
015e VM_MUL r2, r5
015f VM_ADD r1, r2
0160 VM_MOV r2, [r3+04h]
0161 VM_SHR r2, 0x10h
0162 VM_AND r2, 0xffh
0163 VM_MOV r5, [r4+08h]
0164 VM_SHR r5, 0x8h
0165 VM_AND r5, 0xffh
0166 VM_MUL r2, r5
0167 VM_ADD r1, r2
0168 VM_MOV r2, [r3+04h]
0169 VM_SHR r2, 0x18h
016a VM_AND r2, 0xffh
016b VM_MOV r5, [r4+0ch]
016c VM_SHR r5, 0x8h
016d VM_AND r5, 0xffh
016e VM_MUL r2, r5
016f VM_ADD r1, r2
0170 VM_CMP r1, 0x7bfch # ..{.
# Neutered JNZ 2C9
0171 VM_JMP 172
0172 VM_PUSH r1
# lane j = 2 (key bytes >> 16)
0173 VM_MOV r2, [r3+04h]
0174 VM_AND r2, 0xffh
0175 VM_MOV r5, [r4+00h]
0176 VM_SHR r5, 0x10h
0177 VM_AND r5, 0xffh
0178 VM_MUL r2, r5
0179 VM_MOV r1, r2
017a VM_MOV r2, [r3+04h]
017b VM_SHR r2, 0x8h
017c VM_AND r2, 0xffh
017d VM_MOV r5, [r4+04h]
017e VM_SHR r5, 0x10h
017f VM_AND r5, 0xffh
0180 VM_MUL r2, r5
0181 VM_ADD r1, r2
0182 VM_MOV r2, [r3+04h]
0183 VM_SHR r2, 0x10h
0184 VM_AND r2, 0xffh
0185 VM_MOV r5, [r4+08h]
0186 VM_SHR r5, 0x10h
0187 VM_AND r5, 0xffh
0188 VM_MUL r2, r5
0189 VM_ADD r1, r2
018a VM_MOV r2, [r3+04h]
018b VM_SHR r2, 0x18h
018c VM_AND r2, 0xffh
018d VM_MOV r5, [r4+0ch]
018e VM_SHR r5, 0x10h
018f VM_AND r5, 0xffh
0190 VM_MUL r2, r5
0191 VM_ADD r1, r2
0192 VM_CMP r1, 0x88d7h
# Neutered JNZ 2C9
0193 VM_JMP 194
0194 VM_PUSH r1
# lane j = 3 (key bytes >> 24)
0195 VM_MOV r2, [r3+04h]
0196 VM_AND r2, 0xffh
0197 VM_MOV r5, [r4+00h]
0198 VM_SHR r5, 0x18h
0199 VM_AND r5, 0xffh
019a VM_MUL r2, r5
019b VM_MOV r1, r2
019c VM_MOV r2, [r3+04h]
019d VM_SHR r2, 0x8h
019e VM_AND r2, 0xffh
019f VM_MOV r5, [r4+04h]
01a0 VM_SHR r5, 0x18h
01a1 VM_AND r5, 0xffh
01a2 VM_MUL r2, r5
01a3 VM_ADD r1, r2
01a4 VM_MOV r2, [r3+04h]
01a5 VM_SHR r2, 0x10h
01a6 VM_AND r2, 0xffh
01a7 VM_MOV r5, [r4+08h]
01a8 VM_SHR r5, 0x18h
01a9 VM_AND r5, 0xffh
01aa VM_MUL r2, r5
01ab VM_ADD r1, r2
01ac VM_MOV r2, [r3+04h]
01ad VM_SHR r2, 0x18h
01ae VM_AND r2, 0xffh
01af VM_MOV r5, [r4+0ch]
01b0 VM_SHR r5, 0x18h
01b1 VM_AND r5, 0xffh
01b2 VM_MUL r2, r5
01b3 VM_ADD r1, r2
01b4 VM_CMP r1, 0x9be0h
# Neutered JNZ 2C9
01b5 VM_JMP 1b6
01b6 VM_PUSH r1
# --- checks on D2 = [r3+08h]  (01b7-023b) ------------------------------------
# Same shape again: r1 = sum over k of byte_k(D2) * byte_j([r4+4k]) for lane
# j = 0, 1, 2, 3, compared with 0x6bab, 0x7a0a, 0x7f9a, 0x8c17.
# All four JNZ to 02c9 are neutered; r1 is pushed after each compare.
01b7 VM_JMP 1b8
# lane j = 0
01b8 VM_MOV r2, [r3+08h]
01b9 VM_AND r2, 0xffh
01ba VM_MOV r5, [r4+00h]
01bb VM_AND r5, 0xffh
01bc VM_MUL r2, r5
01bd VM_MOV r1, r2
01be VM_MOV r2, [r3+08h]
01bf VM_SHR r2, 0x8h
01c0 VM_AND r2, 0xffh
01c1 VM_MOV r5, [r4+04h]
01c2 VM_AND r5, 0xffh
01c3 VM_MUL r2, r5
01c4 VM_ADD r1, r2
01c5 VM_MOV r2, [r3+08h]
01c6 VM_SHR r2, 0x10h
01c7 VM_AND r2, 0xffh
01c8 VM_MOV r5, [r4+08h]
01c9 VM_AND r5, 0xffh
01ca VM_MUL r2, r5
01cb VM_ADD r1, r2
01cc VM_MOV r2, [r3+08h]
01cd VM_SHR r2, 0x18h
01ce VM_AND r2, 0xffh
01cf VM_MOV r5, [r4+0ch]
01d0 VM_AND r5, 0xffh
01d1 VM_MUL r2, r5
01d2 VM_ADD r1, r2
01d3 VM_CMP r1, 0x6babh # ..k.
# Neutered JNZ 2C9
01d4 VM_JMP 1d5
01d5 VM_PUSH r1
# lane j = 1 (key bytes >> 8)
01d6 VM_MOV r2, [r3+08h]
01d7 VM_AND r2, 0xffh
01d8 VM_MOV r5, [r4+00h]
01d9 VM_SHR r5, 0x8h
01da VM_AND r5, 0xffh
01db VM_MUL r2, r5
01dc VM_MOV r1, r2
01dd VM_MOV r2, [r3+08h]
01de VM_SHR r2, 0x8h
01df VM_AND r2, 0xffh
01e0 VM_MOV r5, [r4+04h]
01e1 VM_SHR r5, 0x8h
01e2 VM_AND r5, 0xffh
01e3 VM_MUL r2, r5
01e4 VM_ADD r1, r2
01e5 VM_MOV r2, [r3+08h]
01e6 VM_SHR r2, 0x10h
01e7 VM_AND r2, 0xffh
01e8 VM_MOV r5, [r4+08h]
01e9 VM_SHR r5, 0x8h
01ea VM_AND r5, 0xffh
01eb VM_MUL r2, r5
01ec VM_ADD r1, r2
01ed VM_MOV r2, [r3+08h]
01ee VM_SHR r2, 0x18h
01ef VM_AND r2, 0xffh
01f0 VM_MOV r5, [r4+0ch]
01f1 VM_SHR r5, 0x8h
01f2 VM_AND r5, 0xffh
01f3 VM_MUL r2, r5
01f4 VM_ADD r1, r2
01f5 VM_CMP r1, 0x7a0ah # ..z.
# Neutered JNZ 2C9
01f6 VM_JMP 1f7
01f7 VM_PUSH r1
# lane j = 2 (key bytes >> 16)
01f8 VM_MOV r2, [r3+08h]
01f9 VM_AND r2, 0xffh
01fa VM_MOV r5, [r4+00h]
01fb VM_SHR r5, 0x10h
01fc VM_AND r5, 0xffh
01fd VM_MUL r2, r5
01fe VM_MOV r1, r2
01ff VM_MOV r2, [r3+08h]
0200 VM_SHR r2, 0x8h
0201 VM_AND r2, 0xffh
0202 VM_MOV r5, [r4+04h]
0203 VM_SHR r5, 0x10h
0204 VM_AND r5, 0xffh
0205 VM_MUL r2, r5
0206 VM_ADD r1, r2
0207 VM_MOV r2, [r3+08h]
0208 VM_SHR r2, 0x10h
0209 VM_AND r2, 0xffh
020a VM_MOV r5, [r4+08h]
020b VM_SHR r5, 0x10h
020c VM_AND r5, 0xffh
020d VM_MUL r2, r5
020e VM_ADD r1, r2
020f VM_MOV r2, [r3+08h]
0210 VM_SHR r2, 0x18h
0211 VM_AND r2, 0xffh
0212 VM_MOV r5, [r4+0ch]
0213 VM_SHR r5, 0x10h
0214 VM_AND r5, 0xffh
0215 VM_MUL r2, r5
0216 VM_ADD r1, r2
0217 VM_CMP r1, 0x7f9ah
# Neutered JNZ 2C9
0218 VM_JMP 219
0219 VM_PUSH r1
# lane j = 3 (key bytes >> 24)
021a VM_MOV r2, [r3+08h]
021b VM_AND r2, 0xffh
021c VM_MOV r5, [r4+00h]
021d VM_SHR r5, 0x18h
021e VM_AND r5, 0xffh
021f VM_MUL r2, r5
0220 VM_MOV r1, r2
0221 VM_MOV r2, [r3+08h]
0222 VM_SHR r2, 0x8h
0223 VM_AND r2, 0xffh
0224 VM_MOV r5, [r4+04h]
0225 VM_SHR r5, 0x18h
0226 VM_AND r5, 0xffh
0227 VM_MUL r2, r5
0228 VM_ADD r1, r2
0229 VM_MOV r2, [r3+08h]
022a VM_SHR r2, 0x10h
022b VM_AND r2, 0xffh
022c VM_MOV r5, [r4+08h]
022d VM_SHR r5, 0x18h
022e VM_AND r5, 0xffh
022f VM_MUL r2, r5
0230 VM_ADD r1, r2
0231 VM_MOV r2, [r3+08h]
0232 VM_SHR r2, 0x18h
0233 VM_AND r2, 0xffh
0234 VM_MOV r5, [r4+0ch]
0235 VM_SHR r5, 0x18h
0236 VM_AND r5, 0xffh
0237 VM_MUL r2, r5
0238 VM_ADD r1, r2
0239 VM_CMP r1, 0x8c17h
# Neutered JNZ 2C9
023a VM_JMP 23b
023b VM_PUSH r1
# --- checks on D3 = [r3+0ch]  (023c-02c0) ------------------------------------
# Same shape: r1 = sum over k of byte_k(D3) * byte_j([r4+4k]) for lane
# j = 0, 1, 2, 3, compared with 0x6be4, 0x7a0a, 0x80dc, 0x8d54.
# Note the lane-1 constant at 027a (0x7a0a) is the same as the D2 lane-1
# constant at 01f5; the solvers below treat the 025a block as broken and
# leave it out.  All four JNZ to 02c9 are neutered; r1 is pushed after each.
023c VM_JMP 23d
# lane j = 0
023d VM_MOV r2, [r3+0ch]
023e VM_AND r2, 0xffh
023f VM_MOV r5, [r4+00h]
0240 VM_AND r5, 0xffh
0241 VM_MUL r2, r5
0242 VM_MOV r1, r2
0243 VM_MOV r2, [r3+0ch]
0244 VM_SHR r2, 0x8h
0245 VM_AND r2, 0xffh
0246 VM_MOV r5, [r4+04h]
0247 VM_AND r5, 0xffh
0248 VM_MUL r2, r5
0249 VM_ADD r1, r2
024a VM_MOV r2, [r3+0ch]
024b VM_SHR r2, 0x10h
024c VM_AND r2, 0xffh
024d VM_MOV r5, [r4+08h]
024e VM_AND r5, 0xffh
024f VM_MUL r2, r5
0250 VM_ADD r1, r2
0251 VM_MOV r2, [r3+0ch]
0252 VM_SHR r2, 0x18h
0253 VM_AND r2, 0xffh
0254 VM_MOV r5, [r4+0ch]
0255 VM_AND r5, 0xffh
0256 VM_MUL r2, r5
0257 VM_ADD r1, r2
0258 VM_CMP r1, 0x6be4h # ..k.
# Neutered JNZ 2C9
0259 VM_JMP 25a
025a VM_PUSH r1
# lane j = 1 (key bytes >> 8) -- the block the solvers drop
025b VM_MOV r2, [r3+0ch]
025c VM_AND r2, 0xffh
025d VM_MOV r5, [r4+00h]
025e VM_SHR r5, 0x8h
025f VM_AND r5, 0xffh
0260 VM_MUL r2, r5
0261 VM_MOV r1, r2
0262 VM_MOV r2, [r3+0ch]
0263 VM_SHR r2, 0x8h
0264 VM_AND r2, 0xffh
0265 VM_MOV r5, [r4+04h]
0266 VM_SHR r5, 0x8h
0267 VM_AND r5, 0xffh
0268 VM_MUL r2, r5
0269 VM_ADD r1, r2
026a VM_MOV r2, [r3+0ch]
026b VM_SHR r2, 0x10h
026c VM_AND r2, 0xffh
026d VM_MOV r5, [r4+08h]
026e VM_SHR r5, 0x8h
026f VM_AND r5, 0xffh
0270 VM_MUL r2, r5
0271 VM_ADD r1, r2
0272 VM_MOV r2, [r3+0ch]
0273 VM_SHR r2, 0x18h
0274 VM_AND r2, 0xffh
0275 VM_MOV r5, [r4+0ch]
0276 VM_SHR r5, 0x8h
0277 VM_AND r5, 0xffh
0278 VM_MUL r2, r5
0279 VM_ADD r1, r2
027a VM_CMP r1, 0x7a0ah # ..z.
# Neutered JNZ 2C9
027b VM_JMP 27c
027c VM_PUSH r1
# lane j = 2 (key bytes >> 16)
027d VM_MOV r2, [r3+0ch]
027e VM_AND r2, 0xffh
027f VM_MOV r5, [r4+00h]
0280 VM_SHR r5, 0x10h
0281 VM_AND r5, 0xffh
0282 VM_MUL r2, r5
0283 VM_MOV r1, r2
0284 VM_MOV r2, [r3+0ch]
0285 VM_SHR r2, 0x8h
0286 VM_AND r2, 0xffh
0287 VM_MOV r5, [r4+04h]
0288 VM_SHR r5, 0x10h
0289 VM_AND r5, 0xffh
028a VM_MUL r2, r5
028b VM_ADD r1, r2
028c VM_MOV r2, [r3+0ch]
028d VM_SHR r2, 0x10h
028e VM_AND r2, 0xffh
028f VM_MOV r5, [r4+08h]
0290 VM_SHR r5, 0x10h
0291 VM_AND r5, 0xffh
0292 VM_MUL r2, r5
0293 VM_ADD r1, r2
0294 VM_MOV r2, [r3+0ch]
0295 VM_SHR r2, 0x18h
0296 VM_AND r2, 0xffh
0297 VM_MOV r5, [r4+0ch]
0298 VM_SHR r5, 0x10h
0299 VM_AND r5, 0xffh
029a VM_MUL r2, r5
029b VM_ADD r1, r2
029c VM_CMP r1, 0x80dch
# Neutered JNZ 2C9
029d VM_JMP 29e
029e VM_PUSH r1
# lane j = 3 (key bytes >> 24)
029f VM_MOV r2, [r3+0ch]
02a0 VM_AND r2, 0xffh
02a1 VM_MOV r5, [r4+00h]
02a2 VM_SHR r5, 0x18h
02a3 VM_AND r5, 0xffh
02a4 VM_MUL r2, r5
02a5 VM_MOV r1, r2
02a6 VM_MOV r2, [r3+0ch]
02a7 VM_SHR r2, 0x8h
02a8 VM_AND r2, 0xffh
02a9 VM_MOV r5, [r4+04h]
02aa VM_SHR r5, 0x18h
02ab VM_AND r5, 0xffh
02ac VM_MUL r2, r5
02ad VM_ADD r1, r2
02ae VM_MOV r2, [r3+0ch]
02af VM_SHR r2, 0x10h
02b0 VM_AND r2, 0xffh
02b1 VM_MOV r5, [r4+08h]
02b2 VM_SHR r5, 0x18h
02b3 VM_AND r5, 0xffh
02b4 VM_MUL r2, r5
02b5 VM_ADD r1, r2
02b6 VM_MOV r2, [r3+0ch]
02b7 VM_SHR r2, 0x18h
02b8 VM_AND r2, 0xffh
02b9 VM_MOV r5, [r4+0ch]
02ba VM_SHR r5, 0x18h
02bb VM_AND r5, 0xffh
02bc VM_MUL r2, r5
02bd VM_ADD r1, r2
02be VM_CMP r1, 0x8d54h # ...T
# Neutered JNZ 2C9
02bf VM_JMP 2c0
02c0 VM_PUSH r1
# --- result reporting (02c1-02d0) --------------------------------------------
# 02c2: the path reached after the (neutered) checks.  Writes a 7-byte message
#       at 0x1000 (disassembler ASCII "-:<*" followed by ")" and a newline),
#       stores its address at [r0+3c020h] and its length 7 at [r0+3c01ch],
#       calls 0017, then jumps to 02d0.  r0 is never written in main, so it
#       holds whatever the VM started with -- presumably 0; 0x3c000.. looks
#       like the RarVM global-data area where a filter reports its output
#       (confirm against the unrar source).
# 02c9: the failure path every neutered JNZ used to target.  Identical except
#       the second dword is 0xa28 ("(" instead of ")"), and it then jumps back
#       to 02c2, so on this path both messages are emitted.
# 02d0: end of the listed code.
02c1 VM_JMP 2c2
02c2 VM_MOV r3, 0x1000h
02c3 VM_MOV [r3+00h], 0x2d3a3c2ah # -:<*
02c4 VM_MOV [r3+04h], 0xa29h # ...)
02c5 VM_MOV [r0+03c020h], r3
02c6 VM_MOV [r0+03c01ch], 0x7h
02c7 VM_CALL 17
02c8 VM_JMP 2d0
02c9 VM_MOV r3, 0x1000h
02ca VM_MOV [r3+00h], 0x2d3a3c2ah # -:<*
02cb VM_MOV [r3+04h], 0xa28h # ...(
02cc VM_MOV [r0+03c020h], r3
02cd VM_MOV [r0+03c01ch], 0x7h
02ce VM_CALL 17
02cf VM_JMP 2c2
02d0 VM_MOV 0h, 0h
RARVM reversible/patchme
Modified 'unrar' source to dump context and disassembly.
Wrote two separate solvers since the challenge was broken.
To build the disassembler/debugger:
- unzip unrar-src-disassembler.zip -d unrar
- cd unrar
- make
- ./unrar p -inul ./rarverseme-67da2b0c60e58e47dc38aa36b329b18b.rar | less
#!/usr/bin/env python
"""SOLVE ME BR0"""
import re
from z3 import *
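## Trim off the lines we don't need: keep the disassembly from the first
## check block (00ae) up to, but not including, the epilogue jump at 02bf.
with open('disasm') as f:
    lines = f.readlines()


def _find(lines, addr):
    """Index of the first line whose address column is `addr`.

    Raises ValueError instead of silently returning None, which would make the
    slices below degrade to "the whole file" / "stale indices" without warning.
    """
    for idx, line in enumerate(lines):
        if line.startswith(addr):
            return idx
    raise ValueError('address %s not found in disassembly' % (addr,))


begin = _find(lines, '00ae')
end = _find(lines, '02bf')
lines = lines[begin:end]

## Drop the broken block (025a..027a; its expected value repeats the one at 01f5)
begin = _find(lines, '025a')
end = _find(lines, '027b')
lines = lines[:begin] + lines[end:]

## Set up our state
## R3 has symbolic data  (the four dwords the VM stores at 0x2000)
## R4 has concrete data  (the key material the VM stores at 0x5000)
s = Solver()
regs = [None]*8
regs[3] = {
    0x00: BitVec('r3_00', 32),
    0x04: BitVec('r3_04', 32),
    0x08: BitVec('r3_08', 32),
    0x0c: BitVec('r3_0c', 32)
}
regs[4] = {
    0x00: 0x31337357, # 00a9 VM_MOV [r4+00h], 0x31337357h # 13sW
    0x04: 0x63561227, # 00aa VM_MOV [r4+04h], 0x63561227h # cV.'
    0x08: 0x6666654a, # 00ab VM_MOV [r4+08h], 0x6666654ah # ffeJ
    0x0c: 0x78584148, # 00ac VM_MOV [r4+0ch], 0x78584148h # xXAH
}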
## Helper routines to turn "r1" into "1"
## and "0x1234h" into 0x1234
def op(g, i):
    """Decode the i-th regex group of a disassembly line with get()."""
    operand = g[i]
    return get(operand)
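def get(o):
    """Decode one textual operand of the disassembly.

    'r3'              -> 3        (register number)
    '0x706fh # ..po'  -> 0x706f   (hex immediate; the trailing 'h' and any
                                   comment after it are dropped)
    Anything else -- e.g. a memory operand '[r3+00h]' -- raises ValueError so
    the caller can decide how to treat it.
    """
    if o.startswith('r'):
        return int(o[1:3])
    if o.startswith('0x'):
        return int(o.split('h')[0], 16)
    raise ValueError('unrecognised operand: %r' % (o,))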
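## Regex: "<addr> VM_<OPCODE> r<n>, <operand>" -> (opcode, 'r<n>', operand text)
expr = r"\S+ +VM_(\S+) +(r\d)(?:, (.+))"

for line in lines:
    # Skip comments, jumps, pushes, and empty lines
    if line.startswith('#'): continue
    if 'VM_JMP' in line: continue
    if 'VM_PUSH' in line: continue
    if not len(line.strip()): continue

    # Match the regex; fail loudly rather than with an AttributeError on None
    m = re.match(expr, line)
    if m is None:
        raise ValueError('cannot parse disassembly line: %r' % (line,))
    g = m.groups()
    print(line.strip())
    print(g)

    # Clear VM state
    opcode = op1 = op2 = None
    x = None
    # Get opcode and OP1
    opcode = g[0]
    op1 = get(g[1])
    # Only sometimes have op2: a memory operand such as "[r3+00h]" makes get()
    # raise, and is handled in the MOV branch below.
    try:
        op2 = get(g[2])
    except Exception:
        pass

    # Depending on the opcode...
    if opcode == 'MOV':
        if g[2].startswith('['):
            r, o = g[2].split('+')
            r = r[1:]          # "[r3"  -> "r3"
            o = '0x' + o       # "00h]" -> "0x00h]"; get() stops at the 'h'
            x = regs[op1] = regs[get(r)][get(o)]
        else:
            x = regs[op1] = regs[op2]
    elif opcode == 'AND':
        x = regs[op1] = regs[op1] & op2
    elif opcode == 'SHR':
        # z3's >> on a BitVec is an arithmetic shift; every SHR in this range
        # is followed by AND 0xff, which discards the sign-filled high bits.
        x = regs[op1] = regs[op1] >> op2
    elif opcode == 'MUL':
        x = regs[op1] = regs[op1] * regs[op2]
    elif opcode == 'ADD':
        x = regs[op1] = regs[op1] + regs[op2]
    elif opcode == 'CMP':
        x = (regs[op1] == op2)
        s.add(x)
    else:
        raise ValueError('unhandled opcode %s in line %r' % (opcode, line))
    print(x)
    print('')

    ### Stop as soon as we can't make a model (check once; it is the expensive step)
    result = s.check()
    print(result)
    if result == unsat:
        print('UNSAT')
        break

### Print out the state of the solver
print(s)

from struct import pack
if sat == s.check():
    m = s.model()
    r3 = regs[3]
    # '<I': the model values are unsigned 32-bit dwords; a signed 'i' format
    # raises struct.error for any dword with its top bit set.
    print(b''.join(pack('<I', int(str(m[r3[i]]))) for i in range(0, 0x10, 4)))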
from z3 import *
from binascii import *
from struct import *
s = Solver()

# The four unknown dwords of the candidate flag (VM memory 0x2000, reached via r3).
r3 = [BitVec('a%d' % i, 32) for i in range(4)]

# The key material the VM stores at 0x5000 (reached via r4), see 00a9..00ac
# in the disassembly: 13sW, cV.', ffeJ, xXAH as the disassembler renders them.
r4 = [0x31337357, 0x63561227, 0x6666654a, 0x78584148]
def B(x):
    """Low byte of x; works on Python ints and on z3 bit-vectors alike."""
    low_byte_mask = 0xff
    return x & low_byte_mask
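def key():
    """If the constraints are satisfiable, print the model and the 16 bytes it
    assigns to the four r3 dwords, packed little-endian (as the original
    native-order pack did on little-endian hosts)."""
    if sat == s.check():
        m = s.model()
        print(m)
        # '<I': model values are unsigned 32-bit; the signed 'i' format raises
        # struct.error as soon as a dword has its top bit set.
        print(b''.join(pack('<I', int(str(m[v]))) for v in r3))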
########################################################################################
## One constraint per (flag dword i, key byte-lane j).  The VM block listed
## below computes
##     sum over k = 0..3 of  B(r3[i] >> 8k) * B(r4[k] >> 8j)
## and compares it with a constant.  Constraints are added in the order the
## blocks appear in the disassembly (i-major, j-minor).
##
##                  j = 0    j = 1    j = 2    j = 3
_targets = [
    [0x706f, 0x7972, 0x89d1, 0x9cc5],   # r3[0]: blocks 00ae, 00cb, 00ed, 010f
    [0x720e, 0x7bfc, 0x88d7, 0x9be0],   # r3[1]: blocks 133, 150, 172, 194
    [0x6bab, 0x7a0a, 0x7f9a, 0x8c17],   # r3[2]: blocks 1b8, 1d5, 1f7, 219
    [0x6be4, 0x7a0a, 0x80dc, 0x8d54],   # r3[3]: blocks 23d, 25a, 27c, 29e
]

# Block 25a (r3[3], lane 1) was broken in the challenge, so it is left out.
_broken = {(3, 1)}

for i in range(4):
    for j in range(4):
        if (i, j) in _broken:
            continue
        terms = [B(r3[i] >> (8 * k)) * B(r4[k] >> (8 * j)) for k in range(4)]
        s.add(Sum(*terms) == _targets[i][j])

key()