Back Engineering Labs

Say only that of which is worth more than silence.

When there is a will, there is a way

C/C++ developer & reverse engineer

Compilers, Windows, Obfuscation, x86-64, Hardware Hacking, and everything in-between. CEO & Cofounder of Back Engineering Labs

Anti-cheat programmer @ Ubisoft

Before reading this article I highly recommend studying the following community research on binary deobfuscation.

The integrity of online video games is locked in a perpetual cat-and-mouse battle between anti-cheat developers and cheat engineers. Over the years, we’ve witnessed the rise of increasingly sophisticated evasion tactics, often outpacing those in the antivirus and red-team communities. In this article, we’ll dissect the inner workings of a prominent cheat provider, ring-1.io.

Computer programs take, often transform data, sometimes use it to transform themselves. Other times, the programmer at fault, they can be corrupted by data. If corrupted accidentally, the program may find an untimely end to its execution. But if the flaw is perceived by the skilled eye, the program may turn into an open back door for seizing the entire computer. Knowing this, I had always imagined exploiting a computer program, as it is said, to be a fascinating challenge.

KrakenSvm Project

• Preamble
  • Purpose & Intentions
  • Support
• Terminology

• Overview - KrakenSvm Hypervisor
  • Virtual Machine Control Block (VMCB) - Parts
  • Control Area
  • Save State Area
  • Secure Virtual Machine (SVM) - Semantics
    • Checking Lock/Support Bits
    • Initializing VMCB
    • Setting EFER.SVME
  • Secure Virtual Machine (SVM) - Instruction Set
• Credit - Special Thanks
• Reference - Resource I relied on

There weren’t many, if any AMD hypervisors, therefore I created a Proof Of Concept for educational purposes. There was a lack of resources to start someone off on the right foot. This project was to at least help subside any hardship that’ll come from a lack of resources to rely on.

Repository: https://git.back.engineering/_xeroxz/Theodosius/
Doxygen: https://docs.back.engineering/theo/

• Credits
• Introduction and Preamble
• LLVM IR Level Obfuscation
• Bin2Bin Obfuscation
• Linker Level Obfuscation
• Brief Overview Of Theodosius
  • Decomposition Module
  • Obfuscation Module
  • Recomposition Module
• Theodosius Internals
  • Recursive Symbol Dependency Check
  • Theodosius Internal Passes
    • next_inst_pass_t
    • jcc_rewrite_pass
    • reloc_transform_pass
• Theodosius Example
• Creating A Pass
• Closing Words and Conclusion

• David Torok, reviewing the post and helping me better structure my thoughts.

PERSES’ source code can be found here.

• Introduction
• Hardware Details
  • Notable Components
• SoC - Hi3520DV300
  • TDE - Two Dimensional Engine
  • UART - Universal asynchronous receiver-transmitter
• JTAG - Hardware Debugging
• Hisilicon Source Code
  • Which can be found here, rehosted on my servers…
• Bricking The Device & Bus Pirate
• Flashing SPI NOR Flash Chip (MX25L12835F)
• Custom UBoot & Custom Kernel
• System Startup
  • System startup overview
• Configuring Pinmux’s & Loading Kernel Modules
• SNES9X Port
  • SNES9X Rendering
  • Relevant Graphics Concepts
  • Hardware Accelerated SNES9X with the TDE
• Conclusion

EZVIZ BD-2402B1 is a surveillance system DVR which uses hisilicon SoC’s. My goal was to repurpose the hardware to run a custom fork of snes9x. In order to achieve this a serious amount of reverse engineering, and learning was required. Not only was this a hardware based project, but it was also a software heavy project.

Please note that all the code posted from here on is simply heavily beautified pseudo-code. Sorry in advance for the styling inconsistencies you may find in it; I would like to add it represents in no way the original source code of the program. I do not condone using any of the information gathered from this blog post to produce/write/develop cheats for any sort of game protected by EQU8 or its emulation.

Source Link

This is not an attack on EasyAntiCheat Oy. EasyAntiCheat has done an outstanding job protecting games and will continue to do so for years to come. I gathered this content through private research of EasyAntiCheat’s modules and is not in any way tied to the work of public game hack publishers or other entities. I have no interest in writing cheats, and everything here is simply for educational purposes. Please do not contact me for help with any cheating-related concerns as I will not be responding to any of such requests.

VMProtect 2 Project: github.com/backengineering/vmp2

• Purpose
• Intentions
• Definitions
• VMProtect 2 - Project’s Overview
  • VMHook - Overview
    • VMHook - Example, um-hook
  • VMProfiler - Overview
    • VMProfiler - Virtual Machine Handler Profiling
    • VMProfiler - Virtual Branch Detection Algorithm
  • VMProfiler Qt - Overview
  • VMProfiler CLI - Overview
  • VMEmu - Overview
    • VMEmu - Unicorn Engine, Static Decryption Of Opcodes
    • VMEmu - Virtual Branching
  • VMAssembler - Overview
    • VMAssembler - Assembler Stages
    • VMAssembler - Stage One, Lexical Analysis and Parsing
    • VMAssembler - Stage Two, Virtual Instruction Encoding
    • VMAssembler - Stage Three, Virtual Instruction Encryption
    • VMAssembler - Stage Four, C++ Header Generation
    • VMAssembler - Example
• VTIL - Getting Started
  • VTIL - The Basic Block
  • VTIL - VMProfiler Lifting
• Conclusion - Final Words and Future Work
  • Conclusion - Future Work

The purpose of this article is to expound upon the prior work disclosed in the last article titled “VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture”, as well as correct a few mistakes. In addition, this post will focus primarily on the creation of static analysis tools using the knowledge disclosed in the prior post, and providing some detailed, albut unofficial, VTIL documentation. This article will also showcase all projects on githacks.org/vmp2, however, these projects are subject to change.

Download link: VMProtect 2 Reverse Engineering

• Credit - Links to Existing Work
• Preamble - Intentions and Purpose
  • Purpose
  • Intentions
• Terminology
• Introduction
• Obfuscation - Deadstore, Opaque Branching
  • Opaque Branching Obfuscation Example
  • Deadstore Obfuscation Example
• Overview - VMProtect 2 Virtual Machine
  • Rolling Decryption
  • Native Register Usage
    • Non-Volatile Registers - Registers With Specific Usage
    • Volatile Registers - Temp Registers
  • vm_entry - Entering The Virtual Machine
  • calc_jmp - Decryption Of Vm Handler Index
  • vm_exit - Leaving The Virtual Machine
  • check_vsp - relocate scratch registers
  • Virtual Instructions - Opcodes, Operands, Specifications
    • Operand Decryption - Transformations
  • VM Handlers - Specifications
    • LCONST - Load Constant Value Onto Stack
      • LCONSTQ - Load Constant QWORD
      • LCONSTCDQE - Load Constant DWORD Sign Extended to a QWORD
      • LCONSTCBW - Load Constant Byte Convert To Word
      • LCONSTCWDE - Load Constant Word Convert To DWORD
      • LCONSTDW - Load Constant DWORD
    • LREG - Load Scratch Register Value Onto Stack
      • LREGQ - Load Scratch Register QWORD
      • LREGDW - Load Scratch Register DWORD
    • SREG - Set Scratch Register Value
      • SREGQ - Set Scratch Register Value QWORD
      • SREGDW - Set Scratch Register Value DWORD
      • SREGW - Set Scratch Register Value WORD
      • SREGB - Set Scratch Register Value Byte
    • ADD - Add Two Values
      • ADDQ - Add Two QWORD Values
      • ADDW - Add Two WORDS Values
      • ADDB - Add Two Bytes Values
    • MUL - Unsigned Multiplication
      • MULQ - Unsigned Multiplication of QWORD’s
    • DIV - Unsigned Division
      • DIVQ - Unsigned Division Of QWORD’s
    • READ - Read Memory
      • READQ - Read QWORD
      • READDW - Read DWORD
      • READW - Read Word
    • WRITE - Write Memory
      • WRITEQ - Write Memory QWORD
      • WRITEDW - Write DWORD
      • WRITEW - Write WORD
      • WRITEB - Write Byte
    • SHL - Shift Left
      • SHLCBW - Shift Left Convert Result To WORD
      • SHLW - Shift Left WORD
      • SHLDW - Shift Left DWORD
      • SHLQ - Shift Left QWORD
    • SHLD - Shift Left Double Precision
      • SHLDQ - Shift Left Double Precision QWORD
      • SHLDDW - Shift Left Double Precision DWORD
    • SHR - Shift Right
      • SHRQ - Shift Right QWORD
    • SHRD - Double Precision Shift Right
      • SHRDQ - Double Precision Shift Right QWORD
      • SHRDDW - Double Precision Shift Right DWORD
    • NAND - Not Then And
      • NANDW - Not Then And WORD’s
    • READCR3 - Read Control Register Three
    • WRITECR3 - Write Control Register Three
    • PUSHVSP - Push Virtual Stack Pointer
      • PUSHVSPQ - Push Virtual Stack Pointer QWORD
      • PUSHVSPDW - Push Virtual Stack Pointer DWORD
      • PUSVSPW - Push Virtual Stack Pointer WORD
    • LVSP - Load Virtual Stack Pointer
      • LVSPW - Load Virtual Stack Pointer Word
      • LVSPDW - Load Virtual Stack Pointer DWORD
    • LRFLAGS - Load RFLAGS
    • JMP - Virtual Jump Instruction
    • CALL - Virtual Call Instruction
• Significant Virtual Machine Signatures - Static Analysis
  • Locating VM Handler Table
  • Locating VM Handler Table Entry Decryption
  • Handling Transformations - Templated Lambdas and Maps
    • Extracting Transformations - Static Analysis Continued
  • Static Analysis Dilemma - Static Analysis Conclusion
• vmtracer - Tracing Virtual Instructions
• vmprofile-cli - Static Analysis Using Runtime Traces
• Displaying Trace Information - vmprofiler-qt
• Virtual Machine Behavior
• Demo - Creating and Inspecting A Virtual Trace
• Altering Virtual Instruction Results
• Encoding Virtual Instructions - Inverse Transformations
• Conclusion - Static Analysis, Dynamic Analysis

• Samuel Chevet
  • Inside VMProtect 2
    • Inside VMProtect 2 Slides
• Rolf Rolles
  • Unpacking Virtualization Obfuscators
  • VMProtect 2 - Reverse Engineering
• Anatoli Kalysch
  • VMAttack IDA PRO Plugin
• Can Bölük
  • VTIL (Virtual-machine Translation Intermediate Language)
  • NoVmp - A static devirtualizer for VMProtect x64 3.x powered by VTIL.
• Katy Hearthstone
  • VMProtect Control Flow Obfuscation (Case study: string algorithm cryptanalysis in Honkai Impact 3rd)
• IRQL0
  • Helped created vmprofiler v1.0, and helped with general analysis of vm handlers.
• BTBD
  • Providing an algorithm to handle deadstore removal with Zydis.

Before diving into this post I would like to state a few things in regards to existing VMProtect 2 work, the purpose of this article, and my intentions, as these seem to become misconstrued and distorted at times.

Download link: Voyager

• Keywords
• Abstract
• Credit
• Introduction
• bootmgfw.efi
• winload.efi
  • BlLdrLoadImage
  • BlImgAllocateImageBuffer
• Hyper-V Intel - vm exit handler location and hooking
  • Locating Vmexit Handler
• Hyper-V AMD - vm exit handler location and hooking
  • Locating Vmexit Handler
  • Locating VMCB
• Hyper-V Payload - Injection, vmexit handler hooking
• Hyper-V Page Tables - Extended Page Tables, Host Page Tables
• Payload - Page Tables
• Voyager - VDM Support & Legacy Projects
  • VDM - Vulnerable Driver Manipulation
• Possible Detection - UEFI Reclaimable Memory
• Conclusion

Hyper-V, UEFI, Windows 10, Hyperjacking, VDM, PTM, Intel, AMD

Download link: Hyperspace

• Introduction - Address Spaces
• Thread Scheduler - Trap Frames and Control Registers
• DKOM - Direct Kernel Object Manipulation
• Windows Memory Manager - MiStealPage
• Example - printf, malloc, etc
• Limitations - Crashes and Conclusions

An address space is defined as a region of memory. In this post I will be referring to an address space in reference to a 64bit virtual address space on x86 architecture. Control Register Three (CR3) contains the PFN (Page Frame Number) of the current Page Map Level Four (PML4). It is also known as dirbase.

Download link: Reverse Injector

• Introduction - Virtual Memory & Page Tables
  • TLB - Translation Lookaside Buffer
  • Four Level Page Table Graph
• Reverse Injector - Merging Address Spaces
  • Remapping PML4 Entries
  • 32bit Processes - Support, Limitations, Information
    • Remapping 32bit Processes
  • VirtualProtect - Page Protections and WinAPI’s
  • Example - Translating Remote Module Base Addresses
• Credit, Resources, External Links

Each process on the Windows operating system has its own virtual address space. Virtual address spaces are created and described by page tables. The top most layer of translation is through the Page Map Level 4 or PML4 for short. Each entry in a PML4 points to another page table, to the next layer of translation, a Page Directory Page Table or PDPT for short. PDPTE’s point to Page Directories or PD’s, and PD’s point to Page Tables, or PT. There are four levels of address translation in IA-32e Long Mode. Each translation layer can map f(x) = (512^x) * 8 bytes, where x is the translation table layer. PT = 1; PD = 2; PDPT = 3; PML4 = 4

Download link: MSREXEC

• Introduction
  • MSREXEC Starter Code
  • WRMSR - Write Model Specific Register
  • MSR - Model Specific Registers
  • KVA Shadowing & KiSystemCall64
    • IA32_LSTAR With KVA Shadowing Disabled (KiSystemCall64)
    • IA32_LSTAR With KVA Shadowing Enabled (KiSystemCall64Shadow)
  • Thread Scheduler - Interrupts & LSTAR
• Existing Kernel Preventions
  • SMEP - Supervisor Mode Execution Prevention Of User Supervisor Pages
  • SMAP - Supervisor Mode Access Prevention Of User Supervisor Pages
• ROP - Return Oriented Programming
  • Syscall Wrapper To Setup ROP Gadgets
  • Syscall Handler - Restoring LSTAR & Calling Lambda
    • Syscall Handler - MASM
    • C++ Syscall Handler
• Example - VDM Integration
  • Skip Scanning Physical Memory
  • Read Physical Memory Using MSREXEC
  • Write Physical Memory Using MSREXEC
• Conclusion - Credits & Limitations
  • Limitations - HVCI & Hyper-V
  • Credit - Inspiration

MSREXEC is a library to elevate arbitrary MSR (Model Specific Register) writes to kernel execution. The project is extremely modular and open ended on how writes to MSR’s are achieved. One only has to pass a lambda of type std::function<bool(std::uint32_t reg, std::uint64_t value)> to the constructor of vdm::msrexec_ctx to use this library. For demonstration, the project is set up to exploit vulnerable Windows drivers, however the project is not limited to using vulnerable drivers.

PDF Version (Best Version) can be downloaded here: PDF Download.
You can download the source from the open source repo here: PTM Repo.

PDF Version (Best Version) can be downloaded here: PDF Download.
You can download the open source repo here: VDM Repo.

Download link: PSKP (Process-Context Specific Kernel Patch)

Applying knowledge obtained from the prior write up of paging tables, one can easily follow along with this write up, if you have not acquainted yourself with paging tables this write up will be nothing but squiggly lines. Refresh your mind of the meaning of the following terms: PML4(E), PDPT(E), PD(E), PT(E), address space, paging, and CR3.

Download link: PTM

Virtual memory is probably one of the most interesting topics of modern computer science. Although virtual memory was originally designed back when physical memory was not an abundant resource to allow the use of disk space as ram, it has stuck with us, offering security, modularity, and flexibility. Unlike the rest of the content on my sites which is bound to an operating system, virtual memory is really a CPU level concept. Although virtual memory is well documented in the intel manual, applying such knowledge to windows can be tricky due to the fact there isn’t a single documented way to interface with paging tables on windows. In this series of write ups I will be discussing methods to manipulate paging tables and detect such manipulations. Although there are many different types of paging table systems, I will only be discussing the standard four layer paging table system used in all modern AMD and Intel 64 bit CPU’s.

Download link: physmeme

Physmeme is a driver mapper that works with any form of read and write to physical memory. It is highly modular code that allows a reverse engineer to easily integrate their own vulnerable driver. If you are able to read and write to physical memory you can now map an unsigned driver into your kernel just by coding four functions.