Microsoft Malware Protection Center
Threat Research & Response Blog
Prehistoric Virtual Machines
mmpc2
8 Oct 2010 8:16 AM
When people in the industry talk about intentional obfuscation using virtual machines (note that these are not the same virtual machines as Virtual PC or VMware, but rather a technical term that was in use long before those products came into existence), the two examples that are most likely to come to mind are VMProtect and Themida. Both of them have been around since about 2004, only six years ago.
I'm trying to choose my terms carefully here, because by their nature, virtual machines provide a level of obfuscation as a side-effect of their very existence. By converting native code into pseudo-code (or "p-code", for short), the translation produces something that is much harder to read. Of course, the most common use of virtual machines is portability. Code that is translated to p-code can run wherever an interpreter exists. Thus, many programs can run on all platforms using a single interpreter per platform, instead of a separate native build of each program for each platform. Of course, some of those interpreters allowed the execution of native code on the appropriate platform to perform actions that the virtual machine itself could not provide. For example, the Magnetic Scrolls interpreter allowed the execution of Motorola 68000 code directly on the Amiga platform. The game named "Amnesia" from Electronic Arts allowed the execution of Intel x86 code directly on the IBM PC platform.
We can also find early examples of virtual machines in some adventure games from companies such as Infocom since the late 1970s, and Magnetic Scrolls since the early 1980s. Some of those games had copy protection built into the code that ran in the virtual machines. I consider those to be a kind of obfuscation by side-effect, too.
So, almost back to the intentional obfuscation. Just a little diversion first. I was browsing through my collection of Apple II stuff recently, and I noticed that I had a disk image in "nibble"* format. A disk image is the contents of a floppy disk saved as a file, for use with an emulator because I no longer have the hardware to run the original disk. Disk images come in one of two formats, because of how the disk drive works. We'll have to forgo the primer to explain the details, but the point is that a disk image in "nibble" format is the contents of the disk exactly as the disk drive would read it, before decoding it into the "disk" format. The "nibble" format is used to store images of disks that are copy-protected by changes to the disk structure.
Now really back to the intentional obfuscation. Here was a game from 1983. That's 27 years ago. It contained a virtual machine devoted to implementing the copy protection. The virtual machine supported only 18 instructions (add, subtract, increment, load, store, arithmetic shift left, move, branch if equal, branch if not equal, call, return, jump, decrypt, and execute native code). The p-code hooked the reset vector, and copied and decrypted the next layer which was another virtual machine. The second virtual machine supported only 13 instructions, and contained a funny twist: most of the tokens were the same between the two virtual machines, but in particular, the branch instructions were reversed. That meant that a parser or emulator that understood the code of the first virtual machine would misbehave when reading the code of the second virtual machine. It caught me, at first. The virtual machine called the native code to read the disk sectors. The sectors used a modified data header, and that's why the "nibble" format was needed.
I spent some time figuring out how both virtual machines worked, and wrote a disassembler for them to see what the p-code was doing. It's exactly the same thing that some people have done for VMProtect and Themida, though both VMProtect and Themida work very hard to obfuscate the interpreter, too.
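To make the two-layer scheme concrete, here is an added example; it is not the game's code or the author's disassembler, and the tokens, operand formats, addresses, XOR key and programs are all constructed for illustration. It models a toy p-code machine with a subset of the operations listed above, where the second layer reuses the first layer's tokens except that the two conditional branch tokens are swapped, the twist described in the post. The layer-1 program decrypts the layer-2 body in place; both the disassembler and the interpreter take a per-layer token table, and reusing layer 1's table on layer 2 silently mis-decodes the branch and changes the result.

```python
"""Toy two-layer p-code machine: interpreter plus disassembler.

Constructed for illustration; the tokens, operand formats, addresses,
XOR key and programs are not those of any real 1983 title.
"""
from typing import Dict, List, Tuple

# Layer 2 reuses layer 1's tokens, except that the two conditional
# branches trade places (constructed encoding).
LAYER1: Dict[int, str] = {
    0x01: "LOAD", 0x02: "STORE", 0x03: "ADD", 0x04: "SUB", 0x05: "INC",
    0x06: "ASL", 0x07: "BEQ", 0x08: "BNE", 0x09: "JMP", 0x0A: "DECRYPT",
    0x0B: "RET",
}
LAYER2: Dict[int, str] = {**LAYER1, 0x07: "BNE", 0x08: "BEQ"}

# Number of one-byte operands per mnemonic (constructed format).
ARITY = {"LOAD": 1, "STORE": 1, "ADD": 1, "SUB": 1, "INC": 0, "ASL": 0,
         "BEQ": 1, "BNE": 1, "JMP": 1, "DECRYPT": 3, "RET": 0}

L2_BASE, L2_KEY = 0x40, 0x5A  # where layer 2 lives, and its XOR key

# Layer 2 "check" loop: acc (0xF3) += addend (0xF2), repeated counter (0xF0) times.
LAYER2_PROG: List[Tuple] = [
    ("LOAD", 0xF0), ("STORE", 0xF4),                 # 40,42: counter -> scratch
    ("LOAD", 0xF3), ("ADD", 0xF2), ("STORE", 0xF3),  # 44,46,48: acc += addend
    ("LOAD", 0xF4), ("SUB", 0xF1),                   # 4A,4C: counter -= 1
    ("BNE", L2_BASE + 2),                            # 4E: loop while counter != 0
    ("LOAD", 0xF3), ("RET",),                        # 50,52: return acc
]


def assemble(prog: List[Tuple], table: Dict[int, str]) -> bytes:
    """Encode (mnemonic, operand...) tuples with one layer's token table."""
    rev = {name: tok for tok, name in table.items()}
    out = bytearray()
    for mnem, *ops in prog:
        assert len(ops) == ARITY[mnem], mnem
        out.append(rev[mnem])
        out.extend(ops)
    return bytes(out)


L2_LEN = len(assemble(LAYER2_PROG, LAYER2))


def disassemble(mem: bytes, start: int, end: int, table: Dict[int, str]) -> List[str]:
    """Linear-sweep disassembly of mem[start:end] under one layer's table."""
    lines, pc = [], start
    while pc < end:
        mnem = table.get(mem[pc], "???")
        n = ARITY.get(mnem, 0)
        ops = " ".join(f"0x{b:02X}" for b in mem[pc + 1:pc + 1 + n])
        lines.append(f"{pc:02X}: {mnem} {ops}".rstrip())
        pc += 1 + n
    return lines


def run(mem: bytearray, pc: int, table: Dict[int, str], max_steps: int = 1000) -> int:
    """Interpret p-code from pc (8-bit accumulator A, zero flag Z); return A at RET."""
    a, z = 0, False
    for _ in range(max_steps):
        mnem = table.get(mem[pc])
        if mnem is None:
            raise RuntimeError(f"unknown token 0x{mem[pc]:02X} at 0x{pc:02X}")
        ops = mem[pc + 1:pc + 1 + ARITY[mnem]]
        pc += 1 + ARITY[mnem]
        if mnem == "LOAD":
            a = mem[ops[0]]
        elif mnem == "STORE":
            mem[ops[0]] = a
        elif mnem == "ADD":
            a = (a + mem[ops[0]]) & 0xFF
        elif mnem == "SUB":
            a = (a - mem[ops[0]]) & 0xFF
        elif mnem == "INC":
            a = (a + 1) & 0xFF
        elif mnem == "ASL":
            a = (a << 1) & 0xFF
        elif mnem in ("BEQ", "BNE", "JMP"):
            if {"BEQ": z, "BNE": not z, "JMP": True}[mnem]:
                pc = ops[0]
        elif mnem == "DECRYPT":  # XOR-decrypt mem[addr:addr+length] in place
            addr, length, key = ops
            for i in range(length):
                mem[addr + i] ^= key
        elif mnem == "RET":
            return a
        z = a == 0
    raise RuntimeError("p-code did not terminate")


def build_image() -> bytearray:
    """Constructed image: layer 1 at 0x00, XOR-encrypted layer 2 at 0x40, data at 0xF0."""
    mem = bytearray(256)
    l2 = assemble(LAYER2_PROG, LAYER2)
    l1 = assemble([("DECRYPT", L2_BASE, len(l2), L2_KEY), ("RET",)], LAYER1)
    mem[0:len(l1)] = l1
    mem[L2_BASE:L2_BASE + len(l2)] = bytes(b ^ L2_KEY for b in l2)
    mem[0xF0:0xF5] = bytes([3, 1, 7, 0, 0])  # counter, step, addend, acc, scratch
    return mem


def unlock(mem: bytearray, layer2_table: Dict[int, str]) -> int:
    """Run layer 1 (which decrypts layer 2), then layer 2 under the given table."""
    run(mem, 0x00, LAYER1)
    return run(mem, L2_BASE, layer2_table)


if __name__ == "__main__":
    print("per-layer table:", unlock(build_image(), LAYER2))      # 21
    print("layer 1 table reused:", unlock(build_image(), LAYER1))  # 7
    image = build_image()
    run(image, 0x00, LAYER1)  # let layer 1 decrypt layer 2, then compare views
    for wrong, right in zip(disassemble(image, L2_BASE, L2_BASE + L2_LEN, LAYER1),
                            disassemble(image, L2_BASE, L2_BASE + L2_LEN, LAYER2)):
        print(f"{wrong:<16} | {right}")
```

The habit this illustrates for an analyst is to treat the token table as part of the layer being analysed and to rebuild it each time the p-code hands control to a new interpreter, rather than carrying the first table forward; before layer 1 has run, the same disassembler shows only unknown tokens for the layer-2 region, which is the cue that another decryption step precedes it.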
The game was "The Last Gladiator" from Electronic Arts. The copy protection probably took longer to write than the game did, but I converted it to "disk" format anyway, so that I won't rediscover it years from now and do it all again.
Seeing that 27-year-old virtual machine made me think of an anthropologist finding 40,000-year-old paintings in a cave that was thought to have been inhabited for only a couple of thousand years. It's probably not as exciting, though. :-)
- Peter Ferrie
* as opposed to "nybble", which is half of a byte. Byte, nybble. Ha ha. Computer people are funny.
Tags: copy protection, Apple, 1983, p-code, Themida, virtual machine, VMware