Genaytyk-VM

My notes about Genyatyk VM crackme

Here I have my notes about Genyatyk VM, I have my analysis of the binary (once unpacked from MEW packer with qunpack), I tried to rename every funcion and every variable (even you have structs and enums). Trying to resolve this VM, I wrote my first disassembler, and I learned about this kind of obfuscation, I think VMs are one of the most complex packers, but well I had fun.

• In this URL, you can find the python disassembler of the VM: vm_disassembler.py

• Here, the output of this python script, commented: vm_instructions.txt

• Crackme without mew packer: vmkgme__.exe

• Crackme .idb from IDA 6.8: vmkgme__.idb

• Crackme with mew packer: vmkgme.exe

• Crackme .idb (with mew) from IDA 6.8: vmkgme.idb

• Some functions from Crackme in C, and the keygen from Andrewl resolution: GenaytykVM.cpp

• Translator from Genaytyk virtual code to LLVM IR (compiled with LLVM 3.8.1): genaytyk2llvmir

• Code of Genaytyk in LLVM IR: genaytyk.ll

As you can see, I was not able to resolve the encrypt function =( I hope to continue learning how this function works and continue working with VMs.

Finally I wrote the genaytyk VM code lifter with LLVM IR, so what you can find in genaytyk.ll it would be the LLVM IR version of vm_instructions.txt or vm_instructions.asm. The translation library can be found in genaytyk code lifter library, and the disassembler code in genaytyk llvm ir disassembler.