Map and projects (the most frequently updated page of this blog)

2009/12/24

when VMs have only one opcode...

VMs are common in advanced packers and viruses, but they all seem to follow the same two architectures: a register machine modelled on x86, or a stack machine.
I was curious, so I implemented a small Fibonacci example in the usual models, of course, but also in TTA and Subleq, two one-instruction-set architectures.

Opcode-less VMs need very little code, but the virtual code they run is quite obscure, which makes for an easy but annoying challenge:
you would typically expect MOV to be the most basic opcode and arithmetic operations to be the more complex ones. In Subleq it is the other way round: a plain MOV takes 4 instructions (clear the destination, negate the source into a scratch word, subtract the scratch word from the destination, clear the scratch word), while SUB+JLE, the whole instruction set, is a single one.
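As an added example (not the author's implementation, which is not reproduced on this page), here is a minimal Subleq machine in Python with the 4-instruction MOV idiom described above and an iterative Fibonacci program running on it. The tiny assembler, the label names (A, B, T, N, Z, ONE) and the convention that a negative branch target halts the machine are this example's own choices.

```python
# Added example: a Subleq (subtract and branch if less or equal) machine,
# the four-instruction MOV idiom, and Fibonacci on top of it.

def run_subleq(mem, pc=0, max_steps=100_000):
    """Execute a Subleq program and return the final memory.

    One instruction is three words a, b, c:
        mem[b] -= mem[a]
        if mem[b] <= 0: pc = c   else: pc += 3
    A negative branch target (or running off the end) halts the machine.
    """
    mem = list(mem)
    for _ in range(max_steps):
        if pc < 0 or pc + 2 >= len(mem):
            return mem
        a, b, c = mem[pc], mem[pc + 1], mem[pc + 2]
        mem[b] -= mem[a]
        pc = c if mem[b] <= 0 else pc + 3
    raise RuntimeError("step limit exceeded")


def assemble(code, data):
    """Tiny assembler (this example's own convention).

    code: list of (label, a, b, c); operands are ints, labels,
          "next" (fall through) or "halt" (branch to -1).
    data: list of (label, initial_value) placed right after the code.
    Returns (memory, {label: address}).
    """
    labels = {lbl: 3 * i for i, (lbl, *_) in enumerate(code) if lbl}
    base = 3 * len(code)
    labels.update({name: base + i for i, (name, _) in enumerate(data)})

    def resolve(op, pc):
        if op == "next":
            return pc + 3
        if op == "halt":
            return -1
        return labels[op] if isinstance(op, str) else op

    mem = []
    for i, (_, a, b, c) in enumerate(code):
        pc = 3 * i
        mem += [resolve(a, pc), resolve(b, pc), resolve(c, pc)]
    mem += [value for _, value in data]
    return mem, labels


def mov(src, dst, label=None):
    """dst = src costs four subleqs; Z is a scratch word that must hold 0."""
    return [
        (label, dst, dst, "next"),  # dst = 0
        (None, src, "Z", "next"),   # Z = -src
        (None, "Z", dst, "next"),   # dst = dst - (-src) = src
        (None, "Z", "Z", "next"),   # Z = 0
    ]


def fibonacci_program(n):
    """F(n) computed iteratively; the result ends up in word A."""
    code = [
        ("loop", "Z", "N", "done"),  # N -= 0 ; if N <= 0 goto done
        *mov("A", "T"),              # T = A
        (None, "B", "Z", "next"),    # Z = -B
        (None, "Z", "T", "next"),    # T = T + B
        (None, "Z", "Z", "next"),    # Z = 0
        *mov("B", "A"),              # A = B
        *mov("T", "B"),              # B = T
        (None, "ONE", "N", "next"),  # N -= 1
        (None, "Z", "Z", "loop"),    # Z - Z = 0 <= 0: unconditional jump
        ("done", "Z", "Z", "halt"),  # branch to -1 stops the machine
    ]
    data = [("A", 0), ("B", 1), ("T", 0), ("N", n), ("Z", 0), ("ONE", 1)]
    return assemble(code, data)


def fib_subleq(n):
    mem, labels = fibonacci_program(n)
    return run_subleq(mem)[labels["A"]]


if __name__ == "__main__":
    print([fib_subleq(i) for i in range(11)])
```

The loop body is 19 Subleq instructions, 12 of which are the three MOVs; the actual addition (negate B into Z, subtract Z from T, clear Z) is 3, and the loop test and decrement are 1 each.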

2009/12/19

This is not a pipe

...nor a virus... just the EICAR test file.
I had never taken the time to look at it in detail, so I wrote a commented source to re-create it exactly.

Source code
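As an added example (not the author's commented source linked above), here is the same reconstruction in Python: the 68 bytes assembled one instruction at a time, plus a replay of the stub's register arithmetic that shows why the file ends with the printable bytes H+H*. The DOS .COM conventions it relies on (load at CS:0100h, a zero word on the stack at entry, INT 21h with AH=09h printing a '$'-terminated string) are standard; the function names and the replay approach are this example's own.

```python
import struct

# Added example, not the post's own source. The EICAR test file is a valid
# 16-bit DOS .COM program made only of printable ASCII; it is laid out here one
# instruction per chunk and joined at run time.
ORG = 0x100  # DOS .COM programs load at CS:0100h

EICAR_PARTS = [
    b"X",     # 58        POP AX          ; AX = 0 (DOS leaves a zero word on the stack)
    b"5O!",   # 35 4F 21  XOR AX, 214Fh
    b"P",     # 50        PUSH AX
    b"%@A",   # 25 40 41  AND AX, 4140h   ; AX = 0140h
    b"P",     # 50        PUSH AX
    b"[",     # 5B        POP BX          ; BX = 0140h, address of the last four bytes
    b"4\\",   # 34 5C     XOR AL, 5Ch     ; AX = 011Ch
    b"P",     # 50        PUSH AX
    b"Z",     # 5A        POP DX          ; DX = 011Ch, address of the message
    b"X",     # 58        POP AX          ; AX = 214Fh again
    b"54(",   # 35 34 28  XOR AX, 2834h   ; AX = 097Bh, so AH = 09h (DOS print string)
    b"P",     # 50        PUSH AX
    b"^",     # 5E        POP SI          ; SI = 097Bh, the patch value
    b")7",    # 29 37     SUB [BX], SI    ; "H+" becomes CD 21 (INT 21h)
    b"C",     # 43        INC BX
    b"C",     # 43        INC BX
    b")7",    # 29 37     SUB [BX], SI    ; "H*" becomes CD 20 (INT 20h)
    b"}$",    # 7D 24     JGE +24h        ; skip the 36-byte message
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$",  # '$'-terminated, printed by INT 21h
    b"H+H*",  # 48 2B 48 2A              ; patched at run time into INT 21h / INT 20h
]


def eicar_bytes():
    """The 68-byte test file, assembled from its instructions."""
    return b"".join(EICAR_PARTS)


def is_printable_ascii(data):
    return all(0x20 <= c < 0x7F for c in data)


def replay_stub(code=None):
    """Replay the stub's register arithmetic in Python. This is not a CPU
    emulator: it follows the fixed instruction sequence above, reading the
    immediates from the bytes, applies the two SUB [BX],SI patches and
    reports what the program would then execute and print."""
    code = bytearray(eicar_bytes() if code is None else code)

    def imm16(off):
        return struct.unpack_from("<H", code, off)[0]

    ax = 0                      # POP AX
    ax ^= imm16(2)              # XOR AX, 214Fh
    stack = [ax]                # PUSH AX
    ax &= imm16(6)              # AND AX, 4140h
    stack.append(ax)            # PUSH AX
    bx = stack.pop()            # POP BX
    ax ^= code[11]              # XOR AL, 5Ch (imm8 only touches the low byte)
    stack.append(ax)            # PUSH AX
    dx = stack.pop()            # POP DX
    ax = stack.pop()            # POP AX
    ax ^= imm16(16)             # XOR AX, 2834h
    stack.append(ax)            # PUSH AX
    si = stack.pop()            # POP SI
    for _ in range(2):          # SUB [BX], SI ; INC BX ; INC BX ; SUB [BX], SI
        off = bx - ORG
        struct.pack_into("<H", code, off, (imm16(off) - si) & 0xFFFF)
        bx += 2
    jge_target = 26 + 2 + code[27]   # JGE sits at offset 26; rel8 from the next instruction
    return {
        "patched_tail": bytes(code[-4:]),                 # CD 21 CD 20
        "jge_target": jge_target,                         # 0x40: lands on the patched INT 21h
        "message": bytes(code[dx - ORG:]).split(b"$")[0],
        "ah": ax >> 8,                                    # 09h: DOS "print string"
    }


if __name__ == "__main__":
    print(replay_stub())
```

The trick is that CD 21 and CD 20 are not printable, so the file carries them as "H+" and "H*" and subtracts a constant (SI) at run time; every constant in the stub was chosen so that the immediates stay within printable ASCII while AH still comes out as 09h.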

2009/05/10

a few fixes

I created a minimal project to keep libdasm updated.
A few fixes were already submitted, thanks to Silvio Cesare and Georg Wicherski, fixing a few FPU, TEST and MOV opcodes.

2009/04/16

Stupid sequence of the day

Inspired by ReWolf:
9A 69 E8 C8 C2 CD C3
is a byte sequence that decodes to a valid instruction from every byte offset, independently of the bytes that follow...
9A 69E8C8C2CDC3    callf 0C3CD:0C2C8E869
69 E8C8C2CDC3      imul ebp,eax,0C3CDC2C8
E8 C8C2CDC3        call 0C40E0C36
C8 C2CDC3          enter 0CDC2,0C3
C2 CDC3            retn 0C3CD
CD C3              int 0C3
C3                 retn
Sadly, the 69 imul doesn't always decode that way, so it's not a generic 5-byte cloaker.

2009/02/01

no more hidden progress

After converting several working hash algorithms to classes, I decided to put everything from my personal wip repository into branches/wip on the public repository.

Next step: reduce the /wip branch to the minimum.