Exetools

VM decompiler tool (VMProtect, CodeVirtualizer) (https://forum.exetools.com/showthread.php?t=13084)

ahmadmansoor 11-11-2010 07:54

hxxp://www.filesend.net/download.php...f5e3f167a62921

D-Jester 11-11-2010 12:04

File: VMSweeper.rar
http://www.d-jester.com/files/bQ4SQC1289448194.html

File: VmpVirtTest1.rar
http://www.d-jester.com/files/zMm1Qg4B1289448194.html

File: progopis.rar
http://www.d-jester.com/files/Mqeu1289448194.html

estelle 11-12-2010 10:38

1 Attachment(s)
Attachment 5641
run error
;)

ahmadmansoor 11-13-2010 19:45

1 Attachment(s)
Hi progopis:
Why does ur plugin need to reload the target after u press DeCode VM ??!!
If u can, make it not reload it again,
and can u make an option to define the intermediate code section,
by address or by name,
and an option to define the storage folder.
And this is an example I have created for u in VB 6.0.
U can see the pic for the options of protection.
When DeCode VM works to -21.0 then it stops ...!!!!
Pls check it.
In the attachment I have put both files, the original file and the packed file.
Address at = 00401CF0 type Virtualization
When u press the Check button u will reach the address.

hXXp://img405.imageshack.us/f/progopis.jpg/

LCF-AT 11-14-2010 02:01

Hi,

Nice plugin, but it's not working very stably. In most cases it just stops if it tries to DeCode.

@ ahmadmansoor

I also tried your VB target and for me it always stops at 21.0 % after the break on 00401CF0. Nothing happened anymore and the code is still the same.

greetz

progopis 11-14-2010 18:51

As I already mentioned, this plug-in doesn't support FPU. It stops on handler VM_fnclex.

I believe I will finish support for all handlers by the end of next week.

P.S. Anybody tried it on CodeVirtualizer btw? ;)

hyperchem 11-14-2010 23:59

I have tried this tool on Winlicense 2.13 main exe, a dialog popup said: invaild value Code start :00401000.
what's wrong with this?

another bug: The Segment address dialog can not be closed.....

mari0 b0ss 11-15-2010 00:55

Because it only supports the Oreans Code Virtualizer product.

Anyway, when you say "Winlicense 2.13 main exe", do you refer to the retail version?

Regards

progopis 11-15-2010 01:21

Quote:

Originally Posted by hyperchem (Post 70276)
I have tried this tool on Winlicense 2.13 main exe, a dialog popup said: invaild value Code start :00401000.
what's wrong with this?

another bug: The Segment address dialog can not be closed.....

Themida and WinLicense are not supported yet.

The segment dialog should not be closed. Just think before doing anything.

wuqing1501 11-22-2010 12:49

so strong tools !
3q 4 SHARE
but so many bugs
waiting the new version

BoRoV 12-05-2010 00:48

VMSweeper 1.3 (beta 12):
- ݧߧ ӧѧߧӧݧ֧ߧڧ ڧާ ݧ VMProtect
- ѧߧ֧ ֧ԧާ֧ߧ .vm, ڧݧ֧է֧ާާ ѧۧݧ ҧݧ ߧڧ֧ԧ ֧ݧ ߧ ߧاߧ
- ݧ֧ ڧ ֧ ӧէ ӧ
- ݧ֧ߧ ѧ٧ߧѧӧѧߧڧ ڧ ӧ
- shortcut Shift+F1 ѧ֧ էݧا֧ߧڧ ѧߧѧݧڧ٧ ܧէ ӧ
- ӧ֧ݧڧ֧ߧ ҧ֧ ҧէ֧ۧӧڧ ӧ֧ ֧ѧڧ
- ӧ֧ ֧ߧ ֧ߧ է֧ܧާڧݧڧ ܧէ VmProtect (֧ߧѧ էݧ ާ֧ߧ - ܧԧէ ҧݧ֧ 50% ܧէ ѧ٧ߧѧߧ ӧѧߧӧݧ֧ߧ ѧӧާѧڧ֧ܧ, 100% ӧѧߧӧݧ֧ߧڧ ܧէ ܧ ӧ٧ާاߧ ݧܧ 5-10% ݧѧ֧ ݧܧ ߧ ߧ֧ܧ ӧ֧ڧ VmProtect, ܧѧܧڧ ߧ֧ڧ٧ӧ֧ߧ .. ֧ҧ ߧ ҧѧ֧)
- ҧߧӧݧ֧ߧ ܧӧէӧ ݧ٧ӧѧ֧ݧ, ܧԧ ݧ֧է֧ ߧѧѧ...

Whoever wants to can translate it themselves from Russian into their native language.

http://rghost.net/3481244/private/2c41de505ab28d742ab19cc6db7e02c0

BoRoV 12-06-2010 23:45

VMSweeper 1.3 (beta 13)
- some internal fixes

http://rghost.net/3505157/private/c90edf1ea4c2dd9ce4342d188232f756

BoRoV 12-16-2010 00:19

VMSweeper 1.4 beta 1 (with surprise)
http://rghost.net/3619113

LCF-AT 12-17-2010 05:36

Hello,

@ BoRoV

Cool, a new version, but this time your plugin always crashes. :( Any Olly. I try to Analyse all VM references and then it crashes or closes Olly. The other versions are working till now.
So I have also tested different dbghelp.dll versions but I get the same bad result.
Code:

VM Sweeper.dll


2. Break on this call - then step in.

1003FD07  CALL 10005BC0  // BP

10005BC0  PUSH -1

EAX 00000000
ECX 0012D3C0
EDX 0000001C
EBX 00000010
ESP 0012D334
EBP 0012DD90
ESI 00000000
EDI 00461A48 OLLYDBG._Findmemory
EIP 10005BC0


0012D334  1003FD0C  RETURN to 1003FD0C from 10005BC0
0012D338  0000001C
0012D33C  63BE9E82
0012D340  0012F50C
0012D344  00000000


10005C03  LEA EBX,DWORD PTR DS:[EAX+1]

Address=0000001D
EBX=00000010

10005C06  MOV CL,BYTE PTR DS:[EAX]

DS:[0000001C]=???
CL=C0
-----------------------

I hope you can fix this problem soon. :)

greetz

ahmadmansoor 12-17-2010 07:35

Ooo God, I think LCF-AT is faster than me.
Anyway, I have done some tests too,
and I got the same result as LCF-AT.
This is a flash file of what happens.
hxxp://www.filesend.net/download.php...b41755226d09fb
PS: Thanks LCF-AT for ur hints on unpacking VMProtect,
but I think ur way will not always work in upper OS (Win 7.0 and Vista).
I am working on a small way; I will send the details to u after I check that it will work.
It will help ur script and push the target to run on different OS.
Thank u for ur hard work, and thanks to progopis and BoRoV and the author of VMSweeper.
By the way, I was absent for some time because I was very ill.
I hope I will recover soon.

The file includes this:
VMS_test from modified olly >>>>. trc files and the log files tested with modify olly
VMS_test from original olly >>>>. trc files and the log files tested with original olly
VMSweeper-problem flash movie

