VM decompiler tool (VMProtect, CodeVirtualizer)
 

Hi guys!

My friend released beta version of decompiler. Here is it.

In your bug reports mention string with "#ERROR#" substring.

Cong Bro :)

Can anyone upload in mediafire server???

http://www.d-jester.com/files/qCyiV1289315367.html

http://www.mediafire.com/?xe2audtv678ttjq
http://www.multiupload.com/7KR131VMWH

It sounds promissing but could you post also some info how does it work and how to use it? ;)

--
Jump

It's ollydbg 1.10 plug-in. It can't help you with anti-debug or crc checks. All what you need is to break at any address near OEP or after OEP. Then choose "Analyze for all VM references" and paste values for all .text/.code sections scope and for VM. It will show you all possible VM references. After that you can choose any address in this table (table of reference results) and press "[Ctrl]+[Crey *]" on it and then F1 for decompile.

Well it should be cool, but it kinda crashes at 13% with vmprotect will try some others. In oreans it doesn't recognize a deobfuscated VM it seems. Will test some more.

EDIT:
Other VMprotect seems to crash as well.. Testing late VMprotect here, unpacked and antidump fixed.

> "[Ctrl]+[Crey *]"
Sorry for mistake. I mean "New origin here" command.

quosego
Most programs have FPU handlers, so it one of the possible reasons of crashes. This tool is still beta and can't work with FPU handlers. But I can add support.

What do you mean about "crashes"? There are many possible problems. Please specify.

good tool~

:(the windows do not have a cancel button

Probably would be better if I did a little video with example of usage.

very Nice
 

Ooooo ..Ooooo . :eek:
progopis :cool: :cool: ........Great work bro :D .
will be tested ...

ahmadmansoor
My part of work on this project no more than 10% or maybe less. This project is started by Vamit. My part of this work was to study VMProtect and testing. Also, I fixed a few bugs and wrote some of the technical things in the architecture of the project.

And I should make video for you now.

no problem .... 10% is enough to be thanked ,
and big thanks for sharing it .... and 90% thanks for Vamit .
video tut will be more useful to understand some points in this plugin .
for me after analysising Olly hung .and I just use StrongOD and IDAFicator
with this plugin .
the target protected with Winlic and Vmprotect

Here is example of usage.

http://www.multiupload.com/DGV8WI410B

This example fails on decompilation, so maybe I will attach the working example later.

Fixed an issue that I mentioned in a previous post.

tools is very good~

can upload Fixed vmswipeer in mediafire??

Good work!!;)

Mirror:
http://www.mediafire.com/?87qbsfzmtc6ssif

can you also provide an example target that works (100% functional) with this plugin ? I wish I can help you on improving.

yes ... agree with nooby in this point .
for me now ....
after I try it on my Target ... No results !!!!
did it work with the mixed protection ( Winlic & VMprotect ) ???
r this tool just for VMprotect alone ??

It's NOT for any WL/TM vm!!! Just CodeVirtualizer and VMProtect. I will upload some good targets.

anyway ..my friend I have a Target with mixed protection .
2 layer or 3 , VMProtect is first one then Winlic .
the first plugin u upload it was working , but the next file not work ??!!
and I have try both on the same Target !!
so any Idea ?

Can you tell me what do you mean about "not work"? Handler was not recognized, any error message by VMProtect or what? I hope you applying plug-in on already unpacked file! Because it's not an unpacker. Can you send me your file via PM?

yes I know that is not an unpacker .
I run the program then when reach to place where I could try the plugin .It give Handler was not recognized or stop at 49 % and olly hung.
it is Licgenerator ,but the problem it is locked to one PC ( my friend PC ) .
and I'm trying to study the reg routine .
anyway I will wait ur example .

Ok. Here is very artificial example.

Use the following params:
Code section: 00401000 - 00403000
VM section: 00406000 - 00413000

Steps:
1. Analyze all VM references
2. Set breakpoint at 0x40146F and break on it.
3. Press F1.
4. On messages "Process still active" press "Yes".
5. You will get error "Code not created" for some reason.

Now look at 0x40146F instruction. It replaced by jump to intermediate code:
It looks better than VM picode ;)
Also look log file (40146F.log):
I really don't know why it crashes on this step, but you see clean decompiled and deobfuscated code, and you can paste it back manually ;)

But listen again: this tool is Beta (!) - many bugs, many features was not realized and it should be tested. Also remember that there are many versions of VMProtect. We worked only on last 2.0x builds.

You can give me log file + trc file which were created last. And I can add support of this handler or fix handler determination.

Thanks progopis ..
this is just a flash on how it work . applied on ur target .
now back to test on some other targets .

@ahmadmansoor

Can share in mediafire?

I will like check it too.

Thanks

File: VMSweeper.rar
http://www.d-jester.com/files/bQ4SQC1289448194.html

File: VmpVirtTest1.rar
http://www.d-jester.com/files/zMm1Qg4B1289448194.html

File: progopis.rar
http://www.d-jester.com/files/Mqeu1289448194.html

Attachment 5641
run error
;)

Hi progopis :
why ur plugin need to reload the target after u press DeCode VM ??!!.
if u can ,make it not to reload it again,
and can u make an option to to define the intermediate code section .
by Address or by name .
and an option to define the storage folder .
and this is an example I have create it for u in VB 6.0 .
u can see the pic for the options of protection .
when DeCode VM work to -21.0 then stop ...!!!!
pls check it .
in the attachment I have but both files the original file and the packed file .
address at = 00401CF0 type Virtualization
when press at Check button u will reach the address .

hXXp://img405.imageshack.us/f/progopis.jpg/

Hi,

nice plugin but it's not working very stable.In the most cases it just stops if it tries to DeCode.

@ ahmadmansoor

I tried also your vb target and for me it stops always at 21.0 % after the break on 00401CF0.Nothing happend anymore and the code is still the same.

greetz

As I already mentioned, this plug-in doesn't support FPU. It stops on handler VM_fnclex.

I'm believe, I will finish support for all handlers to the end of the next week.

P.S. Anybody tried it on CodeVirtualizer btw? ;)

I have tried this tool on Winlicense 2.13 main exe, a dialog popup said: invaild value Code start :00401000.
what's wrong with this?

another bug: The Segment address dialog can not be closed.....

Because only support to oreans Code Virtualizer product.

Anway when you say "Winlicense 2.13 main exe" refer to retail version?

Regards

Themida and WinLicense are unsupported yet.

The segment dialog is should not be closed. Just think before doing anything.

so strong tools !
3q 4 SHARE
but so many bugs
waiting the new version