Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   VM decompiler tool (VMProtect, CodeVirtualizer) (https://forum.exetools.com/showthread.php?t=13084)

progopis 11-09-2010 20:30

VM decompiler tool (VMProtect, CodeVirtualizer)
 
1 Attachment(s)
Hi guys!

My friend released beta version of decompiler. Here is it.

In your bug reports mention string with "#ERROR#" substring.

Rigel 11-09-2010 21:19

Cong Bro :)

besoeso 11-09-2010 22:30

Can anyone upload in mediafire server???

D-Jester 11-09-2010 23:11

http://www.d-jester.com/files/qCyiV1289315367.html

progopis 11-09-2010 23:14

http://www.mediafire.com/?xe2audtv678ttjq
http://www.multiupload.com/7KR131VMWH

jump 11-09-2010 23:37

It sounds promissing but could you post also some info how does it work and how to use it? ;)

--
Jump

progopis 11-10-2010 00:05

It's ollydbg 1.10 plug-in. It can't help you with anti-debug or crc checks. All what you need is to break at any address near OEP or after OEP. Then choose "Analyze for all VM references" and paste values for all .text/.code sections scope and for VM. It will show you all possible VM references. After that you can choose any address in this table (table of reference results) and press "[Ctrl]+[Crey *]" on it and then F1 for decompile.

quosego 11-10-2010 04:08

Well it should be cool, but it kinda crashes at 13% with vmprotect will try some others. In oreans it doesn't recognize a deobfuscated VM it seems. Will test some more.

EDIT:
Other VMprotect seems to crash as well.. Testing late VMprotect here, unpacked and antidump fixed.

progopis 11-10-2010 04:42

> "[Ctrl]+[Crey *]"
Sorry for mistake. I mean "New origin here" command.

quosego
Most programs have FPU handlers, so it one of the possible reasons of crashes. This tool is still beta and can't work with FPU handlers. But I can add support.

What do you mean about "crashes"? There are many possible problems. Please specify.

Hmily 11-10-2010 10:41

good tool~

zapline 11-10-2010 12:52

:(the windows do not have a cancel button

progopis 11-10-2010 17:32

Probably would be better if I did a little video with example of usage.

ahmadmansoor 11-10-2010 17:38

very Nice
 
Ooooo ..Ooooo . :eek:
progopis :cool: :cool: ........Great work bro :D .
will be tested ...

progopis 11-10-2010 18:18

ahmadmansoor
My part of work on this project no more than 10% or maybe less. This project is started by Vamit. My part of this work was to study VMProtect and testing. Also, I fixed a few bugs and wrote some of the technical things in the architecture of the project.

And I should make video for you now.

ahmadmansoor 11-10-2010 18:40

no problem .... 10% is enough to be thanked ,
and big thanks for sharing it .... and 90% thanks for Vamit .
video tut will be more useful to understand some points in this plugin .
for me after analysising Olly hung .and I just use StrongOD and IDAFicator
with this plugin .
the target protected with Winlic and Vmprotect

progopis 11-10-2010 19:55

Here is example of usage.

http://www.multiupload.com/DGV8WI410B

This example fails on decompilation, so maybe I will attach the working example later.

progopis 11-10-2010 21:28

1 Attachment(s)
Fixed an issue that I mentioned in a previous post.

freecat 11-10-2010 22:25

tools is very good~

besoeso 11-10-2010 22:32

can upload Fixed vmswipeer in mediafire??

Good work!!;)

progopis 11-10-2010 22:36

Mirror:
http://www.mediafire.com/?87qbsfzmtc6ssif

Nooby 11-11-2010 01:55

can you also provide an example target that works (100% functional) with this plugin ? I wish I can help you on improving.

ahmadmansoor 11-11-2010 03:39

yes ... agree with nooby in this point .
for me now ....
after I try it on my Target ... No results !!!!
did it work with the mixed protection ( Winlic & VMprotect ) ???
r this tool just for VMprotect alone ??

progopis 11-11-2010 03:43

It's NOT for any WL/TM vm!!! Just CodeVirtualizer and VMProtect. I will upload some good targets.

ahmadmansoor 11-11-2010 03:52

anyway ..my friend I have a Target with mixed protection .
2 layer or 3 , VMProtect is first one then Winlic .
the first plugin u upload it was working , but the next file not work ??!!
and I have try both on the same Target !!
so any Idea ?

progopis 11-11-2010 03:57

Can you tell me what do you mean about "not work"? Handler was not recognized, any error message by VMProtect or what? I hope you applying plug-in on already unpacked file! Because it's not an unpacker. Can you send me your file via PM?

ahmadmansoor 11-11-2010 04:28

yes I know that is not an unpacker .
I run the program then when reach to place where I could try the plugin .It give Handler was not recognized or stop at 49 % and olly hung.
it is Licgenerator ,but the problem it is locked to one PC ( my friend PC ) .
and I'm trying to study the reg routine .
anyway I will wait ur example .

progopis 11-11-2010 04:38

1 Attachment(s)
Ok. Here is very artificial example.

Use the following params:
Code section: 00401000 - 00403000
VM section: 00406000 - 00413000

Steps:
1. Analyze all VM references
2. Set breakpoint at 0x40146F and break on it.
3. Press F1.
4. On messages "Process still active" press "Yes".
5. You will get error "Code not created" for some reason.

Now look at 0x40146F instruction. It replaced by jump to intermediate code:
Quote:

00414040 68 68874F2F PUSH 2F4F8768
00414045 68 92576ED3 PUSH D36E5792
0041404A 53 PUSH EBX
0041404B 53 PUSH EBX
0041404C 55 PUSH EBP
0041404D 52 PUSH EDX
0041404E 51 PUSH ECX
0041404F 9C PUSHFD
00414050 56 PUSH ESI
00414051 57 PUSH EDI
00414052 50 PUSH EAX
00414053 FF35 7E104000 PUSH DWORD PTR DS:[40107E]
00414059 68 00000000 PUSH 0
0041405E 8F05 0C404100 POP DWORD PTR DS:[41400C]
00414064 68 D6D3638B PUSH 8B63D3D6
00414069 58 POP EAX
0041406A 010424 ADD DWORD PTR SS:[ESP],EAX
0041406D 9C PUSHFD
0041406E 8F05 14404100 POP DWORD PTR DS:[414014]
00414074 8F05 14404100 POP DWORD PTR DS:[414014]
0041407A 8F05 28404100 POP DWORD PTR DS:[414028]
...
It looks better than VM picode ;)
Also look log file (40146F.log):
Quote:

++++++++++++++++++++++++++++++++++++
Section a11
++++++++++++++++++++++++++++++++++++

004140F6: eax = [ebp + 0xFFFFFFD4]
00414100: edx = 0
00414121: ecx = [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: [ebp + 0xFFFFFFF0] = eax
00414194: [ebp + 0xFFFFFFD8] = edx
00414207: jmp 0x0040148E


++++++++++++++++++++++++++++++++++++
Section asm
++++++++++++++++++++++++++++++++++++

004140F6: mov eax, dword ptr [ebp + 0xFFFFFFD4]
00414100: mov edx, 0
00414121: mov ecx, dword ptr [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: mov dword ptr [ebp + 0xFFFFFFF0], eax
00414194: mov dword ptr [ebp + 0xFFFFFFD8], edx
I really don't know why it crashes on this step, but you see clean decompiled and deobfuscated code, and you can paste it back manually ;)

But listen again: this tool is Beta (!) - many bugs, many features was not realized and it should be tested. Also remember that there are many versions of VMProtect. We worked only on last 2.0x builds.

progopis 11-11-2010 04:43

Quote:

Originally Posted by ahmadmansoor (Post 70222)
It give Handler was not recognized

You can give me log file + trc file which were created last. And I can add support of this handler or fix handler determination.

ahmadmansoor 11-11-2010 06:06

1 Attachment(s)
Thanks progopis ..
this is just a flash on how it work . applied on ur target .
now back to test on some other targets .

besoeso 11-11-2010 06:13

@ahmadmansoor

Can share in mediafire?

I will like check it too.

Thanks

ahmadmansoor 11-11-2010 07:54

hxxp://www.filesend.net/download.php...f5e3f167a62921

D-Jester 11-11-2010 12:04

File: VMSweeper.rar
http://www.d-jester.com/files/bQ4SQC1289448194.html

File: VmpVirtTest1.rar
http://www.d-jester.com/files/zMm1Qg4B1289448194.html

File: progopis.rar
http://www.d-jester.com/files/Mqeu1289448194.html

estelle 11-12-2010 10:38

1 Attachment(s)
Attachment 5641
run error
;)

ahmadmansoor 11-13-2010 19:45

1 Attachment(s)
Hi progopis :
why ur plugin need to reload the target after u press DeCode VM ??!!.
if u can ,make it not to reload it again,
and can u make an option to to define the intermediate code section .
by Address or by name .
and an option to define the storage folder .
and this is an example I have create it for u in VB 6.0 .
u can see the pic for the options of protection .
when DeCode VM work to -21.0 then stop ...!!!!
pls check it .
in the attachment I have but both files the original file and the packed file .
address at = 00401CF0 type Virtualization
when press at Check button u will reach the address .

hXXp://img405.imageshack.us/f/progopis.jpg/

LCF-AT 11-14-2010 02:01

Hi,

nice plugin but it's not working very stable.In the most cases it just stops if it tries to DeCode.

@ ahmadmansoor

I tried also your vb target and for me it stops always at 21.0 % after the break on 00401CF0.Nothing happend anymore and the code is still the same.

greetz

progopis 11-14-2010 18:51

As I already mentioned, this plug-in doesn't support FPU. It stops on handler VM_fnclex.

I'm believe, I will finish support for all handlers to the end of the next week.

P.S. Anybody tried it on CodeVirtualizer btw? ;)

hyperchem 11-14-2010 23:59

I have tried this tool on Winlicense 2.13 main exe, a dialog popup said: invaild value Code start :00401000.
what's wrong with this?

another bug: The Segment address dialog can not be closed.....

mari0 b0ss 11-15-2010 00:55

Because only support to oreans Code Virtualizer product.

Anway when you say "Winlicense 2.13 main exe" refer to retail version?

Regards

progopis 11-15-2010 01:21

Quote:

Originally Posted by hyperchem (Post 70276)
I have tried this tool on Winlicense 2.13 main exe, a dialog popup said: invaild value Code start :00401000.
what's wrong with this?

another bug: The Segment address dialog can not be closed.....

Themida and WinLicense are unsupported yet.

The segment dialog is should not be closed. Just think before doing anything.

wuqing1501 11-22-2010 12:49

so strong tools !
3q 4 SHARE
but so many bugs
waiting the new version


All times are GMT +8. The time now is 10:57.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX