Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV) (https://forum.exetools.com/showthread.php?t=13391)

Deathway 03-26-2011 01:51

Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV)
 
1 Attachment(s)
Hi All :)

This tool helps convert virtual opcodes -> assembly instructions, restoring the original code of your virtualized application; the basic engine comes from CodeUnvirtualizer, my other tool.

[Features]
- Supports WinLicense/Themida/CodeVirtualizer Cisc Machines
- Supports almost all common opcodes
- Supports CHECK_MACRO_PROTECTION
- Supports MultiBranch Tech

[Use]
- Right-click on the jump leading to the Virtual Machine area and press Unvirtualize (if the machine isn't found,
you have to click again, after checking that the full machine was correctly deobfuscated)


[Oreans UnVirtualizer]
[v1.0]
- First public Version

[Request]
- Since it is almost impossible to create a full database with every opcode combination,
I would appreciate it if, when you get errors from unknown opcodes, wrong decompilation, etc.,
you include a full diagnosis with the Cisc_Vo_Dump.txt, Cisc_Vo_Syntax.txt, Cisc_Uv_Dump.txt and
Cisc_Iat_XXXXXX.txt files in your report

Ember 03-26-2011 04:26

Mirror: http://www.mediafire.com/?nxiwurv6rd7njhj

ahmadmansoor 03-26-2011 06:11

Great Greet work man ...Thanks

my friend I think it is good to give us some working example .

Deathway 03-27-2011 02:43

1 Attachment(s)
Quote:

Originally Posted by ahmadmansoor (Post 72148)
Great Greet work man ...Thanks

my friend I think it is good to give us some working example .

Done

Video Samples
http://www.sendspace.com/file/1lscnw

New Version

[v1.1]
- Fixed Decode GenV1
- Added CALL [EBX+ESI+0x234234]
- Video logs Added
- Updated OreansJunk.cfg

Deathway 03-28-2011 06:48

1 Attachment(s)
[v1.2]
- Fixed Decode MovV1
- Added REP - REPNE - CMPS - MOVS - LODS - STOS - SCAS Instructions
- Added CISC-2 Micro-opcodes UnVirtualizer
- Fixed Decode MovV2
- OreansJunk.cfg updated
- OreansAssembler.cfg updated
- Added Virtual Opcode Mutation Tech
- Fixed Jcc Jumps leading outside Virtual Machine
- Fixed Crash on reading Register Handlers
- Cisc_Vo_Dump.txt is no longer created

Deathway 03-31-2011 07:12

1 Attachment(s)
[v1.3]
- Fixed Identifying Some handler variants
- Added NEG - NOT - BSWAP instructions
- Updated OreansAssembler
- Added Options Panel
- Added Hotkeys
- Added UnVirtualize With/Without Jumps
- Fixed Deobfuscation GenV4
- Added optimization on reading virtual labels
- Updated references panel

Ember 03-31-2011 07:24

Mirror v1.3: http://www.mediafire.com/?yy0tyhunu7wnbyp

Excellent progress Deathway! Tested on a CISC-2 target and 1.3 works well. Some unidentified functions still, but really good!

estelle 04-03-2011 18:52

int 2e
Command recognition error?

estelle 04-04-2011 18:41

1 Attachment(s)
Attachment 5788

How to write the following few

Newbie_Cracker 04-06-2011 17:36

1 Attachment(s)
Deathway, it's superb, but has a problem.
On two samples, OllyDbg crashed when decoding the second VM reference. I mean it only unvirtualizes one region per run of OllyDbg (OllyICE).

For WL, the main problem is finding the first instruction. What's your idea about code in attachment?

I tested several possible addresses, but there was no success!

Deathway 04-08-2011 03:05

... I suggest this address,
00D2477D
in case there isn't success, maybe you could upload your target,

Remember that not all functions end with EB 10, because compilers add some alignment to functions, like NOP, MOV EDI,EDI, LEA ESP,[ESP], and Themida omits this kind of instruction, especially if no jump nor Jcc leads to that instruction.

About the crash, it is from the Quicktablewindow function; I will do some tests, but for now I don't have any clue about the error.

Newbie_Cracker 04-09-2011 13:55

Quote:

Originally Posted by Deathway (Post 72353)
... I suggest this address,
00D2477D

Yeah, that was correct. How did you choose that? I checked many addresses, but didn't think about last one.

estelle 04-09-2011 15:37

last

pop esp

Newbie_Cracker 04-09-2011 19:21

yeah, but not always, it's sometimes after last add esp, 04. e.g.:
Quote:

00D98E7D POP ESP
00D98E85 MOV DWORD PTR [EBP+0xbf03541],0x5857cdb0
00D98ECC PUSH DWORD PTR [ESP]
00D98ED8 MOV EBP,DWORD PTR [ESP]
00D98EEB ADD ESP,0x4
00D98F14 ADD ESP,0x4
00D98F32 MOV ECX,DWORD PTR [EBP+0xfffffe98]
00D98F6B PUSH ECX
00D98F81 MOV EDX,DWORD PTR [EBP+0xfffffeb8]

The real code is located a few lines after something like this:

Quote:

00D984F3 SUB EBP,0x4b6a5494
00D98537 PUSH EDX
00D98540 MOV EDX,0x27e976fd
00D98550 SUB EDX,0x6e14c4d2
But the plugin needs a little fix.

In a DLL whose dump is not at its original imagebase, the plugin writes 16 bytes of NOP at the end, which usually overwrites 3 bytes of real code.

Quote:

00B0908E 83C1 FF ADD ECX,-1
00B09091 8A95 E7FEFFFF MOV DL,BYTE PTR SS:[EBP-119]
00B09097 88940D F0FEFFFF MOV BYTE PTR SS:[EBP+ECX-110],DL
00B0909E - E9 0C00500F JMP 100090AF
00B090A3 90 NOP
00B090A4 90 NOP
00B090A5 90 NOP
00B090A6 90 NOP
00B090A7 90 NOP
00B090A8 90 NOP
00B090A9 90 NOP
00B090AA 90 NOP
00B090AB 90 NOP
00B090AC 90 NOP
00B090AD 90 NOP
00B090AE 90 NOP
00B090AF 90 NOP
00B090B0 90 NOP
00B090B1 90 NOP
00B090B2 90 NOP
00B090B3 ? BF 00000F85 MOV EDI,850F0000
00B090B8 ? EA 030000B9 0001 JMP FAR 0100:B9000003
00B090BF ? 0000 ADD BYTE PTR DS:[EAX],AL
00B090C1 . 33C0 XOR EAX,EAX
00B090C3 . BF E06EBE00 MOV EDI,Dumped2_.00BE6EE0
As you see, the end of the unvirtualized code has JMP 100090AF, but in the new imagebase it has to be disassembled manually to JMP 0B090AF. Unfortunately, 00B090AF has been overwritten with NOP by the plugin.

Deathway 04-09-2011 19:59

Don't worry, that problem with the ImageBase and some relocation offsets will be fixed in 2 weeks; unfortunately I'm on exams.

Thanks for your report :)

Newbie_Cracker 04-10-2011 11:56

Quote:

Originally Posted by Deathway (Post 72390)
...unfortunately I'm on exams

Good luck dude :)

estelle 04-14-2011 10:30

10062200 55 PUSH EBP
10062201 8BEC MOV EBP,ESP
10062203 6A FF PUSH -1
10062205 68 1F8C0810 PUSH mapledll.10088C1F
1006220A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
10062210 50 PUSH EAX
10062211 B8 B43B0000 MOV EAX,3BB4
10062216 E8 E5F00000 CALL mapledll.10071300
1006221B A1 10BA0910 MOV EAX,DWORD PTR DS:[1009BA10]
10062220 33C5 XOR EAX,EBP
10062222 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
10062225 56 PUSH ESI
10062226 57 PUSH EDI
10062227 50 PUSH EAX
10062228 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
1006222B 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
10062231 - E9 A2E92B00 JMP mapledll.10320BD8




@Label_10311F0B
10311F45 XOR EDX,EDX
10311F84 MOV ECX,0x8
10311FA4 DIV ECX
10311FE7 PUSH EDX
10311FF0 00D1
10311FF1 001C(00000007)
10311FFC 0018
10311FFD SBB EDX,EDX
10312037 PUSH EDX
10312044 00D1
10312045 001C(00000007)
10312050 0018
10312056 MOV BYTE PTR [EBP+0xffffc5bb],DL
10312088 MOV BYTE PTR [EBP+0xfffffffc],0x6
103120A2 LEA ECX,DWORD PTR [EBP+0xffffffb8]
103120F6 CALL 0x10002160

Deathway 04-15-2011 10:25

Quote:

Originally Posted by estelle (Post 72445)
10062200 55 PUSH EBP
10062201 8BEC MOV EBP,ESP
10062203 6A FF PUSH -1
10062205 68 1F8C0810 PUSH mapledll.10088C1F
1006220A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
10062210 50 PUSH EAX
10062211 B8 B43B0000 MOV EAX,3BB4
10062216 E8 E5F00000 CALL mapledll.10071300
1006221B A1 10BA0910 MOV EAX,DWORD PTR DS:[1009BA10]
10062220 33C5 XOR EAX,EBP
10062222 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
10062225 56 PUSH ESI
10062226 57 PUSH EDI
10062227 50 PUSH EAX
10062228 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
1006222B 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
10062231 - E9 A2E92B00 JMP mapledll.10320BD8




@Label_10311F0B
10311F45 XOR EDX,EDX
10311F84 MOV ECX,0x8
10311FA4 DIV ECX
10311FE7 PUSH EDX
10311FF0 00D1
10311FF1 001C(00000007)
10311FFC 0018
10311FFD SBB EDX,EDX
10312037 PUSH EDX
10312044 00D1
10312045 001C(00000007)
10312050 0018
10312056 MOV BYTE PTR [EBP+0xffffc5bb],DL
10312088 MOV BYTE PTR [EBP+0xfffffffc],0x6
103120A2 LEA ECX,DWORD PTR [EBP+0xffffffb8]
103120F6 CALL 0x10002160

That's weird, that sequence was already translated; could you send me a PM along with the target?

@all
A CRITICAL ERROR was found in version 1.3 and lower: if the unvirtualization routine has SHL, SHR, ROR, ROL, RCL, RCR, it was unvirtualized incorrectly. It will be fixed in the next version (along with the ImageBase, ESP+REG32+MOFFS, minor bugs).

PD2: People are asking about RISC unvirtualization. Today I've managed to get my first handler dumps of this machine, but unfortunately the final handlers are a mix of the original (I mean three or four thunks make one virtual handler on the exe/dll), and it doesn't preserve registers (possible loss of data during deobfuscation). However, if the small thunks are predictable enough, I'll do my best to bring you this feature ;) (No promise yet :):):):) )

estelle 04-15-2011 11:19

Quote:

Originally Posted by Deathway (Post 72453)
That's weird, that sequence was already translated; could you send me a PM along with the target?

@all
A CRITICAL ERROR was found in version 1.3 and lower: if the unvirtualization routine has SHL, SHR, ROR, ROL, RCL, RCR, it was unvirtualized incorrectly. It will be fixed in the next version (along with the ImageBase, ESP+REG32+MOFFS, minor bugs).

PD2: People are asking about RISC unvirtualization. Today I've managed to get my first handler dumps of this machine, but unfortunately the final handlers are a mix of the original (I mean three or four thunks make one virtual handler on the exe/dll), and it doesn't preserve registers (possible loss of data during deobfuscation). However, if the small thunks are predictable enough, I'll do my best to bring you this feature ;) (No promise yet :):):):) )

Look at email

estelle 04-15-2011 11:33

I cannot download, please reply.

Finite 04-22-2011 04:30

Jesus just came back and saw this plugin. Awesome work Deathway :D

Newbie_Cracker 04-24-2011 16:57

Quote:

Originally Posted by Deathway (Post 72390)
Don't worry, that problem with the ImageBase and some relocation offsets will be fixed in 2 weeks; unfortunately I'm on exams.

Thanks for your report :)

Isn't there any news?

Anyone who wants to fix the bytes overwritten by NOP at the end of the UnVMed routine (in case of DLLs with an altered ImageBase) should patch the following address:

Code:

10070412                  |.  83C0 10                  ADD EAX,10  -> 0D
It's because the EB 10 is disassembled to a long JMP. Also the JNZ around that code can be patched to JMP to skip the NOP filling. Because of the JMP at the end of the UnVMed code, nopping the junk bytes is optional.


Deathway, please add an additional check in case of Long JMP to add only 0x0D NOPs (Maybe your plugin can not find actual ImageBase properly ;) ).

Regards.
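An added example (not the plugin's code and not posted in the thread) of the two fixes this post asks for: widening `EB rel8` to `E9 rel32` while keeping the filler at rel8 - 3 NOPs so the real code past the jump is not overwritten, and re-pointing a near JMP whose target was computed for the old imagebase. The bases 10000000 and 00B00000 and the sample byte strings are constructed assumptions.

```python
import struct

NOP = 0x90  # single-byte x86 NOP used as filler


def encode_near_jmp(at_va: int, target_va: int) -> bytes:
    """E9 rel32: the displacement is relative to the end of the 5-byte instruction."""
    rel32 = (target_va - (at_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel32)


def widen_short_jmp(code: bytearray, off: int, buf_va: int) -> int:
    """Replace `EB rel8` at `off` with `E9 rel32` plus NOP filler of the same
    footprint (2 + rel8 bytes), so the instruction the jump lands on stays intact.
    `buf_va` is the virtual address of code[0].  Returns the NOP count, which is
    rel8 - 3 (0x0D for the EB 10 case discussed in the thread)."""
    if code[off] != 0xEB:
        raise ValueError(f"no short JMP at offset {off:#x}")
    rel8 = code[off + 1]
    if rel8 >= 0x80 or rel8 < 3:
        raise ValueError("backward jump, or too few skipped bytes for a 5-byte JMP")
    target_va = buf_va + off + 2 + rel8           # short JMP is relative to its end
    patch = encode_near_jmp(buf_va + off, target_va) + bytes([NOP]) * (rel8 - 3)
    assert len(patch) == 2 + rel8                 # exactly the bytes the short JMP skipped
    code[off:off + 2 + rel8] = patch
    return rel8 - 3


def rebase_near_jmp(code: bytearray, off: int, buf_va: int,
                    old_base: int, new_base: int) -> int:
    """Re-point an `E9 rel32` whose target was computed for `old_base` (the image
    base the DLL was protected at) to the same RVA under `new_base` (where the
    dump is loaded).  Returns the corrected absolute target."""
    if code[off] != 0xE9:
        raise ValueError(f"no near JMP at offset {off:#x}")
    rel32 = struct.unpack_from("<i", code, off + 1)[0]
    at_va = buf_va + off
    wrong_target = (at_va + 5 + rel32) & 0xFFFFFFFF    # 100090AF in the thread's listing
    fixed_target = wrong_target - old_base + new_base  # same RVA, current base
    code[off:off + 5] = encode_near_jmp(at_va, fixed_target)
    return fixed_target


if __name__ == "__main__":
    # Constructed sample: the JMP from the listing at 00B0909E, with assumed
    # bases 10000000 (original DLL) and 00B00000 (dumped DLL).
    dump = bytearray(b"\xE9\x0C\x00\x50\x0F" + bytes([NOP]) * 16 + b"\x33\xC0")
    print(f"rebased target: {rebase_near_jmp(dump, 0, 0x00B0909E, 0x10000000, 0x00B00000):08X}")
    # Constructed sample: EB 10, 16 junk bytes, then real code 33 C0 (XOR EAX,EAX).
    code = bytearray(b"\xEB\x10" + bytes(range(16)) + b"\x33\xC0")
    print(f"NOPs written: {widen_short_jmp(code, 0, 0x00B0909E):#x}, tail intact: {code[18:].hex()}")
```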

Newbie_Cracker 05-02-2011 15:09

Today I used the plugin on Windows 7 SP1 x64. Fortunately the mentioned problem (OllyDbg crashing on the second unvirtualization) did not occur!

Does anybody else have this problem on Windows XP SP3 x86?

Polaris 05-03-2011 05:03

This is an impressive plugin! Keep up the good work :)

test 05-13-2011 08:21

Any news about RISC?

Of course good job.

Deathway 03-06-2012 01:50

1 Attachment(s)
[v1.4]
- Fixed Cisc - CALL [REG32+IMMC]
- Fixed Cisc - SHL REG32, IMMC
- Fixed an issue with odbg when using context menu
- Added TAB key on windows
- Added autofill on FindReferences window
- Risc-64 machine function :)
- Added OreansAssember_Risc.cfg

Well, it was a long journey to deal with RISC, but it's almost finished, hope you like it :)

Some info about RISC machines
- It's still in debug mode, so it may take a long time to deobfuscate it
- The 128 variant is not available; it could fail on that machine
- The example provided was modified in order to show how to deal with deobfuscation failures
- In case of failure, two errors may pop up: (1) about Follow jump, this has a trial-and-error solution:
press reload and then the other option; (2) about could not find XXXX handler,
in this case the left list control shows the current VM entry and the right one the 'ideal handler';
in 80% of cases the red instruction is the problem, the yellow part shows the handler that could
not be identified; press delete after selecting the 'wrong instruction' on the left panel (could be more than one)
- The example was compiled with full protection, 64 variant
- Can't read some opcodes like movzx, xchg, movsx, muls, div, etc.


Deathway.
Example link: http://www.sendspace.com/file/fa45ny

PD: Example solution
Put a HWBP on execution at 00401058 and press F9 (could be on normal olly, doesn't have debug detection)
Click on 00401058 and press Alt - I
First error: press 'No'
Second error: On left panel select 00D5DFE4 and press delete
Third error: On left panel select 00D781CC and press delete then select 00D781CE and press delete

On the next popup window insert 005FC4DC and press enter

Deathway 03-10-2012 08:18

1 Attachment(s)
[v1.5]
- Fixed Unvirtualize with Jump on CISC machines
- Fixed some errors when handling signed constants on RISC
- Fixed an issue when processing MOVS instruction on CISC machine
- Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI)
- Fixed a problem when handling AH CH DH BH registers on COMM2 instructions
- Added MOVSX - MOVZX - XCHG - IMUL - MUL - DIV - IDIV - PUSHFD - POPFD instructions on RISC
- Added CALL [ESP+IMMC] on Cisc Machine
- Added support of dump files on RISC machines
- OreansAssember_Risc.cfg updated
- DLL Support on CISC and RISC machines

There is a fix regarding RISC machines: if you unvirtualized the opcodes, there is a high chance that you obtained the inverted form of these opcodes, COMM REGX,REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI). This error is fixed in the latest version.

DLL support is now available, however RISC machines must be initialized first (not a problem, since RISC machines are always encrypted).

On both machines, devirtualization is recommended once EIP reaches the OEP.


Deathway.

Deathway 12-25-2012 04:26

1 Attachment(s)
[v1.6]
- RISC machine re-designed
- Added RISC V2 machines (new branch tech)
- Added Pushad-popad instructions on risc machines
- Fixed some issues with end jump
- Added new detection for virtual machines
- Added abort button

___da-brain___ 11-05-2013 08:29

Hello,

I was wondering if you have an updated version for TIGER and FISH new VM ?

ZeNiX 11-14-2013 08:38

Would Deathway like to update Oreans UnVirtualizer?

giv 11-14-2013 17:17

Quote:

Originally Posted by ___da-brain___ (Post 87766)
Hello,

I was wondering if you have an updated version for TIGER and FISH new VM ?

Do you think it is easy to reverse a newer VM?

b30wulf 11-15-2013 01:56

Quote:

Originally Posted by giv (Post 87995)
Do you think it is easy to reverse a newer VM?

Are you serious? :) He calls Chuck Norris and the VM reverses itself :D:D:D:D

giv 11-16-2013 00:16

lol
Many of us don't have knowledge to reverse a simple crackme.

Deathway 01-31-2014 10:11

1 Attachment(s)
[v1.7]
- FISH machine available (WHITE and RED variants)
- Added VM signatures

Hi all, the new version of this plug-in supports the FISH virtual machine, WHITE and RED variants.

Some words about this machine...

It mixes both CISC and RISC architecture, but the code isn't template-like anymore: every virtual machine has a different number of handlers, and every handler contains a different execution path. A little tricky, but nothing that can't be 'devirtualized' ;), maybe I'll write a paper about FISH and TIGER machines later.

Some specs that aren't coded yet:
- Support for Check macro;
- Sort algo is very unstable
- This plugin may crash when deobfuscating very rare sequences (most of them are 'expected', especially when the crash was due to an ud2 instruction).
- Support for BLACK variants ;)

... About TIGER, I have no plans for the moment, but it isn't very different from FISH analog.
Plug-in was tested with 2.2.6.0 version, other versions may have variants that this plug-in couldn't handle.


Deathway.

Conquest 01-31-2014 12:31

Quote:

Originally Posted by Deathway (Post 89678)
[v1.7]
- FISH machine available (WHITE and RED variants)
- Added VM signatures

Hi all, the new version of this plug-in supports the FISH virtual machine, WHITE and RED variants.

Some words about this machine...

It mixes both CISC and RISC architecture, but the code isn't template-like anymore: every virtual machine has a different number of handlers, and every handler contains a different execution path. A little tricky, but nothing that can't be 'devirtualized' ;), maybe I'll write a paper about FISH and TIGER machines later.

Some specs that aren't coded yet:
- Support for Check macro;
- Sort algo is very unstable
- This plugin may crash when deobfuscating very rare sequences (most of them are 'expected', especially when the crash was due to an ud2 instruction).
- Support for BLACK variants ;)

... About TIGER, I have no plans for the moment, but it isn't very different from FISH analog.
Plug-in was tested with 2.2.6.0 version, other versions may have variants that this plug-in couldn't handle.


Deathway.

LF> the paper . thanks for the great update

giv 01-31-2014 16:07

It is amazing how fast you do the updates.
It seems that you have a very good knowledge of the VMs.
Bravo and thank you!

benney 01-31-2014 21:43

thank you for the update, nice work Deathway!

ahmadmansoor 02-01-2014 04:29

Really nice work Deathway.
But are there any example files or an update for the movie tutorial?
many thanks .

Deathway 02-05-2014 11:03

1 Attachment(s)
[v1.8]
- FISH BLACK variant available
- Fixed deobfuscation order (GenV6)
- New deobfuscation scheme for FISH machine
- New smart code tracer for FISH machines
- Stack sort for FISH commands
- Improved management of memory (faster deobfuscation)
- Added movzx reg32, [esp+eax+memoffset] on CISC machines
- Added a message prompt when the opcode buffer is not enough
- Added LEAVE instruction for FISH machines
- Added support for CALLs to VM section in FISH machines
- CHECK_PROTECTION macro disabled, now it must be restored by hand
- Fixed QWORD incorrect names for some opcodes
- Fixed a problem when deobfuscating RISC machines

Thanks people for all your reports, the plug-in becomes more powerful every day.

Now it fully supports FISH machines.
The CHECK_PROTECTION macro has been disabled; it must be restored by hand, there were many troubles when handling this kind of macro.
CodeVirtualizer machines aren't supported (FISH-TIGER).
Hope you like this new update, happy reversing :)


Deathway.

giv 02-05-2014 14:41

So fast.
Congrats amigo.

