Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV)
1 Attachment(s)
Hi All :)
This tool will help conversion VirtualOpcodes -> Assembly Instruction restoring the original code of your virtualized Application, the basic engine was from CodeUnvirtualizer, my other tool [Features] - Supports WinLicense/Themida/CodeVirtualizer Cisc Machines - Supports almost all common opcodes - Supports CHECK_MACRO_PROTECTION - Supppots MultiBranch Tech [Use] - Right-click on the jump leading to the Virtual Machine Area and press Unvirtualize (If machine isn't found you have to click again, after checking that the full machine was correctly deofuscated) [Oreans UnVirtualizer] [v1.0] - First public Version [Request] - Since is almost impossible to create a full database with every opcode combination I would appreciate if you got errors by some unknown opcodes, wrong decompiled, etc a full diagnosis including Cisc_Vo_Dump.txt, Cisc_Vo_Syntax.txt, Cisc_Uv_Dump.txt and Cisc_Iat_XXXXXX.txt file on your report |
Mirror: http://www.mediafire.com/?nxiwurv6rd7njhj
|
Great Greet work man ...Thanks
my friend I think it is good to give us some working example . |
1 Attachment(s)
Quote:
Video Samples http://www.sendspace.com/file/1lscnw New Version [v1.1] - Fixed Decode GenV1 - Added CALL [EBX+ESI+0x234234] - Video logs Added - Updated OreansJunk.cfg |
1 Attachment(s)
[v1.2]
- Fixed Decode MovV1 - Added REP - REPNE - CMPS - MOVS - LODS - STOS - SCAS Instructions - Added CISC-2 Micro-opcodes UnVirtualizer - Fixed Decode MovV2 - OreansJunk.cfg updated - OreansAssembler.cfg updated - Added Virtual Opcode Mutation Tech - Fixed Jcc Jumps leading outside Virtual Machine - Fixed Crash on reading Register Handlers - Cisc_Vo_Dump.txt is no longer created |
1 Attachment(s)
[v1.3]
- Fixed Identifying Some handler variants - Added NEG - NOT - BSWAP instructions - Updated OreansAssembler - Added Options Panel - Added Hotkeys - Added UnVirtualize With/Without Jumps - Fixed DeOfuscation GenV4 - Added optimization on reading virtual labels - Updated references panel |
Mirror v1.3: http://www.mediafire.com/?yy0tyhunu7wnbyp
Excellent progress Deathway! Tested on a CISC-2 target and 1.3 works well. Some unidentified functions still, but really good! |
int 2e
Command recognition error £¿ |
1 Attachment(s)
|
1 Attachment(s)
Deathway, it's superb, but has a problem.
on two samples, OllyDbg was crashed for decoding second vm reference. I mean it only unvirtualize one region at each run of OllyDbg (OllyIce). For WL, the main problem is finding the first instruction. What's your idea about code in attachment? I tested several possible address, but there was no success! |
... I suggest this address,
00D2477D in case there isn't success, maybe you could upload your target, Remember that not all the functions end with EB 10, because compilers do some align to functions like NOP, MOV EDI,EDI, LEA ESP, [ESP], and Themida omits this kind of instruction, specially if no jump nor Jcc leads to that instruction About the crash, is from Quicktablewindow function, will do some test, but now I don't have any clue about the error. |
Quote:
|
last
pop esp |
yeah, but not always, it's sometimes after last add esp, 04. e.g.:
Quote:
The real code is located few lines after something like this: Quote:
In DLL with the dump it is not in its original imagebase, the plugin writes 16 bytes of NOP at the end, which usually overwites 3 bytes of real code. Quote:
|
Don't worry, that problem about the ImageBase and some relocation offset will be fixed in 2 weeks, unfortunately I'm on exams
Thanks for your report :) |
Quote:
|
10062200 55 PUSH EBP
10062201 8BEC MOV EBP,ESP 10062203 6A FF PUSH -1 10062205 68 1F8C0810 PUSH mapledll.10088C1F 1006220A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] 10062210 50 PUSH EAX 10062211 B8 B43B0000 MOV EAX,3BB4 10062216 E8 E5F00000 CALL mapledll.10071300 1006221B A1 10BA0910 MOV EAX,DWORD PTR DS:[1009BA10] 10062220 33C5 XOR EAX,EBP 10062222 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX 10062225 56 PUSH ESI 10062226 57 PUSH EDI 10062227 50 PUSH EAX 10062228 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 1006222B 64:A3 00000000 MOV DWORD PTR FS:[0],EAX 10062231 - E9 A2E92B00 JMP mapledll.10320BD8 @Label_10311F0B 10311F45 XOR EDX,EDX 10311F84 MOV ECX,0x8 10311FA4 DIV ECX 10311FE7 PUSH EDX 10311FF0 00D1 10311FF1 001C(00000007) 10311FFC 0018 10311FFD SBB EDX,EDX 10312037 PUSH EDX 10312044 00D1 10312045 001C(00000007) 10312050 0018 10312056 MOV BYTE PTR [EBP+0xffffc5bb],DL 10312088 MOV BYTE PTR [EBP+0xfffffffc],0x6 103120A2 LEA ECX,DWORD PTR [EBP+0xffffffb8] 103120F6 CALL 0x10002160 |
Quote:
@all A CRITICAL ERROR was found on version 1.3 and lower, if the unvirtualization routine has SHL, SHR, ROR, ROL, RCL, RCR, It was wrong unvirtualized. It will be fixed on next version (along with the ImageBase, ESP+REG32+MOFFS, minor bugs) PD2: People are/is asking about RISC UnVirtualization, Today I've managed to get my first Handler dumps about this machine, but unfortunately, the final handlers are mix of the original (I mean three or 4 thunks make one Virtual Handler on the exe/dll), it doesn't preserve registers (possible lost of data when deofuscation). However if the small thunks are enough predictable, I'll do my best effort to bring you this feature ;) (Not promise yet :):):):) ) |
Quote:
|
I can not download please reply
|
Jesus just came back and saw this plugin. Awesome work Deathway :D
|
Quote:
Anyone who wants to fix the bytes overwritten by NOP at the end of UnVMed routine (in case of DLLs with altered ImageBase), should patch following address: Code:
10070412 |. 83C0 10 ADD EAX,10 -> 0D Deathway, please add an additional check in case of Long JMP to add only 0x0D NOPs (Maybe your plugin can not find actual ImageBase properly ;) ). Regards. |
To day I used the plugin on Windows 7 SP1 x64. Fortunately the mentioned problem (crashing of OllyDbg on second unvirtualization) was not occured!
Does anybody else have this problem on Windows XP SP3 x86? |
This is an impressive plugin! Keep up the good work :)
|
Any news about RISC?
Of course good job. |
1 Attachment(s)
[v1.4]
- Fixed Cisc - CALL [REG32+IMMC] - Fixed Cisc - SHL REG32, IMMC - Fixed an issue with odbg when using context menu - Added TAB key on windows - Added autofill on FindReferences window - Risc-64 machine function :) - Added OreansAssember_Risc.cfg Well, it was a long journey to deal with Risc, but i'ts almost finished, hope you like it :) Some info about RISC machines - It's still on debug mode, so it may take long time for deofuscate it - 128 variant is not avaible, it could fail on that machine - The example provided was modified in order to show how to deal when deofuscation fails - In case of failure, two errors may popup (1) About Follow jump, this has a trail-error solution: press reload and then the other option, (2) about could not find XXXX handler, in this case the left list control show the current vm entry, and the right one the 'ideal handler', on 80% of cases, the red instruction is the problem, the yellow part shows the handler that could not be identified, press delete after selecting the 'wrong instruction' on the left panel (could be more than one) - The example was compiled with full protection 64variant - Can't read some opcodes like movzx, xchg, movsx, muls, div, etc Deathway. Example link: http://www.sendspace.com/file/fa45ny PD: Example solution Put a HWBP on execution at 00401058 and press F9 (could be on normal olly, doesn't have debug detection) Click on 00401058 and press Alt - I First error: press 'No' Second error: On left panel select 00D5DFE4 and press delete Third error: On left panel select 00D781CC and press delete then select 00D781CE and press delete On the next popup window insert 005FC4DC and press enter |
1 Attachment(s)
[v1.5]
- Fixed Unvirtualize with Jump on CISC machines - Fixed some errors when handling signed constants on RISC - Fixed an issue when processing MOVS instrution on CISC machine - Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI) - Fixed a problem when handling AH CH DH BH registers on COMM2 instructions - Added MOVSX - MOVZX - XCHG - IMUL - MUL - DIV - IDIV - PUSHFD - POPFD instructions on RISC - Added CALL [ESP+IMMC] on Cisc Machine - Added support of dump files on RISC machines - OreansAssember_Risc.cfg updated - DLL Support on CISC and RISC machines There is a fix regarding Risc machines, if you unvirtualized the opcodes, there is a high chance that you obtain the inversed form of this opcodes COMM REGX,REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI). This errrors is fixed on the latest version DLL support is now avaible, however Risc machines must be initialized first (not a problem, since risc machines are always encrypted). On both machines, it's recommended the devirtualization once the eip reach the oep. Deathway. |
1 Attachment(s)
[v1.6]
- RISC machine re-designed - Added RISC V2 machines (new branch tech) - Added Pushad-popad instructions on risc machines - Fixed some issues with end jump - Added new detection for virtual machines - Added abort button |
Hello,
I was wondering if you have an updated version for TIGER and FISH new VM ? |
Would Deathway like to update Oreans UnVirtualizer?
|
Quote:
|
Quote:
|
lol
Many of us don't have knowledge to reverse a simple crackme. |
1 Attachment(s)
[v1.7]
- FISH machine avaible (WHITE and RED variants) - Added Vm signatures Hi all, the new version of this plug-in supports the FISH virtual machine, WHITE and RED variants. Some words about this machine... It mixes both CISC and RISC architecture, but the code isn't like template anymore, every virtual machine has a new different number of handlers, and every handler contains a different execution path, a little tricky, but nothing that can't be 'devirtualized' ;), maybe i'll write a paper about FISH and TIGER machines later. Some specs that aren't coded yet: - Support for Check macro; - Sort algo is very unstable - This plugin may crash when deofuscating very rare sequences, (most of them are 'expected' specially when crash was due to an ud2 instruction). - Suppor for BLACK variants ;) ... About TIGER, I have no plans for the moment, but it isn't very different from FISH analog. Plug-in was tested with 2.2.6.0 version, other versions may have variants that this plug-in couldn't handle. Deathway. |
Quote:
|
Is amaizing how fast you do the update.
It seems that you have a very good knownledge of the VM's. Bravo and thank you! |
thank you for the update, nice work Deathway!
|
Really nice work Deathway.
but any example files or update for movie tut . many thanks . |
1 Attachment(s)
[v1.8]
- FISH BLACK variant avaible - Fixed deofuscation order (GenV6) - New deofucation scheme for FISH machine - New smart code tracer for FISH machines - Stack sort for FISH commands - Improved management of memory (faster deofuscation) - Added movzx reg32, [esp+eax+memoffset] on CISC machines - Added a message prompt when the opcode buffer is not enough - Added LEAVE instruction for FISH machines - Added support for CALLs to VM section in FISH machines - CHECK_PROTECTION macro disabled, now it must be restored by hand - Fixed QWORD incorrect names for some opcodes - Fixed a problem when deofuscating RISC machines Thanks people for all your reports, the plug-in becomes more powerful every day. Now it fully supports FISH machines. CHECK_PROTECTION macro has been disbled, it must be restored by hand, there were many troubles when handling this kind of macro. CodeVirtualizer machines aren't supported (FISH-TIGER). Hope you like this new update, happy reversing :) Deathway. |
So fast.
Congrats amigo. |
All times are GMT +8. The time now is 23:37. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX