Exetools - VM decompiler tool (VMProtect, CodeVirtualizer)

Exetools (https://forum.exetools.com/index.php)

- Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)

- - VM decompiler tool (VMProtect, CodeVirtualizer) (https://forum.exetools.com/showthread.php?t=13084)

File: VMSweeper.rar
http://www.d-jester.com/files/bQ4SQC1289448194.html

File: VmpVirtTest1.rar
http://www.d-jester.com/files/zMm1Qg4B1289448194.html

File: progopis.rar
http://www.d-jester.com/files/Mqeu1289448194.html

Attachment 5641
run error
;)

Hi progopis :
why ur plugin need to reload the target after u press DeCode VM ??!!.
if u can ,make it not to reload it again,
and can u make an option to to define the intermediate code section .
by Address or by name .
and an option to define the storage folder .
and this is an example I have create it for u in VB 6.0 .
u can see the pic for the options of protection .
when DeCode VM work to -21.0 then stop ...!!!!
pls check it .
in the attachment I have but both files the original file and the packed file .
address at = 00401CF0 type Virtualization
when press at Check button u will reach the address .

hXXp://img405.imageshack.us/f/progopis.jpg/

Hi,

nice plugin but it's not working very stable.In the most cases it just stops if it tries to DeCode.

@ ahmadmansoor

I tried also your vb target and for me it stops always at 21.0 % after the break on 00401CF0.Nothing happend anymore and the code is still the same.

greetz

As I already mentioned, this plug-in doesn't support FPU. It stops on handler VM_fnclex.

I'm believe, I will finish support for all handlers to the end of the next week.

P.S. Anybody tried it on CodeVirtualizer btw? ;)

I have tried this tool on Winlicense 2.13 main exe, a dialog popup said: invaild value Code start :00401000.
what's wrong with this?

another bug: The Segment address dialog can not be closed.....

Because only support to oreans Code Virtualizer product.

Anway when you say "Winlicense 2.13 main exe" refer to retail version?

Regards

Quote:

Originally Posted by hyperchem (Post 70276)

I have tried this tool on Winlicense 2.13 main exe, a dialog popup said: invaild value Code start :00401000.
what's wrong with this?

another bug: The Segment address dialog can not be closed.....

Themida and WinLicense are unsupported yet.

The segment dialog is should not be closed. Just think before doing anything.

so strong tools !
3q 4 SHARE
but so many bugs
waiting the new version

VMSweeper 1.3 (beta 12):
- 扭抉抖扶抉快志抉扼扼找忘扶抉志抖快扶我快我技扭抉把找忘扭抉扼抖快 VMProtect
- 批扼找把忘扶快扶扼快忍技快扶找 .vm, 抗我扼扼抖快忱批快技抉技批扳忘抄抖批忌抉抖抆扮快扶我折快忍抉扯快扭抖攸找抆扶快扶批忪扶抉
- 批抖批折扮快扶扭抉我扼抗找抉折快抗志抒抉忱忘志志技
- 批抖批折扮快扶抉把忘扼扭抉戒扶忘志忘扶我快找我扭抉志志技
- shortcut Shift+F1 批扭把抉投忘快找扭把抉忱抉抖忪快扶我快忘扶忘抖我戒忘抗抉忱忘志技
- 批志快抖我折快扶抉抉忌投快快忌抑扼找把抉忱快抄扼找志我快扭把我志扼快抒抉扭快把忘扯我攸抒
- 扭抉志抑扮快扶扭把抉扯快扶找批扼扭快扮扶抉抄忱快抗抉技扭我抖攸扯我我抗抉忱忘扭抉忱 VmProtect (批扼扭快扮扶忘攸忱抖攸技快扶攸 - 抗抉忍忱忘忌抉抖快快 50% 抗抉忱忘把忘扼扭抉戒扶忘扶抉我志抉扼扼找忘扶抉志抖快扶抉忘志找抉技忘找我折快扼抗我, 忘 100% 志抉扼扼找忘扶抉志抖快扶我快抗抉忱忘扭抉抗忘志抉戒技抉忪扶抉找抉抖抆抗抉志 5-10% 扼抖批折忘快志我找抉抖抆抗抉扶忘扶快抗抉找抉把抑抒志快把扼我攸抒 VmProtect, 忘抗忘抗我抒扶快我戒志快扼找扶抉找.抗. 抉扶抉扼快忌快扶快扼抉抉忌投忘快找)
- 抉忌扶抉志抖快扶抉妓批抗抉志抉忱扼找志抉扭抉抖抆戒抉志忘找快抖攸, 扼抗抉找抉把抉忍抉我扼抖快忱批快找扶忘折忘找抆...

Who wants to can convert themselves from Russian into their native language.

http://rghost.net/3481244/private/2c41de505ab28d742ab19cc6db7e02c0

VMSweeper 1.3 (beta 13)
- some internal fixes

http://rghost.net/3505157/private/c90edf1ea4c2dd9ce4342d188232f756

VMSweeper 1.4 beta 1 (with surprise)
http://rghost.net/3619113

Hello,

@ BoRoV

Cool a new version but this time your plugin crashes always. :( Any Olly.I try to Analyse all VM references and then it crashes or closed Olly.The other version are working till now.
So I have test also diffrent dbghelp.dll versions but I get the same bad result.

Code:

VM Sweeper.dll 





2. Break on this call - then step in.



1003FD07   CALL 10005BC0   // BP



10005BC0   PUSH -1



EAX 00000000

ECX 0012D3C0

EDX 0000001C

EBX 00000010

ESP 0012D334

EBP 0012DD90

ESI 00000000

EDI 00461A48 OLLYDBG._Findmemory

EIP 10005BC0





0012D334   1003FD0C  RETURN to 1003FD0C from 10005BC0

0012D338   0000001C

0012D33C   63BE9E82

0012D340   0012F50C

0012D344   00000000





10005C03   LEA EBX,DWORD PTR DS:[EAX+1]



Address=0000001D

EBX=00000010



10005C06   MOV CL,BYTE PTR DS:[EAX]



DS:[0000001C]=???

CL=C0

-----------------------

I hope you can fix this problem soon. :)

greetz

Ooo God I think LCF-AT faster than me.
anyway I have done some tests too .
and I got the same result as LCF-at .
this is a flash file of what happen .
hxxp://www.filesend.net/download.php...b41755226d09fb
bs: Thanks LCF-At for ur hints in unpack Vmprotect .
but I think ur way will not work always in upper OS ( Win 7.0 and Vista)
I am working on small way I will send the details to u after I check that it will work .
It will help ur script and push the target to run on different OS .
Thanks u for ur hard work and thanks for progopis and BoRoV and the Author of vmsweeper .
by the way I was absent for some time because I was very ill .
I hope I will recover soon .

the file include this :
VMS_test from modified olly >>>>. trc files and the log files tested with modify olly
VMS_test from original olly >>>>. trc files and the log files tested with original olly
VMSweeper-problem flash movie