Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   [Help] Reversing VMProtect 3? (https://forum.exetools.com/showthread.php?t=17561)

0xNOP 05-12-2016 10:34

[Help] Reversing VMProtect 3?
Hello,

Basically I'm initiating myself on VMProtect because someone came to me looking for help to see if I could help him reverse a program with VMProtect, yeah I know it's crazy... well, I checked on PiD and it shows VMProtect 3 detected.

So, I'm not that familiar with protectors like VMProtect except for Armadillo, but that was for a project I was working on like a month ago or so, and I never got too deep into it either.

The thing is that I need some pointers on how to work with VMProtect. I've got past the anti-debugging protections at the beginning of execution (same ol' anti-debugger techniques to detect debuggers, etc., etc.), but I'm failing on one in particular, and it's when I get into the VM: the inline polymorphic VM handlers undo whatever I do to the virtualized P-code, and I'm getting kinda lost here...

I was reading this article -> http://lille1tv.univ-lille1.fr/telecharge.aspx?id=d5b2487e-cacc-4596-ab37-dab2b362cb9e which mainly gives a thorough explanation of what you will find inside a program protected with VMProtect. Now the thing is that I've tried reading it, but like I said, I'm not familiar with some of the concepts, and I don't even know if most of the concepts are up-to-date (the guide was written in 2015 and now the latest version is VMProtect 3), mainly because I haven't yet understood how the underlying VM really works, and just knowing that the VM is always different after each compilation makes me cringe...

I will really appreciate any help anyone could bring me to aid me in this clash of protected code vs. reversing.

TechLord 05-12-2016 15:11

Quote:

Originally Posted by 0xNOP (Post 105264)
Hello,

Basically I'm initiating myself on VMProtect because someone came to me looking for help to see if I could help him reversing a program ...

The thing is, that I need some pointers on how to work with VMProtect,...

I will really appreciate any help anyone could bring me to aid me in this clash of protected code vs. reversing.

Hello friend,

Since you have not mentioned it, I believe that you are not familiar with LCF-AT's scripts and concepts for unwrapping VMP.

See here:

https://forum.tuts4you.com/topic/30733-vmprotect-ultra-unpacker-10/

You need to register on the forum (for free).

I think that the scripts can still work on VMP v3 as well, but definitely the CONCEPTS etc. of VMProtect can be learned very well by watching her videos.

They will help you immensely in your unpacking quest!

Another EXCELLENT paper on this topic, titled "Unpacking Virtualization Obfuscators", can be found here:

http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf

Good luck :)
