Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV)
Hi All :)
This tool helps convert Virtual Opcodes -> Assembly Instructions, restoring the original code of your virtualized application. The basic engine is from CodeUnvirtualizer, my other tool.

[Features]
- Supports WinLicense/Themida/CodeVirtualizer CISC machines
- Supports almost all common opcodes
- Supports CHECK_MACRO_PROTECTION
- Supports MultiBranch Tech

[Use]
- Right-click on the jump leading to the Virtual Machine area and press Unvirtualize (if the machine isn't found you have to click again, after checking that the full machine was correctly deobfuscated)

[Oreans UnVirtualizer]
[v1.0]
- First public version

[Request]
- Since it is almost impossible to create a full database with every opcode combination, I would appreciate, if you get errors from some unknown opcodes, wrong decompilation, etc., a full diagnosis including the Cisc_Vo_Dump.txt, Cisc_Vo_Syntax.txt, Cisc_Uv_Dump.txt and Cisc_Iat_XXXXXX.txt files in your report.
Mirror: http://www.mediafire.com/?nxiwurv6rd7njhj
Great work man... Thanks.

My friend, I think it would be good to give us some working example.
Video Samples: http://www.sendspace.com/file/1lscnw

New Version [v1.1]
- Fixed Decode GenV1
- Added CALL [EBX+ESI+0x234234]
- Video logs added
- Updated OreansJunk.cfg
[v1.2]
- Fixed Decode MovV1
- Added REP, REPNE, CMPS, MOVS, LODS, STOS, SCAS instructions
- Added CISC-2 micro-opcodes UnVirtualizer
- Fixed Decode MovV2
- OreansJunk.cfg updated
- OreansAssembler.cfg updated
- Added Virtual Opcode Mutation Tech
- Fixed Jcc jumps leading outside the Virtual Machine
- Fixed crash on reading register handlers
- Cisc_Vo_Dump.txt is no longer created
[v1.3]
- Fixed identifying some handler variants
- Added NEG, NOT, BSWAP instructions
- Updated OreansAssembler
- Added Options panel
- Added hotkeys
- Added UnVirtualize With/Without Jumps
- Fixed deobfuscation GenV4
- Added optimization on reading virtual labels
- Updated references panel
Mirror v1.3: http://www.mediafire.com/?yy0tyhunu7wnbyp
Excellent progress Deathway! Tested on a CISC-2 target and 1.3 works well. Some unidentified functions still, but really good!
int 2e
Command recognition error?
Deathway, it's superb, but it has a problem.
On two samples, OllyDbg crashed when decoding the second VM reference. I mean it only unvirtualizes one region per run of OllyDbg (OllyIce). For WL, the main problem is finding the first instruction. What's your idea about the code in the attachment? I tested several possible addresses, but there was no success!
... I suggest this address: 00D2477D. In case there isn't success, maybe you could upload your target. Remember that not all functions end with EB 10, because compilers do some alignment of functions with instructions like NOP, MOV EDI,EDI, LEA ESP,[ESP], and Themida omits this kind of instruction, especially if no jump nor Jcc leads to it. About the crash, it's from the Quicktablewindow function; I will do some tests, but right now I don't have any clue about the error.
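A small added example (my own, not code from the thread or from the plugin) illustrating the alignment point above: given a dumped code region, strip the compiler filler that can sit between the last real instruction and the next function, and report whether the real code actually ends in a short JMP such as EB 10. The filler encodings are the ones the post names (NOP, MOV EDI,EDI, LEA ESP,[ESP]) plus INT3 (0xCC), which I add as a commonly seen MSVC filler; the sample bytes are constructed for the example.

```python
from typing import List, Optional, Tuple

# x86 alignment-padding encodings seen between functions.
# NOP, MOV EDI,EDI and LEA ESP,[ESP+0] are the ones named in the thread;
# INT3 (0xCC) is my addition (MSVC filler), not from the thread.
PADDING = [
    (b"\x8d\x64\x24\x00", "LEA ESP,[ESP+0]"),
    (b"\x8b\xff", "MOV EDI,EDI"),
    (b"\x90", "NOP"),
    (b"\xcc", "INT3"),
]


def strip_alignment_padding(region: bytes) -> Tuple[bytes, List[str]]:
    """Trim compiler padding off the end of a dumped code region.

    Returns (bytes up to the last real instruction, names of the stripped
    filler instructions, last one first).  This is a byte-suffix heuristic:
    a real instruction can legitimately end in 0x90 or 0xCC, so confirm the
    boundary in a disassembler before patching anything.
    """
    code = region
    stripped: List[str] = []
    while True:
        for pattern, name in PADDING:
            if code.endswith(pattern):
                code = code[: -len(pattern)]
                stripped.append(name)
                break
        else:
            # No filler left at the end: this is where real code stops.
            return code, stripped


def trailing_short_jmp(region: bytes) -> Optional[int]:
    """If the last real instruction is a short JMP (EB rel8), return its
    target as an offset from the region start; otherwise None.

    EB 10 at the end of a function, as mentioned in the thread, is just one
    such case; functions ending in RET or padded differently return None.
    """
    code, _ = strip_alignment_padding(region)
    if len(code) < 2 or code[-2] != 0xEB:
        return None
    rel8 = code[-1]
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8  # sign-extend rel8
    return len(code) + disp


# Constructed sample: push ebp; mov ebp,esp; pop ebp; ret, followed by filler
# MOV EDI,EDI; NOP; NOP; LEA ESP,[ESP+0]; INT3.
SAMPLE_REGION = (
    b"\x55\x8b\xec\x5d\xc3"
    + b"\x8b\xff" + b"\x90\x90" + b"\x8d\x64\x24\x00" + b"\xcc"
)

if __name__ == "__main__":
    code, filler = strip_alignment_padding(SAMPLE_REGION)
    print("real code ends at offset", len(code), "filler stripped:", filler)
    print("trailing short jmp target:", trailing_short_jmp(SAMPLE_REGION))
    print("EB 10 case:", trailing_short_jmp(b"\x90\xeb\x10\x90\x90"))
```

Run on a dump, the stripped-filler list tells you which alignment pattern the compiler used, and a `None` from `trailing_short_jmp` is the "function does not end with EB 10" case the post warns about.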
last pop esp
Yeah, but not always; it's sometimes after the last add esp, 04, e.g.:
The real code is located a few lines after something like this:
In a DLL with the dump not at its original imagebase, the plugin writes 16 bytes of NOP at the end, which usually overwrites 3 bytes of real code.
Don't worry, that problem with the ImageBase and the relocation offset will be fixed in 2 weeks; unfortunately I'm on exams.
Thanks for your report :)