Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   VM decompiler tool (VMProtect, CodeVirtualizer) (https://forum.exetools.com/showthread.php?t=13084)

progopis 11-10-2010 19:55

Here is an example of usage.

http://www.multiupload.com/DGV8WI410B

This example fails on decompilation, so maybe I will attach the working example later.

progopis 11-10-2010 21:28

1 Attachment(s)
Fixed an issue that I mentioned in a previous post.

freecat 11-10-2010 22:25

The tool is very good~

besoeso 11-10-2010 22:32

Can you upload the fixed vmswipeer to mediafire??

Good work!!;)

progopis 11-10-2010 22:36

Mirror:
http://www.mediafire.com/?87qbsfzmtc6ssif

Nooby 11-11-2010 01:55

Can you also provide an example target that works (100% functional) with this plugin? I wish I could help you with improving it.

ahmadmansoor 11-11-2010 03:39

Yes ... I agree with Nooby on this point.
For me now ....
after I tried it on my target ... no results !!!!
Did it work with the mixed protection (Winlic & VMProtect)???
Or is this tool just for VMProtect alone??

progopis 11-11-2010 03:43

It's NOT for any WL/TM VM!!! Just CodeVirtualizer and VMProtect. I will upload some good targets.

ahmadmansoor 11-11-2010 03:52

Anyway .. my friend, I have a target with mixed protection.
2 layers or 3, VMProtect is the first one, then Winlic.
The first plugin you uploaded was working, but the next file does not work??!!
And I have tried both on the same target!!
So any idea?

progopis 11-11-2010 03:57

Can you tell me what you mean by "not work"? Handler was not recognized, any error message by VMProtect, or what? I hope you are applying the plug-in on an already unpacked file! Because it's not an unpacker. Can you send me your file via PM?

ahmadmansoor 11-11-2010 04:28

Yes, I know that it is not an unpacker.
I run the program, then when it reaches the place where I could try the plugin, it gives "Handler was not recognized" or stops at 49% and Olly hangs.
It is a Licgenerator, but the problem is it is locked to one PC (my friend's PC).
And I'm trying to study the reg routine.
Anyway I will wait for your example.

progopis 11-11-2010 04:38

1 Attachment(s)
Ok. Here is a very artificial example.

Use the following params:
Code section: 00401000 - 00403000
VM section: 00406000 - 00413000

Steps:
1. Analyze all VM references
2. Set breakpoint at 0x40146F and break on it.
3. Press F1.
4. On the message "Process still active" press "Yes".
5. You will get error "Code not created" for some reason.

Now look at the 0x40146F instruction. It is replaced by a jump to intermediate code:
Quote:

00414040 68 68874F2F PUSH 2F4F8768
00414045 68 92576ED3 PUSH D36E5792
0041404A 53 PUSH EBX
0041404B 53 PUSH EBX
0041404C 55 PUSH EBP
0041404D 52 PUSH EDX
0041404E 51 PUSH ECX
0041404F 9C PUSHFD
00414050 56 PUSH ESI
00414051 57 PUSH EDI
00414052 50 PUSH EAX
00414053 FF35 7E104000 PUSH DWORD PTR DS:[40107E]
00414059 68 00000000 PUSH 0
0041405E 8F05 0C404100 POP DWORD PTR DS:[41400C]
00414064 68 D6D3638B PUSH 8B63D3D6
00414069 58 POP EAX
0041406A 010424 ADD DWORD PTR SS:[ESP],EAX
0041406D 9C PUSHFD
0041406E 8F05 14404100 POP DWORD PTR DS:[414014]
00414074 8F05 14404100 POP DWORD PTR DS:[414014]
0041407A 8F05 28404100 POP DWORD PTR DS:[414028]
...
It looks better than VM picode ;)
Also look at the log file (40146F.log):
Quote:

++++++++++++++++++++++++++++++++++++
Section a11
++++++++++++++++++++++++++++++++++++

004140F6: eax = [ebp + 0xFFFFFFD4]
00414100: edx = 0
00414121: ecx = [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: [ebp + 0xFFFFFFF0] = eax
00414194: [ebp + 0xFFFFFFD8] = edx
00414207: jmp 0x0040148E


++++++++++++++++++++++++++++++++++++
Section asm
++++++++++++++++++++++++++++++++++++

004140F6: mov eax, dword ptr [ebp + 0xFFFFFFD4]
00414100: mov edx, 0
00414121: mov ecx, dword ptr [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: mov dword ptr [ebp + 0xFFFFFFF0], eax
00414194: mov dword ptr [ebp + 0xFFFFFFD8], edx
I really don't know why it crashes on this step, but you can see clean decompiled and deobfuscated code, and you can paste it back manually ;)

But listen again: this tool is Beta (!) - many bugs, many features were not realized and it should be tested. Also remember that there are many versions of VMProtect. We worked only on the last 2.0x builds.
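
The 40146F.log excerpt above has two sections: "a11", an intermediate representation in which every statement is an assignment or a bare opcode, and "asm", the same statements lowered to Intel syntax. The following script is an added example, not part of the plugin or of progopis's post; it assumes only the log layout quoted above (a "Section name" line between rows of plus signs, then "ADDRESS: text" lines). It parses both sections, lowers the a11 form to asm, renders the unsigned 32-bit displacements as signed ebp offsets (so 0xFFFFFFD4 reads as -0x2C, a local variable), and reports where the two sections disagree. Run on the quoted log it shows one such disagreement: the final jmp 0x0040148E is present in a11 but missing from asm, which matters if the asm section is what gets pasted back by hand. The sample log is constructed from the thread's excerpt.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two sections of the 40146F.log excerpt quoted in the thread.
SAMPLE_LOG = """\
++++++++++++++++++++++++++++++++++++
Section a11
++++++++++++++++++++++++++++++++++++

004140F6: eax = [ebp + 0xFFFFFFD4]
00414100: edx = 0
00414121: ecx = [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: [ebp + 0xFFFFFFF0] = eax
00414194: [ebp + 0xFFFFFFD8] = edx
00414207: jmp 0x0040148E


++++++++++++++++++++++++++++++++++++
Section asm
++++++++++++++++++++++++++++++++++++

004140F6: mov eax, dword ptr [ebp + 0xFFFFFFD4]
00414100: mov edx, 0
00414121: mov ecx, dword ptr [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: mov dword ptr [ebp + 0xFFFFFFF0], eax
00414194: mov dword ptr [ebp + 0xFFFFFFD8], edx
"""

SECTION_RE = re.compile(r"^Section (\w+)$")
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}): (.+)$")
MEM_RE = re.compile(r"\[(\w+) \+ 0x([0-9A-Fa-f]+)\]")

Section = List[Tuple[int, str]]


def parse_log(text: str) -> Dict[str, Section]:
    """Split the log into named sections, each a list of (address, text) pairs."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current].append((int(m.group(1), 16), m.group(2)))
    return sections


def to_signed32(value: int) -> int:
    """Interpret a 32-bit unsigned displacement as the signed value x86 uses."""
    return value - (1 << 32) if value & 0x80000000 else value


def normalize_mem(operand: str) -> str:
    """Render [ebp + 0xFFFFFFD4] as [ebp - 0x2C] so locals read naturally."""
    def repl(m: re.Match) -> str:
        disp = to_signed32(int(m.group(2), 16))
        sign = "-" if disp < 0 else "+"
        return f"[{m.group(1)} {sign} 0x{abs(disp):X}]"
    return MEM_RE.sub(repl, operand)


def a11_to_asm(stmt: str) -> str:
    """Lower one a11 statement to the Intel-syntax form used in the asm section."""
    if " = " in stmt:
        dst, src = (s.strip() for s in stmt.split(" = ", 1))
        dst = f"dword ptr {dst}" if dst.startswith("[") else dst
        src = f"dword ptr {src}" if src.startswith("[") else src
        return f"mov {dst}, {src}"
    return stmt  # idiv, jmp and similar bare opcodes are already asm


def lower_section(sections: Dict[str, Section]) -> List[str]:
    """Produce a pasteable asm listing from the a11 section with signed offsets."""
    return [f"{addr:08X}: {normalize_mem(a11_to_asm(stmt))}"
            for addr, stmt in sections.get("a11", [])]


def check_sections(sections: Dict[str, Section]):
    """Compare the lowered a11 lines against the asm section.

    Returns (mismatches, only_in_a11): instructions whose lowering differs from
    the asm text at the same address, and addresses the asm section lacks.
    """
    asm = dict(sections.get("asm", []))
    mismatches, only_in_a11 = [], []
    for addr, stmt in sections.get("a11", []):
        lowered = a11_to_asm(stmt)
        if addr not in asm:
            only_in_a11.append(addr)
        elif asm[addr] != lowered:
            mismatches.append((addr, lowered, asm[addr]))
    return mismatches, only_in_a11


if __name__ == "__main__":
    secs = parse_log(SAMPLE_LOG)
    print("\n".join(lower_section(secs)))
    bad, missing = check_sections(secs)
    print("mismatches:", bad)
    print("only in a11:", [f"{a:08X}" for a in missing])
```

The check is deliberately conservative: it only flags an instruction when both sections carry the address and the texts differ, so a tool revision that changes spacing or operand order shows up as a mismatch list to read rather than a silent pass.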

progopis 11-11-2010 04:43

Quote:

Originally Posted by ahmadmansoor (Post 70222)
It give Handler was not recognized

You can give me the log file + trc file which were created last, and I can add support for this handler or fix the handler determination.

ahmadmansoor 11-11-2010 06:06

1 Attachment(s)
Thanks progopis ..
This is just a flash of how it works, applied on your target.
Now back to testing on some other targets.

besoeso 11-11-2010 06:13

@ahmadmansoor

Can you share it on mediafire?

I would like to check it too.

Thanks
