06-23-2005, 03:20
chaboyd
Looks like it does mutate

>>>Mutable virtual machine is hard to analyze

I downloaded and did a quick test of VMProtect 1.05. It certainly seems to do a good job of preventing analysis through both IDAPro and Ollydbg. Ollydbg can't execute the code since it is no longer x86 instructions. I haven't figured out yet how the VM actually executes it, though.


-------------------------------------
New addition

So I decided to test whether VmProtect mutates the code each time you protect a program. It definitely changes. I used the maximum protection options and deleted the project after each run. I did three runs applying the VM to a program that included the section of code below:

004015FF E85C020000 call 00401860
00401604 83C404 add esp,04
00401607 E8F4F9FFFF call 00401000
0040160C 0FBEC0 movsx eax,al
0040160F 83F879 cmp eax,79
00401612 750F jnz 00401623

How the code appears while debugging during each run:

First run:

004015FF .-E9 9DCE0100 JMP Guessing.0041E4A1
00401604 58 DB 58 ; CHAR 'X'
00401605 D2 DB D2
00401606 57 DB 57 ; CHAR 'W'
00401607 C5 DB C5
00401608 E4 DB E4
00401609 06 DB 06
0040160A ED DB ED
0040160B . 53 PUSH EBX
0040160C . EB 35 JMP SHORT Guessing.00401643
0040160E E0 DB E0
0040160F F2 DB F2
00401610 74 DB 74 ; CHAR 't'
00401611 DA DB DA
00401612 0D DB 0D

Second run:

004015FF .-E9 43D00100 JMP Guessing.0041E647
00401604 63 DB 63 ; CHAR 'c'
00401605 72 DB 72 ; CHAR 'r'
00401606 9E DB 9E
00401607 72 DB 72 ; CHAR 'r'
00401608 A0 DB A0
00401609 19 DB 19
0040160A BD DB BD
0040160B 17 DB 17
0040160C BE DB BE
0040160D E6 DB E6
0040160E . C3 RETN
0040160F DC DB DC
00401610 C6 DB C6
00401611 AD DB AD
00401612 B6 DB B6

Third run:

004015FF >-E9 46CF0100 JMP Guessing.0041E54A
00401604 DA DB DA
00401605 D7 DB D7
00401606 15 DB 15
00401607 . 1351 4D ADC EDX,DWORD PTR DS:[ECX+4D]
0040160A . 8B7B C9 MOV EDI,DWORD PTR DS:[EBX-37]
0040160D . C3 RETN
0040160E . 01FB ADD EBX,EDI
00401610 > 3932 CMP DWORD PTR DS:[EDX],ESI
00401612 . 70 68 JO SHORT Guessing.0040167C


So you can see that the hex dump is quite a bit different, with no obvious patterns. So while it doesn't change from run to run, it does "mutate" when you actually protect a program. Maybe this is old news and everyone already knows this.

Last edited by chaboyd; 06-28-2005 at 09:50. Reason: Answer my own question
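To make the comparison in the post mechanical rather than eyeball-based, here is an added Python example (not from the post, and not VMProtect's or OllyDbg's own code) that parses the three listings above and reports which bytes stayed identical across all three protection runs. The listings are pasted in as the input; the two regexes are my own assumption about OllyDbg's line layout (address, optional `.`/`>`/`-` markers, byte column, mnemonic).

```python
import re

# The three OllyDbg listings quoted in the post above, used here as the input.
RUN1 = ["004015FF .-E9 9DCE0100 JMP Guessing.0041E4A1", "00401604 58 DB 58 ; CHAR 'X'",
        "00401605 D2 DB D2", "00401606 57 DB 57", "00401607 C5 DB C5", "00401608 E4 DB E4",
        "00401609 06 DB 06", "0040160A ED DB ED", "0040160B . 53 PUSH EBX",
        "0040160C . EB 35 JMP SHORT Guessing.00401643", "0040160E E0 DB E0",
        "0040160F F2 DB F2", "00401610 74 DB 74", "00401611 DA DB DA", "00401612 0D DB 0D"]
RUN2 = ["004015FF .-E9 43D00100 JMP Guessing.0041E647", "00401604 63 DB 63", "00401605 72 DB 72",
        "00401606 9E DB 9E", "00401607 72 DB 72", "00401608 A0 DB A0", "00401609 19 DB 19",
        "0040160A BD DB BD", "0040160B 17 DB 17", "0040160C BE DB BE", "0040160D E6 DB E6",
        "0040160E . C3 RETN", "0040160F DC DB DC", "00401610 C6 DB C6", "00401611 AD DB AD",
        "00401612 B6 DB B6"]
RUN3 = ["004015FF >-E9 46CF0100 JMP Guessing.0041E54A", "00401604 DA DB DA", "00401605 D7 DB D7",
        "00401606 15 DB 15", "00401607 . 1351 4D ADC EDX,DWORD PTR DS:[ECX+4D]",
        "0040160A . 8B7B C9 MOV EDI,DWORD PTR DS:[EBX-37]", "0040160D . C3 RETN",
        "0040160E . 01FB ADD EBX,EDI", "00401610 > 3932 CMP DWORD PTR DS:[EDX],ESI",
        "00401612 . 70 68 JO SHORT Guessing.0040167C"]

# "addr XX DB XX" is how OllyDbg shows a byte it could not disassemble.
DATA_LINE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F]{2})\s+DB\s+\2(?:\s|$)")
# "addr [.>-] <hex groups> MNEMONIC ...": only even-length hex groups are bytes,
# so a hex-looking mnemonic such as ADC or ADD (odd length) ends the byte column.
CODE_LINE = re.compile(r"^([0-9A-F]{8})\s+[.>-]*\s*((?:(?:[0-9A-F]{2})+\s+)+)")


def parse_listing(lines: list[str]) -> dict[int, int]:
    """Map every address covered by the listing to the byte stored there."""
    image: dict[int, int] = {}
    for line in lines:
        if m := DATA_LINE.match(line):
            image[int(m.group(1), 16)] = int(m.group(2), 16)
            continue
        if not (m := CODE_LINE.match(line)):
            raise ValueError(f"unrecognised listing line: {line!r}")
        addr, raw = int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))
        image.update({addr + i: b for i, b in enumerate(raw)})  # expand multi-byte instructions
    return image


def stable_addresses(runs: list[dict[int, int]]) -> list[int]:
    """Addresses present in every run whose byte is identical across all runs."""
    common = set.intersection(*(set(r) for r in runs))
    return sorted(a for a in common if len({r[a] for r in runs}) == 1)


if __name__ == "__main__":
    images = [parse_listing(r) for r in (RUN1, RUN2, RUN3)]
    stable = stable_addresses(images)
    print(f"{len(stable)} of {len(set.intersection(*map(set, images)))} bytes unchanged:",
          [f"{a:08X}={images[0][a]:02X}" for a in stable])
```

On these three listings it reports 3 of 20 compared bytes unchanged: the E9 opcode of the jump into the VM and the upper two bytes of its displacement, which is the kind of entry stub a detection signature can still key on while the body bytes mutate from build to build.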