05-17-2011, 19:03
beta 11

1) Handlers of FPU instructions fclex, fldcw, fstcw, fldz, fld1, fistp
2) The window for entering code segments and the VM now has 3 buttons:
- Analyze - Start analysis of VM entries and import restoration.
- Accept - Apply the entered segment values without analysis.
- Cancel - Exit without saving any changes.

3) Display API names in p-code maps, relocations and function calls
4) Devirtualization of the add esp, xx instruction
5) Improved restoration of partially wiped IAT
6) Import recovery such as: push reg; call vm -> call [api].
7) push/pop reg; call vm -> mov reg,[api].
8) Improved recognition of VM entries
9) Improved detection of VM loop

1) Code conversion: pop xx; jmp xx into retn.
2) Restructuring of intermediate code. Block intersections.
3) Installed several exceptions during code devirtualization.
4) Removal of anti-dump code.

Translated from Russian


PS: Vam, correct me if I translated it incorrectly and you meant something else.

Last edited by V0ldemAr; 05-17-2011 at 19:08.
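The import-recovery and code-conversion idioms listed in the changelog (push reg; call vm -> call [api], push/pop reg; call vm -> mov reg,[api], and pop xx; jmp xx -> retn), written as a peephole pass over a symbolic instruction list. This is an added example, not code from the post or from the tool it describes; the instruction representation, the VM entry addresses, the API names, and the reading of "push/pop reg; call vm" as push reg; call vm; pop reg are assumptions.

```python
"""Peephole rewriting of the devirtualization idioms from the changelog.

Added example. Instructions are modelled as (mnemonic, operand-tuple) pairs.
The VM-entry-to-API map is a constructed stand-in for what VM-entry analysis
would produce; the addresses and API names are not from the post.
"""

# Constructed: VM entry addresses that analysis resolved to imported APIs.
VM_ENTRY_TO_API = {0x401000: "kernel32!GetProcAddress",
                   0x401020: "kernel32!LoadLibraryA"}


def is_vm_call(ins, vm_map):
    """True for 'call <addr>' where <addr> is a known VM entry."""
    return ins[0] == "call" and bool(ins[1]) and ins[1][0] in vm_map


def devirtualize(code, vm_map=VM_ENTRY_TO_API):
    """Return a new instruction list with the three idioms rewritten."""
    out, i = [], 0
    while i < len(code):
        cur = code[i]
        nxt = code[i + 1] if i + 1 < len(code) else None
        nxt2 = code[i + 2] if i + 2 < len(code) else None
        # pop reg; jmp reg -> retn. Valid only when the same register is
        # used in both and is dead afterwards (the usual compiler ret idiom).
        if cur[0] == "pop" and nxt and nxt[0] == "jmp" and nxt[1] == cur[1]:
            out.append(("retn", ()))
            i += 2
            continue
        # push reg; call vm; pop reg -> mov reg,[api]  (assumed operand order;
        # the pushed slot receives the API address, the pop loads it).
        if (cur[0] == "push" and nxt and is_vm_call(nxt, vm_map)
                and nxt2 and nxt2[0] == "pop" and nxt2[1] == cur[1]):
            out.append(("mov", (cur[1][0], "[" + vm_map[nxt[1][0]] + "]")))
            i += 3
            continue
        # push reg; call vm -> call [api]
        if cur[0] == "push" and nxt and is_vm_call(nxt, vm_map):
            out.append(("call", ("[" + vm_map[nxt[1][0]] + "]",)))
            i += 2
            continue
        out.append(cur)  # anything else passes through unchanged
        i += 1
    return out


def format_listing(code):
    """Render the symbolic list as assembler-style text, one line each."""
    fmt = lambda o: hex(o) if isinstance(o, int) else str(o)
    return "\n".join((m + " " + ", ".join(map(fmt, ops))).rstrip() for m, ops in code)
```

The fourth sequence in the test below (pop edx; jmp ebx) is deliberately left untouched because the registers differ, which is the check that keeps the retn rewrite from swallowing an ordinary indirect jump.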