  #121  
04-30-2012, 16:29
Raham
@Vam
The current version is better than the old one... better detection of handlers.

But a 2big problem is still here.
1. VMProtect is a stack-based VM, so everything is pushed onto the stack for processing.
Even without adding junk code, it's obfuscated. Why?
Because:
push dword ptr [reg_C]
push 0041077C
pop eax
pop edx
mov dword ptr ds:[eax], edx ;00000005
is:
MOV DWORD PTR DS:[41077C],ECX

So it's hard to understand in a long analysis.
It's better to use at least pattern matching for deobfuscating this routine.
For example: handlers 0x50, 0x60, 0x40, 0x70, 0x80, if run together, will for example
be equal to MOV R32,R32.

If you do it, it will be very good.


Kind Regards.
Also, I'm waiting for your new version.

Last edited by Raham; 04-30-2012 at 16:38.
The Following 2 Users Gave Reputation+1 to Raham For This Useful Post:
demon_da (05-01-2012), pertican (05-02-2012)
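
The pattern matching suggested in the post above, as an added example that is not part of the original post or of the tool under discussion: a peephole pass that folds the quoted push/push/pop/pop/store sequence into the single MOV it stands for. The tuple encoding of instructions, the `$` capture syntax and the `reg_C` to `ECX` mapping are assumptions made for illustration.

```python
# Added example: constructed instruction tuples, not output of any real tool.
VREG_TO_NATIVE = {"reg_C": "ECX"}  # assumed mapping, implied by the post's example

# "$name" operands are capture variables; a repeated variable must bind to the
# same operand everywhere it appears in the pattern.
STORE_PATTERN = [
    ("push", "$src"),
    ("push", "$addr"),
    ("pop", "$r1"),           # $r1 receives $addr (top of stack)
    ("pop", "$r2"),           # $r2 receives $src
    ("store", "$r1", "$r2"),  # mov dword ptr ds:[$r1], $r2
]

# Constructed sample: the five-instruction sequence quoted in the post.
SAMPLE = [
    ("push", "[reg_C]"), ("push", "0041077C"),
    ("pop", "eax"), ("pop", "edx"), ("store", "eax", "edx"),
]

def match(pattern, window):
    """Return capture bindings if window matches pattern, else None."""
    if len(window) != len(pattern):
        return None
    env = {}
    for pat, ins in zip(pattern, window):
        if len(pat) != len(ins) or pat[0] != ins[0]:
            return None
        for var, operand in zip(pat[1:], ins[1:]):
            if env.setdefault(var, operand) != operand:
                return None
    return env

def fold(trace):
    """Collapse each STORE_PATTERN match into one MOV string; pass the rest through.

    Assumes the two popped scratch registers are dead after the store.
    """
    out, i, n = [], 0, len(STORE_PATTERN)
    while i < len(trace):
        env = match(STORE_PATTERN, trace[i:i + n])
        if env and env["$r1"] != env["$r2"]:
            src = VREG_TO_NATIVE.get(env["$src"].strip("[]"), env["$src"])
            addr = env["$addr"].lstrip("0") or "0"
            out.append(f"MOV DWORD PTR DS:[{addr}],{src}")
            i += n
        else:
            out.append(trace[i])
            i += 1
    return out
```

Because the captures must bind consistently, a sequence whose final store uses the popped registers in the other order is left unfolded rather than rewritten into the wrong MOV.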