  #27  
Old 11-11-2010, 04:38
progopis
CrackTool coder

OK. Here is a very artificial example.

Use the following params:
Code section: 00401000 - 00403000
VM section: 00406000 - 00413000

Steps:
1. Analyze all VM references.
2. Set a breakpoint at 0x40146F and break on it.
3. Press F1.
4. On the message "Process still active" press "Yes".
5. You will get the error "Code not created" for some reason.

Now look at the instruction at 0x40146F. It is replaced by a jump to the intermediate code:
Quote:
00414040 68 68874F2F PUSH 2F4F8768
00414045 68 92576ED3 PUSH D36E5792
0041404A 53 PUSH EBX
0041404B 53 PUSH EBX
0041404C 55 PUSH EBP
0041404D 52 PUSH EDX
0041404E 51 PUSH ECX
0041404F 9C PUSHFD
00414050 56 PUSH ESI
00414051 57 PUSH EDI
00414052 50 PUSH EAX
00414053 FF35 7E104000 PUSH DWORD PTR DS:[40107E]
00414059 68 00000000 PUSH 0
0041405E 8F05 0C404100 POP DWORD PTR DS:[41400C]
00414064 68 D6D3638B PUSH 8B63D3D6
00414069 58 POP EAX
0041406A 010424 ADD DWORD PTR SS:[ESP],EAX
0041406D 9C PUSHFD
0041406E 8F05 14404100 POP DWORD PTR DS:[414014]
00414074 8F05 14404100 POP DWORD PTR DS:[414014]
0041407A 8F05 28404100 POP DWORD PTR DS:[414028]
...
It looks better than the VM p-code.
Also look at the log file (40146F.log):
Quote:
++++++++++++++++++++++++++++++++++++
Section a11
++++++++++++++++++++++++++++++++++++

004140F6: eax = [ebp + 0xFFFFFFD4]
00414100: edx = 0
00414121: ecx = [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: [ebp + 0xFFFFFFF0] = eax
00414194: [ebp + 0xFFFFFFD8] = edx
00414207: jmp 0x0040148E


++++++++++++++++++++++++++++++++++++
Section asm
++++++++++++++++++++++++++++++++++++

004140F6: mov eax, dword ptr [ebp + 0xFFFFFFD4]
00414100: mov edx, 0
00414121: mov ecx, dword ptr [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: mov dword ptr [ebp + 0xFFFFFFF0], eax
00414194: mov dword ptr [ebp + 0xFFFFFFD8], edx
I really don't know why it crashes at this step, but you can see clean decompiled and deobfuscated code, and you can paste it back manually.

But listen again: this tool is Beta (!): many bugs, many features were not implemented, and it should be tested. Also remember that there are many versions of VMProtect. We worked only on the last 2.0x builds.
Attached file: VmpVirtTest1.rar (40.7 KB)
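As an added example that is not part of progopis's post or of the tool itself: a small Python script that parses a log in the layout shown above ("Section a11" / "Section asm" headers, then "address: statement" lines), lowers each a11 statement to the asm form the same way the log shows (an assignment becomes mov, a bracketed operand becomes dword ptr [...], idiv and jmp pass through), checks that the lowered a11 section agrees with the asm section, and rewrites the wrapped 32-bit displacements such as 0xFFFFFFD4 as negative offsets for readability. The embedded sample log is a constructed copy of the excerpt from the post; the section names, the line layout and the assumption that every a11 statement containing " = " is a plain "dst = src" assignment are taken from that excerpt only, so a real 40146F.log may contain statement kinds this script does not handle.

```python
import re

# Constructed sample: the log excerpt quoted in the post, verbatim.
SAMPLE_LOG = """\
++++++++++++++++++++++++++++++++++++
Section a11
++++++++++++++++++++++++++++++++++++

004140F6: eax = [ebp + 0xFFFFFFD4]
00414100: edx = 0
00414121: ecx = [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: [ebp + 0xFFFFFFF0] = eax
00414194: [ebp + 0xFFFFFFD8] = edx
00414207: jmp 0x0040148E


++++++++++++++++++++++++++++++++++++
Section asm
++++++++++++++++++++++++++++++++++++

004140F6: mov eax, dword ptr [ebp + 0xFFFFFFD4]
00414100: mov edx, 0
00414121: mov ecx, dword ptr [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: mov dword ptr [ebp + 0xFFFFFFF0], eax
00414194: mov dword ptr [ebp + 0xFFFFFFD8], edx
"""

SECTION_RE = re.compile(r"^Section (\w+)$")          # assumed header layout
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}): (.*)$")     # "address: statement"
MEM_RE = re.compile(r"^\[(.+)\]$")                    # bracketed memory operand


def parse_sections(text):
    """Return {section_name: [(address, statement), ...]} from the log text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current].append((int(m.group(1), 16), m.group(2)))
    return sections


def lower_operand(op):
    """A bracketed operand becomes a dword memory reference; others stay."""
    op = op.strip()
    m = MEM_RE.match(op)
    if m:
        return "dword ptr [%s]" % m.group(1)
    return op


def lower_a11(stmt):
    """Lower one a11 statement to the asm form the log uses."""
    if " = " in stmt:
        dst, src = stmt.split(" = ", 1)
        return "mov %s, %s" % (lower_operand(dst), lower_operand(src))
    return stmt  # idiv ecx, jmp 0x... are already instructions


def check_lowering(sections):
    """Compare lowered a11 lines against the asm section at the same address.

    Returns a list of (address, lowered, asm) mismatches; a11 lines with no
    asm counterpart (the trailing jmp in the excerpt) are skipped.
    """
    asm = dict(sections.get("asm", []))
    mismatches = []
    for addr, stmt in sections.get("a11", []):
        if addr not in asm:
            continue
        lowered = lower_a11(stmt)
        if lowered != asm[addr]:
            mismatches.append((addr, lowered, asm[addr]))
    return mismatches


def signed_disp(text):
    """Rewrite 'reg + 0xFFFFFFD4' style displacements as 'reg - 0x2C'."""
    def fix(m):
        val = int(m.group(2), 16)
        if val >= 0x80000000:
            return "%s - 0x%X" % (m.group(1), 0x100000000 - val)
        return m.group(0)
    return re.sub(r"(\w+) \+ 0x([0-9A-Fa-f]{8})", fix, text)


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    for addr, stmt in secs["a11"]:
        print("%08X: %s" % (addr, signed_disp(lower_a11(stmt))))
    print("mismatches:", check_lowering(secs))
```

Run against the real log by replacing SAMPLE_LOG with the file contents; any mismatch reported means the lowering rule guessed here does not cover that statement kind, which is the cue to read the tool's own output rather than trust the script.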