Exetools  

Go Back   Exetools > General > Community Tools
Reload this Page Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV)
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-06-2011, 17:36
Newbie_Cracker's Avatar
Newbie_Cracker Newbie_Cracker is offline
VIP
  
Join Date: Jan 2005
Posts: 227
Rept. Given: 72
Rept. Rcvd 26 Times in 12 Posts
Thanks Given: 50
Thanks Rcvd at 25 Times in 18 Posts
Newbie_Cracker Reputation: 26
Deathway, it's superb, but has a problem.
on two samples, OllyDbg was crashed for decoding second vm reference. I mean it only unvirtualize one region at each run of OllyDbg (OllyIce).

For WL, the main problem is finding the first instruction. What's your idea about code in attachment?

I tested several possible address, but there was no success!
Attached Files
File Type: txt Cisc_Uv_Dump.txt (6.6 KB, 14 views)
__________________
In memory of UnREal RCE...
Reply With Quote
The Following User Says Thank You to Newbie_Cracker For This Useful Post:
Indigo (07-19-2019)
  #2  
Old 04-08-2011, 03:05
Deathway's Avatar
Deathway Deathway is offline
Lo*eXeTools*rd
  
Join Date: Jan 2009
Posts: 41
Rept. Given: 8
Rept. Rcvd 155 Times in 24 Posts
Thanks Given: 1
Thanks Rcvd at 20 Times in 14 Posts
Deathway Reputation: 100-199 Deathway Reputation: 100-199
... I suggest this address,
00D2477D
in case there isn't success, maybe you could upload your target,

Remember that not all the functions end with EB 10, because compilers do some align to functions like NOP, MOV EDI,EDI, LEA ESP, [ESP], and Themida omits this kind of instruction, specially if no jump nor Jcc leads to that instruction

About the crash, is from Quicktablewindow function, will do some test, but now I don't have any clue about the error.
Last edited by Deathway; 04-08-2011 at 03:15.
Reply With Quote
The Following User Gave Reputation+1 to Deathway For This Useful Post:
Newbie_Cracker (04-09-2011)
The Following User Says Thank You to Deathway For This Useful Post:
Indigo (07-19-2019)
  #3  
Old 04-09-2011, 13:55
Newbie_Cracker's Avatar
Newbie_Cracker Newbie_Cracker is offline
VIP
  
Join Date: Jan 2005
Posts: 227
Rept. Given: 72
Rept. Rcvd 26 Times in 12 Posts
Thanks Given: 50
Thanks Rcvd at 25 Times in 18 Posts
Newbie_Cracker Reputation: 26
Quote:
Originally Posted by Deathway View Post
... I suggest this address,
00D2477D
Yeah, that was correct. How did you choose that? I checked many addresses, but didn't think about last one.
__________________
In memory of UnREal RCE...
Reply With Quote
The Following User Says Thank You to Newbie_Cracker For This Useful Post:
Indigo (07-19-2019)
Reply

Tags
codevirualizer, decompiler

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
[VB. NET 2010] Oreans Unvirtualizer plugin file processor giv Source Code 0 07-21-2015 16:18


All times are GMT +8. The time now is 00:36.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )