#121
@Vam
The current version is better than the old one... better detection of handlers. But 2 big problems are still here.
1. VMProtect is a stack-based VM, so all stuff is pushed on the stack for processing. Even without adding junk code, it's obfuscated. Why? Because:
push dword ptr [reg_C]
push 0041077C
pop eax
pop edx
mov dword ptr ds:[eax], edx ;00000005
is:
MOV DWORD PTR DS:[41077C],ECX
So it's hard to understand in a long analysis. It's better to use at least pattern matching for deobfuscating this routine. For example, handlers 0x50,0x60,0x40,0x70,0x80, if run together, will for example equal MOV R32,R32. If you do it, it will be very good.
Kind Regards.
Also I'm waiting for your new version.
Last edited by Raham; 04-30-2012 at 16:38.
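An added example, not part of Raham's post or of VMSweeper: a small symbolic stack evaluator that folds the push/pop sequence quoted in post #121 into the single store it computes. It goes slightly beyond fixed byte-pattern matching by tracking values through the stack; the mapping of reg_C to ECX is an assumption taken from the post's stated result, and the function and constant names are hypothetical.

```python
import re

# Constructed input: the five-instruction sequence quoted in post #121.
SAMPLE = """\
push dword ptr [reg_C]
push 0041077C
pop eax
pop edx
mov dword ptr ds:[eax], edx ;00000005
"""

# Assumption: VM context slot reg_C holds the guest ECX, as the post's result implies.
CONTEXT_SLOTS = {"reg_c": "ECX"}

PUSH_SLOT = re.compile(r"push\s+dword ptr \[(\w+)\]$", re.I)
PUSH_IMM = re.compile(r"push\s+([0-9a-f]+)$", re.I)
POP_REG = re.compile(r"pop\s+(\w+)$", re.I)
MOV_STORE = re.compile(r"mov\s+dword ptr (?:ds:)?\[(\w+)\],\s*(\w+)$", re.I)


def fold_stack_sequence(listing, slots=CONTEXT_SLOTS):
    """Track values through the stack and scratch registers; return the net stores."""
    stack, regs, folded = [], {}, []
    for raw in listing.splitlines():
        line = raw.split(";")[0].strip()  # drop trailing comments
        if not line:
            continue
        if m := PUSH_SLOT.match(line):
            # Push of a VM context slot: record the guest register it stands for.
            stack.append(("reg", slots.get(m[1].lower(), m[1])))
        elif m := PUSH_IMM.match(line):
            stack.append(("imm", int(m[1], 16)))
        elif m := POP_REG.match(line):
            if not stack:
                raise ValueError(f"pop on empty symbolic stack: {line!r}")
            regs[m[1].lower()] = stack.pop()
        elif m := MOV_STORE.match(line):
            addr, val = regs.get(m[1].lower()), regs.get(m[2].lower())
            if addr is None or val is None or addr[0] != "imm":
                raise ValueError(f"cannot resolve operands of: {line!r}")
            src = val[1] if val[0] == "reg" else f"{val[1]:X}"
            folded.append(f"MOV DWORD PTR DS:[{addr[1]:X}],{src}")
        else:
            raise ValueError(f"unsupported instruction: {line!r}")
    return folded


if __name__ == "__main__":
    print("\n".join(fold_stack_sequence(SAMPLE)))
```

The fold is only sound when the scratch registers (here EAX and EDX) are not read again before being overwritten, which this sketch does not check.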
#122
In principle, the user does not need to explore the intermediate code you speak of; the intermediate-code decompiler does that. Pay more attention to the analysis of the already decompiled code (log file): with the right understanding of it, it is possible to manually restore the source code of a virtualized function in nearly 100% of cases.
#123
This is really a great tool, it helps a lot. Thanks
#124
Error Report
Hi Vam
Let's see this CrackMe. I VMed it with minimum options. Your plugin will crash during analysis of it.
Kind Regards.
#125
@Vam
With the Stolen Resource feature, sometimes vmpr will find the call to FindResource in the code section, and instead of just protecting the import, it will redirect it to an internal FindResource, so no FindResource API will be called. In this situation your VMSweeper will crash.
Please fix it.
Thanks
#126
I have a question: what is the difference between the virtualizer that deathway made and that one? o_O
#127
Can this tool unpack Xenocode protection?
#128
No, this tool is designed to aid in the unpacking of VMProtect and CodeVirtualizer, as the title indicates.
__________________
"As the island of our knowledge grows, so does the shore of our ignorance." John Wheeler
#129
Thank you. Very nice work. I'll give it a try.
#130
VMSweeper 1.5 beta 2
What's new: 2012-09-20
[i] VmProtect:
[+] "Empty" VM exit handler
[+] Switch-cases decompilation
[+] Handling of non-virtualized instruction "sbb"
(Attached)
__________________
EnJoy!
#132
The article Protect&Sweeper contains basic material on the protection algorithms of VMProtect and its removal with VMSweeper, with the addition of exclusive, previously unpublished material.
It will be useful to anyone dealing with the decompiler and protector.
#133
Nice, I have never thought that VM code can be decompiled
#134
Any chance for OllyDbg v2?
#135
BiMode
Why do you want OllyDbg v2? OllyDbg v2 has a new PDK API. It's hard to rewrite such a big project for the new API.