Exetools  

  #76  
Old 02-25-2011, 08:34
ahmadmansoor
@BoRoV: I have a target which makes Olly fall (crash).
I load the target and reach the OEP, then run the VMSweeper plugin; it reaches 50% and then Olly exits.
I unpacked the target, and it works fine, but it gives the same result.
I would like to upload it so you can make some tests and send it to progopis or to the author of this nice plugin.
Thanks in advance
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
  #77  
Old 02-25-2011, 11:33
Ember
I'm still getting that lock handler error on every CV target I try this on.
  #78  
Old 02-25-2011, 15:50
BoRoV
You can contact the author in this topic: http://forum.tuts4you.com/index.php?showtopic=25077
He was there answering questions.
  #79  
Old 02-25-2011, 22:10
Vam
Hi!
Quote:
I load the target and reach the OEP , and do the vmsweeper plugin , it reach to 50 % then olly exit
You can give me the link to this application. I will look at it...
  #80  
Old 02-25-2011, 23:09
ahmadmansoor
Welcome Vam among us.... and thanks for the response.
I will send the target to your PM; sorry to all, it is private software.


Edit:

After it decoded "kernel32.GetVersion", it produced the trc file, but did not produce a log file, and Olly exited.
Quote:
005C83ED 8DBF EC6A>lea edi, dword ptr [edi+B5826AEC]
in trc file it end at
Quote:
0x0053992D: ret 58h
but the function end at
Quote:
005C8415 C2 4000 ret 40
to back to this :
Quote:
00447370 E8 0F6F12>call unpacked.0056E284 >>>>> Function
00447375 57 push edi >>>> back from ret 40
00447376 FFD6 call near esi ; kernel32.GetVersion
Does VMware affect the work of this plugin or not??!!
  #81  
Old 02-26-2011, 01:15
Vam
Quote:
I will send the target to ur PM
I have not understood what the problem is. For me, "Analyse all VM references" passes successfully. Admittedly, the IAT is not restored completely. It finds some entries into the VM. Decompiling goes, but there are errors; it is desirable to decompile the code of the functions so that the entry point into the VM lies on the execution path of the code.
When you give information from the trc or log file, also report their addresses.
  #82  
Old 02-26-2011, 02:16
ahmadmansoor
Yes... yes, it is a VMware problem.
Olly fails - maybe out of memory -
I tried it on Vista - my OS - without VMware.
It reaches 100% and finds all references,
then Olly hangs.
  #83  
Old 02-26-2011, 04:35
ahmadmansoor
Now it does not work as well.
It reaches 21.5% then hangs.
Does the OS affect this plugin?
Can you share the Olly on which you made the tests?
Thanks
  #84  
Old 02-26-2011, 21:44
Vam
Use a clean WinXP SP3 or VMware with WinXP SP3; then there should not be problems.
Some OllyDbg disassembler options influence the quality of the code and of the VMSweeper analysis. Look at the configuration on which the plugin was created and tested. The options which result in errors during analysis/decompiling of the code are singled out.
[Settings]
IDEAL disassembling mode=0
Disassemble in lowercase=0
Separate arguments with TAB=0
Extra space between arguments=0
Show default segments=1
Always show memory size=1
NEAR jump modifiers=0
Show local module names=1
Show symbolic addresses=0
Use short form of string commands=0
Use RET instead of RETN=0
SSE size decoding mode=0
Size sensitive mnemonics=1
Top of FPU stack=1
Decode registers for any IP=0
Automatically select register type=0
Decode SSE registers=0
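A quick way to verify that your own ollydbg.ini matches the disassembler options listed above, as an added example that is not part of this thread, of OllyDbg or of the VMSweeper plugin: the script parses the [Settings] section and reports every listed option whose value differs from the reference or is missing. The sample ini text embedded in it is constructed for illustration (two options differ, one is absent); pass the path of a real ollydbg.ini on the command line to check an actual installation.

```python
"""Compare the [Settings] section of an OllyDbg ollydbg.ini against the
disassembler options VMSweeper was reported to be created and tested with.
Added example for this thread; not part of OllyDbg or the VMSweeper plugin."""
import configparser
import sys

# Reference values exactly as posted in the thread (post #84).
REFERENCE_SETTINGS = {
    "IDEAL disassembling mode": "0",
    "Disassemble in lowercase": "0",
    "Separate arguments with TAB": "0",
    "Extra space between arguments": "0",
    "Show default segments": "1",
    "Always show memory size": "1",
    "NEAR jump modifiers": "0",
    "Show local module names": "1",
    "Show symbolic addresses": "0",
    "Use short form of string commands": "0",
    "Use RET instead of RETN": "0",
    "SSE size decoding mode": "0",
    "Size sensitive mnemonics": "1",
    "Top of FPU stack": "1",
    "Decode registers for any IP": "0",
    "Automatically select register type": "0",
    "Decode SSE registers": "0",
}

# Constructed sample ollydbg.ini (not a real file): "Show symbolic addresses"
# and "Use RET instead of RETN" differ from the reference, "Decode SSE
# registers" is missing, and an unrelated section shows that it is ignored.
SAMPLE_INI = """\
[History]
Last path=C:\\targets

[Settings]
IDEAL disassembling mode=0
Disassemble in lowercase=0
Separate arguments with TAB=0
Extra space between arguments=0
Show default segments=1
Always show memory size=1
NEAR jump modifiers=0
Show local module names=1
Show symbolic addresses=1
Use short form of string commands=0
Use RET instead of RETN=1
SSE size decoding mode=0
Size sensitive mnemonics=1
Top of FPU stack=1
Decode registers for any IP=0
Automatically select register type=0
"""


def parse_settings(ini_text):
    """Return the [Settings] section of an ollydbg.ini as {key: value}.

    Keys keep their case and embedded spaces; '=' is the only delimiter, so
    a ':' inside a key or a Windows path in a value is not misparsed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # do not lowercase the option names
    cp.read_string(ini_text)
    if not cp.has_section("Settings"):
        return {}
    return {key: value.strip() for key, value in cp.items("Settings")}


def check_settings(ini_text, reference=REFERENCE_SETTINGS):
    """Return {option: (found, expected)} for every reference option that is
    missing (found is None) or set to a different value."""
    current = parse_settings(ini_text)
    return {key: (current.get(key), expected)
            for key, expected in reference.items()
            if current.get(key) != expected}


def render_reference(reference=REFERENCE_SETTINGS):
    """Render the reference options as a [Settings] block ready to paste."""
    return "[Settings]\n" + "".join(f"{k}={v}\n" for k, v in reference.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # ollydbg.ini is an ANSI text file; latin-1 never fails to decode it.
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INI
    problems = check_settings(text)
    for key, (found, expected) in problems.items():
        print(f"{key}: found {found!r}, expected {expected!r}")
    if not problems:
        print("all listed settings match the VMSweeper reference configuration")
```

Run it as `python check_olly_settings.py "C:\OllyDbg\ollydbg.ini"` (file name assumed) after closing OllyDbg, since OllyDbg rewrites ollydbg.ini on exit; `render_reference()` prints a [Settings] block you can paste over the existing one.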
  #85  
Old 02-26-2011, 22:17
Vam
Quote:
Originally Posted by ahmadmansoor
Can you share the Olly on which you made the tests?
I have checked your program with VMSweeper v1.4 beta 9 (before that I checked with the latest version, modified today); indeed, at the end of the analysis there is an exception. So wait for the next version of the plugin....
  #86  
Old 02-27-2011, 20:59
ahmadmansoor
OK Vam... so my Olly is still alive and not aged.
So I have to wait for the next version... please, I can't wait - longing to see the new one -.... when will it be?
Many thanks for your nice work
  #87  
Old 02-27-2011, 23:30
Vam
New version: VMSweeper v1.4 beta 10

Added:
1. Improved handling of a completely erased IAT.
2. Improved detection of API function names.
3. Resizing of the Virtual Segment for intermediate code (VMS size option in the ini file).
4. Tracking of memory contents and of the entire stack to create intermediate code.
5. Improved devirtualization of conditional jumps.
6. The code analyzer detects two types of code: clean and obfuscated. They were previously in the group "Cancelled".
7. Devirtualization of the instruction sub esp without flags.
8. Processing of entry into the VM of type call xx (any intermediate entry into the VM can be decompiled).
9. Automatic mode of VM code analysis. Switch to this mode on demand after the first restart of the application.
Code obtained in this mode can be worse than code obtained in manual mode (Ctrl+F2 -> [F9] -> Shift+F1), but
it allows you to quickly check whether the code decompiles. In this mode only the static code analyzer works.
Fixed:
1. Processing of transit (blank) exits from the VM.
2. Fixed an exception when restoring the correspondence between VM and CPU registers.
3. Determining the number of arguments of an obfuscated function.
4. P-code can be detected in any segment of the analyzed application.
  #88  
Old 02-28-2011, 01:10
w_antoni
This tool doesn't open in Win7, or the compilation is wrong.
Please fix.
Thanks.
  #89  
Old 02-28-2011, 01:27
Vam
Quote:
Originally Posted by w_antoni
This tool doesn't open in Win7, or the compilation is wrong.
The problem here is not in the VMSweeper plugin, but in OllyDbg.
Use a clean WinXP SP3 or VMware with WinXP SP3; then there should not be problems.
  #90  
Old 03-02-2011, 03:09
ahmadmansoor
Hi Vam....
I have this problem now!!!
Please can you check it again.
Thanks
Attached images: vam.jpg (19.9 KB), vam1.jpg (22.4 KB)
Tags
codevirualizer, decompiler, vmprotect, vmsweeper
All times are GMT +8.