Exetools  

Go Back   Exetools > General > Community Tools

Notices

Reply
 
Thread Tools Display Modes
  #91  
Old 03-02-2011, 14:15
Vam Vam is offline
Friend
 
Join Date: Feb 2011
Location: Russia
Posts: 15
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
Vam Reputation: 6
1. Sweeper not yet able to fully restore multisection IAT with a partially erased sections where functions one API library are located in different sections.
2. Tell me a range of segments of code and the VM and address of the decoded function on which this error occurs.
Reply With Quote
  #92  
Old 03-02-2011, 17:25
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
I will provide u with details when I go back to home .
and I will make a small flash movie .
Thanks for support ... great work from the best Coder .
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
  #93  
Old 03-02-2011, 17:25
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
@Vam :Check ur PM
I think when it need to rebuild the IAt it fail ...
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
  #94  
Old 03-03-2011, 14:49
Vam Vam is offline
Friend
 
Join Date: Feb 2011
Location: Russia
Posts: 15
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
Vam Reputation: 6
At OEP 42E441 perform decoding (F1) makes no sense, there is no VM. Decoding functions may only address the status of Postponed. In your program, three of these addresses and they are decompiled successfully (until the section a12 final).
For the beginning we decompile the test example, if before it did, and learn ways to manage Sweeper.
Processing of import will be done in the next version Sweeper.
Reply With Quote
  #95  
Old 03-28-2011, 20:11
peexe
 
Posts: n/a
it support themida vm?
Reply With Quote
  #96  
Old 03-28-2011, 20:48
progopis progopis is offline
CrackTool coder
 
Join Date: Jan 2009
Location: ru
Posts: 235
Rept. Given: 93
Rept. Rcvd 152 Times in 57 Posts
Thanks Given: 8
Thanks Rcvd at 17 Times in 13 Posts
progopis Reputation: 100-199 progopis Reputation: 100-199
For Themida look here (but only CISC VM):

http://forum.exetools.com/showpost.php?p=72196&postcount=5
Reply With Quote
  #97  
Old 04-19-2011, 13:13
estelle estelle is offline
Friend
 
Join Date: Feb 2009
Posts: 42
Rept. Given: 4
Rept. Rcvd 19 Times in 3 Posts
Thanks Given: 2
Thanks Rcvd at 11 Times in 9 Posts
estelle Reputation: 19
wait for update £¡£¡£¡
Reply With Quote
  #98  
Old 05-17-2011, 19:03
V0ldemAr
 
Posts: n/a
beta 11

http://rghost.net/6720721

Added:
1) Handlers of FPU instructions fclex, fldcw, fstcw, fldz, fld1, fistp
2) Window with code segments input and VM has 3 buttons now:
- Analyze - Start analysis of VM entries and import restoration.
- Accept - Apply entered values of segments without analysis
- Cancel - Exit without saving any changes

3) Display API names in p-code maps, relocations and function callings
4) Devirtualization of add esp, xx instruction
5) Improved restoration of partially wiped IAT
6) Import recovery such as: push reg; call vm -> call [api].
7) push/pop reg; call vm -> mov reg,[api].
8) Improved recognition of VM entries
9) Improved detection of VM loop

Fixed:
1) Code conversion: pop xx; jmp xx into retn.
2) Restructure of intermediate code. Blocks intersections.
3) Installed several exceptions during code devirtualization.
4) Removal of anti-dump code.

Translated from Russian

§¥§à§Ò§Ñ§Ó§Ý§Ö§ß§à:
1. §°§Ò§â§Ñ§Ò§à§ä§é§Ú§Ü§Ú FPU §Ú§ß§ã§ä§â§å§Ü§è§Ú§Û: fclex, fldcw, fstcw, fldz, fld1, fistp.
2. §°§Ü§ß§à §Ó§Ó§à§Õ§Ñ §Ù§ß§Ñ§é§Ö§ß§Ú§Û §ã§Ö§Ô§Þ§Ö§ß§ä§à§Ó §Ü§à§Õ§Ñ §Ú §£§® §ä§Ö§á§Ö§â§î §Ú§Þ§Ö§Ö§ä §ä§â§Ú §Ü§ß§à§á§Ü§Ú:
- Analyze - §ß§Ñ§é§Ñ§ä§î §Ñ§ß§Ñ§Ý§Ú§Ù §ä§à§é§Ö§Ü §Ó§ç§à§Õ§Ñ §Ó §£§® §Ú §Ó§à§ã§ã§ä§Ñ§ß§à§Ó§Ý§Ö§ß§Ú§Ö §Ú§Þ§á§à§â§ä§Ñ.
- Accept - §á§â§Ú§ß§ñ§ä§î §Ó§Ó§Ö§Õ§Ö§ß§ß§í§Ö §Ù§ß§Ñ§é§Ö§ß§Ú§ñ §ã§Ö§Ô§Þ§Ö§ß§ä§à§Ó §Ò§Ö§Ù §Ó§í§á§à§Ý§ß§Ö§ß§Ú§ñ §Ñ§ß§Ñ§Ý§Ú§Ù§Ñ.
- Cancel - §Ó§í§Û§ä§Ú §ß§Ö §á§â§à§Ú§Ù§Ó§à§Õ§ñ §ß§Ú§Ü§Ñ§Ü§Ú§ç §Ú§Ù§Þ§Ö§ß§Ö§ß§Ú§Û.
3. §£§í§Ó§à§Õ §Ú§Þ§Ö§ß API §æ§å§ß§Ü§è§Ú§Û §Ó §Ü§Ñ§â§ä§Ñ§ç §á§Ú§Ü§à§Õ§Ñ, §â§Ö§Ý§à§Ü§à§Ó §Ú §Ó§í§Ù§à§Ó§à§Ó §æ§å§ß§Ü§è§Ú§Û.
4. §¥§Ö§Ó§Ú§â§ä§å§Ñ§Ý§Ú§Ù§Ñ§è§Ú§ñ §Ú§ß§ã§ä§â§å§Ü§è§Ú§Ú add esp, xx
5. §µ§Ý§å§é§ê§Ö§ß§à §Ó§à§ã§ã§ä§Ñ§ß§à§Ó§Ý§Ö§ß§Ú§Ö §é§Ñ§ã§ä§Ú§é§ß§à §Ù§Ñ§ä§Ö§â§ä§à§Û IAT.
6. §£§à§ã§ã§ä§Ñ§ß§à§Ó§Ý§Ö§ß§Ú§Ö §Ú§Þ§á§à§â§ä§Ñ §ä§Ú§á§Ñ: push reg; call vm -> call [api].
7. §£§à§ã§ã§ä§Ñ§ß§à§Ó§Ý§Ö§ß§Ú§Ö §Ú§Þ§á§à§â§ä§Ñ §ä§Ú§á§Ñ: push/pop reg; call vm -> mov reg,[api].
8. §µ§Ý§å§é§ê§Ö§ß§à §â§Ñ§ã§á§à§Ù§ß§Ñ§Ó§Ñ§ß§Ú§Ö §ä§à§é§Ö§Ü §Ó§ç§à§Õ§Ñ §Ó §£§®.
9. §µ§Ý§å§é§ê§Ö§ß§à §â§Ñ§ã§á§à§Ù§ß§Ñ§Ó§Ñ§ß§Ú§Ö §è§Ú§Ü§Ý§Ñ §£§®.
§ª§ã§á§â§Ñ§Ó§Ý§Ö§ß§à:
1. §±§â§Ö§à§Ò§â§Ñ§Ù§à§Ó§Ñ§ß§Ú§Ö §Ü§à§Õ§Ñ pop xx; jmp xx §Ó retn.
2. §²§Ö§ã§ä§â§å§Ü§ä§å§â§Ú§Ù§Ñ§è§Ú§ñ §á§â§à§Þ§Ü§à§Õ§Ñ. §±§Ö§â§Ö§ã§Ö§é§Ö§ß§Ú§ñ §Ò§Ý§à§Ü§à§Ó.
3. §µ§ã§ä§â§Ñ§ß§Ö§ß§à §ß§Ö§ã§Ü§à§Ý§î§Ü§à §Ú§ã§Ü§Ý§ð§é§Ö§ß§Ú§Û §á§â§Ú §Õ§Ö§Ó§Ú§â§ä§å§Ñ§Ý§Ú§Ù§Ñ§è§Ú§Ú §Ü§à§Õ§Ñ.
4. §µ§Õ§Ñ§Ý§Ö§ß§Ú§Ö §Ü§à§Õ§Ñ §Ñ§ß§ä§Ú§Õ§Ñ§Þ§á§Ñ.

PS: Vam correct me if I translated it incorrectly and you meant something else

Last edited by V0ldemAr; 05-17-2011 at 19:08.
Reply With Quote
The Following 2 Users Gave Reputation+1 to For This Useful Post:
greengo (05-18-2011), JeRRy (05-17-2011)
  #99  
Old 05-18-2011, 13:07
estelle estelle is offline
Friend
 
Join Date: Feb 2009
Posts: 42
Rept. Given: 4
Rept. Rcvd 19 Times in 3 Posts
Thanks Given: 2
Thanks Rcvd at 11 Times in 9 Posts
estelle Reputation: 19
antidebuger function can only be used in windowsxp system
Reply With Quote
  #100  
Old 06-14-2011, 10:29
BiTdEcOdE
 
Posts: n/a
Thumbs up

Quote:
Originally Posted by Vam View Post
Use clean WinXp SP3 or VMWare with WinXP SP3 then problems should not be.
Some options of assembler Olly influence quality of a code and analysis VMSweeper.
thx for Vam's useful tips. vmsweeper,powerful tool!
Reply With Quote
  #101  
Old 06-19-2011, 22:42
Av0id Av0id is offline
VIP
 
Join Date: Jan 2006
Posts: 399
Rept. Given: 112
Rept. Rcvd 111 Times in 69 Posts
Thanks Given: 0
Thanks Rcvd at 15 Times in 15 Posts
Av0id Reputation: 100-199 Av0id Reputation: 100-199
There is update for this tool

Download link:
Code:
http://rghost.ru/11532971
Original thread:
Code:
http://www.exelab.ru/f/index.php?action=vthread&forum=13&topic=15906&page=10#14
What was fixed:
Code:
§ª§ã§á§â§Ñ§Ó§Ý§Ö§ß§à:
1. fixed some errors with CodeVirtualizer decompiler, introduced with VMProtect decompiler development
Credits goes to Vamit
Reply With Quote
The Following 2 Users Gave Reputation+1 to Av0id For This Useful Post:
chessgod101 (07-06-2011), uranus64 (06-19-2011)
  #102  
Old 06-29-2011, 17:08
estelle estelle is offline
Friend
 
Join Date: Feb 2009
Posts: 42
Rept. Given: 4
Rept. Rcvd 19 Times in 3 Posts
Thanks Given: 2
Thanks Rcvd at 11 Times in 9 Posts
estelle Reputation: 19
Hope of a tut on vms plug to use and set
Reply With Quote
  #103  
Old 06-29-2011, 23:48
Vam Vam is offline
Friend
 
Join Date: Feb 2011
Location: Russia
Posts: 15
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
Vam Reputation: 6
Quote:
Originally Posted by estelle View Post
Hope of a tut on vms plug to use and set
Read and look here
Read a topic, decompile a test example, all is detail written, even from video...
Do not forget to read also chm help file.
Reply With Quote
  #104  
Old 07-06-2011, 18:58
estelle estelle is offline
Friend
 
Join Date: Feb 2009
Posts: 42
Rept. Given: 4
Rept. Rcvd 19 Times in 3 Posts
Thanks Given: 2
Thanks Rcvd at 11 Times in 9 Posts
estelle Reputation: 19
thank vam
Reply With Quote
  #105  
Old 07-08-2011, 17:34
fiy
 
Posts: n/a
good,great tools.
Reply With Quote
Reply

Tags
codevirualizer, decompiler, vmprotect, vmsweeper

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Is there linux vm tool like vmprotect? swlepus General Discussion 4 12-23-2011 10:07


All times are GMT +8. The time now is 14:12.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )