VM decompiler tool (VMProtect, CodeVirtualizer) - Page 8

#**106** 07-25-2011, 16:49

Dear Vam,
I used the beta12,the iat of my application recovered successfully.But none of the Ponsponed can be decoded,such as 0x00411dfe.
When I tried to decode 0x0040DE5F where was labeled False code VM entry point,there came an error,
"Extra input after operand in push dword ptr ds:[0x0043905c]+0x7ddb8235+0x48899ea0".

PS:I can send you my application,which the oep is 0x0041E7EB at your wish.

JeRRy · #**107** 08-03-2011, 17:51

VMSweeper v1.4 beta 13

Quote:

Fixed:
1. Overflow the text buffer in the formation of long expressions, which led to the exclusion of the stage of code analysis.

arnix · #**108** 10-28-2011, 06:02

New version VMSweeper v1.4 beta 14

Quote:

Added:
1. CodeVirtualizer: Removing of initialized, but unused register RVM_TMP.
2. CodeVirtualizer: Correction of the top of the VM stack on its extension
3. CodeVirtualizer: Correction of the bottom of the VM stack on entering into the intermediate session of the VM.
4. CodeVirtualizer: Output into trc file the entry address of the next VM session.
5. Processing the neg operation in the constant expressions
6. Handling overflow exceptions when emulating div and idiv.
7. Improved the procedure of determinating the number of arguments in the called functions because OllyDbg sometimes makes errors doing that.
8. Simultaneous handling of constant expressions placed in the pair of registers xL - xH.
9. Minimization of the size of the generated code by removing the unnecessary ds: prefix.
10. VmProtect: Improved the p-code encoding algorithm (in the VM loop) analyzer.
11. VmProtect: Handler for FPU operation fsubr.
12. Removed the "Stop on EntryCall" window in manual mode.

Fixed:
1. Conditional jump from the VM primitive to the beginning of the VM loop is not the end of the primitive.
2. Analyze the OF flag on the extended byte-variables.

BoRoV · #**109** 11-03-2011, 21:53

03.11.2011 VMSweeper 1.4 beta 15
Posted:
1. CodeVirtualizer: Improved detection of primitive CMC.
2. CodeVirtualizer: Added handling setne.
3. CodeVirtualizer: Improved detection of upper byte registers (ah, ch, dh, bh).
4. VmProtect: Implemented processing bias VM code (relocation VM code).
5. VmProtect: Handlers FPU instructions fst, fisub.
Fixed:
1. CodeVirtualizer: Inserting a direct asm instruction in the source code.
2. VmProtect: Moving operator changes the flags to show their flag.
3. VmProtect: Restoration of imports, sometimes instead call [api] restored jmp [api].

estelle · #**110** 11-05-2011, 12:55

very nice tools

#**111** 11-06-2011, 23:45

Thank you for this tool, guys!

cnbragon · #**112** 11-12-2011, 00:35

For VMSweeper 1.4 beta 15, it still can't process some CodeVirtulizer VM.
Such as the vmcode in EmEditor.

sendersu · #**113** 11-12-2011, 02:33

cnbragon
from what time EmEditor (by Emurasoft?) uses vm?

cnbragon · #**114** 11-12-2011, 18:11

Quote:

Originally Posted by sendersu

cnbragon
from what time EmEditor (by Emurasoft?) uses vm?

About one year ago, from v10

#**115** 11-18-2011, 19:00

I can't donwload file Attached..

. Please upload from Mediafire for everybody..
Thank much

niculaita · #**116** 11-20-2011, 00:35

I try to aply to this http://forum.exetools.com/showthread.php?t=13884 could anybody do more?

niculaita · #**117** 01-02-2012, 03:44

please make a tutorial applying VMSweeper

Vam · #**118** 01-05-2012, 03:18

Read a WMSwweeper.chm or look a video in the beginning of this topic

FoxB · #**119** 04-12-2012, 22:08

New: VMSweeper v1.5 beta 0
http://rghost.ru/37543927

JeRRy · #**120** 04-13-2012, 02:13

VMSweeper 1.5 Beta 0 (12.04.2012)

Quote:

Added:
1. Process handler of the primitive simple function call without arguments and return values.
2. Recognition of primitive Push/Pop RvmLong p-code with indexation.
3. Handling of multiple VMs on a single function and a batch as well as separate call of the function ("Decompilate packet" option in the ini file).
It is recommended to disable it, but if there are difficulties finding entry points in the batch function, then you should enable it.
4. Decompiling the code in the areas of change registers ("Decompilate change register zones" option in the ini file). When enabled this option creates an additional "junk" in the log file. Its recommend to enable this option only if the generated code without this option has missing instructions.
5. Many small cosmetic changes.

Fixed:
1. Restructuring of a code.
2. Determining the size of the arguments of called functions.

Download:
http://www.mediafire.com/?6a6vrjya141cqyg

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Is there linux vm tool like vmprotect?	swlepus	General Discussion	4	12-23-2011 10:07

The Following 3 Users Gave Reputation+1 to JeRRy For This Useful Post:
beBoss (08-04-2011), chessgod101 (08-03-2011), wer (08-30-2011)

The Following 5 Users Gave Reputation+1 to arnix For This Useful Post:
besoeso (10-29-2011), chessgod101 (11-02-2011), JeRRy (10-28-2011), LCF-AT (10-29-2011)

The Following 3 Users Gave Reputation+1 to BoRoV For This Useful Post:
chessgod101 (11-05-2011), kOuD3LkA (11-05-2011)

The Following User Gave Reputation+1 to cnbragon For This Useful Post:
sendersu (11-13-2011)

The Following User Gave Reputation+1 to Vam For This Useful Post:
niculaita (01-16-2012)

The Following 2 Users Gave Reputation+1 to FoxB For This Useful Post:
chessgod101 (04-13-2012), JeRRy (04-13-2012)

The Following 2 Users Gave Reputation+1 to JeRRy For This Useful Post:
chessgod101 (04-13-2012), korosh (04-13-2012)