Exetools  

  #61  
Old 01-28-2011, 23:09
BoRoV
VMSweeper 1.4 beta 7
http://rghost.net/4113758/private/631d9353dbb15d81dd381bef1cba8721
  #62  
Old 01-29-2011, 00:06
farfar
 
Mirror of post #61
Code:
http://www.multiupload.com/6D3JAK38OU
  #63  
Old 01-30-2011, 08:06
LCF-AT
@ BoRoV

Tested:
VMSweeper 1.4 beta 7

Target:
Project1.vmp.exe by ahmadmansoor

Results:
Decoding stops at 21.0% // still the same problem like always.

Environments used:
----------------
OllyDBG // clean Olly
VMSweeper 1.4 beta 7 plugin
dbghelp.dll version 6.10.3.233
WinXP SP2

So maybe you can also use this Project1.vmp.exe, which was attached in this topic by ahmadmansoor. Use it and see whether you also get the same problem, and if yes, then try to fix it. It would also be good if you would add some more checks in your plugin for different problems, like the scan problem, and then add some more message / error info which the user can see, to tell you the error problem etc., you know what I mean. So I hope that you can find a solution for this problem.

greetz
  #64  
Old 01-30-2011, 16:48
BoRoV
What file? I looked in the topic and did not find it.
  #65  
Old 01-30-2011, 18:59
ahmadmansoor
My friend, he means this:
http://forum.exetools.com/showpost.php?p=70255&postcount=34

By the way, this plugin becomes more and more powerful. It fixes the IAT very well, except in some cases when a double DLL load is in one section, as the bad message which appears shows.
Keep up the good work, thanks.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
  #66  
Old 02-04-2011, 20:33
BoRoV
VMSweeper 1.4 beta 8
http://rghost.net/4201251/private/1938124d1d9a7ea573094e319e9bcc2a
  #67  
Old 02-05-2011, 12:06
LCF-AT
@ BoRoV

New version.
Unfortunately the "Project1.vmp.exe" is still not working with your plugin and still hangs at 21%.

Where is the problem with this file? I thought you would test this target to make the plugin work before releasing a new version. So can we get some info about this problem?

It would also be good if you could write an English history.txt file, so I don't have to get these letters translated....
Code:
1. Óëøåî ðñïîçâå ðçûõ åî.
2. Óëøåî ðñïîçâå ñëîâûõ ïåðåõîäîâ.
3. Óëøåî ðñïîçâå ñïîëçîâÿ ïåðååî ïð å¸ ¨ñ¨î ïåðåïðñâîå.
4. Óäëåå äåîäðîâÿ äðåñ åçñëîâîãî ïåðåõîä.
5. Âîðî ëãîð ïîäñå CRC äëÿ VMProtect âåðñ âûøå 2.0
6. Ç DRx ðåãñðîâ (ïïðûõ îå îñîâ) î VMProtect.
7. Îðî ïðÿîãî âûçîâ ÀÏÈ ïîñëå îäðîâîãî âûõîä ç ÂÌ.
greetz
  #68  
Old 02-05-2011, 17:43
BoRoV
I just released the plugin; I'm not the author. The author reads your message.
  #69  
Old 02-05-2011, 18:41
ahmadmansoor
@BoRoV: my friend... if you like, invite the author here.
This will make it easy to discuss, if this is not a problem.
Many thanks to you and to the author.
Note: if he accepts the invite, let me know and I'll do the job; just PM me his nickname.
  #70  
Old 02-06-2011, 04:19
Ember
04.02.2011 VMSweeper 1.4 beta 8
Added:
1. Improved detection of transit tags.
2. Improved detection of conditional jumps.
3. Improved detection of the use of a variable when it is partially reassigned.
4. Removal of decoding addresses unconditional jump.
5. The second algorithm for calculating CRC VMProtect version above 2.0
6. Protect DRx registers (hardware breakpoints) from VMProtect.
7. Direct Call Processing API after the coded output of the VM.
Fixed:
1. Restructuring of the intermediate code. Sometimes a direct line after a conditional branch was not on the next block.
2. Restructuring of the intermediate code. For a non-degenerate unconditional transition, the zone label is added.
3. Recognition of the use of a VM register in line with its initialization.
4. Devirtualization of the retn xx instruction no longer depends on the number of variables on the VM stack.
5. A degenerate transition tag is not deleted if other transitions go to it.
6. Fixed a stack overflow exception when matching the registers of the VM and the CPU in the cycle.
7. On automatic restart of the program, the AntiAntiDebug option was not activated.


28.01.2011 VMSweeper 1.4 beta 7
Added:
1. Option AntiAntiDebug.
2. Option Break on TLS.
3. Initial treatment AntiDump.
4. Devirtualization of the retn xx instruction.
5. Devirtualization of the sub instruction without flags.
6. Restoring the hidden procedure call (type push xx; retn)
7. Correction of bias in addressing the stack through esp.
8. Improved detection of the beginning of the cycle in the VM CodeVirtualizer.
Fixed:
1. Restructuring of the intermediate code. Sometimes a direct line after a conditional jump was in the middle of the next block.
2. Correction pointer esp when decompiling mov esp, [esp]
3. Restoration of indirect procedure calls.
4. Recognition of Conformity CPU registers and on the instructions of the VM pop xx.
  #71  
Old 02-06-2011, 04:35
ahmadmansoor

@Ember: so we can conclude that you are the author.
If yes, let me know....
And many thanks for the great work.
  #72  
Old 02-06-2011, 07:21
Ember
Quote:
Originally Posted by ahmadmansoor
@Ember: so we can conclude that u r the author .
Hah! I wish. I just put the Russian readme in Google Translate.
  #73  
Old 02-15-2011, 19:44
BoRoV
VMSweeper 1.4 beta 9
Added:
1. Share all files created VMSweeper.
2. Instead of counting the CRC correction is CRC.
3. Handlers FPU instructions: fsub, fmul, fdiv and fabs.
4. Blocking "Analyze all VM references" to re-start.
5. Optimization log, trc and map files.
6. Processing of transit tags in the intermediate code in the absence of a transition.
7. Restructuring of the intermediate code. Processing of the entrance to the VM combined with a label.
8. Devirtualization of the cpuid instruction.
9. Removing AntiDump and AntiTrace code.
10. Improved converter PMB to GDL.
Fixed:
1. Restoring the factor in the SIB addressing.
2. Restructuring of the intermediate code. Removal of unnecessary branches.

http://rghost.net/4378966/private/a6fbf50e271378d8a6d41211005ef35a
  #74  
Old 02-17-2011, 23:22
quosego
Damn nice tool,

However, I got around to testing this properly and it seems it always stops on a "not recognize a VM primitive 61" error, in VMProtect. Will try some others.

It also has problems recognizing a fully deobfuscated Oreans VM. (Should be easier?) And it can't recognize obfuscated hash keys which are not just push xxxxx jumps. (Macros and APIs)
  #75  
Old 02-18-2011, 21:30
quosego
Ah took a look at the new beta 9.
Seems it solved the primitive issue. Nice. Which I suspect was some floating point instruction.

Also took a look at the intermediate code generated, and my decompiler seems to be in agreement with yours. I always wondered if my code was simply just bonkers, since the Oreans VM decompiled to intermediate code is way more clear. But it seems it's just how VMProtect is. (Love how you dump everything cleanly including opcodes; mine just ditches instructions and skips unknown handlers.)

However it seems it's not breaking on some external code breakpoints. It works on a few detours however it gets lost eventually and the program just starts. (No, one of the normal code exits doesn't start it. ) Could be the VMware crappy hw breakpointing though. (Also really doesn't like unfixed CPUID antidumps, which is expectable though. )

Restarting it and breaking on the correct location works fine though. Detects this and simply proceeds.
(Small note: sometimes the retn's of the external code aren't properly detected and dumped in the trace, unlikely to matter though since you won't decompile it.)

Also, this restarting won't work if the external code is called multiple times throughout the program, since it'll then break on an earlier call and try to DeVM some other code.
(A check for the return address in esp would solve this.) Will see if I can make it generate some ASM.

anyways it's pretty awesome.
regards,
q.

Last edited by quosego; 02-18-2011 at 21:43.
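quosego's point above (a breakpoint on the external routine fires for every caller, so the plugin should check the return address at [esp] before treating the hit as the VM exit's call) as an added example in C. This is constructed illustration code, not VMSweeper's or OllyDbg's own; the Ctx32 and StackImage types, the helper names and all addresses are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of what a debugger plugin sees when a breakpoint on an
 * external (non-VM) routine fires: the 32-bit register context and a small
 * image of the target's stack. Hypothetical types, not a real debugger API. */
typedef struct {
    uint32_t eip;
    uint32_t esp;
} Ctx32;

typedef struct {
    uint32_t base;        /* virtual address mapped to bytes[0] */
    uint8_t  bytes[64];   /* constructed stack image, grows downward */
} StackImage;

/* Read a little-endian dword at virtual address va from the stack image.
 * Returns 0 if the address is outside the image. */
static int read_dword(const StackImage *s, uint32_t va, uint32_t *out) {
    if (va < s->base || va - s->base + 4 > sizeof s->bytes) return 0;
    const uint8_t *p = s->bytes + (va - s->base);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

/* Emulate `call external_entry` from a call site: push the return address
 * (the instruction after the call) and move eip to the callee. */
static void emulate_call(Ctx32 *ctx, StackImage *s, uint32_t return_addr,
                         uint32_t external_entry) {
    ctx->esp -= 4;
    uint32_t off = ctx->esp - s->base;
    s->bytes[off]     = (uint8_t)(return_addr);
    s->bytes[off + 1] = (uint8_t)(return_addr >> 8);
    s->bytes[off + 2] = (uint8_t)(return_addr >> 16);
    s->bytes[off + 3] = (uint8_t)(return_addr >> 24);
    ctx->eip = external_entry;
}

/* The check quosego proposes: a breakpoint hit at the external routine is
 * the VM's call only if the return address at [esp] is the VM exit's own
 * return point. Hits from any other caller are to be resumed, not handled. */
int hit_belongs_to_vm_exit(const Ctx32 *ctx, const StackImage *s,
                           uint32_t external_entry, uint32_t vm_return_addr) {
    uint32_t ret;
    if (ctx->eip != external_entry) return 0;      /* some other breakpoint */
    if (!read_dword(s, ctx->esp, &ret)) return 0;  /* unreadable stack */
    return ret == vm_return_addr;
}

/* One constructed scenario: a single call from return_addr, then the check.
 * Returns 1 if the hit would be handled as the VM exit, 0 if resumed. */
int check_single_hit(uint32_t return_addr, uint32_t vm_return_addr) {
    const uint32_t external_entry = 0x00401000;   /* constructed address */
    StackImage s = { .base = 0x0012FF00 };
    Ctx32 ctx = { .eip = return_addr - 5,         /* the 5-byte call itself */
                  .esp = (uint32_t)(s.base + sizeof s.bytes) };
    emulate_call(&ctx, &s, return_addr, external_entry);
    return hit_belongs_to_vm_exit(&ctx, &s, external_entry, vm_return_addr);
}

/* The external routine is entered once from ordinary program code and once
 * from the VM exit; only the second hit should be accepted. */
int count_accepted_hits(void) {
    const uint32_t vm_return_addr = 0x00405ABC;   /* VM exit's return point */
    const uint32_t callers[2] = { 0x00402010, vm_return_addr };
    int accepted = 0;
    for (int i = 0; i < 2; i++) {
        int ok = check_single_hit(callers[i], vm_return_addr);
        printf("hit with [esp]=%08X: %s\n", (unsigned)callers[i],
               ok ? "VM exit, handle" : "other caller, resume");
        accepted += ok;
    }
    return accepted;   /* 1 */
}

int main(void) {
    return count_accepted_hits() == 1 ? 0 : 1;
}
```

In a real plugin the same comparison would run inside the breakpoint callback, resuming the target whenever the return address does not match, so that earlier calls of the same external routine from unrelated code never trigger devirtualization of the wrong block.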
Tags
codevirualizer, decompiler, vmprotect, vmsweeper
