#91
1. Sweeper is not yet able to fully restore a multisection IAT with partially erased sections, where the functions of one API library are located in different sections.
2. Tell me the range of the code and VM segments and the address of the decoded function on which this error occurs.
#92
I will provide you with details when I get back home,
and I will make a small flash movie. Thanks for the support ... great work from the best coder.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#93
@Vam: Check your PM.
I think when it needs to rebuild the IAT it fails ...
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#94
At OEP 42E441, performing decoding (F1) makes no sense; there is no VM. Decoding functions may only address the status of Postponed. In your program there are three of these addresses, and they are decompiled successfully (until the section a12 final).
For the beginning we decompile the test example, if before it did, and learn ways to manage Sweeper. Processing of imports will be done in the next version of Sweeper.
#95
Does it support Themida VM?
#96
For Themida look here (but only CISC VM):
http://forum.exetools.com/showpost.php?p=72196&postcount=5
#97
wait for update!!!
#98
beta 11
http://rghost.net/6720721

Added:
1) Handlers of FPU instructions fclex, fldcw, fstcw, fldz, fld1, fistp
2) Window with code segments input and VM has 3 buttons now:
   - Analyze - Start analysis of VM entries and import restoration.
   - Accept - Apply entered values of segments without analysis
   - Cancel - Exit without saving any changes
3) Display API names in p-code maps, relocations and function callings
4) Devirtualization of add esp, xx instruction
5) Improved restoration of partially wiped IAT
6) Import recovery such as: push reg; call vm -> call [api].
7) push/pop reg; call vm -> mov reg,[api].
8) Improved recognition of VM entries
9) Improved detection of VM loop

Fixed:
1) Code conversion: pop xx; jmp xx into retn.
2) Restructure of intermediate code. Blocks intersections.
3) Installed several exceptions during code devirtualization.
4) Removal of anti-dump code.

Translated from Russian.
PS: Vam correct me if I translated it incorrectly and you meant something else
Last edited by V0ldemAr; 05-17-2011 at 19:08.
#99
antidebugger function can only be used in Windows XP system
#100
thx for Vam's useful tips. vmsweeper, powerful tool!
#101
There is an update for this tool.
Download link:
http://rghost.ru/11532971
http://www.exelab.ru/f/index.php?action=vthread&forum=13&topic=15906&page=10#14
Fixed:
1. fixed some errors with CodeVirtualizer decompiler, introduced with VMProtect decompiler development

The Following 2 Users Gave Reputation+1 to Av0id For This Useful Post: chessgod101 (07-06-2011), uranus64 (06-19-2011)
#102
Hope of a tut on vms plug to use and set
#104
thank vam
#105
good,great tools.