EXETOOLS FORUM
  #1  
Old 03-26-2011, 01:51
Deathway
Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV)

Hi All

This tool helps convert virtual opcodes into assembly instructions,
restoring the original code of your virtualized application. The basic engine
comes from CodeUnvirtualizer, my other tool.

[Features]
- Supports WinLicense/Themida/CodeVirtualizer CISC machines
- Supports almost all common opcodes
- Supports CHECK_MACRO_PROTECTION
- Supports MultiBranch tech

[Use]
- Right-click on the jump leading to the Virtual Machine area and press Unvirtualize. (If the machine isn't found,
you have to click again, after checking that the full machine was correctly deobfuscated.)


[Oreans UnVirtualizer]
[v1.0]
- First public version

[Request]
- Since it is almost impossible to create a full database with every opcode combination,
I would appreciate it if, when you get errors from unknown opcodes, wrong decompilation, etc.,
you include a full diagnosis with the Cisc_Vo_Dump.txt, Cisc_Vo_Syntax.txt, Cisc_Uv_Dump.txt and
Cisc_Iat_XXXXXX.txt files in your report.
Attached Files
File Type: rar OreansUnVirtualizerv1.0.rar (68.6 KB, 90 views)
  #2  
Old 03-26-2011, 04:26
Ember
Mirror: http://www.mediafire.com/?nxiwurv6rd7njhj
  #3  
Old 03-26-2011, 06:11
ahmadmansoor
Great work man... Thanks.

My friend, I think it would be good to give us some working examples.
  #4  
Old 03-27-2011, 02:43
Deathway
Quote:
Originally Posted by ahmadmansoor View Post
Great work man... Thanks.

My friend, I think it would be good to give us some working examples.
Done

Video Samples
http://www.sendspace.com/file/1lscnw

New Version

[v1.1]
- Fixed Decode GenV1
- Added CALL [EBX+ESI+0x234234]
- Video logs Added
- Updated OreansJunk.cfg
Attached Files
File Type: rar Oreans UnVirtualizer 1.1.rar (298.1 KB, 66 views)
  #5  
Old 03-28-2011, 06:48
Deathway
[v1.2]
- Fixed Decode MovV1
- Added REP - REPNE - CMPS - MOVS - LODS - STOS - SCAS Instructions
- Added CISC-2 Micro-opcodes UnVirtualizer
- Fixed Decode MovV2
- OreansJunk.cfg updated
- OreansAssembler.cfg updated
- Added Virtual Opcode Mutation Tech
- Fixed Jcc Jumps leading outside Virtual Machine
- Fixed Crash on reading Register Handlers
- Cisc_Vo_Dump.txt is no longer created
Attached Files
File Type: rar Oreans UnVirtualizer 1.2.rar (308.8 KB, 64 views)
  #6  
Old 03-31-2011, 07:12
Deathway
[v1.3]
- Fixed Identifying Some handler variants
- Added NEG - NOT - BSWAP instructions
- Updated OreansAssembler
- Added Options Panel
- Added Hotkeys
- Added UnVirtualize With/Without Jumps
- Fixed Deobfuscation GenV4
- Added optimization on reading virtual labels
- Updated references panel
Attached Files
File Type: rar Oreans UnVirtualizer 1.3.rar (311.9 KB, 86 views)
  #7  
Old 03-31-2011, 07:24
Ember
Mirror v1.3: http://www.mediafire.com/?yy0tyhunu7wnbyp

Excellent progress Deathway! Tested on a CISC-2 target and 1.3 works well. Some unidentified functions still, but really good!
  #8  
Old 04-03-2011, 18:52
estelle
int 2e
Command recognition error
  #9  
Old 04-04-2011, 18:41
estelle
δ.jpg

How to write the following few
  #10  
Old 04-06-2011, 17:36
Newbie_Cracker
Deathway, it's superb, but it has a problem.
On two samples, OllyDbg crashed while decoding the second VM reference. I mean it only unvirtualizes one region per run of OllyDbg (OllyICE).

For WL, the main problem is finding the first instruction. What's your idea about the code in the attachment?

I tested several possible addresses, but there was no success!
Attached Files
File Type: txt Cisc_Uv_Dump.txt (6.6 KB, 14 views)
  #11  
Old 04-08-2011, 03:05
Deathway
... I suggest this address,
00D2477D
In case there isn't success, maybe you could upload your target.

Remember that not all functions end with EB 10, because compilers add some alignment to functions, like NOP, MOV EDI,EDI, LEA ESP,[ESP], and Themida omits this kind of instruction, especially if no jump or Jcc leads to it.

About the crash: it comes from the Quicktablewindow function. I will do some tests, but for now I don't have any clue about the error.

  #12  
Old 04-09-2011, 13:55
Newbie_Cracker
Quote:
Originally Posted by Deathway View Post
... I suggest this address,
00D2477D
Yeah, that was correct. How did you choose it? I checked many addresses, but didn't think about the last one.
  #13  
Old 04-09-2011, 15:37
estelle
last

pop esp
  #14  
Old 04-09-2011, 19:21
Newbie_Cracker
Yeah, but not always; it's sometimes after the last ADD ESP,4. E.g.:
Quote:
00D98E7D  POP ESP
00D98E85  MOV DWORD PTR [EBP+0xbf03541],0x5857cdb0
00D98ECC  PUSH DWORD PTR [ESP]
00D98ED8  MOV EBP,DWORD PTR [ESP]
00D98EEB  ADD ESP,0x4
00D98F14  ADD ESP,0x4
00D98F32  MOV ECX,DWORD PTR [EBP+0xfffffe98]
00D98F6B  PUSH ECX
00D98F81  MOV EDX,DWORD PTR [EBP+0xfffffeb8]

The real code is located a few lines after something like this:

Quote:
00D984F3  SUB EBP,0x4b6a5494
00D98537  PUSH EDX
00D98540  MOV EDX,0x27e976fd
00D98550  SUB EDX,0x6e14c4d2
But the plugin needs a little fix.

In a DLL whose dump is not at its original imagebase, the plugin writes 16 bytes of NOP at the end, which usually overwrites 3 bytes of real code.

Quote:
00B0908E  83C1 FF            ADD ECX,-1
00B09091  8A95 E7FEFFFF      MOV DL,BYTE PTR SS:[EBP-119]
00B09097  88940D F0FEFFFF    MOV BYTE PTR SS:[EBP+ECX-110],DL
00B0909E  E9 0C00500F        JMP 100090AF
00B090A3  90                 NOP
00B090A4  90                 NOP
00B090A5  90                 NOP
00B090A6  90                 NOP
00B090A7  90                 NOP
00B090A8  90                 NOP
00B090A9  90                 NOP
00B090AA  90                 NOP
00B090AB  90                 NOP
00B090AC  90                 NOP
00B090AD  90                 NOP
00B090AE  90                 NOP
00B090AF  90                 NOP
00B090B0  90                 NOP
00B090B1  90                 NOP
00B090B2  90                 NOP
00B090B3  BF 00000F85        MOV EDI,850F0000
00B090B8  EA 030000B9 0001   JMP FAR 0100:B9000003
00B090BF  0000               ADD BYTE PTR DS:[EAX],AL
00B090C1  33C0               XOR EAX,EAX
00B090C3  BF E06EBE00        MOV EDI,Dumped2_.00BE6EE0
As you can see, the end of the unvirtualized code has JMP 100090AF, but at the new imagebase it has to be disassembled manually as JMP 0B090AF. Unfortunately, 00B090AF has been overwritten with NOPs by the plugin.
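The "where does the real code start" heuristics from the last few posts (the instruction after the last POP ESP, or sometimes after the last ADD ESP,4, with a SUB EBP,imm / PUSH EDX / MOV EDX,imm / SUB EDX,imm sequence a few lines earlier), written up as an added example that can be run over a Cisc_Uv_Dump.txt-style listing. This is not the plugin's code, and the listing embedded below is constructed from the addresses quoted above rather than taken from a real dump; the `ADDRESS INSTRUCTION` line format is assumed to match the quotes.

```python
import re

# Constructed sample in the format of the quoted Cisc_Uv_Dump.txt excerpts
# (address, instruction). Addresses and operands come from the posts above;
# this is not a real dump file.
SAMPLE_DUMP = """\
00D984F3 SUB EBP,0x4b6a5494
00D98537 PUSH EDX
00D98540 MOV EDX,0x27e976fd
00D98550 SUB EDX,0x6e14c4d2
00D98E7D POP ESP
00D98E85 MOV DWORD PTR [EBP+0xbf03541],0x5857cdb0
00D98ECC PUSH DWORD PTR [ESP]
00D98ED8 MOV EBP,DWORD PTR [ESP]
00D98EEB ADD ESP,0x4
00D98F14 ADD ESP,0x4
00D98F32 MOV ECX,DWORD PTR [EBP+0xfffffe98]
00D98F6B PUSH ECX
00D98F81 MOV EDX,DWORD PTR [EBP+0xfffffeb8]
"""

# One listing line: 8 hex digits, whitespace, the rest is the instruction.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(.+?)\s*$")

# The 4-instruction sequence the thread says sits shortly before the real code.
SETUP_PATTERN = (
    re.compile(r"^SUB EBP,0X[0-9A-F]+$"),
    re.compile(r"^PUSH EDX$"),
    re.compile(r"^MOV EDX,0X[0-9A-F]+$"),
    re.compile(r"^SUB EDX,0X[0-9A-F]+$"),
)

ADD_ESP_4 = {"ADD ESP,0X4", "ADD ESP,0X04", "ADD ESP,4", "ADD ESP,04"}


def _norm(ins):
    """Upper-case, collapse whitespace and drop spaces around commas so that
    'add esp, 0x4' and 'ADD ESP,0x4' compare equal."""
    ins = re.sub(r"\s+", " ", ins.strip().upper())
    return re.sub(r"\s*,\s*", ",", ins)


def parse_dump(text):
    """Return [(address, normalized instruction)] for every well-formed line;
    lines that do not start with an 8-digit address are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), _norm(m.group(2))))
    return out


def candidate_starts(listing):
    """Candidate addresses for the first real (devirtualized) instruction:
    the instruction after the last POP ESP and the one after the last
    ADD ESP,4, i.e. after the VM epilogue has restored the stack."""
    last_pop = last_add = None
    for i, (_, ins) in enumerate(listing):
        if ins == "POP ESP":
            last_pop = i
        elif ins in ADD_ESP_4:
            last_add = i
    cands = {}
    for label, idx in (("after last POP ESP", last_pop),
                       ("after last ADD ESP,4", last_add)):
        if idx is not None and idx + 1 < len(listing):
            cands[label] = listing[idx + 1][0]
    return cands


def find_setup_pattern(listing):
    """Address of the SUB EBP,imm opening the SETUP_PATTERN sequence, or None."""
    n = len(SETUP_PATTERN)
    for i in range(len(listing) - n + 1):
        if all(p.match(listing[i + k][1]) for k, p in enumerate(SETUP_PATTERN)):
            return listing[i][0]
    return None


if __name__ == "__main__":
    lst = parse_dump(SAMPLE_DUMP)
    print("setup pattern at: %08X" % (find_setup_pattern(lst) or 0))
    for label, addr in candidate_starts(lst).items():
        print("%-22s %08X" % (label, addr))
```

Run it on a real Cisc_Uv_Dump.txt with `parse_dump(open(path).read())`; both candidates are reported because, as the post above says, which one is right varies between targets, so each still has to be checked in the debugger.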
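The imagebase problem in the listing above, worked through as an added example (not the plugin's code): the bytes `E9 0C00500F` at 00B0909E encode a rel32 of 0x0F50000C, so the target is 00B090A3 + 0x0F50000C = 100090AF, which means the jump was resolved against the DLL's original imagebase rather than the address the dump is loaded at. The code below assumes that original imagebase is 10000000 (the listing's target suggests it, but it is an assumption) and that the dump is loaded at 00B00000. It decodes and rebases the jump, re-encodes it, reports how many of the 16 padding NOPs would land on the rebased target, and shows a padding routine that stops at the target instead of writing through it.

```python
import struct

# Values transcribed from the listing quoted above. ORIGINAL_BASE is an
# assumption (the DLL's original imagebase implied by the target 100090AF).
DUMP_BASE = 0x00B00000          # where the dumped DLL is loaded in the listing
ORIGINAL_BASE = 0x10000000      # assumed original imagebase
JMP_ADDR = 0x00B0909E
JMP_BYTES = bytes.fromhex("E90C00500F")   # E9 rel32 -> JMP 100090AF
PAD_START = 0x00B090A3          # first of the 16 NOPs written by the plugin
PAD_LEN = 16


def decode_jmp_rel32(addr, code):
    """Absolute target of an E9 rel32 jump located at `addr`."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("expected E9 rel32")
    (rel,) = struct.unpack_from("<i", code, 1)
    return (addr + 5 + rel) & 0xFFFFFFFF


def encode_jmp_rel32(addr, target):
    """Encode JMP rel32 at `addr` reaching `target`; rel32 is relative to the
    end of the 5-byte instruction."""
    rel = target - (addr + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", rel)


def rebase_jmp(addr, code, old_base, new_base):
    """Re-target a jump whose displacement was computed against old_base so
    that it lands at the same RVA in an image loaded at new_base."""
    target = decode_jmp_rel32(addr, code)
    new_target = (target - old_base + new_base) & 0xFFFFFFFF
    return new_target, encode_jmp_rel32(addr, new_target)


def padding_overlap(pad_start, pad_len, code_start):
    """Number of padding bytes that overwrite code beginning at code_start."""
    pad_end = pad_start + pad_len
    if not pad_start <= code_start < pad_end:
        return 0
    return pad_end - code_start


def write_jump_with_padding(image, image_base, jmp_addr, target, pad_len=16):
    """Patch a JMP into `image` (a bytearray mapped at image_base) and NOP-pad
    after it, but never past `target`, so live code is not clobbered.
    Returns the number of NOPs actually written."""
    off = jmp_addr - image_base
    image[off:off + 5] = encode_jmp_rel32(jmp_addr, target)
    pad_start = jmp_addr + 5
    pad_end = pad_start + pad_len
    if pad_start < target < pad_end:       # target inside the padding window
        pad_end = target
    image[pad_start - image_base:pad_end - image_base] = b"\x90" * (pad_end - pad_start)
    return pad_end - pad_start


if __name__ == "__main__":
    old = decode_jmp_rel32(JMP_ADDR, JMP_BYTES)
    new, enc = rebase_jmp(JMP_ADDR, JMP_BYTES, ORIGINAL_BASE, DUMP_BASE)
    print("JMP %08X -> JMP %08X (%s)" % (old, new, enc.hex().upper()))
    print("padding bytes landing on real code:",
          padding_overlap(PAD_START, PAD_LEN, new))
```

The same delta (new_base - old_base) applies to any absolute address the unvirtualizer emits for a dump loaded away from its original imagebase, so the rebasing step belongs before any bytes are written back, not after.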
  #15  
Old 04-09-2011, 19:59
Deathway
Don't worry, that problem with the ImageBase and some relocation offsets will be fixed in 2 weeks; unfortunately I'm in exams.

Thanks for your report.