EXETOOLS FORUM
#16
04-10-2011, 11:56
Newbie_Cracker (VIP, Join Date: Jan 2005, Posts: 217)
Quote: Originally Posted by Deathway
...unfortunately I'm on exams
Good luck, dude.
__________________
UnREal RCE - Persian Crackers

UnREal RCE is UNDERGROUND hereafter !
#17
04-14-2011, 10:30
estelle (Friend, Join Date: Feb 2009, Posts: 42)
10062200 55 PUSH EBP
10062201 8BEC MOV EBP,ESP
10062203 6A FF PUSH -1
10062205 68 1F8C0810 PUSH mapledll.10088C1F
1006220A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
10062210 50 PUSH EAX
10062211 B8 B43B0000 MOV EAX,3BB4
10062216 E8 E5F00000 CALL mapledll.10071300
1006221B A1 10BA0910 MOV EAX,DWORD PTR DS:[1009BA10]
10062220 33C5 XOR EAX,EBP
10062222 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
10062225 56 PUSH ESI
10062226 57 PUSH EDI
10062227 50 PUSH EAX
10062228 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
1006222B 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
10062231 - E9 A2E92B00 JMP mapledll.10320BD8




@Label_10311F0B
10311F45 XOR EDX,EDX
10311F84 MOV ECX,0x8
10311FA4 DIV ECX
10311FE7 PUSH EDX
10311FF0 00D1
10311FF1 001C(00000007)
10311FFC 0018
10311FFD SBB EDX,EDX
10312037 PUSH EDX
10312044 00D1
10312045 001C(00000007)
10312050 0018
10312056 MOV BYTE PTR [EBP+0xffffc5bb],DL
10312088 MOV BYTE PTR [EBP+0xfffffffc],0x6
103120A2 LEA ECX,DWORD PTR [EBP+0xffffffb8]
103120F6 CALL 0x10002160
#18
04-15-2011, 10:25
Deathway (Lo*eXeTools*rd, Join Date: Jan 2009, Posts: 41)
Quote: Originally Posted by estelle
10062200 55 PUSH EBP
10062201 8BEC MOV EBP,ESP
10062203 6A FF PUSH -1
10062205 68 1F8C0810 PUSH mapledll.10088C1F
1006220A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
10062210 50 PUSH EAX
10062211 B8 B43B0000 MOV EAX,3BB4
10062216 E8 E5F00000 CALL mapledll.10071300
1006221B A1 10BA0910 MOV EAX,DWORD PTR DS:[1009BA10]
10062220 33C5 XOR EAX,EBP
10062222 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
10062225 56 PUSH ESI
10062226 57 PUSH EDI
10062227 50 PUSH EAX
10062228 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
1006222B 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
10062231 - E9 A2E92B00 JMP mapledll.10320BD8




@Label_10311F0B
10311F45 XOR EDX,EDX
10311F84 MOV ECX,0x8
10311FA4 DIV ECX
10311FE7 PUSH EDX
10311FF0 00D1
10311FF1 001C(00000007)
10311FFC 0018
10311FFD SBB EDX,EDX
10312037 PUSH EDX
10312044 00D1
10312045 001C(00000007)
10312050 0018
10312056 MOV BYTE PTR [EBP+0xffffc5bb],DL
10312088 MOV BYTE PTR [EBP+0xfffffffc],0x6
103120A2 LEA ECX,DWORD PTR [EBP+0xffffffb8]
103120F6 CALL 0x10002160
That's weird, that sequence was already translated. Could you send me a PM along with the target?

@all
A CRITICAL ERROR was found in version 1.3 and lower: if the unvirtualization routine has SHL, SHR, ROR, ROL, RCL or RCR, it was unvirtualized wrongly. It will be fixed in the next version (along with the ImageBase, ESP+REG32+MOFFS and minor bugs).

PS2: People are asking about RISC UnVirtualization. Today I've managed to get my first handler dumps for this machine, but unfortunately the final handlers are a mix of the original ones (I mean three or four thunks make one virtual handler in the exe/dll), and it doesn't preserve registers (possible loss of data during deobfuscation). However, if the small thunks are predictable enough, I'll make my best effort to bring you this feature (no promise yet).
#19
04-15-2011, 11:19
estelle (Friend, Join Date: Feb 2009, Posts: 42)
Quote: Originally Posted by Deathway
That's weird, that sequence was already translated. Could you send me a PM along with the target?

@all
A CRITICAL ERROR was found in version 1.3 and lower: if the unvirtualization routine has SHL, SHR, ROR, ROL, RCL or RCR, it was unvirtualized wrongly. It will be fixed in the next version (along with the ImageBase, ESP+REG32+MOFFS and minor bugs).

PS2: People are asking about RISC UnVirtualization. Today I've managed to get my first handler dumps for this machine, but unfortunately the final handlers are a mix of the original ones (I mean three or four thunks make one virtual handler in the exe/dll), and it doesn't preserve registers (possible loss of data during deobfuscation). However, if the small thunks are predictable enough, I'll make my best effort to bring you this feature (no promise yet).
Look at your email.
#20
04-15-2011, 11:33
estelle (Friend, Join Date: Feb 2009, Posts: 42)
I cannot download, please reply.
#21
04-22-2011, 04:30
Finite (Posts: n/a)
Jesus, just came back and saw this plugin. Awesome work, Deathway.
#22
04-24-2011, 16:57
Newbie_Cracker (VIP, Join Date: Jan 2005, Posts: 217)
Quote: Originally Posted by Deathway
Don't worry, that problem about the ImageBase and some relocation offsets will be fixed in 2 weeks; unfortunately I'm on exams.

Thanks for your report
Isn't there any news?

Anyone who wants to fix the bytes overwritten by NOPs at the end of the UnVMed routine (in the case of DLLs with an altered ImageBase) should patch the following address:

Code:
10070412                  |.  83C0 10                  ADD EAX,10  -> 0D
It's because EB 10 is disassembled as a long JMP. Also, the JNZ around that code can be patched to a JMP to skip the NOP filling. Because of the JMP at the end of the UnVMed code, NOPping the junk bytes is optional.


Deathway, please add an additional check in the case of a long JMP to add only 0x0D NOPs (maybe your plugin cannot find the actual ImageBase properly).

Regards.

Last edited by Newbie_Cracker; 04-24-2011 at 17:02.
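The fixup in this post comes down to the size of the trailing jump: a short JMP (EB rel8) is two bytes and a near JMP (E9 rel32) is five, so reading EB 10 as the long form overcounts the junk bytes by three, which is the 0x10 versus 0x0D in the patch. The following Python is an added example, not code from the plugin or from anyone in this thread; it models the write-back step (devirtualized body, jump back, NOP fill) and derives the NOP count from the jump's real length. The addresses 10062231 and 10320BD8 are taken from the listing earlier in the thread; the four-byte body, the 0x20-byte region and the demo targets are constructed values.

```python
"""Model of the trailing-jump / NOP-fill step when a devirtualized stub is
written back over its original bytes.  Added example, not plugin code."""
import struct

NOP = 0x90


def encode_jmp(src: int, dst: int) -> bytes:
    """Encode a relative JMP located at `src` that lands on `dst`.

    x86 measures the displacement from the end of the instruction, so the
    short form (EB rel8) is 2 bytes long and the near form (E9 rel32) is 5.
    The short form is used whenever the displacement fits in a signed byte.
    """
    rel8 = dst - (src + 2)
    if -128 <= rel8 <= 127:
        return bytes([0xEB, rel8 & 0xFF])
    rel32 = dst - (src + 5)
    if not -(1 << 31) <= rel32 < (1 << 31):
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", rel32)


def jmp_length(code: bytes, off: int) -> int:
    """Real encoded length of the JMP whose opcode byte is at `off`.

    Treating EB as if it were the 5-byte E9 form is exactly the mistake
    that makes the NOP count come out 3 too high (0x10 instead of 0x0D).
    """
    op = code[off]
    if op == 0xEB:
        return 2
    if op == 0xE9:
        return 5
    raise ValueError(f"not a relative JMP opcode: {op:#04x}")


def build_region(region_va: int, region_len: int, body: bytes, target: int) -> bytes:
    """Image that replaces the `region_len` original bytes at `region_va`:
    the devirtualized `body`, a JMP back to `target`, then NOP padding."""
    jmp = encode_jmp(region_va + len(body), target)
    used = len(body) + len(jmp)
    if used > region_len:
        raise ValueError(f"body+jmp ({used} bytes) exceeds region ({region_len})")
    return body + jmp + bytes([NOP]) * (region_len - used)


def junk_after_jmp(region: bytes, jmp_off: int) -> int:
    """Number of bytes following the trailing JMP, i.e. how many junk bytes
    remain to be NOP-filled, derived from the JMP's real length."""
    return len(region) - jmp_off - jmp_length(region, jmp_off)


if __name__ == "__main__":
    # Constructed demo: a 4-byte body (push ebp / mov ebp,esp / pop ebp)
    # written into a 0x20-byte region at 0x1000, once with a near target
    # and once with a far one.
    body = b"\x55\x8B\xEC\x5D"
    near = build_region(0x1000, 0x20, body, 0x1016)        # -> EB 10
    far = build_region(0x1000, 0x20, body, 0x10000000)     # -> E9 rel32
    print(near[4:6].hex(), junk_after_jmp(near, 4))         # eb10 26
    print(far[4:9].hex(), junk_after_jmp(far, 4))           # e9f7efff0f 23
    # The E9 A2E92B00 at 10062231 in the listing earlier in the thread:
    print(encode_jmp(0x10062231, 0x10320BD8).hex())         # e9a2e92b00
```

The two demo regions differ by exactly three padding bytes, which is the difference between adding 0x10 and 0x0D; a write-back routine that computes the fill from `jmp_length` rather than assuming the five-byte form cannot over-NOP the bytes after a short jump.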
#23
05-02-2011, 15:09
Newbie_Cracker (VIP, Join Date: Jan 2005, Posts: 217)
Today I used the plugin on Windows 7 SP1 x64. Fortunately the mentioned problem (OllyDbg crashing on the second unvirtualization) did not occur!

Does anybody else have this problem on Windows XP SP3 x86?
#24
05-03-2011, 05:03
Polaris (Friend, Location: Invincible Cyclones Of FrostWinds, Join Date: Feb 2002, Posts: 97)
This is an impressive plugin! Keep up the good work
#25
05-13-2011, 08:21
test (Posts: n/a)
Any news about RISC?

Of course, good job.
#26
03-06-2012, 01:50
Deathway (Lo*eXeTools*rd, Join Date: Jan 2009, Posts: 41)
[v1.4]
- Fixed Cisc - CALL [REG32+IMMC]
- Fixed Cisc - SHL REG32, IMMC
- Fixed an issue with odbg when using context menu
- Added TAB key on windows
- Added autofill on FindReferences window
- Risc-64 machine function
- Added OreansAssember_Risc.cfg

Well, it was a long journey to deal with RISC, but it's almost finished; hope you like it.

Some info about RISC machines
- It's still in debug mode, so it may take a long time to deobfuscate
- The 128 variant is not available; it could fail on that machine
- The example provided was modified in order to show how to deal with it when deobfuscation fails
- In case of failure, two errors may pop up: (1) about Follow jump, this has a trial-and-error solution:
press reload and then the other option; (2) about "could not find XXXX handler",
in this case the left list control shows the current VM entry and the right one the 'ideal handler';
in 80% of cases the red instruction is the problem, the yellow part shows the handler that could
not be identified; press delete after selecting the 'wrong instruction' in the left panel (could be more than one)
- The example was compiled with full protection, 64 variant
- Can't read some opcodes like movzx, xchg, movsx, muls, div, etc.


Deathway.
Example link: http://www.sendspace.com/file/fa45ny

PS: Example solution
Put a HWBP on execution at 00401058 and press F9 (could be done in normal Olly, it doesn't have debug detection)
Click on 00401058 and press Alt - I
First error: press 'No'
Second error: On the left panel select 00D5DFE4 and press delete
Third error: On the left panel select 00D781CC and press delete, then select 00D781CE and press delete

On the next popup window insert 005FC4DC and press enter
Attached Files
File Type: rar Oreans UnVirtualizer 1.4.rar (304.4 KB, 76 views)
#27
03-10-2012, 08:18
Deathway (Lo*eXeTools*rd, Join Date: Jan 2009, Posts: 41)
[v1.5]
- Fixed Unvirtualize with Jump on CISC machines
- Fixed some errors when handling signed constants on RISC
- Fixed an issue when processing the MOVS instruction on CISC machines
- Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI)
- Fixed a problem when handling AH CH DH BH registers on COMM2 instructions
- Added MOVSX - MOVZX - XCHG - IMUL - MUL - DIV - IDIV - PUSHFD - POPFD instructions on RISC
- Added CALL [ESP+IMMC] on Cisc Machine
- Added support of dump files on RISC machines
- OreansAssember_Risc.cfg updated
- DLL Support on CISC and RISC machines

There is a fix regarding RISC machines: if you unvirtualized the opcodes, there is a high chance that you obtained the inverted form of the COMM REGX,REGX opcodes (like XOR EDI,ESI decoded as XOR ESI,EDI). This error is fixed in the latest version.

DLL support is now available; however, RISC machines must be initialized first (not a problem, since RISC machines are always encrypted).

On both machines, it's recommended to devirtualize once EIP reaches the OEP.


Deathway.
Attached Files
File Type: rar Oreans UnVirtualizer 1.5.rar (307.6 KB, 101 views)

Last edited by Deathway; 03-10-2012 at 08:23.
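The inverted operand order in this changelog (XOR EDI,ESI coming out as XOR ESI,EDI) is what you get from ignoring the direction bit of the one-byte x86 ALU opcodes: 31 F7 and 33 FE both encode XOR EDI,ESI, but in the first the destination is the ModRM r/m field and in the second it is the reg field, and an 8-bit form such as 30 EC (XOR AH,CH) follows the same rule with the AH/CH/DH/BH names. The decoder and encoder below are an added example, not code from the plugin or from this thread; the `honor_direction` switch, the REGS32/REGS8/ALU_OPS tables and the sample byte strings are my own constructions, and the code covers the whole 00-3F reg,reg ALU group rather than only XOR.

```python
"""Decoder/encoder for the reg,reg forms of the one-byte x86 ALU opcodes
(ADD/OR/ADC/SBB/AND/SUB/XOR/CMP), showing how the direction bit fixes
operand order.  Added example, not plugin code."""

REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
REGS8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
# Opcode bits 5..3 select the operation within the 0x00-0x3F ALU group.
ALU_OPS = ["ADD", "OR", "ADC", "SBB", "AND", "SUB", "XOR", "CMP"]


def decode_alu_rr(code: bytes, honor_direction: bool = True) -> str:
    """Decode a 2-byte 'op modrm' ALU instruction with two register operands.

    Opcode bit 0 (w) picks 8- vs 32-bit registers; bit 1 (d) says whether
    the ModRM reg field is the destination (d=1) or the source (d=0).
    honor_direction=False reproduces the bug: reg is always taken as the
    destination, so 31 F7 comes out as XOR ESI,EDI instead of XOR EDI,ESI.
    """
    op, modrm = code[0], code[1]
    if op > 0x3F or (op & 7) > 3:
        raise ValueError(f"{op:#04x} is not an ALU r/m,r or r,r/m opcode")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory operand; this example handles reg,reg only")
    names = REGS32 if op & 1 else REGS8
    reg_is_dst = bool((op >> 1) & 1)
    if reg_is_dst or not honor_direction:
        dst, src = names[reg], names[rm]
    else:
        dst, src = names[rm], names[reg]
    return f"{ALU_OPS[(op >> 3) & 7]} {dst},{src}"


def encode_alu_rr(mnemonic: str, dst: str, src: str, reg_is_dst: bool = False) -> bytes:
    """Encode the reg,reg form in either direction.

    Both encodings are legal for the same instruction, which is why a
    devirtualizer has to carry the direction bit through instead of
    assuming one operand order.
    """
    names = REGS32 if dst in REGS32 else REGS8
    if src not in names:
        raise ValueError("operands must be the same width")
    wide = 1 if names is REGS32 else 0
    if reg_is_dst:
        reg, rm = names.index(dst), names.index(src)
    else:
        reg, rm = names.index(src), names.index(dst)
    op = (ALU_OPS.index(mnemonic) << 3) | (2 if reg_is_dst else 0) | wide
    return bytes([op, 0xC0 | (reg << 3) | rm])


if __name__ == "__main__":
    for sample in (b"\x31\xF7", b"\x33\xFE", b"\x30\xEC", b"\x01\xC8"):
        print(sample.hex(), decode_alu_rr(sample),
              "| ignoring d bit:", decode_alu_rr(sample, honor_direction=False))
    print(encode_alu_rr("XOR", "EDI", "ESI").hex(),
          encode_alu_rr("XOR", "EDI", "ESI", reg_is_dst=True).hex())
```

Running it shows that the d=0 encodings are the ones a direction-blind decoder inverts, while the d=1 encodings happen to come out right; a translation that only ever tested against one compiler's preferred encoding would not notice the bug.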
#28
12-25-2012, 04:26
Deathway (Lo*eXeTools*rd, Join Date: Jan 2009, Posts: 41)
[v1.6]
- RISC machine re-designed
- Added RISC V2 machines (new branch tech)
- Added Pushad-popad instructions on risc machines
- Fixed some issues with end jump
- Added new detection for virtual machines
- Added abort button
Attached Files
File Type: rar Oreans UnVirtualizer 1.6.rar (325.3 KB, 151 views)
#29
11-05-2013, 08:29
___da-brain___ (Posts: n/a)
Hello,

I was wondering if you have an updated version for the new TIGER and FISH VMs?
#30
11-14-2013, 08:38
ZeNiX (Administrator, Join Date: Feb 2009, Posts: 708)
Would Deathway like to update Oreans UnVirtualizer?
Tags: codevirualizer, decompiler

All times are GMT +8.