VM decompiler tool (VMProtect, CodeVirtualizer)

[Raham]

@Vam
Current Version is better than old... better detection of Handler.

But a 2big problem is still here.
1.VMProtect is stack based VM, so all stuff are pushed on stack for process.
even without add junk code,its obfuscated. why?
because:
push dword ptr [reg_C]
push 0041077C
pop eax
pop edx
mov dword ptr ds:[eax], edx ;00000005
is :
MOV DWORD PTR DS:[41077C],ECX

so its hard for to understand in Long analyse.
its better to use atleast pattern matching for deobfuscating this routine.
for example : handler : 0x50,0x60,0x40,0x70,0x80 if run together it will for example
equal to MOV R32,R32

if you do it, it will be very good.


Kind Regards.
Also im w8 for your new version

[Vam]

Quote:

Originally Posted by Raham

@Vam
its better to use atleast pattern matching for deobfuscating this routine.
for example : handler : 0x50,0x60,0x40,0x70,0x80 if run together it will for example
equal to MOV R32,R32

In principle, the intermediate code, about which you speak, explore the user does not need, it makes the intermediate code decompiler. Notice more attention to the analysis already decompiled code (log file) - with the right understanding of it is possible to manually restore source code of virtualization function nearly 100% of cases.

[benney]

this really a great tool, it helps a lot.thanks

[Raham]

Hi Vam



let see this CrackMe.
i VMed it with minimum option.
your plugin will crash during analyze of it.




Kind Regards.

[Raham]

@Vam

with Stolen Resource feature, sometimes vmpr will find the call FindResource in the code section ,and instead of just protecting import, it will redirect it to internal FindResource.
so not FindResource api will called. in this situation your VMSweeper will crash.
Please Fix It


Thanks

[DMichael]

i have queastion what the diffrence in the virutalizer that made deathway and that one?o_O

This tool can unpack Xenocode protection?

[chessgod101]

Quote:

Originally Posted by felixcatx

This tool can unpack Xenocode protection?

No, this tool is designed to aide in the unpacking of VMProtect and CodeVirtualizer, as the title indicates.

[Beyond2000!]

Thank you. Very nice work. I´ll give it a try.

[Jupiter]

VMSweeper 1.5 beta 2

What's new:

2012-09-20

[i] VmProtect:
[+] "Empty" VM exit handler
[+] Switch-cases decompilation
[+] Handling of non-virtualized instruction "sbb"

(Attached)

[mcp]

An open source code virtualizer decompiler is available here. Haven't tried it yet, though.

[Vam]

Article Protect&Sweeper contains basic material of protection algorithms VmProtekt and remove it WmSweeper with the addition of exclusive not been previously published material.
It will be useful to anyone dealing with the decompiler and protector.

nice,i have never thought about that VMcode can be decompiled

[BiMode]

Any chance for ollydbg v2?

[progopis]

BiMode
Why do you want OllyDbg v2? OllyDbg v2 has new PDK API. It's hard to rewrite such big project to new API.