#1 (Deathway)
Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV)
Hi All
This tool converts virtual opcodes to assembly instructions, restoring the original code of your virtualized application. The basic engine comes from CodeUnvirtualizer, my other tool.

[Features]
- Supports WinLicense/Themida/CodeVirtualizer CISC machines
- Supports almost all common opcodes
- Supports CHECK_MACRO_PROTECTION
- Supports MultiBranch tech

[Use]
- Right-click on the jump leading to the Virtual Machine area and press Unvirtualize. (If the machine isn't found you have to click again, after checking that the full machine was correctly deobfuscated.)

[Oreans UnVirtualizer] [v1.0]
- First public version

[Request]
- Since it is almost impossible to create a full database with every opcode combination, I would appreciate it if, when you get errors from unknown opcodes, wrongly decompiled code, etc., you include a full diagnosis with the Cisc_Vo_Dump.txt, Cisc_Vo_Syntax.txt, Cisc_Uv_Dump.txt and Cisc_Iat_XXXXXX.txt files in your report.
#3 (ahmadmansoor)
Great work man... Thanks.
My friend, I think it would be good to give us some working examples.
#4 (Deathway)
Video samples: http://www.sendspace.com/file/1lscnw

New version [v1.1]
- Fixed decode GenV1
- Added CALL [EBX+ESI+0x234234]
- Video logs added
- Updated OreansJunk.cfg
#5 (Deathway)
[v1.2]
- Fixed decode MovV1
- Added REP, REPNE, CMPS, MOVS, LODS, STOS, SCAS instructions
- Added CISC-2 micro-opcodes UnVirtualizer
- Fixed decode MovV2
- OreansJunk.cfg updated
- OreansAssembler.cfg updated
- Added virtual opcode mutation tech
- Fixed Jcc jumps leading outside the Virtual Machine
- Fixed crash on reading register handlers
- Cisc_Vo_Dump.txt is no longer created
#6 (Deathway)
[v1.3]
- Fixed identifying some handler variants
- Added NEG, NOT, BSWAP instructions
- Updated OreansAssembler
- Added options panel
- Added hotkeys
- Added UnVirtualize with/without jumps
- Fixed deobfuscation GenV4
- Added optimization on reading virtual labels
- Updated references panel
#7 (Ember)
Mirror v1.3: http://www.mediafire.com/?yy0tyhunu7wnbyp
Excellent progress Deathway! Tested on a CISC-2 target and 1.3 works well. Some functions are still unidentified, but really good!
#10 (Newbie_Cracker)
Deathway, it's superb, but it has a problem.
On two samples, OllyDbg crashed when decoding the second VM reference. I mean it only unvirtualizes one region per run of OllyDbg (OllyICE). For WL, the main problem is finding the first instruction. What's your idea about the code in the attachment? I tested several possible addresses, but there was no success!
#11 (Deathway)
... I suggest this address: 00D2477D. In case there isn't success, maybe you could upload your target. Remember that not all functions end with EB 10, because compilers do some alignment of functions with instructions like NOP, MOV EDI,EDI, LEA ESP,[ESP], and Themida omits this kind of instruction, especially if no jump nor Jcc leads to it. About the crash, it is from the Quicktablewindow function; I will do some tests, but for now I don't have any clue about the error.

Last edited by Deathway; 04-08-2011 at 03:15.
#12 (Newbie_Cracker)
Yeah, that was correct. How did you choose that? I checked many addresses, but didn't think about the last one.
#14 (Newbie_Cracker)
Yeah, but not always; it's sometimes after the last ADD ESP, 04. E.g.:

Quote:

The real code is located a few lines after something like this:

Quote:

In the DLL with the dump it is not at its original imagebase; the plugin writes 16 bytes of NOP at the end, which usually overwrites 3 bytes of real code.

Quote:
Last edited by Newbie_Cracker; 04-09-2011 at 19:31.
#15 (Deathway)
Don't worry, that problem with the ImageBase and some relocation offsets will be fixed in 2 weeks; unfortunately I'm in exams.
Thanks for your report.
Tags: codevirtualizer, decompiler