#17
Code:
10062200 55 PUSH EBP
10062201 8BEC MOV EBP,ESP
10062203 6A FF PUSH -1
10062205 68 1F8C0810 PUSH mapledll.10088C1F
1006220A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
10062210 50 PUSH EAX
10062211 B8 B43B0000 MOV EAX,3BB4
10062216 E8 E5F00000 CALL mapledll.10071300
1006221B A1 10BA0910 MOV EAX,DWORD PTR DS:[1009BA10]
10062220 33C5 XOR EAX,EBP
10062222 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
10062225 56 PUSH ESI
10062226 57 PUSH EDI
10062227 50 PUSH EAX
10062228 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
1006222B 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
10062231 - E9 A2E92B00 JMP mapledll.10320BD8
@Label_10311F0B
10311F45 XOR EDX,EDX
10311F84 MOV ECX,0x8
10311FA4 DIV ECX
10311FE7 PUSH EDX
10311FF0 00D1
10311FF1 001C(00000007)
10311FFC 0018
10311FFD SBB EDX,EDX
10312037 PUSH EDX
10312044 00D1
10312045 001C(00000007)
10312050 0018
10312056 MOV BYTE PTR [EBP+0xffffc5bb],DL
10312088 MOV BYTE PTR [EBP+0xfffffffc],0x6
103120A2 LEA ECX,DWORD PTR [EBP+0xffffffb8]
103120F6 CALL 0x10002160
The Following User Says Thank You to estelle For This Useful Post:
Indigo (07-19-2019)
#18
Quote:
@all A CRITICAL ERROR was found on version 1.3 and lower: if the unvirtualization routine has SHL, SHR, ROR, ROL, RCL, RCR, it was wrongly unvirtualized. It will be fixed in the next version (along with the ImageBase, ESP+REG32+MOFFS, minor bugs).
PD2: People are asking about RISC UnVirtualization. Today I've managed to get my first Handler dumps about this machine, but unfortunately the final handlers are a mix of the original (I mean three or 4 thunks make one Virtual Handler on the exe/dll); it doesn't preserve registers (possible loss of data during deobfuscation). However, if the small thunks are predictable enough, I'll do my best effort to bring you this feature (not promised yet).
The Following User Says Thank You to Deathway For This Useful Post:
Indigo (07-19-2019)
#19
The Following User Says Thank You to estelle For This Useful Post:
Indigo (07-19-2019)
#21
Jesus just came back and saw this plugin. Awesome work Deathway
#22
Quote:
Anyone who wants to fix the bytes overwritten by NOP at the end of the UnVMed routine (in case of DLLs with altered ImageBase) should patch the following address:
Code:
10070412 |. 83C0 10 ADD EAX,10 -> 0D
Deathway, please add an additional check in case of Long JMP to add only 0x0D NOPs (maybe your plugin cannot find the actual ImageBase properly). Regards.
In memory of UnREal RCE...
Last edited by Newbie_Cracker; 04-24-2011 at 17:02.
The Following User Says Thank You to Newbie_Cracker For This Useful Post:
Indigo (07-19-2019)
#23
Today I used the plugin on Windows 7 SP1 x64. Fortunately the mentioned problem (crashing of OllyDbg on the second unvirtualization) did not occur!
Does anybody else have this problem on Windows XP SP3 x86?
In memory of UnREal RCE...
The Following User Says Thank You to Newbie_Cracker For This Useful Post:
Indigo (07-19-2019)
#24
This is an impressive plugin! Keep up the good work
The Following User Says Thank You to Polaris For This Useful Post:
Indigo (07-19-2019)
#25
Any news about RISC?
Of course, good job.
#26
[v1.4]
- Fixed Cisc - CALL [REG32+IMMC]
- Fixed Cisc - SHL REG32, IMMC
- Fixed an issue with odbg when using context menu
- Added TAB key on windows
- Added autofill on FindReferences window
- Risc-64 machine function
- Added OreansAssember_Risc.cfg

Well, it was a long journey to deal with Risc, but it's almost finished, hope you like it.

Some info about RISC machines:
- It's still in debug mode, so it may take a long time to deobfuscate
- 128 variant is not available, it could fail on that machine
- The example provided was modified in order to show how to deal with it when deobfuscation fails
- In case of failure, two errors may pop up: (1) About Follow jump, this has a trial-and-error solution: press reload and then the other option. (2) About could not find XXXX handler: in this case the left list control shows the current vm entry, and the right one the 'ideal handler'. In 80% of cases the red instruction is the problem; the yellow part shows the handler that could not be identified. Press delete after selecting the 'wrong instruction' on the left panel (could be more than one)
- The example was compiled with full protection 64variant
- Can't read some opcodes like movzx, xchg, movsx, muls, div, etc

Deathway.

Example link: http://www.sendspace.com/file/fa45ny

PD: Example solution
Put a HWBP on execution at 00401058 and press F9 (could be on normal olly, it doesn't have debug detection)
Click on 00401058 and press Alt - I
First error: press 'No'
Second error: On the left panel select 00D5DFE4 and press delete
Third error: On the left panel select 00D781CC and press delete, then select 00D781CE and press delete
On the next popup window insert 005FC4DC and press enter
The Following User Says Thank You to Deathway For This Useful Post:
Indigo (07-19-2019)
#27
[v1.5]
- Fixed Unvirtualize with Jump on CISC machines
- Fixed some errors when handling signed constants on RISC
- Fixed an issue when processing MOVS instruction on CISC machine
- Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI)
- Fixed a problem when handling AH CH DH BH registers on COMM2 instructions
- Added MOVSX - MOVZX - XCHG - IMUL - MUL - DIV - IDIV - PUSHFD - POPFD instructions on RISC
- Added CALL [ESP+IMMC] on Cisc Machine
- Added support of dump files on RISC machines
- OreansAssember_Risc.cfg updated
- DLL Support on CISC and RISC machines

There is a fix regarding Risc machines: if you unvirtualized the opcodes, there is a high chance that you obtained the inverted form of the opcodes COMM REGX,REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI). This error is fixed in the latest version.

DLL support is now available, however Risc machines must be initialized first (not a problem, since risc machines are always encrypted). On both machines, it's recommended to devirtualize once the eip reaches the oep.

Deathway.

Last edited by Deathway; 03-10-2012 at 08:23.
The Following 11 Users Gave Reputation+1 to Deathway For This Useful Post:
chessgod101 (03-10-2012), deepzero (03-10-2012), Ember (03-12-2012), foosaa (03-14-2012), giv (03-10-2012), kienmanowar (03-10-2012), Loki (03-12-2012), mdj (03-14-2012), Newbie_Cracker (03-25-2012), uLysse (03-10-2012), ZeNiX (03-10-2012)
The Following User Says Thank You to Deathway For This Useful Post:
Indigo (07-19-2019)
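The operand inversion described in the v1.5 notes (XOR EDI,ESI coming out as XOR ESI,EDI) is exactly what a decoder produces when it ignores the direction bit of a two-register ALU opcode. The following is an added example, not code from the thread or from Deathway's plugin; the function names and the buggy decoder are the example's own, written to show the correct decoding beside the faulty one.

```python
# Added example (not part of the thread or the Oreans Unvirtualizer plugin):
# decode/encode x86-32 register-register ALU instructions and show how
# dropping the opcode direction bit swaps the operands.

REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# Base opcodes of the classic ALU group. Bit 1 (0x02) of the opcode is the
# direction bit: clear -> op r/m32, r32 (reg field is the source),
#                set   -> op r32, r/m32 (reg field is the destination).
ALU_BASE = {0x00: "ADD", 0x08: "OR", 0x10: "ADC", 0x18: "SBB",
            0x20: "AND", 0x28: "SUB", 0x30: "XOR", 0x38: "CMP"}

def decode_alu_rr(code: bytes) -> str:
    """Decode a 2-byte register-register ALU instruction (32-bit operands)."""
    opcode, modrm = code[0], code[1]
    base, low = opcode & 0xF8, opcode & 0x07
    if base not in ALU_BASE or low not in (0x01, 0x03):
        raise ValueError(f"not a 32-bit register ALU opcode: {opcode:02X}")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b11:
        raise ValueError("memory operand forms are not handled here")
    reg_is_dest = bool(opcode & 0x02)          # honour the direction bit
    dest, src = (reg, rm) if reg_is_dest else (rm, reg)
    return f"{ALU_BASE[base]} {REGS32[dest]},{REGS32[src]}"

def decode_alu_rr_buggy(code: bytes) -> str:
    """Hypothetical faulty decoder: always treats r/m as the destination."""
    opcode, modrm = code[0], code[1]
    reg, rm = (modrm >> 3) & 7, modrm & 7
    return f"{ALU_BASE[opcode & 0xF8]} {REGS32[rm]},{REGS32[reg]}"

def encode_alu_rr(mnemonic: str, dest: str, src: str, reg_is_dest: bool = False) -> bytes:
    """Encode op dest,src in either direction form; both are valid x86."""
    base = next(b for b, m in ALU_BASE.items() if m == mnemonic)
    d, s = REGS32.index(dest), REGS32.index(src)
    if reg_is_dest:
        return bytes([base | 0x03, 0xC0 | (d << 3) | s])   # 33 FE for XOR EDI,ESI
    return bytes([base | 0x01, 0xC0 | (s << 3) | d])       # 31 F7 for XOR EDI,ESI

if __name__ == "__main__":
    for form in (False, True):
        enc = encode_alu_rr("XOR", "EDI", "ESI", reg_is_dest=form)
        print(enc.hex(), decode_alu_rr(enc), "| buggy:", decode_alu_rr_buggy(enc))
```

Only the `33 FE` form trips the buggy decoder, so a devirtualizer that re-emits one direction form and decodes with the other will invert exactly the cases the post describes.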
#28
[v1.6]
- RISC machine re-designed
- Added RISC V2 machines (new branch tech)
- Added Pushad-popad instructions on risc machines
- Fixed some issues with end jump
- Added new detection for virtual machines
- Added abort button
The Following 14 Users Gave Reputation+1 to Deathway For This Useful Post:
BAHEK (12-25-2012), besoeso (12-25-2012), chessgod101 (12-25-2012), cracki (12-27-2012), deepzero (12-25-2012), Ember (12-25-2012), giv (12-26-2012), JeRRy (12-25-2012), mak (01-10-2013), N0P (12-26-2012), pertican (12-26-2012), riverstore (12-25-2012), wilson bibe (12-26-2012)
The Following User Says Thank You to Deathway For This Useful Post:
Indigo (07-19-2019)
#29
Hello,
I was wondering if you have an updated version for the new TIGER and FISH VMs?