![]() |
#1
|
|||
|
|||
Simple VMProtect Loader (C++)
Here is a simple VMProtect loader to avoid "The file has been modified or cracked" error you get if you modify vmprotect binaries.
I know that people has been using sleep to avoid both checks but this is really unstable as it will be "computer-speed" dependent. This solution is much more sufficent. As I'm quite new here i thought it might be the time to contribute a little ![]() Code:
// ConsoleApplication.cpp : Defines the entry point for the console application. // #include "stdafx.h" #include Last edited by 0x22; 10-18-2014 at 23:34. |
The Following 15 Users Gave Reputation+1 to 0x22 For This Useful Post: | ||
#3
|
|||
|
|||
Hi,
Nice stuff, but could you also explain where you got the constants 0x447E2A and 0x00A89010 ? Greetings |
#4
|
|||
|
|||
Quote:
0x00A89010 is taken from the dump window, anywhere near your previous patch(explained above). The loader will now know exactly when to patch, not a second before and not a second later(to avoid being caught by the VMP self checks) In other words when 0x00A89010 is being read by the loader it will read the first bytes in the buffer 0xE4 and then second buffer 0xA6. If this equals, it will know that "now is the time to insert patch". Might also explain this: buffer[0] = 0x90; buffer[1] = 0x90; buffer[2] = 0x90; buffer[3] = 0x90; buffer[4] = 0x90; 0x90 = nop as we all know, It will now nop 5 times at 0x00447E2A, -> 90 90 90 90 90 Last edited by 0x22; 10-19-2014 at 04:18. |
The Following User Gave Reputation+1 to 0x22 For This Useful Post: | ||
mr.exodia (10-19-2014) |
#5
|
|||
|
|||
compile this source please
|
#6
|
|||
|
|||
sent you compiled version.
|
#7
|
|||
|
|||
Works fine for Safengine Shielden as well.
|
#8
|
|||
|
|||
you have made the permissions of the section where the patch if there is only writetable
I have this error or code can not fully unpacked before patched? --------------------------- Adrenalin.exe --------------------------- File corrupted!. This program has been manipulated and maybe it's infected by a Virus or cracked. This file won't work anymore. --------------------------- ОК --------------------------- |
#9
|
|||
|
|||
You misunderstood how this loader works. read my reply further up.
You need to tell the loader when the file is unpacked and ready to patch, i explained this very detailed in post number 3 in this thread. Last edited by 0x22; 10-19-2014 at 07:13. |
#10
|
|||
|
|||
This is unreliable method . Readprocessmemory passes through kernel calls and has no exact cycle count to estimate each loop time . I am not criticizing what you did, its a decent method of course . rather i will advice you to use proxy dll methods to detect it, its much faster and less chance to miss the spot as the dll can read the memory space directly.(i personally use proxy dll to trick themida bypassing the vmware checks .)
|
#11
|
|||
|
|||
@Conquest: Maybe share your DLL source code with us then
![]() |
The Following User Gave Reputation+1 to mr.exodia For This Useful Post: | ||
b30wulf (10-19-2014) |
#12
|
|||
|
|||
Quote:
|
#13
|
|||
|
|||
I don't like the snippet. You didn't give a real explanation.
0x00A89010 -> This memory is dynamically allocated. This can change with every process start. Using this as hardcoded address doesn't seem smart. Why do you read and write 12 bytes? You need only 2 (5) bytes. It even looks like you don't need a 2nd ReadProcessMemory. If it is unpacked, it is unpacked. Why check it 2 times?
__________________
My blog: https://ntquery.wordpress.com |
#14
|
|||
|
|||
Quote:
I do agree that memory addresses change which wouldnt work properly. However you dont need to use memory addresses. Code:
ReadProcessMemory(procInfo.hProcess, (LPVOID)0x00409605, buffer, 12, &nSize); if ((buffer[0] == 0xF6) && (buffer[1] == 0xC1)) { ReadProcessMemory(procInfo.hProcess, 0x409615, buffer2, 12, &nSize); if ((buffer2[0] == 0x74) && (buffer2[1] == 0x0C)) { buffer2[0] = 0x90; buffer2[1] = 0x90; //buffer2[2] = 0x01; //buffer2[3] = 0xEB; //buffer2[4] = 0x0B; //buffer2[5] = 0x90; //buffer2[6] = 0x90; //buffer2[7] = 0x50; //Sleep(570); printf("Address FOUND and patched!\n"); WriteProcessMemory(procInfo.hProcess, ADDRESS2, buffer2, 12, &nSize); } If you don't like the way i did it, then make it better and post it here so that people can benefit from your inputs. I agree on that you should dynamically set the bytes. I do two ReadProcessMemory to make sure I'm at the correct place. It's just something slapped together fast, and it works which is the most important thing for me. I'm not a good coder so, I do thank you for your constructive feedback and i'm sorry if it doesnt appeal to your coding ideology Please do your thing and post a better one, im sure both me and the community would be pleased. Have a good day ![]() Last edited by 0x22; 10-20-2014 at 00:26. |
The Following User Gave Reputation+1 to 0x22 For This Useful Post: | ||
mr.exodia (10-20-2014) |
The Following User Says Thank You to 0x22 For This Useful Post: | ||
niculaita (08-30-2016) |
#15
|
|||
|
|||
Quote:
Its same with even if you do proxy dll methods as well . @mr. exodia . i will try to find it out today. i used it for that "mushroom game" long ago when i couldnt make a working unpack out of themida |
The Following User Gave Reputation+1 to Conquest For This Useful Post: | ||
0x22 (10-20-2014) |
![]() |
Thread Tools | |
Display Modes | |
|
|
![]() |
||||
Thread | Thread Starter | Forum | Replies | Last Post |
Simple Task [make loader for UPX target]... | diablo2oo2 | General Discussion | 1 | 12-30-2004 07:03 |