VM decompiler tool (VMProtect, CodeVirtualizer)

[JMI]

ahmad:

Get well!

Your post showed up twice, so I deleted the second copy, after making sure they were both the same.

Regards,

[ahmadmansoor]

I am sorry JMI I think the Illness make me unwill

[BoRoV]

test it VMSweeper 1.4 beta 3
http://rghost.net/3641920

[ahmadmansoor]

@BoRoV : the same problem at the end of "Analyse all VM references"
olly shutdown !!! failed
I try it on modified olly and original olly .
by the way ,did u see this movie .
http://www.filesend.net/download.php...b41755226d09fb

Thanks for support

[LCF-AT]

Hello,

@ BoRoV & progopis

Thanks for the new version so now it does no more crash.I have test the new version again and I get this problems.

Code:

Can't make marking IAT to address - 0043421C.
Two DLL (ƒÄ‹ÆëÚÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ���l
 - ) are in one section,
create intersections dividers and repeat analysis!

Now I tried to decompile the VM Entry and I get this.

Code:

VMS Decompiling intermediate code...a12 final

Unknown identifier in xor efl, eax

VMS: Error Code not created

Short question: can you mabye add in the VM Reference a option where I can set BPs?Somthing like this.

Code:

VM Reference Window

Set BPs on all
Set BPs on all Postponed
Set BPs on all Processing

@ ahmadmansoor

Nice to see you again.Back in town.
So if the file not work with win Vista or 7 then try to disable the ASLR feature.So its a OS setting.Dont ask me where to find this so I just heard it also for the first time from a other win7 user.
So on the other hand it can be that Vista / Win7 are using some other APIs which you need to translate...something like for win 2000 with...

RtlGetLastWin32Error = GetLastError
RtlSetLastWin32Error = SetLastError

...maybe..you know.So unfortunately I can't test it by myself so I have just winXP and no more a VM Ware with a other OS where I can test to find the problems. Maybe you can figure out something.

greetz

[ahmadmansoor]

Hi LCF-At :
Thanks for ur nice word's , yes I am back ,but I still weak (ill) .
anyway about "ASLR feature" as u describe it ,it is feature in upper OS like win 7 & Vista .
and disable it not that good , I have read this

Quote:

Unfortunately there is no legitimate way to disable ASLR on Windows Vista and later. In fact, it is a security enhancement and no one should try disabling it.

I have try to disable it by a command line (get it form the net ),and my OS fail .
anyway as I told u I have a plane to support ur script , but I have to be sure it will be work ,and I will send all the details to u when finish , maybe we could prove it and improve it . let hope it will work .
thanks for all ur great work .

by the way for me the plugin not work on my target , can u try it on ur PC ,thanks

[LCF-AT]

Hhmmm,ah ok.I will send you some power up's.

Seems to be really a problem with the ASLR stuff.Oh I am curious for your plan & results. I will wait till you are done.

So do you mean the S Eye app?If yes then I have to say that the target is no more on my HDD.

Or do you mean your VB target which you have attached here on board?If yes then I can say that I have test it again with the latest plugin version and it still not work and hangs again on 21 % durring the VM Analyzing.Nothing happend after this.So I think BoRoV & progopis should use this VB target too to find the problem.

greetz

[ahmadmansoor]

Quote:

Originally Posted by LCF-AT

Hhmmm,ah ok.I will send you some power up's.

Ooops ..... Ooo pls ,because I needed

Quote:

Originally Posted by LCF-AT

Seems to be really a problem with the ASLR stuff.Oh I am curious for your plan & results. I will wait till you are done.

it will be soon - dll file I hope or maybe 2 dll file -

Quote:

Originally Posted by LCF-AT

So do you mean the S Eye app?If yes then I have to say that the target is no more on my HDD.
Or do you mean your VB target which you have attached here on board?If yes then I can say that I have test it again with the latest plugin version and it still not work and hangs again on 21 % durring the VM Analyzing.Nothing happend after this.So I think BoRoV & progopis should use this VB target too to find the problem.
greetz

yes my friend both , but the first one is Good example , I think .

[΢Цһ��]

Good tool.
3Q.

[progopis]

Sorry guys, but last Vamit builds have no my changes. I have no time for commit my work to SVN... Maybe a few weeks later I will do it.

The problem of OllyDbg disasm annoys me. It incorrectly decodes FPU instructions. And plug-in doesn't work with FullDisasm by Beatrix together... I need free time for this problem.

P.S. The fact that I'm getting married soon, lol)

[ahmadmansoor]

Nice to know that my friend ....Good for u .
and happy marry ..... take care after married u will not have a time for us at all .
epically if she is beautiful .
so take ur time , no problem we can wait .
things make u happy ,will make us happy too ...

Best Reagrds

note: we will wait the pictures

[LCF-AT]

Yes happy marry to progopis! Now you are going right into the jail! Good luck and keep your money together.

So did someone of you already test the VMP Debugger?

greetz

[BoRoV]

VMSweeper 1.4 beta 6
http://rghost.net/4045176/private/f7fe4133d63053c4345acb0c4cf085cc

[Ember]

I cannot get this plugin working on CodeVirtualizer targets. It errors with "Error at determine type VM entry point" for every VM'd function.
From the log:

Code:

Instr: 15 parsing - 0x00454D4F: lock dword ptr ds:[edi + 30h], ecx
#ERROR# TraceCodes: Instruction lock has no handler!

thanks for public