EXETOOLS FORUM
#16
11-10-2010, 19:55
progopis (CrackTool coder)
Here is an example of usage.

http://www.multiupload.com/DGV8WI410B

This example fails on decompilation, so maybe I will attach a working example later.
#17
11-10-2010, 21:28
progopis (CrackTool coder)
Fixed an issue that I mentioned in a previous post.
Attached Files
File Type: rar VMSweeper.rar (264.6 KB, 103 views)
#18
11-10-2010, 22:25
freecat
The tool is very good~
#19
11-10-2010, 22:32
besoeso (Family)
Can you upload the fixed VMSweeper to mediafire??

Good work!!
#20
11-10-2010, 22:36
progopis (CrackTool coder)
Mirror:
http://www.mediafire.com/?87qbsfzmtc6ssif
#21
11-11-2010, 01:55
Nooby (Friend)
Can you also provide an example target that works (100% functional) with this plugin? I wish I could help you improve it.
#22
11-11-2010, 03:39
ahmadmansoor (Exetools Team Manager)
Yes ... I agree with Nooby on this point.
For me now ....
after I tried it on my target ... no results!!!!
Does it work with mixed protection (Winlic & VMProtect)???
Or is this tool just for VMProtect alone??
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#23
11-11-2010, 03:43
progopis (CrackTool coder)
It's NOT for any WL/TM VM!!! Just CodeVirtualizer and VMProtect. I will upload some good targets.
#24
11-11-2010, 03:52
ahmadmansoor (Exetools Team Manager)
Anyway .. my friend, I have a target with mixed protection.
2 layers or 3; VMProtect is the first one, then Winlic.
The first plugin you uploaded was working, but the next file does not work??!!
And I have tried both on the same target!!
So, any idea?
#25
11-11-2010, 03:57
progopis (CrackTool coder)
Can you tell me what you mean by "not work"? Handler was not recognized, an error message from VMProtect, or what? I hope you are applying the plug-in to an already unpacked file, because it's not an unpacker. Can you send me your file via PM?
#26
11-11-2010, 04:28
ahmadmansoor (Exetools Team Manager)
Yes, I know that it is not an unpacker.
I run the program, then when it reaches the place where I could try the plugin, it gives "Handler was not recognized" or stops at 49% and Olly hangs.
It is a LicGenerator, but the problem is that it is locked to one PC (my friend's PC).
And I'm trying to study the reg routine.
Anyway, I will wait for your example.
#27
11-11-2010, 04:38
progopis (CrackTool coder)
OK. Here is a very artificial example.

Use the following params:
Code section: 00401000 - 00403000
VM section: 00406000 - 00413000

Steps:
1. Analyze all VM references.
2. Set a breakpoint at 0x40146F and break on it.
3. Press F1.
4. On the message "Process still active" press "Yes".
5. You will get the error "Code not created" for some reason.

Now look at the instruction at 0x40146F. It is replaced by a jump to intermediate code:
Quote:
00414040 68 68874F2F PUSH 2F4F8768
00414045 68 92576ED3 PUSH D36E5792
0041404A 53 PUSH EBX
0041404B 53 PUSH EBX
0041404C 55 PUSH EBP
0041404D 52 PUSH EDX
0041404E 51 PUSH ECX
0041404F 9C PUSHFD
00414050 56 PUSH ESI
00414051 57 PUSH EDI
00414052 50 PUSH EAX
00414053 FF35 7E104000 PUSH DWORD PTR DS:[40107E]
00414059 68 00000000 PUSH 0
0041405E 8F05 0C404100 POP DWORD PTR DS:[41400C]
00414064 68 D6D3638B PUSH 8B63D3D6
00414069 58 POP EAX
0041406A 010424 ADD DWORD PTR SS:[ESP],EAX
0041406D 9C PUSHFD
0041406E 8F05 14404100 POP DWORD PTR DS:[414014]
00414074 8F05 14404100 POP DWORD PTR DS:[414014]
0041407A 8F05 28404100 POP DWORD PTR DS:[414028]
...
It looks better than VM p-code.
Also look at the log file (40146F.log):
Quote:
++++++++++++++++++++++++++++++++++++
Section a11
++++++++++++++++++++++++++++++++++++

004140F6: eax = [ebp + 0xFFFFFFD4]
00414100: edx = 0
00414121: ecx = [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: [ebp + 0xFFFFFFF0] = eax
00414194: [ebp + 0xFFFFFFD8] = edx
00414207: jmp 0x0040148E


++++++++++++++++++++++++++++++++++++
Section asm
++++++++++++++++++++++++++++++++++++

004140F6: mov eax, dword ptr [ebp + 0xFFFFFFD4]
00414100: mov edx, 0
00414121: mov ecx, dword ptr [ebp + 0xFFFFFFE0]
0041412B: idiv ecx
00414173: mov dword ptr [ebp + 0xFFFFFFF0], eax
00414194: mov dword ptr [ebp + 0xFFFFFFD8], edx
I really don't know why it crashes on this step, but you can see clean decompiled and deobfuscated code, and you can paste it back manually.

But listen again: this tool is Beta (!) - many bugs, many features were not implemented, and it should be tested. Also remember that there are many versions of VMProtect. We worked only on the last 2.0x builds.
Attached Files
File Type: rar VmpVirtTest1.rar (40.7 KB, 44 views)
#28
11-11-2010, 04:43
progopis (CrackTool coder)
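Added example (my own code, not VMSweeper's and not from progopis's post): the intermediate code quoted in post #27 is still wrapped in VMProtect-style stack tricks (PUSH imm / POP [mem] for a store, PUSH imm / POP EAX for a load, PUSHFD / POP [mem] for a flag save). The small Python peephole pass below parses that OllyDbg-format listing, copied here as constructed sample input, and rewrites those pairs into plain MOVs. The rule set, the mem-to-mem MOV pseudo-op and the absence of liveness tracking are this example's own assumptions, not behaviour of the plugin.

```python
"""Peephole cleanup of push/pop obfuscation in VMSweeper intermediate code.

Added example; this is not VMSweeper code and not from the post. The input
listing is copied from post #27 as constructed sample data, and the rewrite
rules below are this example's own assumptions, not the plugin's.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the intermediate-code listing quoted in post #27
# (OllyDbg text format: address, opcode bytes, mnemonic, operands).
SAMPLE_LISTING = """\
00414040 68 68874F2F PUSH 2F4F8768
00414045 68 92576ED3 PUSH D36E5792
0041404A 53 PUSH EBX
0041404B 53 PUSH EBX
0041404C 55 PUSH EBP
0041404D 52 PUSH EDX
0041404E 51 PUSH ECX
0041404F 9C PUSHFD
00414050 56 PUSH ESI
00414051 57 PUSH EDI
00414052 50 PUSH EAX
00414053 FF35 7E104000 PUSH DWORD PTR DS:[40107E]
00414059 68 00000000 PUSH 0
0041405E 8F05 0C404100 POP DWORD PTR DS:[41400C]
00414064 68 D6D3638B PUSH 8B63D3D6
00414069 58 POP EAX
0041406A 010424 ADD DWORD PTR SS:[ESP],EAX
0041406D 9C PUSHFD
0041406E 8F05 14404100 POP DWORD PTR DS:[414014]
00414074 8F05 14404100 POP DWORD PTR DS:[414014]
0041407A 8F05 28404100 POP DWORD PTR DS:[414028]
"""

# address, one or more even-length hex byte groups, mnemonic, optional operands.
# Even-length byte groups keep mnemonics made of hex letters (ADD) out of the bytes.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<bytes>(?:(?:[0-9A-F]{2})+\s+)+)"
    r"(?P<mnem>[A-Z]+)(?:\s+(?P<ops>.*))?$"
)


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: list = field(default_factory=list)
    note: str = ""

    def text(self) -> str:
        s = f"{self.addr:08X} {self.mnem}"
        if self.ops:
            s += " " + ",".join(self.ops)
        if self.note:
            s += "  ; " + self.note
        return s


def parse_listing(listing: str) -> list:
    """Parse OllyDbg-style listing lines into Insn records."""
    insns = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        ops = m.group("ops")
        insns.append(Insn(int(m.group("addr"), 16), m.group("mnem"),
                          [o.strip() for o in ops.split(",")] if ops else []))
    return insns


def _uses_esp(op: str) -> bool:
    return "ESP" in op.upper()


def _is_mem(op: str) -> bool:
    return "[" in op


def simplify(insns: list) -> list:
    """One peephole pass over the stack-based obfuscation patterns.

    Rules (assumptions of this example):
      PUSH x / POP x      -> dropped (no effect when x is a register)
      PUSH src / POP dst  -> MOV dst, src   (neither operand uses ESP)
      PUSHFD / POP dst    -> kept, annotated as an EFLAGS save
    No liveness tracking is done, so PUSH imm / POP EAX / ADD [ESP],EAX is
    left as MOV EAX,imm / ADD [ESP],EAX rather than folded into ADD [ESP],imm,
    because the fold would be wrong if EAX were read afterwards.
    """
    out = []
    i = 0
    while i < len(insns):
        cur = insns[i]
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        if nxt and cur.mnem == "PUSH" and nxt.mnem == "POP":
            src, dst = cur.ops[0], nxt.ops[0]
            if src == dst and not _is_mem(src) and not _uses_esp(src):
                i += 2  # PUSH reg / POP reg: pure no-op
                continue
            if not _uses_esp(src) and not _uses_esp(dst):
                note = "pseudo-op: mem-to-mem move" if _is_mem(src) and _is_mem(dst) else ""
                out.append(Insn(cur.addr, "MOV", [dst, src], note))
                i += 2
                continue
        if nxt and cur.mnem == "PUSHFD" and nxt.mnem == "POP" and not _uses_esp(nxt.ops[0]):
            out.append(Insn(cur.addr, "PUSHFD", [], f"EFLAGS saved to {nxt.ops[0]}"))
            out.append(nxt)
            i += 2
            continue
        out.append(cur)
        i += 1
    return out


def clean_listing(listing: str) -> str:
    """Parse, simplify and re-render a listing as text."""
    return "\n".join(insn.text() for insn in simplify(parse_listing(listing)))


if __name__ == "__main__":
    print(clean_listing(SAMPLE_LISTING))
```

Run it on a listing pasted from OllyDbg; the two obfuscated pairs at 00414059 and 00414064 come out as MOV [41400C],0 and MOV EAX,8B63D3D6, and the flag save at 0041406D is annotated. Anything touching ESP is deliberately left alone, since the stack pointer is the VM's working register and folding around it changes semantics.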
Quote:
Originally Posted by ahmadmansoor
It gives "Handler was not recognized"
You can give me the log file + trc file which were created last, and I can add support for this handler or fix handler determination.
#29
11-11-2010, 06:06
ahmadmansoor (Exetools Team Manager)
Thanks progopis ..
This is just a flash on how it works, applied on your target.
Now back to testing on some other targets.
Attached Files
File Type: rar progopis.rar (1.37 MB, 109 views)
#30
11-11-2010, 06:13
besoeso (Family)
@ahmadmansoor

Can you share it on mediafire?

I would like to check it too.

Thanks
Tags
codevirtualizer, decompiler, vmprotect, vmsweeper
