Exetools  

  #11  
04-30-2012, 16:29
Raham
@Vam
The current version is better than the old one... better detection of handlers.

But a 2big problem is still here.
1. VMProtect is a stack-based VM, so everything is pushed on the stack for processing.
Even without adding junk code, it's obfuscated. Why?
Because:
push dword ptr [reg_C]
push 0041077C
pop eax
pop edx
mov dword ptr ds:[eax], edx ;00000005
is:
MOV DWORD PTR DS:[41077C],ECX

So it's hard to understand in a long analysis.
It's better to use at least pattern matching for deobfuscating this routine.
For example: handlers 0x50, 0x60, 0x40, 0x70, 0x80, if run together, will for example
be equal to MOV R32,R32

If you do it, it will be very good.


Kind Regards.
Also I'm waiting for your new version.

Last edited by Raham; 04-30-2012 at 16:38.
The Following 2 Users Gave Reputation+1 to Raham For This Useful Post:
demon_da (05-01-2012), pertican (05-02-2012)
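
The folding described in the post above, as an added example that is not part of the original post or of the tool under discussion: instead of a fixed pattern per handler sequence, it tracks a symbolic stack, which generalizes the pattern-matching idea to any push/pop ordering. The tuple mini-IR, the `store` mnemonic, the `VM_SLOTS` mapping of reg_C to ECX and the treatment of eax/edx as dead scratch registers are assumptions made for the illustration.

```python
# Constructed mini-IR: each instruction is a tuple (mnemonic, operand, ...).
# Assumption: VM context slot reg_C holds the guest ECX, as the post's result implies.
VM_SLOTS = {"dword ptr [reg_C]": "ecx"}


def fold(trace):
    """Fold one handler window into native moves.

    Returns a list of instructions, or None when the window does not reduce
    cleanly (the caller should then keep the original instructions).
    Assumption: scratch registers loaded by pop are dead after the window.
    """
    stack = []  # symbolic values currently on the VM stack
    env = {}    # scratch register -> symbolic value it holds
    out = []
    for op, *args in trace:
        if op == "push":
            src = args[0]
            # Resolve the operand: tracked scratch register, VM slot, or literal.
            stack.append(env.get(src, VM_SLOTS.get(src, src)))
        elif op == "pop":
            if not stack:
                return None  # pops a value pushed outside this window
            env[args[0]] = stack.pop()
        elif op == "store":  # models: mov dword ptr ds:[addr_reg], val_reg
            addr_reg, val_reg = args
            if addr_reg not in env or val_reg not in env:
                return None  # operand origin unknown, do not guess
            out.append(f"mov dword ptr ds:[{env[addr_reg]}], {env[val_reg]}")
        else:
            return None      # unmodelled instruction: leave the window alone
    if stack:
        return None          # net stack effect remains, not a pure move
    return out


# The five-instruction sequence from the post, transcribed into the mini-IR.
POST_TRACE = [
    ("push", "dword ptr [reg_C]"),
    ("push", "0041077C"),
    ("pop", "eax"),
    ("pop", "edx"),
    ("store", "eax", "edx"),
]

if __name__ == "__main__":
    print(fold(POST_TRACE))
```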
 

Tags
codevirualizer, decompiler, vmprotect, vmsweeper
