|
VMSweeper 1.3 (beta 12):
- ���ݧߧ�� �ӧ����ѧߧ�ӧݧ֧ߧڧ� �ڧާ����� ����ݧ� VMProtect - �����ѧߧ֧� ��֧ԧާ֧ߧ� .vm, �� �ڧ��ݧ֧է�֧ާ�ާ� ��ѧۧݧ� �ҧ�ݧ��� �ߧڧ�֧ԧ� ��֧�ݧ��� �ߧ� �ߧ�اߧ� - ��ݧ���֧� ���ڧ�� ����֧� �ӧ��է� �� �ӧ� - ��ݧ���֧ߧ� ��ѧ���٧ߧѧӧѧߧڧ� ��ڧ��� �ӧ� - shortcut Shift+F1 ������ѧ֧� ����է�ݧا֧ߧڧ� �ѧߧѧݧڧ٧� �ܧ�է� �ӧ� - ��ӧ֧ݧڧ�֧ߧ� ��ҧ�֧� �ҧ������է֧ۧ��ӧڧ� ���� �ӧ�֧� ���֧�ѧ�ڧ�� - ���ӧ���֧� �����֧ߧ� ����֧�ߧ�� �է֧ܧ�ާ�ڧݧ��ڧ� �ܧ�է� ���� VmProtect (����֧�ߧѧ� �էݧ� �ާ֧ߧ� - �ܧ�ԧէ� �ҧ�ݧ֧� 50% �ܧ�է� ��ѧ���٧ߧѧߧ� �� �ӧ����ѧߧ�ӧݧ֧ߧ� �ѧӧ��ާѧ�ڧ�֧�ܧ�, �� 100% �ӧ����ѧߧ�ӧݧ֧ߧڧ� �ܧ�է� ���ܧ� �ӧ�٧ާ�اߧ� ���ݧ�ܧ� �� 5-10% ��ݧ��ѧ֧� �� ���ݧ�ܧ� �ߧ� �ߧ֧ܧ������� �ӧ֧��ڧ�� VmProtect, �� �ܧѧܧڧ� �ߧ֧ڧ٧ӧ֧��ߧ� ��.��. ��� �� ��֧ҧ� �ߧ� ����ҧ�ѧ֧�) - ��ҧߧ�ӧݧ֧ߧ� ����ܧ�ӧ�է��ӧ� ���ݧ�٧�ӧѧ�֧ݧ�, �� �ܧ�����ԧ� �� ��ݧ֧է�֧� �ߧѧ�ѧ��... Who wants to can convert themselves from Russian into their native language. http://rghost.net/3481244/private/2c41de505ab28d742ab19cc6db7e02c0 |
VMSweeper 1.3 (beta 13)
- some internal fixes http://rghost.net/3505157/private/c90edf1ea4c2dd9ce4342d188232f756 |
VMSweeper 1.4 beta 1 (with surprise)
http://rghost.net/3619113 |
Hello,
@ BoRoV Cool a new version but this time your plugin crashes always. :( Any Olly.I try to Analyse all VM references and then it crashes or closed Olly.The other version are working till now. So I have test also diffrent dbghelp.dll versions but I get the same bad result. Code:
VM Sweeper.dll greetz |
Ooo God I think LCF-AT faster than me.
anyway I have done some tests too . and I got the same result as LCF-at . this is a flash file of what happen . hxxp://www.filesend.net/download.php...b41755226d09fb bs: Thanks LCF-At for ur hints in unpack Vmprotect . but I think ur way will not work always in upper OS ( Win 7.0 and Vista) I am working on small way I will send the details to u after I check that it will work . It will help ur script and push the target to run on different OS . Thanks u for ur hard work and thanks for progopis and BoRoV and the Author of vmsweeper . by the way I was absent for some time because I was very ill . I hope I will recover soon . the file include this : VMS_test from modified olly >>>>. trc files and the log files tested with modify olly VMS_test from original olly >>>>. trc files and the log files tested with original olly VMSweeper-problem flash movie |
ahmad:
Get well! ;) Your post showed up twice, so I deleted the second copy, after making sure they were both the same. Regards, |
I am sorry JMI :D I think the Illness make me unwill :p
|
test it VMSweeper 1.4 beta 3
http://rghost.net/3641920 |
@BoRoV : the same problem at the end of "Analyse all VM references"
olly shutdown !!! failed I try it on modified olly and original olly . by the way ,did u see this movie . http://www.filesend.net/download.php...b41755226d09fb Thanks for support |
Hello,
@ BoRoV & progopis Thanks for the new version so now it does no more crash.I have test the new version again and I get this problems. Code:
Can't make marking IAT to address - 0043421C.Code:
VMS Decompiling intermediate code...a12 finalCode:
VM Reference WindowNice to see you again.Back in town. :) So if the file not work with win Vista or 7 then try to disable the ASLR feature.So its a OS setting.Dont ask me where to find this so I just heard it also for the first time from a other win7 user. So on the other hand it can be that Vista / Win7 are using some other APIs which you need to translate...something like for win 2000 with... RtlGetLastWin32Error = GetLastError RtlSetLastWin32Error = SetLastError ...maybe..you know.So unfortunately I can't test it by myself so I have just winXP and no more a VM Ware with a other OS where I can test to find the problems. :( Maybe you can figure out something. greetz |
Hi LCF-At :
Thanks for ur nice word's , yes I am back ,but I still weak (ill) . anyway about "ASLR feature" as u describe it ,it is feature in upper OS like win 7 & Vista . and disable it not that good , I have read this Quote:
anyway as I told u I have a plane to support ur script , but I have to be sure it will be work ,and I will send all the details to u when finish , maybe we could prove it and improve it :D . let hope it will work . thanks for all ur great work . by the way for me the plugin not work on my target , can u try it on ur PC ,thanks |
Hhmmm,ah ok.I will send you some power up's. :)
Seems to be really a problem with the ASLR stuff.Oh I am curious for your plan & results. :) I will wait till you are done. So do you mean the S Eye app?If yes then I have to say that the target is no more on my HDD. Or do you mean your VB target which you have attached here on board?If yes then I can say that I have test it again with the latest plugin version and it still not work and hangs again on 21 % durring the VM Analyzing.Nothing happend after this.So I think BoRoV & progopis should use this VB target too to find the problem. greetz |
Quote:
Quote:
Quote:
|
Good tool.
3Q. |
Sorry guys, but last Vamit builds have no my changes. I have no time for commit my work to SVN... Maybe a few weeks later I will do it.
The problem of OllyDbg disasm annoys me. It incorrectly decodes FPU instructions. And plug-in doesn't work with FullDisasm by Beatrix together... I need free time for this problem. P.S. The fact that I'm getting married soon, lol) |
Nice to know that my friend :D ....Good for u .
and happy marry ..... take care after married u will not have a time for us at all ;) . epically if she is beautiful :rolleyes: . so take ur time , no problem we can wait . things make u happy ,will make us happy too ... :) Best Reagrds note: we will wait the pictures :p |
Yes happy marry to progopis! :) Now you are going right into the jail! ;) Good luck and keep your money together.
So did someone of you already test the VMP Debugger? greetz |
VMSweeper 1.4 beta 6
http://rghost.net/4045176/private/f7fe4133d63053c4345acb0c4cf085cc |
I cannot get this plugin working on CodeVirtualizer targets. It errors with "Error at determine type VM entry point" for every VM'd function.
From the log: Code:
Instr: 15 parsing - 0x00454D4F: lock dword ptr ds:[edi + 30h], ecx |
thanks for public
|
VMSweeper 1.4 beta 7
http://rghost.net/4113758/private/631d9353dbb15d81dd381bef1cba8721 |
mirror post#61
Code:
http://www.multiupload.com/6D3JAK38OU |
@ BoRoV
Testet: VMSweeper 1.4 beta 7 Target: Project1.vmp.exe by ahmadmansoor Results: Decoding stops at 21.0% // still the same problem like always. Environments used: ---------------- OllyDBG // clean Olly VMSweeper 1.4 beta 7 plugin dbghelp.dll version 6.10.3.233 WinXP SP2 So maybe you can also use this Project1.vmp.exe which was attached on this topic by ahmadmansoor.Use this and see whether you get also the same problem and if yes then try to fix it.Also it would be good if you would add some more checks in your plugin for different problems like the scan problem and then you can add some more message / error infos which the user can see then to tell you then the error problem etc. you know what I mean.So I hope that you can find a solution for this problem. greetz |
What file? I looked topic and not found him.
|
my friend he mean this
http://forum.exetools.com/showpost.php?p=70255&postcount=34 by the way this plugin become more and more powerful . Fix IAT very Good ,except in some cases when double dll load in one section ,as the bad message which appear . Keep Good work thanks . |
VMSweeper 1.4 beta 8
http://rghost.net/4201251/private/1938124d1d9a7ea573094e319e9bcc2a |
@ BoRoV
New version. :) Unfortunately is the "Project1.vmp.exe" still not working with your plugin and hangs still on 21% :( Where is the problem with this file?So I thought you would test this target to make the plugin working before release a new version.So can we get some infos about this problem? It would also be good if you can write a english history.txt file so I can't let translate this letters.... Code:
1. Óë����øå��î ð��ñïîç����â������å ��ð����ç������ûõ ��å��î��. |
I just release a plugin, I'm not the author. The author reads your message.
|
@BORoV : my friend ...if u like invite the author here .
this will make it easy to discuss , if this is not a problem . many thanks for u and for the author . note : if he accept the invite let me know I do the job ,, just PM me his nick name . |
04.02.2011 VMSweeper 1.4 beta 8
Added: 1. Improved detection of transit tags. 2. Improved detection of conditional jumps. 3. Improved detection of the use of a variable when its partial re-appropriation. 4. Removal of decoding addresses unconditional jump. 5. The second algorithm for calculating CRC VMProtect version above 2.0 6. Protect DRx registers (hardware breakpoints) from VMProtect. 7. Direct Call Processing API after the coded output of the VM. Fixed: 1. Restructuring promkoda. Sometimes a direct line after a conditional branch was not on the next block. 2. Restructuring promkoda. For a nondegenerate unconditional transition is added to the zone label. 3. Recognition of use of the register VM in line with its initialization. 4. Devirtualizatsiya instructions retn xx is no longer dependent on the number of variables in the VM stack. 5. Tag degenerate transition is not deleted if it goes the other transitions. 6. Fixed a stack overflow exception and to match the registers of the VM and the CPU cycle. 7. When automatic restart of the program is not an option avtivirovalas AntiAntiDebug. 28.01.2011 VMSweeper 1.4 beta 7 Added: 1. Option AntiAntiDebug. 2. Option Break on TLS. 3. Initial treatment AntiDump. 4. Devirtualizatsiya instructions retn xx. 5. Devirtualizatsiya instructions sub without flags. 6. Restoring the hidden procedure call (type push xx; retn) 7. Correction of bias in addressing the stack through esp. 8. Improved detection of the beginning of the cycle in the VM CodeVirtualizer. Fixed: 1. Restructuring promkoda. Sometimes a direct line after a conditional jump was in the middle of the next block. 2. Correction pointer esp when decompiling mov esp, [esp] 3. Restoration of indirect procedure calls. 4. Recognition of Conformity CPU registers and on the instructions of the VM pop xx. |
@Ember: so we can conclude that u r the author ;) .
if yes let me know .... and many thanks for Great work :cool: |
Quote:
|
VMSweeper 1.4 beta 9
Added: 1. Share all files created VMSweeper. 2. Instead of counting the CRC correction is CRC. 3. Handlers FPU instructions: fsub, fmul, fdiv and fabs. 4. Blocking "Analyze all VM references" to re-start. 5. Optimization log, trc and map files. 6. Processing of transit tags in promkode in the absence of transition. 7. Restructuring promkoda. Processing of the entrance to the VM, combined with the label. 8. Devirtualizatsiya instruction cpuid. 9. Removing AntiDump and AntiTrace code. 10. Improved converter PMB to GDL. Fixed: 1. Restoring the factor in the SIB addressing. 2. Restructuring promkoda. Removal of unnecessary branches. http://rghost.net/4378966/private/a6fbf50e271378d8a6d41211005ef35a |
Damn nice tool,
However got around to testing this properly and it seems it always stops on a "not recognize a VM primitive 61" error. In Vmprotect. Will try some others. It also has problems recognizing a fully deobfuscated oreans VM. (Should be easier?) And it can't recognize obfuscated hash keys which are not just push xxxxx jumps. (Macro's and API's) |
Ah took a look at the new beta 9.
Seems it solved the primitive issue. Nice. :) Which I suspect was some floating point instruction. Also took a look at the intermediate code generated, and my decompiler seems to be in agreeance with yours. I always wondered if my code was simply just bonkers, since Oreans VM intermediately decompiled is way more clear. But it seems it's just how VMprotect is. (love how you dump everything cleanly including opcodes, mine just ditches instructions and skips unknown handlers.) However it seems it's not breaking on some external code breakpoints. It works on a few detours however it gets lost eventually and the program just starts. (No, one of the normal code exits doesn't start it. ;) ) Could be the VMware crappy hw breakpointing though. (Also really doesn't like unfixed CPUID antidumps, which is expectable though. ) Restarting it and breaking on the correct location works fine though. Detects this and simply proceeds. (Small note, sometimes the retn's of the external code aren't properly detected and dumped it the trace, unlikely to matter though since you won't decompile it.) Also this restarting won't work if the external code is called multiple times thoughout the program, since it'll then break on a earlier call and try to DeVM some other code. (a check for the return address in esp would solve this.) Will see if I can make it gen some ASM. anyways it's pretty awesome. :) regards, q. |
@BoRoV : I have a target which make olly fall (Crash ).
I load the target and reach the OEP , and do the vmsweeper plugin , it reach to 50 % then olly exit . I unpacked the target , and it work fine , but it came the same result . I would like to upload it to make u make some test and send it to progopis or to the Author of this nice plugin . Thanks in adv |
I'm still getting that lock handler error on every CV target I try this on.
|
You can contact the author in this topic http://forum.tuts4you.com/index.php?showtopic=25077
He was there answering questions. |
Hi!
Quote:
|
Welcome Vam between us .... and Thanks for response .
I will send the target to ur PM , sorry from all , it is a private software . Edit: after it decoded "kernel32.GetVersion" , it produce the trc file , but not produce log file and olly exit Quote:
Quote:
Quote:
Quote:
|
| All times are GMT +8. The time now is 18:35. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX