-   -   【 Reproduction】VMProtect Leaked Source Code Full (https://forum.exetools.com/showthread.php?t=20778)

Pansemuckl 12-11-2023 07:06

TQN? Could anyone provide a working source for VMPROTECT (compiling out of the box GUI)?

Jaspreet Singh 12-11-2023 07:31

Quote:

Originally Posted by Pansemuckl (Post 129568)
TQN? Could anyone provide a working source for VMPROTECT (compiling out of the box GUI)?

The source provided by TQN already compiles out of box. It has the modified files. You would need to install the Qt and dependencies ofc.

Stingered 12-12-2023 02:02

Quote:

Originally Posted by Pansemuckl (Post 129564)
Debug version provided, NOT the original (packed) one, posted here
https://forum.exetools.com/showpost.php?p=129549&postcount=21

Error message given:
https://picr.eu/images/2023/12/10/VHekF.png

I have the exact same error. My VM is Win7, so I wonder if it's an OS problem?

sendersu 12-12-2023 02:48

qwindows.dll present?

kernel 12-12-2023 05:09

Quote:

Originally Posted by Stingered (Post 129574)
I have the exact same error. My VM is Win7, so I wonder if it's an OS problem?

Just install VS 2022 and it will run. It is Debug version built with VS 2022.
A little test made with it: I protected notepad.exe (68kb) with only the EP virtualized, and the output file size is 5626kb. For comparison, the same output with 3.09 is 2222kb, with 3.4 is 5249kb, with 3.5.1 is 6828kb and with 3.6 is 6136kb.
So the conclusion is that these are most likely VMProtect 3.5 sources.

Jaspreet Singh 12-12-2023 07:26

Quote:

Originally Posted by Stingered (Post 129574)
I have the exact same error. My VM is Win7, so I wonder if it's an OS problem?

I've already answered this yesterday.
To add more detail: this debug build requires the debug version of the MSVCRT.
The easiest way to get it is to run the build on a machine with VS 2022 installed, or you can install the debug version of the MSVCRT yourself.
Both ways work.

Third way: If you googled it, it's coming as the first hit for me. :D

Fyyre 12-22-2023 03:08

Did someone say Citrix? You can hear VMP screaming from here.

0xc3 01-20-2024 16:53

I manually compiled one, and there is indeed a lot of content that needs to be configured

CodeCracker 10-20-2024 17:53

VMProtect 3.5.1 disable renaming
 
1 Attachment(s)
VMProtect 3.5.1 disable renaming:
\core\dotnetfile.cc
void NETArchitecture::RenameSymbols()
{
..
if (full_name == "System.Reflection.ObfuscateAssemblyAttribute") {
...

}

00B7C3D1 . 897F 04 MOV DWORD PTR DS:[EDI+0x4],EDI
00B7C3D4 . 893F MOV DWORD PTR DS:[EDI],EDI
00B7C3D6 . 897F 08 MOV DWORD PTR DS:[EDI+0x8],EDI
00B7C3D9 . C743 04 00000000 MOV DWORD PTR DS:[EBX+0x4],0x0
00B7C3E0 . 8B5D C4 MOV EBX,DWORD PTR SS:[EBP-0x3C]
00B7C3E3 . F703 00000400 TEST DWORD PTR DS:[EBX],0x40000
00B7C3E9 . 74 07 JE SHORT 00B7C3F2 ; VMProtec.00B7C3F2
00B7C3EB . 8BCE MOV ECX,ESI
00B7C3ED . E8 8EB70000 CALL 00B87B80 ; VMProtec.00B87B80
00B7C3F2 > FFB3 D8000000 PUSH DWORD PTR DS:[EBX+0xD8]
00B7C3F8 . 8B8E 94000000 MOV ECX,DWORD PTR DS:[ESI+0x94]



rename of symbols from assembly:
00BA7B80 $ 55 PUSH EBP
to be changed to ret to not rename
00B87B80 $ 55 PUSH EBP


// Calls RenameToken on every entry of rename_token_list, in index order, and only
// then asks reference_list to update its names.
// `i` is declared outside this excerpt.
for (i = 0; i < rename_token_list.size(); i++) {
RenameToken(rename_token_list[i]);
}
reference_list.UpdateNames();

void NETArchitecture::RenameToken(ILToken *token)
{
...
id |= 0xA0000000;
new_name = string_format("%.8X", id);

}


00D0A790 $ 55 PUSH EBP // RenameToken
Local calls from 00BAA600, 00BAF6BB, 00BCD754, 00BCDAC8, 00BDE233
The 00BAF6BB

00BAF1B4 . /74 5D JE SHORT 00BAF213 ; VMProtec.00BAF213

00BAF6AE . 85FF TEST EDI,EDI
00BAF6B0 . 74 19 JE SHORT 00BAF6CB ; to jump
00BAF6B2 > FF34B2 PUSH DWORD PTR DS:[EDX+ESI*4]
00BAF6B5 . 8B8D 4CFEFFFF MOV ECX,DWORD PTR SS:[EBP-0x1B4]
00BAF6BB . E8 D0B0FFFF CALL 00BAA790 ; VMProtec.00BAA790
00BAF6C0 . 8B95 38FEFFFF MOV EDX,DWORD PTR SS:[EBP-0x1C8]
00BAF6C6 . 46 INC ESI
00BAF6C7 . 3BF7 CMP ESI,EDI
00BAF6C9 .^ 72 E7 JB SHORT 00BAF6B2 ; VMProtec.00BAF6B2




// Hardware-ID gate: when HWID.IsCorrect rejects `value`, tell the user and return
// false to the caller. What `value` holds and how the caller reacts to false are
// not visible in this excerpt.
if (!HWID.IsCorrect(value))
{
ShowMessage("This application cannot be executed on this computer.");
return false;
}






// Stores the loader's "unregistered version" banner in the FACE_UNREGISTERED_VERSION slot.
// DEMO builds always pass the banner text; other builds pass it only when
// cpUnregisteredVersion is set in ctx.options.flags and pass os::unicode_string()
// (presumably an empty string) otherwise. The chosen text goes through EncryptString
// with string_key before AddCommand.
// VMProtectEnd() presumably closes an SDK marker region opened above this excerpt - TODO confirm.
loader_string_list[FACE_UNREGISTERED_VERSION] = AddCommand(EncryptString(
#ifdef DEMO
true
#else
(ctx.options.flags & cpUnregisteredVersion)
#endif
? os::FromUTF8(VMProtectDecryptStringA("This application is protected with unregistered version of VMProtect.")).c_str() : os::unicode_string().c_str(), string_key));
VMProtectEnd();



// Non-DEMO builds only: derive option flags from the serial-number state.
// SERIAL_STATE_SUCCESS sets cpEncryptBytecode and, when cpMemoryProtection is not
// set, cpLoaderCRC as well; any other state sets cpUnregisteredVersion.
// NOTE(review): the entitlement decision rests on a single return value. If
// VMProtectGetSerialNumberState is resolved from a separately loadable module, that
// module's integrity has to be established before its answer is trusted - TODO confirm.
#ifndef DEMO
if (VMProtectGetSerialNumberState() == SERIAL_STATE_SUCCESS) {
options.flags |= cpEncryptBytecode;
if ((options.flags & cpMemoryProtection) == 0)
options.flags |= cpLoaderCRC;
} else
options.flags |= cpUnregisteredVersion;
#endif

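#ifndef WIN_DRIVER
// Packs a calendar date as (year << 16) + (month << 8) + day so that two dates can
// be ordered with one integer comparison. Month and day are truncated to 8 bits.
static uint32_t SerialStatePackDate(int year, int month, int day)
{
	// Shift in unsigned arithmetic: "%04d" can yield a negative year, and
	// left-shifting a negative int is undefined before C++20.
	return (static_cast<uint32_t>(year) << 16)
		+ (static_cast<uint32_t>(static_cast<uint8_t>(month)) << 8)
		+ static_cast<uint8_t>(day);
}

// Returns today's local date in the SerialStatePackDate layout.
static uint32_t SerialStateToday()
{
#ifdef VMP_GNU
	time_t rawtime;
	time(&rawtime);
	struct tm local_tm;
	tm *timeinfo = localtime_r(&rawtime, &local_tm);
	// localtime_r returns NULL on failure; fail closed so every date limit counts
	// as passed instead of dereferencing a null pointer.
	if (!timeinfo)
		return 0xFFFFFFFFu;
	return SerialStatePackDate(timeinfo->tm_year + 1900, timeinfo->tm_mon + 1, timeinfo->tm_mday);
#else
	SYSTEMTIME st;
	GetLocalTime(&st);
	return SerialStatePackDate(st.wYear, st.wMonth, st.wDay);
#endif
}

// Returns true when `yyyymmdd` parses as a date and today is strictly later than it.
// Text that does not parse into three fields is ignored (returns false).
static bool SerialStateDatePassed(const char *yyyymmdd)
{
	int y, m, d;
	if (sscanf_s(yyyymmdd, "%04d%02d%02d", &y, &m, &d) != 3)
		return false;
	return SerialStateToday() > SerialStatePackDate(y, m, d);
}
#endif

// Reports the licence state as a bit mask of SERIAL_STATE_FLAG_* values.
//
// Driver builds (WIN_DRIVER) always report SERIAL_STATE_FLAG_INVALID. Otherwise the
// function returns SERIAL_STATE_FLAG_INVALID when g_serial_is_correct is false,
// SERIAL_STATE_FLAG_BLACKLISTED when g_serial_is_blacklisted is true, and else ORs
// together one flag per limit that has been exceeded: TimeLimit (minutes since
// g_time_of_start), ExpDate, MaxBuildDate and the KeyHWID/MyHWID comparison. When no
// limit trips the result is 0.
//
// NOTE(review): every limit is read through GetIniValue and the date limits are
// compared with the local wall clock, so all inputs are under the control of whoever
// runs the process. This looks like a test-mode implementation; it should not be the
// only enforcement point - TODO confirm against the production build.
int VMP_API VMProtectGetSerialNumberState()
{
#ifdef WIN_DRIVER
	return SERIAL_STATE_FLAG_INVALID;
#else
	if (!g_serial_is_correct)
		return SERIAL_STATE_FLAG_INVALID;
	if (g_serial_is_blacklisted)
		return SERIAL_STATE_FLAG_BLACKLISTED;

	int res = 0;
	char buf[256];

	if (GetIniValue("TimeLimit", buf, sizeof(buf))) {
		int running_time = atoi(buf);
		// Only limits in the range 0..255 minutes are honoured; anything else is ignored.
		if (running_time >= 0 && running_time <= 255) {
			// assumes g_time_of_start is an earlier GetTickCount() sample - TODO confirm
			uint32_t dw = GetTickCount();
			int d = (dw - g_time_of_start) / 1000 / 60; // minutes
			if (running_time <= d)
				res |= SERIAL_STATE_FLAG_RUNNING_TIME_OVER;
		}
	}

	if (GetIniValue("ExpDate", buf, sizeof(buf)) && SerialStateDatePassed(buf))
		res |= SERIAL_STATE_FLAG_DATE_EXPIRED;

	if (GetIniValue("MaxBuildDate", buf, sizeof(buf)) && SerialStateDatePassed(buf))
		res |= SERIAL_STATE_FLAG_MAX_BUILD_EXPIRED;

	if (GetIniValue("KeyHWID", buf, sizeof(buf))) {
		// Start from an empty string: the result of the MyHWID lookup is not checked,
		// and comparing against an unwritten buffer would read indeterminate memory.
		// A missing MyHWID now compares as "" and therefore mismatches a non-empty KeyHWID.
		char buf2[256] = { 0 };
		GetIniValue("MyHWID", buf2, sizeof(buf2));
		if (strcmp(buf, buf2) != 0)
			res |= SERIAL_STATE_FLAG_BAD_HWID;
	}

	return res;
#endif
}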

0045A2B2 . F7D0 NOT EAX
0045A2B4 . 2385 C0FEFFFF AND EAX,DWORD PTR SS:[EBP-0x140]
0045A2BA . 8985 C0FEFFFF MOV DWORD PTR SS:[EBP-0x140],EAX
0045A2C0 . A9 00040000 TEST EAX,0x400
0045A2C5 . 75 0B JNZ SHORT 0045A2D2 ; VMProtec.0045A2D2
0045A2C7 . 25 FFFFFDFF AND EAX,0xFFFDFFFF
0045A2CC . 8985 C0FEFFFF MOV DWORD PTR SS:[EBP-0x140],EAX
0045A2D2 > FF15 08B26500 CALL DWORD PTR DS:[0x65B208] ; VMProt_1.VMProtectGetSerialNumberState
0045A2D8 . 85C0 TEST EAX,EAX
0045A2DA . 8B85 C0FEFFFF MOV EAX,DWORD PTR SS:[EBP-0x140]
0045A2E0 . 75 19 JNZ SHORT 0045A2FB ; VMProtec.0045A2FB

VMProt_1.VMProtectGetSerialNumberState
is from VMProtectSDK32.dll

I realize all you have to do is place VMProtectLicense.ini in same directory.

sendersu 10-20-2024 18:55

@CodeCracker
Why do you need to patch something at the binary level if you have the full VMP sources?

