Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   VM decompiler tool (VMProtect, CodeVirtualizer) (https://forum.exetools.com/showthread.php?t=13084)

Raham 04-30-2012 16:29

@Vam
The current version is better than the old one... better detection of handlers.

But a too-big problem is still here.
1. VMProtect is a stack-based VM, so everything is pushed on the stack for processing.
Even without adding junk code, it's obfuscated. Why?
Because:
push dword ptr [reg_C]
push 0041077C
pop eax
pop edx
mov dword ptr ds:[eax], edx ;00000005
is:
MOV DWORD PTR DS:[41077C],ECX

So it's hard to understand in a long analysis.
It's better to use at least pattern matching for deobfuscating this routine.
For example: handlers 0x50,0x60,0x40,0x70,0x80, if run together, will for example
equal MOV R32,R32

if you do it, it will be very good.


Kind Regards.
Also I'm waiting for your new version ;)
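
The push/push/pop/pop/store pattern discussed above, worked through as an added example (this is not code from the thread or from VMSweeper): a symbolic-stack simplifier for a toy stack-VM trace. The op names, the "VM context" model and the sample traces are constructed for this example and do not mirror VMProtect's real handlers; the point is only to show how a small symbolic evaluator collapses the stack shuffling into the native instruction it encodes.

```python
# Added example (not from the thread): symbolic-stack simplifier for a TOY
# stack-VM trace.  The op names and the VM-context model are constructed for
# this demonstration and are not VMProtect's real handlers.

MASK32 = 0xFFFFFFFF

# Toy ops (constructed):
#   ("push_ctx", "ecx")      push the native ecx saved in the VM context
#   ("push_imm", 0x41077C)   push a 32-bit immediate
#   ("push_reg", "eax")      push a scratch register written by an earlier pop
#   ("pop", "eax")           pop the top of the VM stack into a scratch register
#   ("pop_ctx", "eax")       pop into the saved native eax  -> "mov eax, <value>"
#   ("store", "eax", "edx")  mov dword ptr [scratch], scratch
#   ("add",)                 pop two values, push their sum (mod 2**32)


def fmt(value):
    """Render a symbolic value: immediates as 8 hex digits, expressions as-is."""
    return f"{value:08X}" if isinstance(value, int) else value


def simplify(ops):
    """Symbolically execute a toy stack-VM trace and return native-looking
    instructions.  Values that merely travel through scratch registers never
    reach the output, so junk push/pop shuffles collapse away."""
    stack = []      # symbolic VM stack: ints (immediates) or strings (exprs)
    scratch = {}    # scratch register -> symbolic value bound by the last pop
    native = []     # recovered native instructions

    def resolve(reg):
        # A scratch register stands for whatever was last popped into it;
        # a register never bound by a pop is treated as a native register name.
        return scratch.get(reg, reg)

    def pop_value():
        if not stack:
            raise ValueError("pop from empty VM stack: trace truncated or misaligned")
        return stack.pop()

    for op in ops:
        kind = op[0]
        if kind == "push_ctx":
            stack.append(op[1])
        elif kind == "push_imm":
            stack.append(op[1] & MASK32)
        elif kind == "push_reg":
            stack.append(resolve(op[1]))
        elif kind == "pop":
            scratch[op[1]] = pop_value()
        elif kind == "pop_ctx":
            native.append(f"mov {op[1]}, {fmt(pop_value())}")
        elif kind == "store":
            addr, val = resolve(op[1]), resolve(op[2])
            native.append(f"mov dword ptr [{fmt(addr)}], {fmt(val)}")
        elif kind == "add":
            b, a = pop_value(), pop_value()
            if isinstance(a, int) and isinstance(b, int):
                stack.append((a + b) & MASK32)          # constant folding
            else:
                stack.append(f"({fmt(a)} + {fmt(b)})")  # keep symbolic
        else:
            raise ValueError(f"unknown toy op {kind!r}")

    if stack:
        # Leftover values mean the trace ended mid-sequence; report, don't guess.
        native.append(f"; warning: {len(stack)} value(s) left on VM stack")
    return native


# Constructed traces.  The first is the sequence from the post above.
RAHAM_SEQUENCE = [("push_ctx", "ecx"), ("push_imm", 0x41077C),
                  ("pop", "eax"), ("pop", "edx"), ("store", "eax", "edx")]
# A register move hidden behind two useless scratch hops.
REG_MOVE = [("push_ctx", "ebx"), ("pop", "eax"), ("push_reg", "eax"),
            ("pop", "edx"), ("push_reg", "edx"), ("pop_ctx", "eax")]
# Arithmetic on two immediates folds to a constant.
CONST_FOLD = [("push_imm", 4), ("push_imm", 6), ("add",), ("pop_ctx", "eax")]

if __name__ == "__main__":
    for name, trace in [("RAHAM_SEQUENCE", RAHAM_SEQUENCE),
                        ("REG_MOVE", REG_MOVE), ("CONST_FOLD", CONST_FOLD)]:
        print(name, "->", simplify(trace))
```

The evaluator only sees data flow through the stack and scratch registers; it deliberately knows nothing about flags, operand decryption or the real handler encoding, and it refuses to guess when a trace ends with values still on the stack or pops an empty one. Those are exactly the places where an automatic simplifier in a real tool should stop and report rather than emit a wrong instruction.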

Vam 05-05-2012 14:43

Quote:

Originally Posted by Raham (Post 78599)
@Vam
It's better to use at least pattern matching for deobfuscating this routine.
For example: handlers 0x50,0x60,0x40,0x70,0x80, if run together, will for example
equal MOV R32,R32

In principle, the user does not need to explore the intermediate code you speak about; the decompiler handles the intermediate code. Pay more attention to the analysis of the already decompiled code (log file) - with the right understanding of it, it is possible to manually restore the source code of the virtualized function in nearly 100% of cases.

benney 05-09-2012 16:56

This is really a great tool, it helps a lot. Thanks.

Raham 05-17-2012 22:22

Error Report

1 Attachment(s)
Hi Vam

Let's see this CrackMe.
I VMed it with the minimum options.
Your plugin will crash during analysis of it.

Kind Regards.

Raham 07-13-2012 03:20

@Vam

With the Stolen Resource feature, sometimes VMProtect will find the call to FindResource in the code section, and instead of just protecting the import, it will redirect it to an internal FindResource.
So the FindResource API will not be called. In this situation your VMSweeper will crash.
Please fix it ;)


Thanks

DMichael 07-22-2012 06:39

I have a question: what is the difference between the virtualizer that deathway made and this one? o_O

felixcatx 08-18-2012 02:04

Can this tool unpack Xenocode protection?

chessgod101 08-18-2012 09:54

Quote:

Originally Posted by felixcatx (Post 80044)
Can this tool unpack Xenocode protection?

No, this tool is designed to aid in the unpacking of VMProtect and CodeVirtualizer, as the title indicates. ;)

Beyond2000! 09-12-2012 09:16

Thank you. Very nice work. I'll give it a try.

Jupiter 10-04-2012 01:19

1 Attachment(s)
VMSweeper 1.5 beta 2

What's new:

2012-09-20

[i] VmProtect:
[+] "Empty" VM exit handler
[+] Switch-cases decompilation
[+] Handling of non-virtualized instruction "sbb"

(Attached)

mcp 10-04-2012 16:53

DeCV Decompiler
 
An open source code virtualizer decompiler is available here. Haven't tried it yet, though.

Vam 11-02-2012 22:18

The article Protect&Sweeper contains basic material on the protection algorithms of VMProtect and their removal with VMSweeper, with the addition of exclusive, previously unpublished material.
It will be useful to anyone dealing with the decompiler and the protector.

xp200798 06-03-2013 19:58

Nice, I had never thought that VM code could be decompiled.

BiMode 11-17-2013 14:25

Any chance for ollydbg v2?

progopis 12-05-2013 19:57

BiMode
Why do you want OllyDbg v2? OllyDbg v2 has a new PDK API. It's hard to rewrite such a big project to the new API.

