Exetools  
  #1  
Old 10-21-2009, 23:12
remal
Yea, that's the sad part. Whether it is a fair trade-off remains to be seen. We also make this trade-off when we decide to use VM code.

But at the moment, we still do not have good instrumentation tools for PE files. There are very useful tools for the Java VM (ObjectWeb ASM), and probably the .NET CLR too. This is probably what holds us back from seeing realizations of such dynamism.

Maybe the next step in evolution is a morphing VM. Let us wait and see.
  #2  
Old 10-21-2009, 23:45
quosego
As for a morphing VM, well, Themida has got all of that already..

Bytes -> handler = dynamic (if 00 equals mov in the first instruction, it will be different in the second, and also different between programs.)
handler sequence = dynamic/random
byte encryption = carrying, modified by each byte(s), and each next byte(s) is encrypted with it.
+ Handler obfuscation
+ VM_code obfuscation

Not much more they could've done..
  #3  
Old 10-22-2009, 10:18
remal
Quote:
Originally Posted by quosego View Post
As for a morphing VM, well, Themida has got all of that already..
I've really no clue on how Themida works, so I'm just guessing blindly here.

To me, morphing means the code is changed in each __run__, not in each __application__. Or even better if the code is changed after some condition, even in one run.
  #4  
Old 10-22-2009, 14:33
quosego
Well, doable, but that won't change it much.. If you'd make the handler -> bytes changeable and the accompanying handler location as well, it would however open a massive security problem.. I can force the VM to become static by shutting down its randomization; this way I get an identical VM on all apps.. Making it a lot weaker than it is now.

If you'd morph VM_code however, you can attack the morpher which can interpret VM_code to morph it and very likely extract usable info from it. (If not pure asm.)
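The three properties quosego lists in post #2 (a per-build byte-to-handler mapping, a shuffled handler order, and "carrying" byte encryption where each byte's key depends on the bytes before it), together with the "force the VM static by shutting down its randomization" observation in post #4, can be shown on a toy stack VM. The following is an added illustration written for this thread, not Themida's actual format or anyone's posted code; the opcode set, the build seed, the IV and the key-update mix are all constructed assumptions.

```python
"""Toy VM illustrating per-build handler layout plus chained ('carrying')
bytecode encryption.  Constructed example: the instruction set, seeding
and key-update function are hypothetical, not Themida's real scheme."""
import random

OPS = ["PUSH", "ADD", "MUL", "HALT"]          # hypothetical VM instruction set

# Constructed sample program: (3 + 4) * 5 = 35
PROGRAM = [("PUSH", 3), ("PUSH", 4), ("ADD",), ("PUSH", 5), ("MUL",), ("HALT",)]


def build_vm(seed):
    """Derive a per-build layout from 'seed': which byte means which opcode,
    the order handlers appear in, and the starting value of the carry.
    Different seeds give different layouts, so a byte->handler table
    recovered from one build does not carry over to another."""
    rng = random.Random(seed)
    op_to_byte = dict(zip(OPS, rng.sample(range(256), len(OPS))))
    handler_order = OPS[:]
    rng.shuffle(handler_order)
    return {
        "op_to_byte": op_to_byte,
        "byte_to_op": {v: k for k, v in op_to_byte.items()},
        "handler_order": handler_order,
        "iv": rng.randrange(256),
    }


def assemble(vm, program):
    """Encode (op, operand...) tuples to plain VM bytes; PUSH takes one operand byte."""
    out = bytearray()
    for op, *args in program:
        out.append(vm["op_to_byte"][op])
        out.extend(a & 0xFF for a in args)
    return bytes(out)


def _next_carry(cipher_byte):
    # Hypothetical key update: the next key is a function of the previous
    # ciphertext byte, so the running state depends on everything before it.
    return (cipher_byte * 0x1F + 0x5B) & 0xFF


def encrypt(vm, plain):
    """'Carrying' encryption: byte i is XORed with a key derived from the
    ciphertext of byte i-1 (seeded by the build IV).  The same plaintext
    byte therefore encrypts differently at different positions."""
    carry, out = vm["iv"], bytearray()
    for b in plain:
        c = b ^ carry
        out.append(c)
        carry = _next_carry(c)
    return bytes(out)


def decrypt(vm, cipher):
    """Inverse of encrypt; needs the same IV and must start from byte 0."""
    carry, out = vm["iv"], bytearray()
    for c in cipher:
        out.append(c ^ carry)
        carry = _next_carry(c)
    return bytes(out)


def run(vm, cipher):
    """Decrypt and dispatch.  Returns the top of stack at HALT."""
    plain = decrypt(vm, cipher)
    stack, pc = [], 0
    while pc < len(plain):
        op = vm["byte_to_op"].get(plain[pc])
        if op == "PUSH":
            stack.append(plain[pc + 1]); pc += 2
        elif op == "ADD":
            b, a = stack.pop(), stack.pop(); stack.append((a + b) & 0xFF); pc += 1
        elif op == "MUL":
            b, a = stack.pop(), stack.pop(); stack.append((a * b) & 0xFF); pc += 1
        elif op == "HALT":
            break
        else:
            raise ValueError("unknown opcode byte at offset %d" % pc)
    return stack[-1] if stack else None


def same_layout(seed_a, seed_b):
    """True when two builds share the exact VM layout.  With a fixed seed
    (randomization 'shut down') every build is identical, which is the
    weakening quosego describes in post #4."""
    return build_vm(seed_a) == build_vm(seed_b)


if __name__ == "__main__":
    for seed in (1, 2):
        vm = build_vm(seed)
        cipher = encrypt(vm, assemble(vm, PROGRAM))
        print("seed", seed, "layout", vm["op_to_byte"], "cipher", cipher.hex(),
              "result", run(vm, cipher))
    print("fixed seed 7 identical across builds:", same_layout(7, 7))
```

Because the carry is derived from ciphertext, decoding must start from the beginning with the right IV; a dump of the middle of the stream cannot be decoded on its own, and two builds with different seeds produce different byte streams for the same program while computing the same result.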
All times are GMT +8.