Exetools  
04-27-2009, 17:46
redbull
Hey All,

Thanks for the offers of help. I was actually closer than I thought when I first posted the message.

My target was crashing, but not because the OEP was wrong, but because even after running UIF, the IAT was still farked.

It was my stupidity in not realising I was at OEP.

I am performing the following steps to get a clean dump file:
1. Run trial mode exe in debugger, break somewhere in process code.
2. Run UIF and do not directly fix imports.
3. Dump (even procdump worked quite well)
4. Locate OEP, and edit EXE file.
5. Fix imports by hand (in progress) (dump as you go to save changes to a new exe)
6. IAT rebuild (not done, using hand or script)
7. Test, rinse, repeat. (not done)
8. Optimize dumped exe structure. (not done)

My target as mentioned before was Delphi app.
Nothing too special except that the initialization code at OEP was a bit more complex than expected.

Finding the OEP

Delphi programs have a string identifier after each method (in debug mode, and important methods are flagged in release mode).

Example for sort is:
Quote:
RETN
db 0
dw 0
dd ?
dd ?
identifier: db "aspectsorter"
dw 0
The OEP of all my other samples (from Delphi 5.0 to Delphi 2009 VCL) showed that the last "marked method" in the active ".code" block is the Entry Point. (This can be changed at compile time.)

A quick scan for this binary string in Olly "E8 ?? ?? ?? ?? 00 00" found what I needed, I then traced back to find the OEP (push ebp).

Interestingly RDGPD got it right first time, with its Delphi entry point scanner (runtime one), run against my clean dump.

Quote:
Delphi OEP code (v6.0 and v7.0)

push ebp
mov ebp, esp

; .... Initialization code with far calls ... lots of work with EAX. Stack is clean

call far
db 0
dw 0
dd ?
dd ?
identifier: db <exename without ext (eg delphi project name)>
dw 0
Rebuilding IAT by hand

I break at OEP using hardware breakpoints on the real exe.

Then I open the file I am fixing.

Searching for the jmp tables is easy, my Olly search string is "FF 25 ?? ?? ?? ?? 8B C0 FF 25". I am also locating them by running Olly on the dump to trap exceptions.

In dumped file:
Quote:
0040761E 8BC0 MOV EAX,EAX
00407610 - FF25 78563412 JMP NEAR [DWORD DS:12345678] ; garbage
00407616 8BC0 MOV EAX,EAX
In good copy:
Quote:
0040761E 8BC0 MOV EAX,EAX
00407610 - FF25 DCA37600 JMP NEAR [DWORD DS:76A3DC] ; advapi32.AdjustTokenPrivileges
So I just copy and replace the bytes from the original process over to the new dump.

Olly has such a nice binary copy function.

I started doing that yesterday, have not played with the target in a while.

Any advice on how to clean up the exe once I am finished?

Last edited by redbull; 04-27-2009 at 17:53.