
VMProtect API Turbo Tracer 1.2


339 replies to this topic

#1 LCF-AT

LCF-AT

    I Need A Social Life

  • (Full Member+)
  • 2,225 posts
  • Gender:Not Telling
  • Location:Château-Saint-Martin

Posted 16 November 2010 - 10:00 PM


Hello,

so this time I will release my newest script for VMProtect targets and dll files. So it's a completely new written script and no compare to my older VMProtect OEP & Unpack Helper script. So I have added many new features which will help you to get your VMP target unpacked so that you can use it also on other systems. I also recorded again some movies for you where I explain what you have to do, and I collected 18 different VMP UnpackMe's from 1.7 - 2.06 which you will also see in the movies. I will add the UnpackMe's too in the next post.

VMProtect API Turbo Tracer 1.1
***************************************************
( 1.) Basic OEP Finder            [Intelli Version]  
( 2.) VP & LA & HEAP Anti Dump Redirection & Dumper         
( 3.) Auto API Scanner             [Value & System]  
( 4.) Manually Section Search Choice             x3
( 5.) API Value Calculator                           
( 6.) Auto API Section Writer & Dumper               
( 7.) Use This Script Also For Dumped Files!         
( 8.) Supports VMProtect 1.8 - 2.x                   
( 9.) Exe & DLL Support            [NO VMP DLL Box]  
( 10.) Borland Delphi v.2010 Support! OEP 2. Sec.     
( 11.) NO CPUID Fixing!                               
***************************************************
These are all features which I have added in the new script, and I think that the script can also handle your targets too. In the movies you will also see how to rebuild some stolen OEP bytes in some UnpackMes.

View in that order:
***************************************************
Movie 01| Manually OEP Find & Rebuild Examples
Movie 02| Script OEP Find & Rebuild Examples
Movie 03| Script Unpack API FIX OF AN Exe File
Movie 04| Script Unpack API FIX OF A Dll File

So I have to split the whole package in two parts, as it has more than 20 MB, and I will add part 2 of 2 and the UnpackMe's in the next post. So then have fun, and if something does not work or you have a question about it, then post on this topic.

*************************
EDIT: UPDATE to 1.1
*************************
Added: Ordinals Patcher!
Added: Better API Scan & Write Patch with a compare!
Added: Auto Codesection Scan to the Scan List!
Added: Possible HEAP Anti-Dump Redirection!

*************************
EDIT: UPDATE to 1.2
*************************
Added: More Alloc Sizes & Fixed some small bugs!
Added: now all sections to the API scan list!
Added: Disabled the User VMP enter functions!
Added: Olly Setup & Patching Pics!
Added: OllyScript v1.77.3 Plugin!

Short Info: Ok, I added now again the 1.2 version, as in the last 1.2 one label was missing at line 1656. If you see there just an "s" letter, then change this line to the label "FOUND_SECTION:" and save, or download the newly added script which you can see in the last place now.

Attached Files


Edited by LCF-AT, 23 November 2010 - 10:38 PM.


#2 LCF-AT

LCF-AT

    I Need A Social Life

  • (Full Member+)
  • 2,225 posts
  • Gender:Not Telling
  • Location:Château-Saint-Martin

Posted 16 November 2010 - 10:11 PM

Ok and here comes part 2 of 2 and the UnpackMes. :)

@ Teddy
We need more upload size! :) Maybe you can set it higher to 30 MB if you can do this. Thank you.

Attached Files



#3 adys

adys

    Newbie

  • (Junior)
  • 1 posts

Posted 16 November 2010 - 11:23 PM

Nice script...... Thanks for your share....

#4 EvOlUtIoN

EvOlUtIoN

    Unpacker/Cracker/Coder

  • (Team Member)
  • 448 posts
  • Gender:Male
  • Location:Italy

Posted 17 November 2010 - 02:20 AM

Of course the script does not fix the new CPUID antidump with memory protection on vmprotect opcodes... true?
Nothing is impossible!

#5 Syntax

Syntax

    Mega Poster

  • (Full Member)
  • 182 posts
  • Gender:Male

Posted 17 November 2010 - 03:26 AM

Of course the script does not fix the new CPUID antidump with memory protection on vmprotect opcodes... true?


@LCF-AT
Finally it's released, going to test :thumbsup:
Thank you very much, you are a great contributor.

@EvO
( 11.) NO CPUID Fixing!

Edited by (*_*), 17 November 2010 - 03:27 AM.


#6 Hexsky

Hexsky

    Newbie

  • (Junior)
  • 4 posts

Posted 17 November 2010 - 03:51 AM

very nice script ;

#7 quosego

quosego

    Unpacker

  • (Team Moderator)
  • 1,503 posts
  • Gender:Male
  • Location:Most likely at some oep.. ;)

Posted 17 November 2010 - 04:00 AM

Don't forget the heap antidump. ;)

"You cannot stop a tide with a spoon. Cracking technology will
always be several steps ahead of DRM and content will be
redistributed on anonymous networks." -Giulio Prisco, chief
executive of Metafuturing Second Life, formerly of CERN

"I've lost a bomb, do you have it?" -Crazy Ivan


#8 wuqing1501

wuqing1501

    Newbie

  • (Junior+)
  • 18 posts

Posted 17 November 2010 - 04:18 AM

Hi LCF-AT, your script is very strong! Good job!
but, it does not support some APIs like MFC42.#1001 ....

#9 wuqing1501

wuqing1501

    Newbie

  • (Junior+)
  • 18 posts

Posted 17 November 2010 - 04:19 AM

3q 4 u share

Edited by wuqing1501, 17 November 2010 - 04:21 AM.


#10 huzhao23

huzhao23

    Newbie

  • (Junior)
  • 3 posts

Posted 17 November 2010 - 04:36 AM

good, so nice tutorial. thanks

#11 Probie_fhs

Probie_fhs

    Newbie

  • (Junior)
  • 1 posts

Posted 17 November 2010 - 05:06 AM

nice~~~

#12 EvOlUtIoN

EvOlUtIoN

    Unpacker/Cracker/Coder

  • (Team Member)
  • 448 posts
  • Gender:Male
  • Location:Italy

Posted 17 November 2010 - 05:09 AM

@quosego
Yes, but heap antidump can be fixed easily also

@wuqing1501
afaik vmprotect does not protect mfc42 (and some other runtime) apis, this is probably the reason why the script does not support them, you can easily fix it with imprec.
Nothing is impossible!

#13 wuqing1501

wuqing1501

    Newbie

  • (Junior+)
  • 18 posts

Posted 17 November 2010 - 06:02 AM

@quosego
Yes, but heap antidump can be fixed easily also
@wuqing1501
afaik vmprotect does not protect mfc42 (and some other runtime) apis, this is probably the reason why the script does not support them, you can easily fix it with imprec.



vmprotect does not protect mfc42 (and some other runtime) apis??
I don't think so!
I have a target with mfc42.dll apis protected by VMP,
I used the script and it fixed it like this:
01110030    68 15681101     PUSH 01116815                            ; ASCII "MFC42.DLL"
01110035    E8 C8FFFFFF     CALL <JMP.&kernel32.LoadLibraryA>
0111003A    68 1F681101     PUSH 0111681F                            ; ASCII "#6453"
0111003F    50              PUSH EAX
01110040    E8 C3FFFFFF     CALL <JMP.&kernel32.GetProcAddress>


the target does not work,

but if fixed like this:

01110030    68 15681101     PUSH 01116815                            ; ASCII "MFC42.DLL"
01110035    E8 C8FFFFFF     CALL <JMP.&kernel32.LoadLibraryA>
0111003A    68 35190000     PUSH 1935 //1935(16)=6453(10)
0111003F    50              PUSH EAX
01110040    E8 C3FFFFFF     CALL <JMP.&kernel32.GetProcAddress>

it works well! It cannot be fixed with imprec.

Maybe I need to write a little script to solve this question.

Edited by wuqing1501, 17 November 2010 - 06:16 AM.


#14 Lexlx

Lexlx

    Newbie

  • (Junior)
  • 1 posts

Posted 17 November 2010 - 06:13 AM

thanks, it is very strong!

#15 quosego

quosego

    Unpacker

  • (Team Moderator)
  • 1,503 posts
  • Gender:Male
  • Location:Most likely at some oep.. ;)

Posted 17 November 2010 - 06:34 AM

@ wuqing1501

You do realize there's no import protection visible in that code snippet of yours. Just some code getting an MFC42 API. This stuff normally doesn't get protected.
If the name here is identical to the ordinal, which is the case I think with those dll's, getprocaddress should have no problems. You just changed it to import by ordinal.

If it doesn't work there might be some other problem preventing getprocaddress from importing by name. You can indeed change it to ordinal as you did, however if this function is also responsible for retrieving other API's it might fail eventually.

Edited by quosego, 17 November 2010 - 06:35 AM.

"You cannot stop a tide with a spoon. Cracking technology will
always be several steps ahead of DRM and content will be
redistributed on anonymous networks." -Giulio Prisco, chief
executive of Metafuturing Second Life, formerly of CERN

"I've lost a bomb, do you have it?" -Crazy Ivan


#16 K0serve

K0serve

    Newbie

  • (Junior+)
  • 16 posts

Posted 17 November 2010 - 06:49 AM

I recently started studying VM protection and this will help me a lot. Thank you sir!

#17 EvOlUtIoN

EvOlUtIoN

    Unpacker/Cracker/Coder

  • (Team Member)
  • 448 posts
  • Gender:Male
  • Location:Italy

Posted 17 November 2010 - 07:25 AM

I have never seen some runtime dll imports protected by vmprotect, but it's not impossible though.
Anyway since mfc42.dll is a dll that does not change, fixing with the ordinal number is the only solution fyi. Exports from that runtime dll and some others don't have names...
Nothing is impossible!

#18 LCF-AT

LCF-AT

    I Need A Social Life

  • (Full Member+)
  • 2,225 posts
  • Gender:Not Telling
  • Location:Château-Saint-Martin

Posted 17 November 2010 - 10:25 AM

Thanks for the feedback. :)

@ EvOlUtIoN

CPUID is not supported. So I still need a second OS to make some better tests to know better what it really checks. Also the mem protection [like your unpackme] is a hard thing. I try to create a solution for this.

@ quosego

Hmmm, so maybe I got no target where I have seen this till now. I just tested all VMP files which I have found and have not got any problems.
EDIT: Ah no, I know what you mean. :) I had already one target where I have seen and fixed this too, but I forgot to add this feature in the script now.

@ wuqing1501

I have also not seen any VMP mfc42 file till now. Just send me the target, then I will check this too.
EDIT: Yes, I forgot to add the export ordinal stuff! I see it now.
#109.SHLWAPI.dll // with # <--
push 6D

So I will add some more checks + ordinal pushes if needed. :) Thanks for the info.

greetz

Edited by LCF-AT, 17 November 2010 - 11:50 AM.

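The exchange above turns on one loader detail: the "#6453" that a dumper prints for a nameless MFC42 export (wuqing1501's post) and the "#109.SHLWAPI.dll" / "push 6D" that LCF-AT notes are display notation, not strings the export table contains, so GetProcAddress can only resolve them when it receives the ordinal as a small integer. The Python below is an added example, not code from this thread or from the Turbo Tracer script, and it models that lookup rather than calling Windows: an argument whose high word is zero is treated as an ordinal, anything else is searched as a name in the (sorted) export name table, and exports that have no name exist only in the address table. The export directories, names and RVAs are constructed stand-ins for MFC42.DLL and SHLWAPI.dll; the function names are the author's own.

```python
"""Model of the export lookup behind GetProcAddress, to show why the dumper
notation "#6453" fails as a name while the ordinal 0x1935 resolves.

Constructed example, not code from the thread or from the script it
discusses. All ordinal bases, names and RVAs below are made up.
"""
import bisect
from dataclasses import dataclass, field
from typing import List, Optional, Union

ProcName = Union[int, str]


@dataclass
class ExportDirectory:
    """Minimal model of IMAGE_EXPORT_DIRECTORY (constructed, not a PE parser)."""
    base: int                      # OrdinalBase
    functions: List[int]           # AddressOfFunctions: RVA per (ordinal - base); 0 = empty slot
    names: List[str] = field(default_factory=list)          # AddressOfNames, sorted ascending
    name_ordinals: List[int] = field(default_factory=list)  # AddressOfNameOrdinals: index into functions


def is_ordinal_argument(proc: ProcName) -> bool:
    """GetProcAddress treats lpProcName as an ordinal when its high word is zero."""
    return isinstance(proc, int) and 0 < proc < 0x10000


def resolve_export(exp: ExportDirectory, proc: ProcName) -> Optional[int]:
    """Return the export RVA, or None where the loader reports ERROR_PROC_NOT_FOUND."""
    if is_ordinal_argument(proc):
        idx = proc - exp.base
        if 0 <= idx < len(exp.functions) and exp.functions[idx] != 0:
            return exp.functions[idx]
        return None
    if not isinstance(proc, str):
        raise TypeError("lpProcName must be a small integer (ordinal) or a string (name)")
    # Name lookup: the name pointer table is sorted, so the loader binary-searches it,
    # then maps the hit through AddressOfNameOrdinals to the function slot.
    pos = bisect.bisect_left(exp.names, proc)
    if pos < len(exp.names) and exp.names[pos] == proc:
        rva = exp.functions[exp.name_ordinals[pos]]
        return rva if rva != 0 else None
    return None


def parse_dumper_symbol(symbol: str) -> ProcName:
    """Dumpers display nameless imports as '#<decimal ordinal>' (MFC42.#6453, #109 in SHLWAPI.dll).
    That text has to become an integer ordinal before a resolver can use it."""
    if symbol.startswith("#") and symbol[1:].isdigit():
        return int(symbol[1:], 10)
    return symbol


def build_sample_tables():
    """Constructed export directories standing in for MFC42.DLL and SHLWAPI.dll."""
    mfc = ExportDirectory(base=5, functions=[0] * 7000)
    mfc.functions[6453 - mfc.base] = 0x0004D2A0        # nameless export, ordinal 6453 (0x1935)
    shl = ExportDirectory(base=1, functions=[0] * 200)
    shl.functions[109 - shl.base] = 0x00013F70         # nameless export, ordinal 109 (0x6D)
    shl.functions[42 - shl.base] = 0x00011230          # the one export that also has a name
    shl.names = ["ExampleExportA"]                      # constructed name, sorted table of one
    shl.name_ordinals = [42 - shl.base]
    return mfc, shl


def demo():
    mfc, shl = build_sample_tables()
    return {
        "mfc_by_text":    resolve_export(mfc, "#6453"),                       # None: no such name
        "mfc_by_ordinal": resolve_export(mfc, 0x1935),                        # 0x4D2A0
        "mfc_parsed":     resolve_export(mfc, parse_dumper_symbol("#6453")),  # 0x4D2A0
        "shl_push_6D":    resolve_export(shl, 0x6D),                          # 0x13F70
        "shl_by_name":    resolve_export(shl, "ExampleExportA"),              # 0x11230
        "shl_missing":    resolve_export(shl, 0x7F),                          # None: empty slot
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} -> {value if value is None else hex(value)}")
```

The model also covers quosego's caveat: a resolver that blindly rewrites every "#N" into an ordinal push is fine for a DLL whose exports have no names at all, but for a DLL such as the SHLWAPI stand-in, which mixes named and nameless exports, the string branch must stay intact or the named imports stop resolving.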

#19 wuqing1501

wuqing1501

    Newbie

  • (Junior+)
  • 18 posts

Posted 17 November 2010 - 10:25 PM

Thanks for the feedback. :)

@ EvOlUtIoN

CPUID is not supported. So I still need a second OS to make some better tests to know better what it really checks. Also the mem protection [like your unpackme] is a hard thing. I try to create a solution for this.

@ quosego

Hmmm, so maybe I got no target where I have seen this till now. I just tested all VMP files which I have found and have not got any problems.
EDIT: Ah no, I know what you mean. :) I had already one target where I have seen and fixed this too, but I forgot to add this feature in the script now.

@ wuqing1501

I have also not seen any VMP mfc42 file till now. Just send me the target, then I will check this too.
EDIT: Yes, I forgot to add the export ordinal stuff! I see it now.
#109.SHLWAPI.dll // with # <--
push 6D

So I will add some more checks + ordinal pushes if needed. :) Thanks for the info.

greetz


Hi LCF-AT, I've updated my unpackmes! Test it! I used your script to unpack it but it does not work; after I fixed the MFC API it can run on my PC, but it cannot run on another PC, maybe I have something else to fix, but the API is fixed.

vmp_unpakme.rar
http://u.115.com/file/t56513a82

http://dl.dbank.com/c0g4wsldjh

http://www.mediafire.com/file/tbwb349sz2lozb9/vmp%20unpakme.rar

Edited by wuqing1501, 17 November 2010 - 11:25 PM.


#20 estelle

estelle

    Member

  • (Full Member)
  • 92 posts
  • Gender:Male

Posted 17 November 2010 - 10:27 PM

@LCF-AT



Want to support the next version of fix antidump

vmp207 unpack me
http://www.mediafire...1h9im5zs94irzsh

Edited by estelle, 17 November 2010 - 10:46 PM.




