Tuts 4 You

All Activity

  1. Past hour
  2. InvizCustos

    I need help About Packer and Code Virtualizer

    That's the way it is. Oreans is still far ahead in terms of virtualization compared to VMProtect. For example, VMProtect in version 3.8.* started using some tricks that Oreans has been using for at least 7-8 years already (combined handlers). You can also see the number of public tools for VMProtect devirtualization (<= 3.5). There are also people with private devirtualizers for version 3.8.*. For Oreans, I couldn't even find people with private devirtualizers (it doesn't mean they don't exist, they're just harder to find).
  3. InvizCustos

    I need help About Packer and Code Virtualizer

    This will not work if you know how to use Themida. You can test it on this target.
  4. Today
  5. overdose

    I need help About Packer and Code Virtualizer

    OK, I understand... so what about Code Virtualizer, what do you think about this solution?
  6. jackyjask

    I need help About Packer and Code Virtualizer

    You'll update us soon!
  7. overdose

    I need help About Packer and Code Virtualizer

    This tool can unpack all Themida 3.x?
  8. jackyjask

    I need help About Packer and Code Virtualizer

    Before you go down that path, try to make a small POC and then use this tool.
  9. overdose

    I need help About Packer and Code Virtualizer

    You are right, thank you... I think I'll go to Oreans solutions.
  10. Sean Park - Lovejoy

    I need help About Packer and Code Virtualizer

    @overdose Some people say that Themida is better than VMProtect, others say vice versa. I read a thread in the forum that Themida is better than VMProtect, but people say how you use the SDKs of each protector would decide the result. Regards. sean.
  11. overdose

    I need help About Packer and Code Virtualizer

    Thank you for your answer... I know everything can be cracked... but my question is what is the best virtualizer and the best packer between VMProtect and Oreans (Themida + Code Virtualizer)?
  12. Sean Park - Lovejoy

    I need help About Packer and Code Virtualizer

    @overdose Hello. The virtualization of the serial key checking routine and some other critical parts is the best way to defend against the cracking of your product. However, some skilled talents can crack your product even if you use anti-cracking software. Regards. sean.
  13. overdose

    I need help About Packer and Code Virtualizer

    @X0rbyhi brother, if you have more information to add here, please help us to get the best road to protect my software. So can you answer my questions about a good packer and virtualizer? Thank you.
  14. Yesterday
  15. Hey Ted, you are right! In the other dialog window it's using another font than in the main dialog window....

    ```
    FONT 8,"Tahoma"          <-- IDD_MAIN DIALOGEX
    FONT 8,"MS Sans Serif"   <-- IDD_DLGEDIT DIALOGEX
    ```

    ....somehow funny. Just because of the used font. Thank you for that info, Ted.

    So I don't wanna go on bothering you because of that WideChar / Multi function stuff, but do you have some other advice how to deal with it? I know you already told me lots of things about it and it looks like my method of using the function as I told you works so far, but I'm still not sure about it because you said something else, you know. I would like to handle those different string stuff / codepage things.

    greetz
  16. markaz.jamal

    Revteam Reverse Engineering Collection

    New Uploads:

    - Process Injection Mini Course
    - eCRE - Reverse Engineer Professional 2022
    - The Beginner Malware Analysis Course by 0verfl0w
    - Dark Vortex - Malware on Steroids
    - Maldev Modules
  17. InvizCustos

    I need help About Packer and Code Virtualizer

    Yes. There are no public devirtualization methods for Themida/Code Virtualizer.
  18. What is the character code/ hex value of the incorrect character? Assuming all the functions used are Unicode and the edit control styles are all good I would check the font is capable of displaying character "ƒ", try another font.... Ted.
  19. Bang1338

    Live Malware Samples...

    Very good one (any.run alternative, I guess): https://tria.ge/reports/public

    Search: https://tria.ge/s
  20. overdose

    I need help About Packer and Code Virtualizer

    Hello mate, is Code Virtualizer stable? And is there a public devirtualizer script for IDA or Olly? Thank you. Can I do it with a demo version?
  21. you can create a crack-me here for challenge and see 😁.
  22. InvizCustos

    I need help About Packer and Code Virtualizer

    Themida / Code Virtualizer
  23. Last week
  24. Hello friends, I'm a developer and I have some software to protect against code analysis and reverse engineering. I know the basics of reverse engineering and I also know all code can be reversed and cracked! I need help to choose a good code virtualizer and packer to protect my 32-bit software (language is Delphi 7) and to virtualize some critical functions like serial verification... What about the VMProtect 3.8.8 virtual machine, is there a way to devirtualize the code? And what is the best EXE protector? Thank you, team.
  25. Hey Ted, thanks again, Ted. Lots of input that is confusing me more & more now. Alright, so I thought ANSI = ASCII, just another term. So at the moment I'm just using the codepage flag CP_UTF8 for both APIs: MultiByteToWideChar (reading my content file I saved before) & WideCharToMultiByte (convert my app's internal UNICODE text / chars to export it to my content file). The text I have to deal with is already in UNICODE only, and all chars are getting displayed alright so far in edit controls / listview etc.

    ```
    UNICODE text / char || WideCharToMultiByte,CP_UTF8 || WriteFile = Content Export text is CP_UTF8
    CP_UTF8 text / char || ReadFile || MultiByteToWideChar,CP_UTF8 = Content Export is UNICODE
    ```

    So this is how I use the function now and it seems to work, so I don't see or get any issues yet.

    Besides that problem (I still don't know how to handle it correctly for 100% - above), I found another display problem. Look at this image below...

    ...so here you can see my listview above with text / symbols I added, and all are displaying correctly so far, also in the EDIT control below = the selected command with ƒƒƒƒƒƒ is displayed in the EDIT control below and all are using the same buffer. Now I want to edit entry 5 in my listview and double click it to call the new EditBox DialogBox, where you can see 2 EDIT controls displaying the same content of the selected LV entry 5, but in this case (new dialogbox Edit controls) it's not displaying the ƒƒƒƒƒƒ chars correctly! But why? What is the problem here? In the EDIT control under the LV it does display the ƒƒƒƒƒƒ and in the other one not, but both are using the same style / ex values and the same buffer. Do you know what the problem in this case is?

    greetz
  26. When you are referring to ANSI do you actually mean the displayable/ printable 7-bit ASCII Latin-1 character set within Windows-1252 code-page or the ANSI supplementary set above it? ANSI in Windows-1252 and ISO-8859-1 code-pages is the 8-bit character set that supplements the 7-bit ASCII character set. If you don't know what I mean it may be worth doing a Google and reading up on these code-pages; Windows-1252, UTF-8 and UTF-16.

    Windows-1252 code-page is segregated like this...

    ```
    ; 0-31    - ASCII Control Characters
    ;         - Control characters (not intended for display or printing).
    ; 32-126  - ASCII Characters
    ;         - Display and printable characters.
    ; 127     - ASCII Control Character
    ;         - Control character (not intended for display or printing).
    ; 128-159 - ANSI Characters
    ;         - Windows-1252 and ISO-8859-1 control characters.
    ; 160-225 - ANSI Characters
    ;         - Windows-1252 and ISO-8859-1 characters.
    ```

    We can create a Windows-1252 code-page quite easily with a bit of code...

    ```
    cbMultiByte = 256
    *lpMultiByteStr_1252 = AllocateMemory(cbMultiByte)

    If *lpMultiByteStr_1252
      For Char = 0 To 255
        PokeB(*lpMultiByteStr_1252+Char, Char)
      Next Char

      Debug PeekS(*lpMultiByteStr_1252+32, cbMultiByte-32, #PB_Ascii)
      ShowMemoryViewer(*lpMultiByteStr_1252, cbMultiByte)
      FreeMemory(*lpMultiByteStr_1252)
    EndIf
    ```

    We can visually see the results in "Memory Viewer", found in the screenshot below, with the (ASCII and ANSI) character set displayed in the "Debug Output" window (starting at offset 32) the displayable/ printable ASCII characters.

    If we use MultiByteToWideChar and tell it the text being converted is UTF8 (CP_UTF8) this is how all the ASCII and ANSI characters of a Windows-1252 code-page will be mapped to UTF-16...

    ```
    EnableExplicit

    Define *lpMultiByteStr
    Define *lpWideCharStr
    Define cbMultiByte.i
    Define cchWideChar.i
    Define Char.l

    cbMultiByte = 256
    *lpMultiByteStr = AllocateMemory(cbMultiByte)

    If *lpMultiByteStr
      ; Create the character set 0 through to 255 (0xFF).
      For Char = 0 To 255
        PokeB(*lpMultiByteStr+Char, Char)
      Next Char

      cchWideChar = MultiByteToWideChar_(#CP_UTF8, #MB_PRECOMPOSED, *lpMultiByteStr, cbMultiByte, #Null, #Null)
      If cchWideChar
        cchWideChar = cchWideChar * 2
        *lpWideCharStr = AllocateMemory(cchWideChar)
        If *lpWideCharStr
          ; The last parameter is a count of characters, not bytes, so halve the byte size.
          Debug MultiByteToWideChar_(#CP_UTF8, #MB_PRECOMPOSED, *lpMultiByteStr, cbMultiByte, *lpWideCharStr, cchWideChar / 2)
          Debug PeekS(*lpWideCharStr+64, cbMultiByte-32, #PB_Unicode)
          ShowMemoryViewer(*lpWideCharStr, cchWideChar)
          ; Free only a buffer that was actually allocated.
          FreeMemory(*lpWideCharStr)
        EndIf
      EndIf
      FreeMemory(*lpMultiByteStr)
    EndIf
    ```

    In the screenshot above you can see the ANSI character/ controls are all 0xFFFD. The reason for this is because those character codes (the number it represents) do not exist within the UTF8 code-page and can't be mapped to UTF-16. 0xFFFD is a UTF-16 replacement for unknown characters/ controls and is visually represented with the question mark within the diamond.

    How do we map the ANSI code-page to UTF8? First use MultiByteToWideChar to convert to UTF-16 using CP_ACP (or Windows-1252 code-page if not the system default) which then maps the ANSI characters (0xFFFD's) to known locations within the UTF-16 code-page. Once that is complete use WideCharToMultiByte to then on-convert from UTF-16 to UTF-8...

    ```
    EnableExplicit

    Define *lpMultiByteStr_1252
    Define *lpMultiByteStr_UTF8
    Define *lpWideCharStr_UTF16
    Define cbMultiByte.i
    Define cbMultiByte_UTF8.i
    Define cchWideChar.i
    Define Char.l

    ; Create the Windows-1252 character set 0 through to 255 (0xFF).
    ; 0-31    - ASCII Control Characters
    ;         - Control characters (not intended for display or printing).
    ; 32-126  - ASCII Characters
    ;         - Printable characters.
    ; 127     - ASCII Control Character
    ;         - Control character (not intended for display or printing).
    ; 128-159 - ANSI Characters
    ;         - Windows-1252 and ISO-8859-1 control characters.
    ; 160-225 - ANSI Characters
    ;         - Windows-1252 and ISO-8859-1 characters.

    cbMultiByte = 256
    *lpMultiByteStr_1252 = AllocateMemory(cbMultiByte)

    If *lpMultiByteStr_1252
      For Char = 0 To 255
        PokeB(*lpMultiByteStr_1252+Char, Char)
      Next Char

      ; Get the required buffer size, in characters, for *lpWideCharStr_UTF16.
      cchWideChar = MultiByteToWideChar_(#CP_ACP, #MB_PRECOMPOSED, *lpMultiByteStr_1252, cbMultiByte, #Null, #Null)
      If cchWideChar
        ; Convert SBCS -> DBCS by multiplying by two (2) and allocate the memory.
        cchWideChar = cchWideChar * 2
        *lpWideCharStr_UTF16 = AllocateMemory(cchWideChar)
        If *lpWideCharStr_UTF16
          ; Convert the string and update cchWideChar with the number of characters written to *lpWideCharStr_UTF16.
          ; The buffer size parameter is a count of characters, not bytes, so halve the byte size.
          cchWideChar = MultiByteToWideChar_(#CP_ACP, #MB_PRECOMPOSED, *lpMultiByteStr_1252, cbMultiByte, *lpWideCharStr_UTF16, cchWideChar / 2)
          If cchWideChar
            ; Get the required buffer size, in bytes, for *lpMultiByteStr_UTF8.
            cbMultiByte_UTF8 = WideCharToMultiByte_(#CP_UTF8, #Null, *lpWideCharStr_UTF16, cchWideChar, #Null, #Null, #Null, #Null)
            If cbMultiByte_UTF8
              ; Allocate the memory.
              *lpMultiByteStr_UTF8 = AllocateMemory(cbMultiByte_UTF8)
              If *lpMultiByteStr_UTF8
                If WideCharToMultiByte_(#CP_UTF8, #Null, *lpWideCharStr_UTF16, cchWideChar, *lpMultiByteStr_UTF8, cbMultiByte_UTF8, #Null, #Null)
                  Debug "Win-1252: " + PeekS(*lpMultiByteStr_1252+32, 224, #PB_Ascii)
                  Debug "UTF-16  : " + PeekS(*lpWideCharStr_UTF16+64, cbMultiByte-32, #PB_Unicode)
                  Debug "UTF-8   : " + PeekS(*lpMultiByteStr_UTF8+32, cbMultiByte_UTF8-32, #PB_UTF8 | #PB_ByteLength)
                  ;ShowMemoryViewer(*lpMultiByteStr_1252, 256)
                  ;ShowMemoryViewer(*lpWideCharStr_UTF16, cbMultiByte)
                  ShowMemoryViewer(*lpMultiByteStr_UTF8, cbMultiByte_UTF8)
                EndIf
                FreeMemory(*lpMultiByteStr_UTF8)
              EndIf
            EndIf
          EndIf
          ; Free only a buffer that was actually allocated.
          FreeMemory(*lpWideCharStr_UTF16)
        EndIf
      EndIf
      FreeMemory(*lpMultiByteStr_1252)
    EndIf
    ```

    To sum up all the above... if you are sure your text contains ANSI characters give MultiByteToWideChar the correct code-page to use.

    If you intend converting ASCII/ ANSI strings you may be better using the ENG functions as they have a simpler parameter requirement; EngWideCharToMultiByte, EngMultiByteToWideChar, EngMultiByteToUnicodeN, see attached example...

    Ted.

    EngMultiByteToUnicodeN.zip
  27. View File The Enigma Protector (x32 & x64 DEMO) This is an encryption example using The Enigma Protector 7.50 encryption. Enigma 7.5_x64_DEMO.rar TEP_7.5x32_DEMO.rar Submitter lengyue Submitted 04/29/2024 Category UnPackMe  
  28. Really? Did you change it from what you posted? So maybe this is what you thought you did, not what you actually did?

    ```
    invoke MultiByteToWideChar,CP_UTF8,0,ansi$("TEST"),esi,0,0
    mov ebx, eax
    add eax, eax            ; <--- double size to alloc
    mov edi, alloc(eax)
    ```