Tuts 4 You

Leaderboard

Popular Content

Showing content with the highest reputation on 10/19/2020 in all areas

  1. pekill ASProtect 2.xx eng.pdf - this also contains a description of the AsPro VM, and lists its static opcodes. Edit: I also reuploaded my PEP tutorial: https://forum.tuts4you.com/files/file/2155-private-exe-protector-v3-unpacking-by-deepzero/
    1 point
  2. You have to distinguish between unpacking and de-virtualization. For unpacking you can mostly avoid full devirtualization; in fact it's common to dump and append the full VM to the unpacked file to more easily circumvent antidump and other protections. This is done e.g. in some of the LCF-AT tutorials for Themida. With modern protectors you will also run into virtualization during API redirection, but here it's usually possible to trace execution and fish the wrapped API at specific locations ("press F9 16 times", etc.), so it's not necessary to fully defeat virtualization.

     All that is of course not helpful if you are dealing with properly configured protections and need to devirtualize the code, period. As others suggested, vnekrilov is good for this. The AsProtect VM is one of the early ones, and as such very basic and therefore suitable for getting into devirtualization. There is almost no obfuscation on the AsPro VM itself and it only virtualizes a small subset of instructions, so you frequently enter and exit the VM, which gives you good opportunity to trace and understand it. What's more, opcodes are static ... and documented by vnekrilov. His tutorials are compiled in a big PDF somewhere - go find that.

     Additionally I can recommend my old ARTeam release on unpacking Private Exe Protector v4, which includes dealing with a variety of modern protections that were implemented in a somewhat basic way by PEP (again, therefore it's easy to understand and get into it). Disclaimer - I wrote it. (Uff - accessroot.com is down, what a loss, and I can't find it at tuts4you either.)

     More generally, you will want to google for "devirtualization" rather than unpacking, which should bring up a lot more results. I can recommend Rolf's papers and blog articles (https://www.msreverseengineering.com/blog) or the more recent project which features a direct attack on VMProtect (not sure how far they got yet ... haven't checked in a while - https://github.com/vtil-project/VTIL-Core). Good luck.
    1 point