Jump to content
Tuts 4 You

Leaderboard

  1. Teddy Rogers

    Teddy Rogers

    Administrator


    • Points

      22

    • Content Count

      8,864


  2. kao

    kao

    Full Member+


    • Points

      22

    • Content Count

      2,303


  3. Washi

    Washi

    Junior+


    • Points

      20

    • Content Count

      20


  4. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      16

    • Content Count

      3,087



Popular Content

Showing content with the highest reputation since 05/06/2020 in all areas

  1. 7 points
  2. 6 points
    It might have a few weird instructions since i'm new to this Crackme-cleaned-Devirtualized2.zip Info: This is the first version of eaz that i analyze so i can't say how 2019.x is different from 2020.1 but its definitely not uncrackable Steps i took (as i should have included since the beginning): 1 Learn how CIL works / CIL fundamentals (there are some nice ebooks that i can't link here ) 2 Learn how the assembly reader/writer of your choice works (dnlib for example) 3 Learn how a simple VM works ( https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this vm left so this is a fork to keep the project alive)) 4 https://github.com/saneki/eazdevirt See how the previous devirt was made (and you could also check previous eazvm protected executables) 5 Practice your skills trying to make MemeVM Devirt, you can message me if you have any issues with this step (You can always disable renaming on memevm to make the process easier to understand). 6 Start renaming a EazVM test assembly (you can make your own with trial) with all the knowledge you got from the previous steps (and find how crypto streams are initialized, where opcodes are located & how they are connected to the handlers etc etc etc, things that you would find in a vm) Editing saneki's eazdevirt might be a good idea, though i was more comfortable making my own base.
  3. 5 points
    Is this a hidden feature of the protection or does the app just not work?
  4. 5 points
    What's the point of this? You ran my file under de4dot and repost it? i can recognise my file ya know, i intentionally left this out (i haven't finished local types yet but i manually set the third local to int32) + i added 9 locals when only 3 get used
  5. 4 points
  6. 3 points
    Personally, I like to use the Scylla plugin of x64dbg, doing it manually by going to the memory map of x64dbg and dump the relevant memory ranges from there, or using WinDbg .writemem or the !savemodule sos extension command, depending on which debugger I am using at the moment. Also, once you're able to open the app in dnSpy, dnSpy can also reconstruct .NET modules from memory, by going to Debug > Windows > Modules and then right clicking the module you want to dump. There are probably also other tools out there that can do the same.
  7. 3 points
    New features, interesting. File correct? ggggg_cleaned.zip
  8. 3 points
    BinaryNinja has announced the new prices, and with no surprise are slowly also pushing themselves away from many users. https://binary.ninja/2020/05/11/decompiler-stable-release.html A personal (named) license is now $299 with the only 'new' thing being the not-so-exciting decompiler as seen above. They are starting to push themselves closer to IDA pricing, which is just plain stupid on their part. Ghidra's decompiler can be made to run anywhere, and thus, why would anyone pick BinaryNinja over IDA when it comes down to features? I don't feel like they are branding themselves well at all and are trying to target the wrong setups/situations. Their new blog post mentions things like: "Support for MacOS, Linux, and Windows. You’re not buying each platform separately." - Sorry but people that generally use this kind of software are users that stick to one primary OS for the most part. At most, people spin up a VM if they 'must' use a secondary OS for anything. This is not a selling point in my opinion at all. "Decompiler for all architectures." - Again, the decompiler is not impressive so far. Ghidra's can be made to run in BinaryNinja and IDA (along with anywhere else) and is 100% free. The value for this being a new reason to increase the price of BinaryNinja is just not there, at all. And sadly, like most other software companies, they still have this mindset that everyone is a student and consider their software "openly available for everyone" because they offer student pricing. Really wish companies would just stop with this nonsense. Price yourself better in general, don't selectively single out 1 small demographic. I'd wager most people in the RE scene are hobbyists, not students and are not directly in a career path that includes the use of these kinds of tools directly. The only thing BNinja has going for it that most people praise it for is a good API. Outside of that, you don't really hear anything else good/interesting about it. So this price jump is honestly a stupid move in my opinion.
  9. 2 points
    Here's the old content of Ubbelol.
  10. 2 points
    Who are you to say that it's shit? Have you made an unpacker for it? If you do, you are free to correct me but if you don't you shouldn't make these silly comments, in my opinion.
  11. 2 points
    View File Example CrackMe - Debug Blocker x64 This is an example for submitting a CrackMe in the Downloads section of the site. You can download the file and run Debug Blocker x64. Nothing too exciting will happen! The challenge here would be to patch the debug-blocker function so that it does not spawn a second process. Submitter Teddy Rogers Submitted 02/23/2020 Category CrackMe  
  12. 2 points
    This is a notification of intent to cease and close the Blogs section of the site in a months time. The reasons for the change are; lack of use, activity and popularity, and for the most part the forum categories have been and are more than capable to host similar blog like content in the future. This notification gives you the opportunity to copy any information from Blogs that you wish to retain and/ or repost in the appropriate forum... Ted. Backups - Blogs.rar
  13. 2 points
    CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption and that's it Most cleans are done by tweaking some public cleaners. The right key is "Youdidit!"
  14. 2 points
    Hi it's because of your assembly code ! read about used instruction here(repne scasb) : https://c9x.me/x86/html/file_module_x86_id_287.html Fixed code : procedure TForm1.BitBtn1Click(Sender: TObject); var pointer_check, pointer_dummy: pointer; label bp_found, bp_not_found; begin pointer_check := @check_credentials; pointer_dummy := @Dummy; asm cld mov edi,pointer_check mov ecx,pointer_dummy sub ecx, pointer_check mov al,$CC repne scasb jz bp_found jmp bp_not_found end; bp_found: application.terminate; exit; //you will findout why you should use this bp_not_found: check_credentials('user', 'pass'); end; BR, h4sh3m
  15. 2 points
    Hi , A disassembler is a software that coverts machine code (Hex) into assembly language mnemonic ex ( mov al,1) . A debugger is a program that allow you to detect and correct errors in other computer programs. A decompiler is a software which try to reverse the process of compilation to attempt to get the source code from a compiled executable . PS : try to use the google and the search button . Regards
  16. 1 point
    Hi, you dont need to parse the ASCII strings like "MZ" with each other.Just read the hex values and use them to compare it with any other values you did read in hex from any other file etc. You can use CFF Explorer to see whole PE infos at once.Maybe you wanna do or handle it like that too etc. greetz
  17. 1 point
    To clarify - I meant the "e_cblp" field you were asking about. You can put any value in it. "e_magic" of course has to be "MZ".
  18. 1 point
    I really like how you give your approach not as a full tutorial but with explanation instead of only saying "unpacked + file". Thanks you for your explanation !
  19. 1 point
    asking me ? hope @Reza-HNA PM u.
  20. 1 point
    View File VMProtect v3.4.0.1155 Try to unpack or alternatively provide a serial. If there is no solution provided by Saturday 11am (GMT+0) I will attach the same without debugger detection. Protections used: Debugger detection (User-mode + Kernel-mode) Ultra (Mutation + Virtualization) Disabled protections: Virtual Machine Packer Submitter whoknows Submitted 05/20/2020 Category UnPackMe (.NET)  
  21. 1 point

    Version 11.10.2017

    26 downloads

    When using OllyDbg as a portable version (e.g. on an USB stick) there are always problems with the UDD/Plugin path not being set correctly. The features: DLL, which sets Plugins, UDD and win32.hlp paths automatically Dummy export so it's easy to add the DLL to your olly mod Open source Attached is DLL + Source, I hope it's useful for somebody. Feel free to modify to your needs, just credit where you think it's needed. P.S. To add the DLL to your mod: Use CFF explorer to add the import "dummy" (which does nothing) to ollydbg.exe, this will execute the DllMain function (which can be considered illegal) and set the paths in the INI file. OllyPath2.dll must be in the same directory than ollydbg.exe
  22. 1 point
    View File KoiVM Modified (ConfuserEx-Mod-By-Bed 1.4.1) KoiVM is a virtualizing protector for .NET applications, as a plugin of ConfuserEx. ConfuserEx is a open-source protector for .NET applications. It is the successor of Confuser project. This file is protected with KoiVM using; MD5 Hash Check Constants Renamer Anti-Tamper I took KoiVM from https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed (1.4.1) and modified it to make OldRod fail devirt. Submitter 0x72 Submitted 05/20/2020 Category UnPackMe (.NET)  
  23. 1 point
    Civ VI Free on Epic Store https://www.epicgames.com/store/en-US/product/sid-meiers-civilization-vi/home
  24. 1 point
    @Reza-HNA shared the solution through PM, restore body method and decrypt the string.
  25. 1 point
  26. 1 point
    Have to agree with this here. As far as I know, tuts4you is a place for educational content, not a place for showing off. What's the point of sharing just the unpacked binary, other than for bragging rights?
  27. 1 point
    Still around, but not really doing any RE nowadays. :) It truly is weird hearing yourself on video 8 years later..
  28. 1 point
    Okay asked ubbe to make videos public again it should be fine now https://www.youtube.com/user/UbbeLoLHF/videos
  29. 1 point
    Short reply is yes. Of course a Malware Analyser must know more things, not only about reversing.
  30. 1 point
    Thank you for all replies. Is RE a technique that hackers and crackers using it to find security vulnerabilities and crack software? For example, a hacker find a vulnerability like it: https://www.exploit-db.com/shellcodes/48355 Is the author of this exploit did RE to found this vulnerability? I'm thankful if anyone answer me clearly. Thank you.
  31. 1 point
    1.Remove Anti Damp 2.Dump 3.Fix x86 Calls 4.Fix Delegates 5.Fix Calls 6.Constants Decode 7.Remove Fake Attributes 8.Remowe Control Flow 9.Rename Module 10.De4Dot For Rename and Clean Unused Methods Easy >.< Unpack_Me-d_noX86-Cleaned_patched-Cleaned-ConstantDec_fix_nodelegate-Cleaned-cleaned-cleaned.exe
  32. 1 point
  33. 1 point
    There are jobs like security analyst out there too but they are generally protocol oriented with background in cryptography and mathematics. Government agencies in all countries also recruit top talent. Otherwise, as a career choice unless as a malware analyst or software protection analyst or something it's too much of a niche to talk about. I got into RE because I enjoyed the challenge, and liked learning at lower levels or under the hood of how things work. Having a deeper understanding is my style for everything. That shadowy world lurks out there too but it's as organized and controlled as anything. It is a whole package deal to take that route, a lifestyle even. And even then you cant lose sight of what is right and what is wrong and where the laws draw the boundary. Fortunately merely toying around with some RE stuff is not really an issue. Software businesses and RE community have an interesting relationship but it's mostly been win-win despite occasional spats. Best hobby you can have though IMO
  34. 1 point
    If the only reason you want to learn RE is to have a unique skill for your resume/job application, you're very mistaken. Don't even try that. Anyone can learn to write (crappy) JavaScript/PHP/CSS in a few weeks and call himself/herself a "freelance web developer". Not everyone can become a reverse engineer - it requires a specific mindset and dedication. As for job positions, it really depends where you live and what your area of expertise would be. Analyzing malware requires a totally different skillset than finding bugs in hardware chips. Entry level positions usually are paid similarly to entry level developer positions. However, as a developer, you will have a pretty well-defined career path. As a reverse engineer, the path is less defined and really depends on your talent and dedication. It is possible to freelance and make a good living out of it - but again, it depends on your area of expertise. One of the best recent examples that come to mind, is Azeria (https://twitter.com/Fox0x01) - her ARM reverse engineering skills are superb. And there are freelancers who make $100k/year on HackerOne - but that's quite an extreme example. And then there is "dark side" - reverse engineers that work on not-exactly-legit tasks. For example, the entire game hacking industry is based on those. If you're a superstar, the customers will wait in line and the money is great. If you're just starting, you won't be able to make more than few hundred bucks a month - as you'll be competing with hundreds of Indians, Filipinos and Vietnamese in a very crowded market. First step would be to define the area you want to explore. As I mentioned above, reverse engineering hardware chips is totally different from reversing Windows malware. Once you know exactly what you want to learn, it will be much easier to suggest a specific book or course. Hope this helps. kao.
  35. 1 point
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  36. 1 point
    if you understand how vm's works you can devirtualize any .net target. for start you can read saneki's eazdevirt source code. Crackme_2-devirtualized.rar
  37. 1 point

    9 downloads

    A video tutorial on keygenning BadSector CrackMe #1.
  38. 1 point

    9 downloads

    I made a video presenting an interesting keygenme. In this video you can see what is done and how is done to reverse a keygenme. If is too fast please press pause. Steps: 1. Running for the first time the keygenme 2. Detecting protection 3. Unprotecting 4. Analyse of the algo 5. Creating the keygen in VB. NET Express 2010 6. Bug testing 7. Finalising keygen 8. Testing keygen Hope someone will find this useful.
  39. 1 point

    11 downloads

    A Shockwave Flash movie tutorial showing a method of keygenning a simple KeygenMe. Example code is in Delphi.
  40. 1 point
    Hey there, i've been playing with VirusTotal graph since some weeks. Originally i did a graph just for building a landscape of files for ATM Wall, the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But i started to got vicious with VT graph so here is some interesting graphs i did based with VT and kernelmode.info: Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of zeus builders since code leak of v2.0.8.9, contain also few very old builders and some have funny messages inside destined to AV vendors. IceIX World (v1.2.5 and v1.2.6): https://www.virustotal.com/graph/embed/g3e3dfb66d191404593284509fbf9028c5253ee1651ee4da9b24225bf262634bf Citadel World (v1.3.4.5 and v1.3.5.1): https://www.virustotal.com/graph/embed/g1d0637aa096e45b2b1336844fe81e1e286a588fa049a4d529357c0a1d2f1646d Atmos World (v1.01): https://www.virustotal.com/graph/embed/ga7f70bed1f6f4394b4b503b5dcee997c66251a48418b4b3fba03119d3196389e Builders, releases, fews files. SpyEye World: https://www.virustotal.com/graph/embed/g98d5440408854a90b8e5fce2bd4003b40a7295519d5c4e0abe39a470a9fcadb5 Research about plugins are based on the spyeye thread on kernelmode.info, contain a nice timeline of the versioning and most of interesting files i guess. Carberp 'krabs.7z': https://www.virustotal.com/graph/embed/gd6210da59ece445f8e0469a7408a4905126fa5722cdb4b759330e073a29e7429 Files annotation based on kernelmode.info thread again (https://www.kernelmode.info/forum/viewtopic.php?f=16&t=2793), chaos mosaic at the image of the archive. BestAV affiliate: https://www.virustotal.com/graph/embed/g0741bdd40e4b4bc7a4c77e8240de0667f2ea89df4124484b87717ad081f741aa Lot of FakeAV files found with communicating IPs, graph based also on fews posts on kernelmode and also from my personal archive about thoses guys And not related to malware but you can do also funny things: Looking for an ollydbg modification ? https://www.virustotal.com/graph/embed/gd11e600f461c476082159553dadde7ac102288cd74df42d38f84291e97f2263a You have lost your SoftIce CD ? https://www.virustotal.com/graph/embed/g7534bcb28a2a439a8d466f69542374127b54265b605c4589adbf97191a1b0467 a small landscape about dongle piracy https://www.virustotal.com/graph/embed/g035609ac24c94751ae94aef309b6599010d8ccd1549f49f3b8ef7e20febd3f9f
  41. 1 point
  42. 1 point
    password: "viva la revolution" How the password verified? Here, check my entered password against the correct one, both encrypted. Obviously, the encrypted password at RVA 00011054 is 18 characters long. But, what is the encryption or decryption algorithm? Don't dive into that, instead I assume the algorithm is symmetrical. This time, I entered the right length password "123456789012345678". At entry of the subroutine, Ecx=004FF534, we can find the entered password at allocated buffer 008F0000: Copy and paste with the correct cipher password from RVA 00011054: 008F0000 12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F 008F0010 56 2D 2A 00 Run to the end of loop at 01323461, we got: 008F0000 12 76 69 76 61 20 6C 61 20 72 65 76 6F 6C 75 74 .viva la revolut 008F0010 69 6F 6E 00 ion.
  43. 1 point
    Nice... Tutorial Video İs Here.
  44. 1 point
    Finally Fully unpacked! steps i did to unpack: 1. I ran the application and i dumped it. 2. the anti dump got fixed by anti dump fixer. 3. i used my tool to remove all flood calls. 4. Converted all x86 methods to IL with my tool. 5. Decrypted all Constants with my tool. 6. Used de4dot to clean math mutations and junk Nops. 7. manually Removed Protection calls in Module .cctor. 8. Removed all delegates with @CodeExplorer's Delegate remover. 9. Cleaned junk nops with De4dot again. 10. Removed Proxy calls with TheProxy's Proxy call remover 11. Manually removed all fake/junk classes, attributes, and etc. 12. Renamed functions, methods, assembly, and etc. 13. Manually removed cflow (dont have good cflow remover xd) if you're asking for the rest of the files that are barely unpacked to study it, just reply xd. File: ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe
  45. 1 point
    Heres ilprotector removed Unpackme_dump_bodyRestored.exe
  46. 1 point
    Run the unpacker in netbox 4.0 :
  47. 1 point
    Can't you repost this challenge but with x64 version of vmp? (If you are struggling finding such a version pm-me)
  48. 1 point

    Version 1.0.0

    47 downloads

    Hello friends. I try to prepare a classic logo for the forum. -Feel free to use in your projects or documents. I hope you will like it. note:Source file only xcf format. for GIMP. sory for photoshop users. Detailed previw ( click to support button in forum page.)
  49. 1 point
    Perhaps It was about time I should share my tool with you guys. This is a Debugger and Devirtualizer for VMP virtualized code. Notice that When I mean devirtualizer, I mean it shows what machine instructions it executes (not the actual x86 original code). Allows you to debug and place breakpoints. Please try it, and if you like it, please develop it further. Confused? Read the intro.txt file and try to follow the example. VMPDBG_0_1_0_SRC.zip
  50. 1 point
    Frankly speaking, it's a challenging experiment I've never done before. I decided to take a try.On the WM_INITDIALOG message, a thread of which the lpStartAddress is 00401233 was created. The ThreadProc takes care of all the VK_1 ~ VK_7 keystrokes. This thread function itself is a loop, exits if user32.EndDialog flag set. vKey Functions00401259 E8 9F000000 CALL 004012FD ; VK_10040126F E8 E9000000 CALL 0040135D ; VK_200401285 E8 3F010000 CALL 004013C9 ; VK_30040129B E8 95010000 CALL 00401435 ; VK_4004012B1 E8 EB010000 CALL 004014A1 ; VK_5004012C7 E8 41020000 CALL 0040150D ; VK_6004012E0 E8 94020000 CALL 00401579 ; VK_7004012FD E9 24850000 JMP 004098260040135D E9 4F9B0000 JMP 0040AEB1004013C9 E9 2BC30000 JMP 0040D6F900401435 E9 3CD40000 JMP 0040E876004014A1 E9 C26B0000 JMP 004080680040150D E9 CD7E0000 JMP 004093DF00401579 E9 A9730000 JMP 00408927You can see, all jumps go to the ".vmp0" section, which means these functions are mutated or virtualized. Let's dive into several subroutines to look for something fun. As HellSpider stated, "most of the virtualized blocks of code are quite similar with each other." Procedures almost the same, call user32.wsprintfA to get the message and user32.MessageBoxA to display it. We focus mainly on how the "Control value" generated and on different features in the subroutine. ************* 004012FD VK_1 ************* Control Value: 0x04E6509A This part is for mutation demo, relative ease. Lots of branches VMProtect produced. Basically, all forks do identical operation, the result can be reached simply by tracing the main routine only. After demutation, the equivalent asm instructions look like: 004012FD C8 000100 ENTER 0x100, 0x000401301 60 PUSHAD00401302 9C PUSHFD00401303 BB 06000000 MOV EBX, 0x600401308 B8 E1020000 MOV EAX, 0x2E10040130D 33D2 XOR EDX, EDX0040130F F7FB IDIV EBX ; 05:7A00401311 83C2 03 ADD EDX, 0x3 ; 0800401314 92 XCHG EAX, EDX00401315 33C2 XOR EAX, EDX ; 7200401317 33D2 XOR EDX, EDX ; <- this seems useless00401319 69C0 B5000B00 IMUL EAX, EAX, 0xB00B5 ; 04E6509A0040131F 8D5C24 24 LEA EBX, [ESP+0x24]00401323 50 PUSH EAX ; Control value00401324 68 03214000 PUSH 0x402103 ; ASCII "VMProtect Mutation block has been executed!",CR,LF,CR,LF,"Control value: 0x%08X"00401329 53 PUSH EBX ; lpOut0040132A E8 E7020000 CALL 00401616 ; <JMP.&user32.wsprintfA>0040132F 83C4 0C ADD ESP, 0xC00401332 6A 40 PUSH 0x40 ; uType, combination of flags: MB_OK|MB_ICONASTERISK|MB_APPLMODAL00401334 68 5C204000 PUSH 0x40205C ; Title = "DevirtualzeMe"00401339 53 PUSH EBX ; Text: the message to be displayed0040133A FF75 08 PUSH DWORD PTR [EBP+0x8] ; hWnd of owner0040133D E8 F2020000 CALL 00401634 ; <JMP.&user32.MessageBoxA>00401342 9D POPFD00401343 61 POPAD00401344 C9 LEAVE00401345 C2 0400 RETN 0x4It can be considered as a template of the rest subroutines, only the algorithms of Control Value are different from each other. The only doubt here is Control Value algo. What is the mutation? "replacing the source instruction with its analog (or a certain instruction sequence), which gives the same result as the source instruction.", VMProtect officially claimed. So, I'm not very sure whether the control value algo does exist. Maybe the control value just PUSHed out there. It's hard to say, need HellSpider to confirm this.Note: the above patch works only when key '1' pressed, never stroke other number key, it crashes certainly. This area is full of the VM interpreter/handler code. ************* 0040135D VK_2 ************* Control Value: 0x0546416E Algorithm: 0000281B (= 00000009 ^ 00002812)0000281B ROR 3 = 60000503Low Byte 03 ^ 45(IMM) = 4660000546 SHL 10 = 0546000005460000 | 416E = 0546416EThis function is simply virtualized without additional options. Again, similar to mutation, it's also difficult to identify the primitive constants used in a target before getting protected. The only thing I can do is to guess from the hardcode immediates in this portion of virtualized bytecode. This part roughly covers 0x229 virtual machine instructions, not so complicated. ************* 004013C9 VK_3 ************* Control value: 0x0D619F21 Since virtualized with the "VM integrity check option", it's much sophisticated than the above. It's a painful journey, you’re gonna get brain-burned from this stuff!We trace the Control Value first. Here is an excerpt of virtual instructions executed for the Control Value calculation: HIWORD------StepNum. vEIP vOpcode Operand-------- ---- ------- -------000000C1 00407674: vPushImm4 8D175218000000C2 0040766F: vPushImm4 0040849E000000C3 0040766A: vPushImm4 ABD7E33F000000C4 00407665: vPushImm4 0040A816000000C5 00407660: vReadMemDs4 54281CC8 = [0040A816]000000C6 0040765F: vAdd4 54281CC8 + ABD7E33F = 00000007000000C8 0040765C: vPopReg4 vR1 00000007000000C9 0040765A: vReadMemDs4 72E8B450 = [0040849E]000000CA 00407659: vAdd4 72E8B450 + 8D175218 = 00000668000000CC 00407656: vPopReg4 vR14 00000668 dw [0040A816] = 54281CC8 + IMM32 ABD7E33F = 00000007 dw [0040849E] = 72E8B450 + IMM32 8D175218 = 00000668000000EE 0040761E: vIdiv4 00000000 00000668 / 00000007 = Q000000EA R00000002000001A7 004088E2: vAdd4 000000EA + 00000007 = 000000F10000029F 004088E2: vAdd4 000000EA + 000000F1 = 000001DB000003A3 00407FF9: vPushImm1 00000059000003A5 00407FF2: vPushImm4 80F30437000003C0 00407FB5: vReadMemDs4 7F0D323A = [00409269]000003C1 00407FB4: vAdd4 7F0D323A + 80F30437 = 00003671 dw [00409269] = 7F0D323A + IMM32 80F30437 = 00003671000003C4 00407FAF: vNand4 000001DB ~& 00003671 = FFFFC804000003C8 00407FAA: vNand4 FFFFC804 ~& FFFFC804 = 000037FB => 000001DB | 00003671 = 000037FB000003CB 00407FA5: vReadMemDs1 000000A9 = [0040882C]000003CC 00407FA4: vAdd1 000000A9 + 00000059 = 00000002 <- shift count b [0040882C] = A9 + IMM 59 = 02000003D1 00407F9D: vShrd 000037FB 000037FB >> 00000002 = C0000DFE 000037FB shrd 02 = C0000DFE <- *** byte3 0x0D shows up000003D4 00407F98: vPushImm1 00000059 IMM 59000003D5 00407F96: vPushImm4 0040862E000003D6 00407F91: vReadMemDs1 00000046 = [0040862E] b [0040862E] = 46000003D7 00407F90: vPushImm1 0000006F000003D8 00407F8E: vPushImm4 0040ADD1000003D9 00407F89: vReadMemDs1 000000A1 = [0040ADD1] b [0040ADD1] = A1000003DA 00407F88: vPushImm2 00006D8A000003DB 00407F85: vPushImm4 00410569000003DC 00407F80: vPushImm1 00000074 IMM 74000003DD 00407F7E: vPushImm4 0040BFD3000003DE 00407F79: vReadMemDs1 000000EC = [0040BFD3] b [0040BFD3] = EC + IMM8 74 = 60000003DF 00407F78: vAdd1 000000EC + 00000074 = 00000060000003E1 00407F75: vPushReg1 vR13LB 000000FE here vR13=C0000DFE(Step #000003D1)000003E2 00407F73: vPushReg1 vR13LB 000000FE000003E3 00407F71: vNand1 000000FE ~& 000000FE = 00000001000003E4 00407F70: vPopReg4 vR0 00000202000003E5 00407F6E: vNand1 00000001 ~& 00000060 = 0000009E000003E6 00407F6D: vPopReg4 vR0 00000282000003E7 00407F6B: vPushImm1 000000C9000003E8 00407F69: vPushImm4 00407567000003E9 00407F64: vReadMemDs1 000000D6 = [00407567]000003EA 00407F63: vAdd1 000000D6 + 000000C9 = 0000009F b [00407567] = D6 + IMM8 C9 = 9F000003EB 00407F62: vPopReg4 vR10 00000287000003EC 00407F60: vPushReg1 vR13LB 000000FE000003ED 00407F5E: vNand1 000000FE ~& 0000009F = 00000000000003EE 00407F5D: vPopReg4 vR7 00000246000003EF 00407F5B: vNand1 00000000 ~& 0000009E = 00000061 => 9F ^ FE = 61 <- *** byte2000003F0 00407F5A: vPopReg4 vR1 00000202000003F1 00407F58: vPopReg1 vR13LB 00000061 now vR13=C0000D61000003F2 00407F56: vReadMemDs2 00009276 = [00410569]000003F3 00407F55: vAdd2 00009276 + 00006D8A = 00000000000003F4 00407F54: vPopReg4 vR1 00000257000003F5 00407F52: vPushReg2 vR13LW 00000D61000003F6 00407F50: vPopReg4 vR1 00000D61000003F7 00407F4E: vAdd1 000000A1 + 0000006F = 00000010 b [0040ADD1] = A1 + IMM8 6F = 10 <- shift count000003F8 00407F4D: vPopReg4 vR10 00000213000003F9 00407F4B: vPushReg4 vR1 00000D61000003FA 00407F49: vShl4 00000D61 << 00000010 = 0D610000000003FB 00407F48: vPopReg4 vR5 00000206000003FC 00407F46: vPopReg4 vR0 0D610000 <- *** HIWORDLOWORD------000003FD 00407F44: vAdd1 00000046 + 00000059 = 0000009F b [0040862E] = 46 + IMM8 59 = 9F <- *** byte1000003FE 00407F43: vPushImm1 00000098000003FF 00407F41: vPushImm4 0040921D00000400 00407F3C: vReadMemDs1 00000089 = [0040921D] b [0040921D] = 89 + IMM8 98 = 21 <- *** byte000000401 00407F3B: vAdd1 00000089 + 00000098 = 0000002100000402 00407F3A: vPopReg4 vR10 00000A1700000403 00407F38: vPopReg1 vR0LB 00000021 now, vR0=0D61002100000404 00407F36: vPopReg4 vR10 00000A8600000405 00407F34: vPopReg1 vR0HB 0000009F now, vR0=0D619F21At this point we already have 0x405 steps, not yet including the two API calls. The computation process can be summarized and simplified as: 00000668 IDIV 00000007 => Quotient: 000000EA, Remainder: 00000002000000EA * 2 + 00000007 = 000001DB000001DB | 00003671 = 000037FB000037FB ROR 00000002 = C0000DFEC0000DFE ^ 9F = C0000D61C0000D61 SHL 00000010 = 0D6100000D610000 | 9F21 = 0D619F21The very important concept "VM integrity check" in VMProtect appears in the second half of virtualized code. There is an integrity check table. Each record in the table has a size of 9 bytes: DWORD - encrypted checking address RVABYTE - checking lengthDWORD - negative of the Valid HashChecking procedure: 1) generating a random number by vRdtsc handler 2) modulus operating the total records count of the table 3) multiplying it by the record size, got record offset in the table 4) decrypting address RVA in the record 5) computing the Hash by getHash(vCheck) handler 6) the result Hash + Valid Hash(NEG) + return address of vRet HandlerNoted here, the last step is the so-called "Silent Check"! No comparison, just a ADD operation! This implies that, if the integrity check failed, vRet will be lead to some unknown address, finally causing the application crash. Virtual instructions of this block: 00000444 00407EAC: vRdtsc 0000107E:804F0139 only LOWORD used00000451 00407E94: vNand2 32AA ~& FEC6 = 0111 ~32AA & 0139 = 011100000459 00407E83: vNand2 CDF1 ~& 0139 = 32060000045B 00407E80: vNand2 3206 ~& 0111 = CCE800000464 00407E6D: vDiv2 CCE8 / 002D = Q 048D R 001F CCE8 % 2D0000046B 00407E5E: vMul2 001F * 0009 = 00000117 idx * size = record ptr0000047B 00407E3A: vAdd4 0040642A + 00000117 = 00406541 offset in table0000048B 00407E17: vReadMemDs1 000000FA = [00406545] length: FA...000004C9 00407D95: vAdd4 B6B2EBF7 + 494D6A88 = 0000567F Offset RVA000004D0 00407D84: vAdd4 00400000 + 0000567F = 0040567F +Modulebase...000004D5 00407D7C: vCheck offset: 0040567F, length: 000000FA, Hash: A7563B85000004DE 00407D68: vReadMemDs4 58A9C47B = [00406546] NEG Hash stored in table000004DF 00407D67: vAdd4 58A9C47B + A7563B85 = 00000000 SHOULD BE ZERO!!!000004E0 00407D66: vPopReg4 vR3 00000257000004E1 00407D64: vAdd4 00000000 + 00401616 = 00401616 <- *** Silent Check000004E2 00407D63: vPopReg4 vR9 00000202 Address SHOULD BE Call user32.wsprintfA!!!000004E3 00407D61: vPushReg4 vR5 00000206000004E4 00407D5F: vPushReg4 vR0 0D619F21000004E5 00407D5D: vPushReg4 vR8 00000000000004E6 00407D5B: vPushReg4 vR2 00400000000004E7 00407D59: vPushReg4 vR15 000000EA000004E8 00407D57: vPushReg4 vR10 00C2FE84000004E9 00407D55: vPushReg4 vR7 00406541000004EA 00407D53: vPushReg4 vR4 004121F0000004EB 00407D51: vPushReg4 vR11 00C2FFA8000004EC 00407D4F: vPushReg4 vR0 0D619F21000004ED 00407D4D: vPushReg4 vR9 00000202000004EE 00407D4B: vRet 00401616 | <JMP.&user32.wsprintfA> [esp+00]: 0040E362 return address after call [esp+04]: 00C2FE84 out buffer [esp+08]: 004021A2 ASCII "VMProtect Virtualization (+ VM integrity check) block has been executed!",CR,LF,CR,LF,"Control value:..." [esp+0C]: 0D619F21 Control valueRandom Memory Check Table-------------------------Table address: 0040642A, Items: 0000002DItem. Offset <- Decrypt Length Hash Read <- NEG Hash Calc.#00000001: 00401302|BA017BA2 00000057 516DF676|AE92098A 516DF676#00000002: 00401362|BA0D7BA2 00000065 3290E84D|CD6F17B3 3290E84D...#00000020: 0040567F|B3B11BA2 000000FA A7563B85|58A9C47B A7563B85...#0000002C: 00406226|B025FBA2 000000FB 3C31C786|C3CE387A 3C31C786#0000002D: 00406321|B0055BA2 000000F6 A19E32E3|5E61CD1D A19E32E3Decrypt Algo. for Offset RVA: shrd 1F, ~, ++, shld 12, ~, ^6BA308FF, +B6B2EBF7Thereafter, the "VM Integrity Check" performed two times, each just before calling user32.MessageBoxA and vRet to return address of VK_3 subroutine.Have fun, see you.MistHill
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...