Leaderboard

My previous video link is dead. Here below you can watch how to use my plugin.

DNGuard HVM IS the strongest so far. PVLOG dotNet Protector although it's a bit old is another beast, at least for me.

Sir i created those tools. And took some references from JitUnpacker https://github.com/wwh1004/JitUnpacker-Framework

Up!

Server is up , woth better uplink !Use webdav client. like WinSCP host : https://eddynet.cz:9865 u: learn p: 4EKS9umUYme3WAZrC

Why? I don't depend on anyone.

https://www.youtube.com/watch?v=4G9jc5zD6K0

1. get your fasm 2. open .asm in FASMW.EXE and build it (CTRL+F9) we done

Use version.ASM to load your dll. compile with fasm.

I have already conducted testing before, and if you compile the 32-bit plugin according to the original source code provided here (https://bbs.kanxue.com/thread-282244.htm). Original 32-bit (Imperfect Version).zip This plugin is effective on Win7 x64 SP1; But it fails in Win10/11 x64. e.g. VMP_3.8.7_x86_32-bit.vmp.exe Win7 x64 SP1 √ Win10 x64 × Win11 x64 × By recompiling the 32-bit plugin according to the modified code provided by karan, the above issue has been resolved. The revised and recompiled complete version is now uploaded as follows, and has been tested to be effective in Win7/10/11 x64. ScyllaHide_2024_x86_x64_v0.002.zip

I tested the original author's code and found that it doesn't seem to bypass the protection properly on x86 systems. VMProtect does not appear to search through the entire Export Table to find the desired function. So, I modified the code to overwrite the last export function of ntdll.dll with wine_get_version and then place the original function right after it. As a result, the bypass worked successfully! void AddWineFunctionName(HANDLE hProcess) { BYTE* remote_ntdll = (BYTE*)GetModuleBaseRemote(hProcess, L"ntdll.dll"); if (!remote_ntdll) return; SIZE_T readed = 0; IMAGE_DOS_HEADER dos_header; ReadProcessMemory(hProcess, remote_ntdll, &dos_header, sizeof(IMAGE_DOS_HEADER), &readed); if (dos_header.e_magic != IMAGE_DOS_SIGNATURE) return; IMAGE_NT_HEADERS pe_header; ReadProcessMemory(hProcess, (BYTE*)remote_ntdll + dos_header.e_lfanew, &pe_header, sizeof(IMAGE_NT_HEADERS), &readed); if (pe_header.Signature != IMAGE_NT_SIGNATURE) return; DWORD export_adress = pe_header.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; if (!export_adress) return; DWORD export_size = pe_header.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; BYTE* new_export_table = (BYTE*)VirtualAllocEx(hProcess, remote_ntdll + 0x1000000, export_size + 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); IMAGE_EXPORT_DIRECTORY export_directory; ReadProcessMemory(hProcess, remote_ntdll + export_adress, &export_directory, sizeof(IMAGE_EXPORT_DIRECTORY), &readed); BYTE* tmp_table = (BYTE*)malloc(export_size + 0x1000); if (tmp_table == nullptr) return; // Copy functions table BYTE* new_functions_table = new_export_table; ReadProcessMemory(hProcess, remote_ntdll + export_directory.AddressOfFunctions, tmp_table, export_directory.NumberOfFunctions * sizeof(DWORD), &readed); WriteProcessMemory(hProcess, new_functions_table, tmp_table, export_directory.NumberOfFunctions * sizeof(DWORD), &readed); g_log.LogInfo(L"[VMPBypass] new_functions_table: %p", new_functions_table); // Copy ordinal table BYTE* new_ordinal_table = new_functions_table + export_directory.NumberOfFunctions * sizeof(DWORD) + 0x100; ReadProcessMemory(hProcess, remote_ntdll + export_directory.AddressOfNameOrdinals, tmp_table, export_directory.NumberOfNames * sizeof(WORD), &readed); WriteProcessMemory(hProcess, new_ordinal_table, tmp_table, export_directory.NumberOfNames * sizeof(WORD), &readed); g_log.LogInfo(L"[VMPBypass] new_ordinal_table: %p", new_ordinal_table); // Copy name table BYTE* new_name_table = new_ordinal_table + export_directory.NumberOfNames * sizeof(WORD) + 0x100; ReadProcessMemory(hProcess, remote_ntdll + export_directory.AddressOfNames, tmp_table, export_directory.NumberOfNames * sizeof(DWORD), &readed); WriteProcessMemory(hProcess, new_name_table, tmp_table, export_directory.NumberOfNames * sizeof(DWORD), &readed); g_log.LogInfo(L"[VMPBypass] new_name_table: %p", new_name_table); free(tmp_table); tmp_table = nullptr; // Setup new name & name offset BYTE* wine_func_addr = new_name_table + export_directory.NumberOfNames * sizeof(DWORD) + 0x100; WriteProcessMemory(hProcess, wine_func_addr, "wine_get_version\x00", 17, &readed); DWORD wine_func_offset = (DWORD)(wine_func_addr - remote_ntdll); WriteProcessMemory(hProcess, new_name_table + export_directory.NumberOfNames * sizeof(DWORD), &wine_func_offset, 4, &readed); // Set fake ordinal WORD last_ordinal = export_directory.NumberOfNames; WriteProcessMemory(hProcess, new_ordinal_table + export_directory.NumberOfNames * sizeof(WORD), &last_ordinal, 2, &readed); // Get address of GetCurrentTeb function to be placed after the new function BYTE* get_current_teb = reinterpret_cast<BYTE*>(GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCurrentTeb")); DWORD get_current_teb_offset = (DWORD)(get_current_teb - remote_ntdll); // Set new function address (wine_get_version) and GetCurrentTeb function address DWORD new_function_offset = get_current_teb_offset; WriteProcessMemory(hProcess, new_functions_table + export_directory.NumberOfFunctions * sizeof(DWORD), &new_function_offset, 4, &readed); // Setup new directory export_directory.NumberOfNames++; export_directory.NumberOfFunctions++; DWORD name_table_offset = (DWORD)(new_name_table - remote_ntdll); export_directory.AddressOfNames = name_table_offset; DWORD function_table_offset = (DWORD)(new_functions_table - remote_ntdll); export_directory.AddressOfFunctions = function_table_offset; DWORD ordinal_table_offset = (DWORD)(new_ordinal_table - remote_ntdll); export_directory.AddressOfNameOrdinals = ordinal_table_offset; // Change the offset of header data DWORD old_prot; VirtualProtectEx(hProcess, remote_ntdll + export_adress, sizeof(IMAGE_EXPORT_DIRECTORY), PAGE_EXECUTE_READWRITE, &old_prot); WriteProcessMemory(hProcess, remote_ntdll + export_adress, &export_directory, sizeof(IMAGE_EXPORT_DIRECTORY), &readed); VirtualProtectEx(hProcess, remote_ntdll + export_adress, sizeof(IMAGE_EXPORT_DIRECTORY), old_prot, &old_prot); } I confirmed that my Windows 10 version works fine. cheers! ScyllaHide_x86.zip

try learning x64dbg script 👍 DeleteBPX bp VirtualProtect SetBreakpointCommand VirtualProtect, "vtp" erun vtp: rtr 2 step rtu step find cip,"E9EF" cmp $result,0 je ER bp $result erun bc sti sto 8 sti memset cip+19603, EB,1//bypass cmp to jmp log "OEP:{a@cip}" mov 1004A8D64, #62 6F 6E 00#//set caption run exit ER:

.DLL Hijack bypass all protect 😁 bb2018.dll = Patcher version.dll = loader Hook Api = Bypasser First, use x64dbg debug to find patch points. Change from 84 to FE. First, we need to find the module .dll will notice that there.A lot of dlls, but I'm going to use version.dll. Example Code Patch : DWORD64 MR.BB2018 = Module + (DWORD64)0x2F931; // rva Patch PVOID rva1 = reinterpret_cast<PVOID>(MR.BB2018); BYTE rva2[] = { 0xFE }; WriteProcessMemory(hProcess, rva1, rva2, sizeof(rva2), NULL); Tools : X64dbg : https://github.com/x64dbg/x64dbg/releases Visualstudio : https://learn.microsoft.com/en-us/visualstudio/releases/2019/release-notes hijack dll Source Code Generator. support x86/x64 : https://github.com/strivexjun/AheadLib-x86-x64/releases/tag/1.2 I'm still naive about the reverse. If it's a mistake, apologize. 😁

@collins: apparently h4sh3m deleted it. Copy attached. version.rar

Hi, The steps I take for unpack this: 1. Change HWID. I used LCF-AT's script from here 2. VM Fixing and OEP Rebuilding. I used LCF-AT's script from here. 3. File Optimizing. I used SHADOW_UA's method from here. Unpacked files: here Salam.

Double checked your icon and it looks to be head banging... Ted.