EvOlUtIoN Posted November 4, 2010
Here it is an unpackme with maximum VMProtect protection. It also has a boxed dll, which should be a good and never seen target to unpack. Good luck.
VMProtector_2.06_unpackme.rar
LCF-AT Posted November 4, 2010
Hi EvOlUtIoN, hmmmm nice. Thank you for creating this new UnpackMe version. Exe & temp dll file. Ok, I got the exe unpacked and it works [+ with "maybe" message & without Exit / Button working] + AntiDump. Now I also have the boxed.dll which I need to unpack. So the only problem I have at the moment is the dll CRC check. You know, the "file corrupted" message, so this I need to find now. Til later. greetz
Teddy Rogers Posted November 4, 2010
The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
EvOlUtIoN (Author) Posted November 5, 2010
I knew you'd like it! Just make all possible to have it working, no more and no less. You are also not forced to unpack the boxed dll; feel free to make everything work just like the packed one. Sorry for completely virtualizing the content of the code section, but the code was very poor, so a master like you for sure has no problem with it. PS: How did you fix the CPUID antidump in this new version? I still miss it.
LCF-AT Posted November 5, 2010
Hi EvO, yes I like it and this DLL thing is also new for me. Never seen this before in any VMP target. Yes, I got this DLL too, which I have dumped [no normal dumping] at the EP, but I can not find this CRC check in the DLL at the moment. So now I tried to dump the DLL at the OEP, but the problem there is now.... where is the DLL OEP!? The whole DLL is one section in memory and I find just the DlgProc & ExitAll, and my DLL OEP is set on the DlgProc 1024 RVA, but this is wrong. The dll also uses an AntiDump check. Maybe you can tell me where the DLL OEP is, then I can also test whether my DLL is working or not. Ok, I see the main app is breaking on one CPUID command. I also have no 2nd OS where I can test it to see whether it is necessary to patch something here or not. So now I first created 2 unpacked files: one normal and one where I have patched the CPUID at 0046A790 [jmp xxx, you will see it]. No idea whether it's working or not, so just test both files and tell me the results.

0046A78E CPUID
0046A790 CMP SI,0EACD
0046A795 CMP AH,85
0046A798 SUB EBP,0C
0046A79B PUSHAD
0046A79C CMP DWORD PTR SS:[EBP+C],1

PS: So if it starts then you also get the "maybe you forgot..." message and OK [exit] does not work. Maybe I can find the DLL OEP, then I can send you the DLL too, or you tell me the DLL OEP to test my DLL. greetz
2x_VMProtector_2.06_Unpacked_Test_Files.rar
Syntax Posted November 5, 2010
VMProtector_2.06_U+CPUID.exe = Works with "maybe you forgot..." message and OK [exit] does not work.
VMProtector_2.06_U.exe - Not working (Crashes)
Tested in XPSP3.
LCF-AT Posted November 5, 2010
@ (*_*) Ah very good, and thanks for testing and the info. So it seems that I have patched the CPUID right. greetz
vinnie Posted November 6, 2010
Seems like getting the main exe unpacked is not too hard, but to get the boxed.dll to still export functions for the OK button to close the app properly seems very hard (well, for me anyway). I hope someone does unpack it and writes a tut.
EvOlUtIoN (Author) Posted November 6, 2010
Well ok, your patched file is perfectly working here. Congratz LCF-AT. Of course I will wait for the dll to be unpacked. It is not hard because there is little code, so you can for sure find the OEP by yourself, also because it is simpler than you think.
LCF-AT Posted November 6, 2010 (edited)
Hi, ah ok. So I have checked the dll a little bit and I see it hooks the internal API.

0012FB28 004D5E3C /CALL to LoadLibraryA
0012FB2C 00403000 \FileName = "boxed.dll"

00B38732 PUSHFD ; boxed EP

00446373 MOV DWORD PTR DS:[EAX],EDX
EDX=00400000 (Kopie_vo.00400000)
DS:[00403050]=00400000 (Kopie_vo.00400000)

00464742 MOV DWORD PTR DS:[EAX],EDX ; 2
EDX=00B01024 (boxed.00B01024)
DS:[00403054]=00B01024 (boxed.00B01024)

00448C2E MOV EAX,DWORD PTR DS:[EAX]
DS:[00B01024]=0167A5E9
EAX=00B01024 (boxed.00B01024)

77D13A5C CALL DWORD PTR SS:[EBP+8] ; boxed.00B01024

00B01024 JMP 00B177CE ; DlgProc 1 export
00B01029 PUSH DWORD PTR SS:[ESP+44]
00B0102D POPFD
00B0102E PUSH ESI
00B0102F PUSH 514D555C
00B01034 LEA ESP,DWORD PTR SS:[ESP+50]
00B01038 JMP 00B0E1E7
00B0103D JMP 00B0D5DD
00B01042 CALL 00B0C51A
00B01047 JECXZ SHORT 00B0101A
00B01049 JMP 00B177BE ; ExitAll 2 export
00B0104E PUSHFD
00B0104F MOV DWORD PTR SS:[ESP+8],EDX
00B01053 JMP 00B0809B
00B01058 MOV CX,CS
00B0105A CALL 00B1685B
00B0105F CALL FAR 0000:00000000

00464742 MOV DWORD PTR DS:[EAX],EDX ; 2
EDX=00B01049 (boxed.00B01049)
DS:[00403054]=00B01049 (boxed.00B01049)

0012FFBC 004A6790 /CALL to ExitProcess from VMProtec.004A678B
0012FFC0 00000001 \ExitCode = 1

Switching loops. Maybe the OEP is the same, like:

push 0
call GetModuleHandleA
jmp xxxxxx

Seems to be still a bit tricky, or I am thinking wrong.

EDIT: I still can't find the DLL OEP. Now I have the DLL + AntiDump & CPUID too, but no OEP. Can you give a hint about the OEP address? greetz
Edited November 7, 2010 by LCF-AT
EvOlUtIoN (Author) Posted November 7, 2010
OEP of dll: in this case you can do several things. One is to think a little about the position of the exported functions and where the OEP probably can be. The other is to rebuild yourself a simple, typical OEP of a dll. A hint can be that I wrote it using a standard WinAsm template and removed all procedures from DLL_PROCESS_ATTACH etc., so the OEP is completely alone.
LCF-AT Posted November 7, 2010
Hi Evo, ah ok, and thanks for the info, so now I have created the DLL OEP like this.

021F1070 <> PUSH EBP
021F1071 MOV EBP,ESP
021F1073 MOV EAX,DWORD PTR SS:[EBP+8]
021F1076 MOV DWORD PTR DS:[IBStore],EAX
021F107B MOV EAX,1
021F1080 LEAVE
021F1081 RETN 0C

But I forgot one thing!!! So in the main app I get the dll imagebase of 00B00000 and with the unpacked file I get another imagebase, and the xyz addresses do not match the VMP code. So is there a way to give this DLL a static imagebase of 00B00000 too? If not, then I have to unpack the DLL again, and this time I have to try to give the dll an imagebase of 10000000 if possible. Ok, I try to go on. greetz
-Alex- Posted November 7, 2010 (edited)
PE Tools -> Preferences -> PE Rebuilder -> check the option "Change ImageBase to:" -> 00B00000
Then rebuild the dll, and you should be done.
Alex
Edited November 7, 2010 by -Alex-
LCF-AT Posted November 7, 2010
Thanks for this info -Alex-, but this does not work in this dll. Also, my unpacked main exe already has a big virtual size -- address 400000 - 01D27FFE. So it's clear now why the dll does not get the imagebase of 00B00000: it's already used by my target. So I need to unpack all again, and this time I have to handle the used size better. I also tried to redirect the allocated address for the dll and changed it to a higher address, but then the target makes some trouble. I try it again. greetz
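The image-base conflict described in the two posts above (the unpacked exe spanning 00400000 - 01D27FFE already covers the DLL's preferred base 00B00000, so the loader has to relocate the DLL) can be checked directly from the PE headers before rebuilding anything. The Python script below is an added example, not code from this thread or from PE Tools; it parses ImageBase, SizeOfImage, the DYNAMIC_BASE flag and the base-relocation directory of a PE32 file, and reports whether a DLL's preferred range collides with the exe's. The header-only images it builds are constructed for the example, and the DLL size of 0x20000 is an assumption; the exe range and the bases 00B00000 / 023C0000 are the values from the thread.

```python
import struct

# Fixed offsets from the PE/COFF specification (PE32, i.e. 32-bit images).
DOS_E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
OPT_MAGIC_PE32 = 0x10B
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def parse_pe32(data: bytes) -> dict:
    """Read the fields that decide where a PE32 image can be loaded."""
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != OPT_MAGIC_PE32:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    reloc_rva = reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        "image_base": image_base,
        "size_of_image": size_of_image,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # Without a relocation directory the image can only run at image_base.
        "relocatable": reloc_size != 0,
    }


def ranges_overlap(base_a: int, size_a: int, base_b: int, size_b: int) -> bool:
    """True when [base_a, base_a+size_a) and [base_b, base_b+size_b) intersect."""
    return base_a < base_b + size_b and base_b < base_a + size_a


def load_verdict(exe: dict, dll: dict) -> str:
    """Say whether the DLL will land at its preferred base next to this exe."""
    if not ranges_overlap(exe["image_base"], exe["size_of_image"],
                          dll["image_base"], dll["size_of_image"]):
        return "preferred base free"
    if dll["relocatable"]:
        return "collides with exe: loader will relocate the DLL"
    return "collides with exe and DLL has no relocations: load fails"


def build_min_pe32(image_base: int, size_of_image: int, with_reloc: bool) -> bytes:
    """Constructed header-only PE32 image, enough for parse_pe32 to read."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, DOS_E_LFANEW_OFFSET, 0x80)
    buf[0x80:0x84] = PE_SIGNATURE
    coff = 0x84
    struct.pack_into("<H", buf, coff, IMAGE_FILE_MACHINE_I386)
    struct.pack_into("<H", buf, coff + 16, 224)      # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", buf, opt, OPT_MAGIC_PE32)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    struct.pack_into("<I", buf, opt + 92, 16)         # NumberOfRvaAndSizes
    if with_reloc:                                    # constructed .reloc entry
        struct.pack_into("<II", buf, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                         0x3000, 0x40)
    return bytes(buf)


# Values from the thread: exe occupies 00400000 - 01D27FFE (size derived from that),
# DLL preferred at 00B00000, later rebased to 023C0000. DLL size is assumed.
EXE_IMAGE = build_min_pe32(0x00400000, 0x01D27FFF - 0x00400000, False)
DLL_AT_B00000 = build_min_pe32(0x00B00000, 0x20000, True)
DLL_AT_23C0000 = build_min_pe32(0x023C0000, 0x20000, True)


def check_thread_case() -> tuple:
    exe = parse_pe32(EXE_IMAGE)
    return (load_verdict(exe, parse_pe32(DLL_AT_B00000)),
            load_verdict(exe, parse_pe32(DLL_AT_23C0000)))


if __name__ == "__main__":
    for verdict in check_thread_case():
        print(verdict)
```

The script only needs the first 0x200 bytes of each file, so on a real target it can be fed `open(path, "rb").read(0x200)` for the exe and the DLL. The useful part is the verdict: if a DLL's preferred range is covered by the exe and the DLL has no relocation directory (typical for dumps that were rebuilt without .reloc), the loader cannot place it at all, which is the situation that forces either a free static base or a fresh unpack at a base above the exe.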
LCF-AT Posted November 8, 2010
Hi, ok, now I got the DLL with a high imagebase on the next fresh dll unpack. Now the exe & DLL are working together. Ok, I upload again 2 files [DLLs] which are the same except for the CPUID patching.

boxed.dll
-------------
Yes_CPUID_boxed.dll
NO_CPUID_boxed.dll
Info: Just remove the Yes_CPUID_ or NO_CPUID_ in the name and then test.
-------------

I don't know whether the CPUID patch is also needed in this dll or not, so this is the reason why I send 2 dll files which you can both test with my exe files from the other post. I also see 2 differences. If I run my CPUID-patched dll with the CPUID-patched exe file then it starts, but after a short time I get some kind of integrity check [ExeCryptor style] and the target closes. It does not happen always, but too often. So I think I have patched the CPUID a little bit wrong.... but I can not test it under another OS to find the exact reason for this problem at the moment. So both files, exe & dll without CPUID patching, are working 1A without any problems. So just try to run the exe a few times if you get starting problems.

@ EvO So that's all for the moment that I can do. I hope that the dll is working now. So there was nothing to fix [APIs] inside this dll. If you have 2 OS then you can check the CPUID problem and check what is wrong there, and also what is necessary to patch there and what not. The dll CPUID patch you can see at 023C10A0 / 2 times.

PS: DLL ImageBase is 023C0000, so this should work now without getting another IB. If you get another IB, then load the exe in Olly at the system BP and then inject the dll with Olly; then you will get this imagebase. greetz
2x_VMProtector_2.06_DLL_Test_Files.rar
LCF-AT Posted November 9, 2010
@ All And does the DLL + exe work for you or not? Some info please. greetz
vinnie Posted November 10, 2010 (edited)
I tested it on XPSP3 and WIN7 and they both work, but they do not have the imported function from the DLL and can not terminate the process. I had to kill the process manually with Process Explorer. I have also worked a bit on this and have the main exe unpacked with the dll, but can not find where the ExitAll function is being imported in the main exe to rebuild that import. I am sure you will get it, then hopefully you write a tut.
Edited November 10, 2010 by vinnie
EvOlUtIoN (Author) Posted November 10, 2010
Yes, but... is it really necessary to import a function to call it?
Nooby Posted November 10, 2010
Not properly terminating the process may be due to dllbox's attempt to manipulate the Ldr loaded module list; I have seen this under win7 with vmprotect.exe. The other thing is not having the CRT's dllmain called for unloading.
EvOlUtIoN (Author) Posted November 11, 2010
I checked the unpacked exe with CPUID fixed better... well, it's not working. I explain better: you patched at 46a790 with a jmp to redirect the CPUID result. But in fact, after a while the exe will check the integrity of the bytes at that address, and will crash without an apparent reason. To verify it, put a hardware breakpoint on access at byte 46a790; sooner or later you will break, and after that the program crashes. This is the strongest integrity check I have ever seen. I tried to solve the problem using several ways, but with no great success. The fact is that if you patch any of the VMP bytes in the code section, it will be checked for sure and the program will crash; even the integrity check procedures themselves are checked from other procedures. I was thinking about redirecting the check to a new attached section with the code section untouched, but still have not found a good way to do it. Any ideas?
LCF-AT Posted November 11, 2010
Yes, you are right! It checks the whole code. So at the moment I would say that there is no way to prevent this self-checking. I already created some different loops, but also without success. Looks like a neck breaker. So how to patch without changing a byte.... hmmmm. So maybe you can write something like a dll file with some custom exports etc. I am no coder.

Example:
-------------------------
0046A790 CMP SI,0EACD 66 81 FE CD EA | 5 Bytes
to
0046A790 JMP 0040115D | 5 Bytes
--------------------------
Checks x3 places:

004640BF XOR AL,BYTE PTR DS:[EDX] // Export 1 Hook
--------
0046A790 xor al, 66
0046A791 xor al, 81

00462B00 XOR AL,BYTE PTR DS:[EDX] // Export 2 Hook
--------
0046A792 xor al, FE
0046A793 xor al, CD

00462B00 XOR AL,BYTE PTR DS:[EDX] // Export 3 Hook
--------
0046A794 xor al, EA
--------------------------
cmp edx, 0046A790
je P1
cmp edx, 0046A791
je P2
------
jmp P1_out
------
P1:
xor al, 66
jmp P1_out
------
P2:
xor al, 81
jmp P1_out
---------------------------------
cmp edx, 0046A792
je P3
cmp edx, 0046A793
je P4
------
jmp P2_out
------
P2:
xor al, FE
jmp P2_out
------
P3:
xor al, CD
jmp P2_out
---------------------------------
cmp edx, 0046A794
jne P3_out
xor al, EA
jmp P3_out

So just an idea. No idea whether it's possible or not, but you know what I mean. greetz
vinnie Posted November 12, 2010
I did not get that far, but what if you patched the VM jmp/ret table for it to return to an added section? From there you can patch in the right cpu values and also try to restore the table back to the original before the integrity check.
EvOlUtIoN (Author) Posted November 12, 2010
lcf-at, I tried several ways with the method you are explaining, but unfortunately it needs to replace some bytes near the cpuid, and to fix them you have to patch the control routine as well. But replacing them means that you have to check another time for the second patch you made, and again and again... this may not be a solution imho, also because in a complex program it's not possible to know exactly how many checks there are; in fact some places are checked by more than one routine. Vinnie, I tried it but had the same problems; maybe it is easy to fix a small program, but for bigger ones?
vinnie Posted November 12, 2010
I actually find it's easier in bigger programs, cause you have more things to hook to restore the table. Small apps like this unpackme might be hard, cause there are not that many options to hook into to provide a way to restore the table.
EvOlUtIoN (Author) Posted November 12, 2010
Yes, but that way don't you have to patch a lot of addresses?