Jump to content
Tuts 4 You
EvOlUtIoN

[unpackme] VMProtect 2.06 unpackme

Rate this topic

Recommended Posts

EvOlUtIoN

Here it is an unpackme wioth maximum VMProtect protection.

It have also a boxed dll which should be a good and never seen target to unpack.

Good luck.

VMProtector_2.06_unpackme.rar

Share this post


Link to post
Share on other sites
LCF-AT

Hi EvOlUtIoN,

hmmmm nice. :)

Thank you for creating this new UnpackMe version.Exe & Temp dll file.

Ok I got the exe unpacked and it works [+with maybe message & without Exit / Button working] + AntiDump.

Now I have also the boxed.dll which I need to unpack now.So only problem which I have at the moment is the dll CRC check.You know file corruped message so this I need to find now.Til later.

greetz

  • Like 1

Share this post


Link to post
Share on other sites
Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Share this post


Link to post
Share on other sites
EvOlUtIoN

i knew you like it!

Just make all possilbe to have it working, no more and no less. :) you are also not forced to unpack the boxed dll, feel free to make all working just like packed one.

Sorry for completely virtualize content of code section, but code was very poor so a master like you for sure does not have problem on it.

PS How you fix CPUID antidump in these new version? i still miss it.

Share this post


Link to post
Share on other sites
LCF-AT

Hi EvO,

yes I like it and this DLL thing is also new for me.Never seen this before in any VMP target.Yes I got this DLL too which I have dumped [no normal dumping] at the EP but I can not find this CRC check in the DLL at the moment.So now I tried to dump the DLL at the OEP but the problem there is now....where is the DLL OEP!?Whole DLL is one section in memory and I find just the DlgProc & ExitAll and my DLL OEP is set on the DlgProc 1024 RVA but this is wrong.Dll used also AntiDump check. :) Maybe you can tell me the where the DLL OEP is then I can also test whether my DLL is working or not.

Ok I see the main app is breaking on one CPUID command.I also have no 2. OS where I can test it to see whether is need to patch something here or not.So now I created first 2 unpacked files.One normal and one where I have patched the CPUID at 0046A790 [jmp xxx you will see it].No ideas whether its working or not so just test both files and tell me the reults.

0046A78E    CPUID  
0046A790 CMP SI,0EACD
0046A795 CMP AH,85
0046A798 SUB EBP,0C
0046A79B PUSHAD
0046A79C CMP DWORD PTR SS:[EBP+C],1

PS: So if it start then you get also the "maybe you forgot..." message and OK [exit] does not work.Maybe I can find the DLL OEP then I can send you the DLL too or you tell me the DLL OEP to test my DLL.

greetz

2x_VMProtector_2.06_Unpacked_Test_Files.rar

Share this post


Link to post
Share on other sites
Syntax

VMProtector_2.06_U+CPUID.exe = Works with "maybe you forgot..." message and OK [exit] does not work.

VMProtector_2.06_U.exe - Not working (Crashes)

Tested in XPSP3.

Share this post


Link to post
Share on other sites
LCF-AT

@ (*_*)

Ah very good and thanks for testing and the info.So it seems that I have patched the CPUID right. :)

greetz

Share this post


Link to post
Share on other sites
vinnie

Seems like getting the main exe unpacked is not too hard, but to get the boxed.dll to still export functions for the OK button to close app properly seems very hard. (well for me anyway).

I hope someone does unpack it and writes a tut.

Share this post


Link to post
Share on other sites
EvOlUtIoN

well ok, your patched file is perfectly working here. Congratz LCF-AT. Of course i will wait for the dll to be unpacked. It is not hard because there is few code, so you can for sure find OEP by yourself, also because it is more simple than you think :D

Share this post


Link to post
Share on other sites
LCF-AT

Hi,

ah ok.So i have checked the dll a little bit and I see it hooks the intern API.

0012FB28   004D5E3C  /CALL to LoadLibraryA
0012FB2C 00403000 \FileName = "boxed.dll"00B38732 PUSHFD ; boxed EP00446373 MOV DWORD PTR DS:[EAX],EDX EDX=00400000 (Kopie_vo.00400000)
DS:[00403050]=00400000 (Kopie_vo.00400000)00464742 MOV DWORD PTR DS:[EAX],EDX ; 2EDX=00B01024 (boxed.00B01024)
DS:[00403054]=00B01024 (boxed.00B01024)00448C2E MOV EAX,DWORD PTR DS:[EAX]DS:[00B01024]=0167A5E9
EAX=00B01024 (boxed.00B01024)77D13A5C CALL DWORD PTR SS:[EBP+8] ; boxed.00B0102400B01024 JMP 00B177CE ; DlgProc 1 export
00B01029 PUSH DWORD PTR SS:[ESP+44]
00B0102D POPFD
00B0102E PUSH ESI
00B0102F PUSH 514D555C
00B01034 LEA ESP,DWORD PTR SS:[ESP+50]
00B01038 JMP 00B0E1E7
00B0103D JMP 00B0D5DD
00B01042 CALL 00B0C51A
00B01047 JECXZ SHORT 00B0101A 00B01049 JMP 00B177BE ; ExitAll 2 export
00B0104E PUSHFD
00B0104F MOV DWORD PTR SS:[ESP+8],EDX
00B01053 JMP 00B0809B
00B01058 MOV CX,CS
00B0105A CALL 00B1685B
00B0105F CALL FAR 0000:00000000 00464742 MOV DWORD PTR DS:[EAX],EDX ; 2EDX=00B01049 (boxed.00B01049)
DS:[00403054]=00B01049 (boxed.00B01049)0012FFBC 004A6790 /CALL to ExitProcess from VMProtec.004A678B
0012FFC0 00000001 \ExitCode = 1

Switching loops.

Maybe the OEP is the same like

push 0

call GetModuleHandleA

jmp xxxxxx

Seems to be still a bit tricky or I think wrong. :)

EDIT: I still can't find the DLL OEP.Now I have the DLL + AntiDump & CPUID too but no OEP.Can you give a hint about the OEP address? :)

greetz

Edited by LCF-AT (see edit history)

Share this post


Link to post
Share on other sites
EvOlUtIoN

OEP pof dll in this case you can do severl things, one is to think a little on position of exported functions and where probably can be the oep. The other is to rebuild yourself a simple typical oep of a dll. A hint can be that i written it using a standard winasm template, and removing all procedures from DLL_PROCESS_ATTACH etc., so oep is completely alone.

Share this post


Link to post
Share on other sites
LCF-AT

Hi Evo,

ah ok and thanks for the info,so now I have created the DLL OEP like this.

021F1070 <>PUSH EBP
021F1071 MOV EBP,ESP
021F1073 MOV EAX,DWORD PTR SS:[EBP+8]
021F1076 MOV DWORD PTR DS:[IBStore],EAX
021F107B MOV EAX,1
021F1080 LEAVE
021F1081 RETN 0C

But I forgot one thing!!! :)

So in the main app I get the dll imagebase of 00B00000 and with the unpacked file I get a other imagebase and the xyz addresses does not match by the VMP code.So is there a way to give this DLL a static imagebase of 00B00000 too?So if not then I have to unpack the DLL again and this time I have to try to give the dll a imagebase of 10000000 if possible.Ok I try go on.

greetz

Share this post


Link to post
Share on other sites
-Alex-

PE Tools -> Preferences -> PE Rebuilder -> check the option "Change ImageBase to:" -> 00B00000

Then rebuild dll, and u should be done ;)

Alex

Edited by -Alex- (see edit history)

Share this post


Link to post
Share on other sites
LCF-AT

Thanks for this info -Alex- but this does not work in this dll.Also my unpacked main exe has already a big virtual size--

address 400000 - 01D27FFE

So its clear now why the dll get not the imagebase of 00B00000 so its already used by my target. :) So I need to unpack all again and this time I have to handle better the used size.I also tried to redirect the allocated address for the dll and changed them to a higher address but then the target makes some trouble.I try it again. :)

greetz

Share this post


Link to post
Share on other sites
LCF-AT

Hi,

ok now I got the DLL with a high imagebase on a next fresh dll unpack.Now the exe & DLL are working toghether. :) Ok I upload again 2 files [DLLs] which are the same except CPUID patching.

boxed.dll

-------------

Yes_CPUID_boxed.dll

NO_CPUID_boxed.dll

Info: Just remove the Yes_CPUID_ or NO_CPUID_ in the name and then test.

-------------

I don't know whether the CPUID patch is also needed in this dll or not so this is the reason why I send 2 dll files which you can both test with my exe files from the other post.

I also see 2 diffrents.If I run my CPUID patched dll with CPUID patched exe file then it starts but after a short time I get some kind of integry check [ExeCryptor style] and the target closed.Its not happend always but to offten.So I think I have patched the CPUID a little bit wrong....but I can not test it under a other OS to find the exactly reason for this problem at the moment.So both files exe & dll without CPUID patching are working 1A without any problems. :)

So just try to run the exe a few times if you get starting problems.

@ EvO

So thats all for the moment what I can do at the moment.I hope that the dll is working now.So there was nothing to fix [APIs] inside this dll.If you have 2 OS then you can check the CPUID problem and check what is wrong there and also what is necessary to patch there and what not.Dll CPUID patch can you see at 023C10A0 / 2 times.

PS: DLL ImageBase is 023C0000 so this should work now without to get a other IB.So if you get a other IB then load the exe in Olly at system BP and then inject the dll with Olly then you will get this imagebase.

greetz

2x_VMProtector_2.06_DLL_Test_Files.rar

Share this post


Link to post
Share on other sites
LCF-AT

@ All

And does the DLL + exe work for you or not?

Some infos please. :)

greetz

Share this post


Link to post
Share on other sites
vinnie

I tested it on XPSP3 and WIN7 and they both work but do not have the imported function from DLL and can not terminate process. I had to kill process manually with Process Explorer.

I am also have worked a bit on this and have the main exe unpacked with dll but can not find where the ExitAll function is being imported in the main exe to rebuild that import.

I am sure you will get it, then hopefully you write a tut. :lol:

Edited by vinnie (see edit history)

Share this post


Link to post
Share on other sites
EvOlUtIoN

yes but...is really necessary to import a function to call it? :)

Share this post


Link to post
Share on other sites
Nooby

not properly terminating the process may due to dllbox's attempt to manupilate Ldr loaded module list, I have seen this under win7 with vmprotect.exe

the other thing is not having CRT's dllmain called for unloading.

Share this post


Link to post
Share on other sites
EvOlUtIoN

I checked better the unpacked exe with CPUID fixed...well it's not working.

I explain better

You patched at 46a790 with a jmp to redirect the CPUID result. But in fact after a while the exe will check integrity of bytes at that address, and will crash without apparently a reason.

To verify it put an hardware breakpoint on access at byte 46a790, sooner or later you will break, and after program crashes.

This is the strongest integrity check i ever seen.

I tried to solve the rpoblem using several ways, but with no grat success.

The fact is that if you patch any of the VMP bytes in the code section, it will be checked for sure and program will crach, even the integrity check procedure themselves are checked form pother procedures.

I was thinking about redirect the check to a new attached section with code section untouched, but still not found a good way to do it.

Any ideas?

Share this post


Link to post
Share on other sites
LCF-AT

Yes you are right! :) It checks the whole code.So at the moment I would say that there is no way to prevent this selfchecking.I created already some diffrent loops but also without success.Looks like a neck breaker.So how to patch without to change a byte....hmmmm.

So maybe you can write something like a dll file with some custom exports etc.So I am no coder.

Exsample:

-------------------------
0046A790 CMP SI,0EACD 66 81 FE CD EA | 5 Bytes
to
0046A790 JMP 0040115D | 5 Bytes
--------------------------Checks x3 places:
004640BF XOR AL,BYTE PTR DS:[EDX] // Export 1 Hook
--------
0046A790 xor al, 66
0046A791 xor al, 8100462B00 XOR AL,BYTE PTR DS:[EDX] // Export 2 Hook
--------
0046A792 xor al, FE
0046A793 xor al, CD00462B00 XOR AL,BYTE PTR DS:[EDX] // Export 3 Hook
--------
0046A794 xor al, EA
--------------------------cmp edx, 0046A790
je P1
cmp edx, 0046A791
je P2
------
jmp P1_out
------
P1:
xor al, 66
jmp P1_out
------
P2:
xor al, 81
jmp P1_out
-----------
-----------
-----------
cmp edx, 0046A792
je P3
cmp edx, 0046A793
je P4
------
jmp P2_out
------
P2:
xor al, FE
jmp P2_out
------
P3:
xor al, CD
jmp P2_out
-----------
-----------
-----------
cmp edx, 0046A794
jne P3_out
xor al, EA
jmp P3_out

So just a idea.No idea whether its possible or not but you know what I mean.

greetz

  • Like 2

Share this post


Link to post
Share on other sites
vinnie

I not get that far but what if you patched the VM jmp/ret table for it to return to an added section? From there you can patch in right cpu values and also try to restore the table back to original before integrity check.

Share this post


Link to post
Share on other sites
EvOlUtIoN

lcf-at i tried several ways with the method you are explaining, but unfortunately it needs to replace some bytes near cpuid, and to fix them you have to patch also control routine. but replacing them means that you have to check another time for the second patch you done, and again and again...this may not be a solution imho, also because in complex program it's not possible to know exactly how many checks there are, in fact some places are checked by more than one routine.

Vinnie, i tried it but also same problems, maybe it is easy to fix a small program, but for biggers?

Share this post


Link to post
Share on other sites
vinnie

I actually find it's easier in bigger programs cause you have more things to hook to restore the table. Small apps like this unpackme might be hard cause not that many options to hook into to provide a way to restore the table

Share this post


Link to post
Share on other sites
EvOlUtIoN

yes, but that way you don't have to patch a lot of addresses?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×