vinnie Posted November 15, 2010 (edited) Well, the patch can be a bit big depending on how many times the app goes back to the cpuid check routine and how many times it checks the 3 dwords in this unpackme. For this one it seems to check the cpuid extremely often, and at the same time it checks the 3 dwords in between a couple of cycles. This little unpackme does more checks than any of the commercial apps I have seen, so there may be some more random checks I missed. But I think I got it; you give it a try and tell me if it works. The patch is quite long and I was a bit messy with it because I was only interested in extracting the boxed dll when I first started playing with this. I have not tested on WIN7 cause I think it will fail, but on XPSP3 I have tested it by letting it stay open for a while and then dragging the window. It seems to work. If it works, maybe it will help you adapt it for WIN7. If it doesn't fully work, then at least you can see what I mean. I also have not extracted the DLL cause I am stuck on it, so maybe you can show me how to do that later. XXXX//hotfile.com/dl/82700083/df6c89f/CPUFinal_IF.exe.html Edited November 16, 2010 by vinnie
cooooldog Posted December 6, 2010 The unpackme is detected as a virus by McAfee.
EvOlUtIoN (Author) Posted December 6, 2010 So you need to exclude it or (better) change antivirus.
Conquest Posted December 7, 2012 (edited) @LCF-AT Sorry to revive a dead thread, but could you kindly explain how to dump the boxed dll, since it's been over a year that I have been trying to dump it (though I lost interest a long time ago, but recently a new vmprotect app has made me interested in vmp again). It's ok if you are not willing to really reveal it, since everyone deserves to keep some private techniques of their own, but again, if it is at all plausible, can you please give us some hint about how to dump it (the boxed dll). Edited December 8, 2012 by Conquest
LCF-AT Posted December 7, 2012 @ Conquest There are no special techniques etc. Just check what happens in Olly. Here a quick example which you can try. Run target, press OK button. Now check in Olly...
--------------------------------------------------------
Memory map, item 35
Address=00BE0000 Size=0003F000 (258048.)
Owner=boxed 00BE0000 (itself)
Section=
Contains=PE header
Type=Map 00041002
Access=R
Initial access=RWE
PE
$+28 > 32870300 DD 00038732 ; AddressOfEntryPoint = 38732
$+34 > 0000BE00 DD 00BE0000 ; ImageBase = BE0000
$+50 > 00F00300 DD 0003F000 ; SizeOfImage = 3F000 (258048.)
$+C0 > 905A0300 DD 00035A90 ; TLS Table address = 35A90
$+C4 > 20000000 DD 00000020 ; TLS Table size = 20 (32.)
00BE0000+35A90 = 00C15A90
TLS
$ ==> 00C15A90 00BFB000 boxed.00BFB000
$+4 00C15A94 00BFB014 boxed.00BFB014
$+8 00C15A98 00BFB018 boxed.00BFB018
$+C 00C15A9C 00C15AA8 boxed.00C15AA8 <-- call back Pointer
$+10 00C15AA0 00000000
$+14 00C15AA4 00000000
$+18 00C15AA8 00C11A56 boxed.00C11A56 <-- call back ADDR 00C11A56
$+1C 00C15AAC 00000000
TLS call back
--------------------------------------------
00C11A56 60 PUSHAD
EP
--------------------------------------------
00C18732 9C PUSHFD
Set HWBP on write at 00BE0000 and restart
Fill bytes to 00BE0000
--------------------------------------------
004BF220 881429 MOV BYTE PTR DS:[ECX+EBP],DL
Compare written bytes
00482988 39D0 CMP EAX,EDX
End of bytes written = 400 bytes of PE Header + others
004992BD 8D2C45 B054706F LEA EBP,DWORD PTR DS:[EAX*2+6F7054B0]
Break on it till the dll in mem has been raw written, then you can dump the mem dll. Problem is that you cannot use it because of CRC. After this you can use PE Tools dump fixer to correct the values. The dll stops at EP; from here you can start to unpack the dll. The dll does not use imports, only 2 exports, DlgProc & ExitAll, so the RVA addresses you can find in your dumped & fixed raw dll or in the PE header in memory.
00001024 | DlgProc
00001049 | ExitAll
Also you will not find an OEP in the dll, so this you have to rebuild manually. Just try this. greetz
Conquest Posted December 8, 2012 Quote: "@ Conquest There are no special techniques etc. Just check what happens in Olly. Here a quick example which you can try. ... greetz" Thank you, thank you master LCF-AT. I did get as far as finding the new mapped section 00BE0000, but after that it was nothing familiar with the one you had provided. Now it becomes clear why that is (duh! packed). It's your very generosity; now let's see if I can make the dll run or not.
mm10121991 Posted December 8, 2012 (edited) Maybe the base address of the boxed dll is different on your PC from the one mentioned by LCF, but you can use the size of the memory block to find it. Edited December 8, 2012 by mm10121991
LCF-AT Posted December 8, 2012 @ Conquest So if you press the OK button on the main target, then afterwards the boxed dll will be loaded into memory, so now you can open the E or M map and you see boxed.dll as one section, and there you also see the used ImageBase, which is mostly the same on XP but can also differ. Ok, so today I checked this older unpackme again and I see the unpacking is not hard. Used boxed features:
------------------------
1. LocalAlloc AD = redirect it
2. One Import is used = EndDialog = catch & redirect it!
3. Create dll OEP
4. Unpack dll twice with different ImageBases the same way!
5. Create relocs
6. CPUID etc is used.
-----------------------
If you do all steps right then the dll also works with the packed file. Do you wanna have a video on how to do it? greetz
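Steps 4 and 5 of the list above (unpack the dll twice at two different ImageBases, then create relocs) rely on a standard trick: every dword that differs between the two dumps by exactly the base delta, and that points inside the image, is an absolute address that needs a HIGHLOW fixup. The following is an added example by the editor, not LCF-AT's code or anything shipped with the unpackme, that diffs two dumps, builds an IMAGE_BASE_RELOCATION table from the hits and checks the result by rebasing. The two dumps are constructed in the script (the 0x00BE0000 base is borrowed from the thread, 0x10000000 is a hypothetical second base); the one-byte-step scan can in principle produce false hits on data that happens to differ by the delta, which is why the in-image range check is kept.

```python
"""Rebuild a .reloc table from two dumps of one module unpacked at two image bases.
Added example; the dumps below are constructed, not taken from the unpackme."""
import struct

PAGE_SIZE = 0x1000
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: loader adds the base delta


def find_reloc_rvas(dump_a, base_a, dump_b, base_b):
    """Return RVAs of every dword that moved by exactly (base_b - base_a).

    A dword is accepted only if it differs between the dumps, the difference
    equals the base delta and the value in dump_a points inside the image.
    The scan advances one byte at a time so unaligned pointers are found, and
    skips past a hit so its bytes are not re-matched.
    """
    if len(dump_a) != len(dump_b):
        raise ValueError("both dumps must cover the same image size")
    delta = (base_b - base_a) & 0xFFFFFFFF
    if delta == 0:
        raise ValueError("dumps must come from different image bases")
    size = len(dump_a)
    rvas, i = [], 0
    while i + 4 <= size:
        va_a = struct.unpack_from("<I", dump_a, i)[0]
        va_b = struct.unpack_from("<I", dump_b, i)[0]
        if (va_a != va_b
                and ((va_b - va_a) & 0xFFFFFFFF) == delta
                and base_a <= va_a < base_a + size):
            rvas.append(i)
            i += 4
        else:
            i += 1
    return rvas


def build_reloc_section(rvas):
    """Serialise RVAs as IMAGE_BASE_RELOCATION blocks, one block per 4 KiB page."""
    by_page = {}
    for rva in rvas:
        by_page.setdefault(rva & ~(PAGE_SIZE - 1), []).append(rva & (PAGE_SIZE - 1))
    out = bytearray()
    for page in sorted(by_page):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in sorted(by_page[page])]
        if len(entries) % 2:                       # keep SizeOfBlock 4-byte aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))   # VirtualAddress, SizeOfBlock
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)


def parse_reloc_section(blob):
    """Inverse of build_reloc_section, used to check that the table round-trips."""
    rvas, off = [], 0
    while off + 8 <= len(blob):
        page, size = struct.unpack_from("<II", blob, off)
        count = (size - 8) // 2
        for entry in struct.unpack_from("<%dH" % count, blob, off + 8):
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                rvas.append(page + (entry & 0xFFF))
        off += size
    return rvas


def apply_relocs(dump, rvas, delta):
    """Rebase a dump by adding delta at every HIGHLOW fixup (what the loader does)."""
    out = bytearray(dump)
    for rva in rvas:
        val = struct.unpack_from("<I", out, rva)[0]
        struct.pack_into("<I", out, rva, (val + delta) & 0xFFFFFFFF)
    return bytes(out)


# --- constructed sample: the same 0x1100-byte image dumped at two bases ---
BASE_A = 0x00BE0000   # base seen in the thread on XP
BASE_B = 0x10000000   # hypothetical second base


def build_sample_dumps():
    a, b = bytearray(0x1100), bytearray(0x1100)
    for off, target in ((0x10, 0x500), (0x24, 0x1050), (0x1008, 0x30)):
        struct.pack_into("<I", a, off, BASE_A + target)   # absolute pointers into the image
        struct.pack_into("<I", b, off, BASE_B + target)
    struct.pack_into("<I", a, 0x40, 7)   # a counter that differs between the two runs:
    struct.pack_into("<I", b, 0x40, 9)   # it must not be mistaken for a pointer
    a[0x100:0x104] = b[0x100:0x104] = b"\x55\x8b\xec\xc3"   # identical code bytes
    return bytes(a), bytes(b)


if __name__ == "__main__":
    dump_a, dump_b = build_sample_dumps()
    fixups = find_reloc_rvas(dump_a, BASE_A, dump_b, BASE_B)
    print("fixups at RVAs:", [hex(r) for r in fixups])
    print(".reloc bytes:", build_reloc_section(fixups).hex())
```

The resulting bytes would go into a new .reloc section of the rebuilt dll, with DataDirectory[5] pointing at it; with real dumps you would run the scan over the whole image and inspect any hit that lands in code bytes by hand.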
LCF-AT Posted December 8, 2012
*****************************************
Unpacking of a VMProtect Boxed dll
*****************************************
Hi again, ok, I have now created a little video tutorial for you and all others on how you can deal with that boxed dll of this unpackme from this topic. Just an example of course. Just follow my video and try it afterwards by yourself. I also added the unpacked files [No CPUID - RDTSC etc fixed!] for testing and checking / analysing etc. Read the Short Tutorial.txt; there you can get all infos on what to do etc, so I have also made a quick steplist + infos. So I hope this video will answer your more than one year of trying. greetz Unpacking of a VMProtect Boxed dll.rar
Lostin Posted December 8, 2012 Amazing work LCF-AT as always. Thanks for the video, will surely look into it when I have the time.
vinnie Posted December 9, 2012 LOL!! OMG LCF-AT!!!! I lost interest in this / gave up on the boxed dll after 1 week and forgot about it until now. That was a year ago. Thanks.
Conquest Posted December 9, 2012 (edited) Quote: "Maybe the base address of the boxed dll is different on your PC from the one mentioned by LCF, but you can use the size of the memory block to find it." The address is the same for me (xp sp3), but you won't find anything similar to the unpacked dll. I tried to hex search bytes from the unpacked dll, but failed (cuz it's packed). @LCF-AT Thank you so much for such a beautiful tutorial. It definitely helped me a lot. You are always the one we can trust. I have a question: why did you zero some addresses in the tls section around 12:10 min of the tutorial movie? Can you explain please; I have seen some other themida unpacked files as well where authors zero some import addresses (which can be left intact and the dump would still run). Edited December 9, 2012 by Conquest
LCF-AT Posted December 9, 2012 (edited) @ Conquest So you have to check whether your files use a TLS callback and check whether it's needed to start the unpack process from this address. If you start from EP and you get a debug detection message, then you need to start from TLS + remove one short BP [you can set up your StrongOD plugin for these 2 issues]. So if you have a dll, then my old unpack script "VMProtect API Turbo Tracer 1.2" does check it at line 494 & 496 so that you can run the script with dlls from EP. Set Olly to stop at system BP for exe files [did not add a TLS check in this script]. If you need to stop at TLS with a dll, then the script does work too.
Exe - Set Olly to stop at system BP
Dll - Works with TLS & EP
Note: If you have files like .ocx etc, then rename them to .dll.
PS: Did you get the boxed dll unpacked now so far? greetz
EDIT: TLS callback pointer address and TLS callback address are not needed anymore [only by the protector itself]; that's the reason why I zero both. If you don't zero the callback address, then the unpacked file will also stop first at this address and not at your EP. So you can fill both with zero after unpacking. Edited December 9, 2012 by LCF-AT
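LCF-AT's Olly walk in the earlier post (PE header at the ImageBase, AddressOfEntryPoint at $+28, ImageBase at $+34, SizeOfImage at $+50, the TLS data directory at $+C0, and the callback pointer at TLS+C leading to the callback array) and the EDIT above (zero the callback pointer and the callback address once the dll is unpacked) are the same PE structures read and then written. The following is an added example by the editor, not LCF-AT's script and not code from the unpackme, that performs both steps on an image-mapped buffer where RVA equals buffer offset. The image it parses is constructed inside the script: only the 0x00BE0000 base is borrowed from the thread, and the entry point, TLS RVA and callback address are made up for the demonstration.

```python
"""Walk the PE32 header of an image-mapped module to list its TLS callbacks,
and zero them in a dump. Added example; the image below is constructed."""
import struct


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_headers(image):
    """Read the fields LCF-AT lists from an image-mapped buffer (RVA == offset)."""
    if bytes(image[:2]) != b"MZ":
        raise ValueError("missing MZ signature")
    pe = _u32(image, 0x3C)                                  # e_lfanew
    if bytes(image[pe:pe + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    if struct.unpack_from("<H", image, pe + 0x18)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled")
    return {
        "pe_offset": pe,
        "entry_point_rva": _u32(image, pe + 0x28),        # AddressOfEntryPoint ($+28)
        "image_base": _u32(image, pe + 0x34),             # ImageBase ($+34)
        "size_of_image": _u32(image, pe + 0x50),          # SizeOfImage ($+50)
        "tls_rva": _u32(image, pe + 0xC0),                # DataDirectory[9].VirtualAddress
        "tls_size": _u32(image, pe + 0xC4),               # DataDirectory[9].Size
    }


def tls_callbacks(image):
    """Return the VAs in the TLS directory's zero-terminated callback array."""
    hdr = parse_headers(image)
    if hdr["tls_rva"] == 0:
        return []
    cb_va = _u32(image, hdr["tls_rva"] + 0x0C)   # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks
    if cb_va == 0:
        return []
    off = cb_va - hdr["image_base"]              # VA -> offset in the mapped image
    found = []
    while (va := _u32(image, off)) != 0:
        found.append(va)
        off += 4
    return found


def zero_tls_callbacks(image):
    """Copy of image with the callback entries and AddressOfCallBacks zeroed."""
    out = bytearray(image)
    hdr = parse_headers(out)
    if hdr["tls_rva"] == 0:
        return out
    cb_va = _u32(out, hdr["tls_rva"] + 0x0C)
    if cb_va == 0:
        return out
    off = cb_va - hdr["image_base"]
    while _u32(out, off) != 0:                   # clear each callback address
        struct.pack_into("<I", out, off, 0)
        off += 4
    struct.pack_into("<I", out, hdr["tls_rva"] + 0x0C, 0)   # clear the callback pointer
    return out


# --- constructed sample image, laid out like the thread's boxed dll header ---
IMAGE_BASE = 0x00BE0000   # base from the thread; everything else is made up


def build_sample_image():
    img = bytearray(0x2000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 1)                 # Machine=i386, 1 section
    struct.pack_into("<H", img, pe + 0x14, 0xE0)                   # SizeOfOptionalHeader
    struct.pack_into("<H", img, pe + 0x18, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, pe + 0x28, 0x1732)                 # AddressOfEntryPoint
    struct.pack_into("<I", img, pe + 0x34, IMAGE_BASE)             # ImageBase
    struct.pack_into("<I", img, pe + 0x50, len(img))               # SizeOfImage
    struct.pack_into("<I", img, pe + 0x74, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", img, pe + 0xC0, 0x1000, 0x18)          # TLS directory RVA, size
    struct.pack_into("<I", img, 0x1000 + 0x0C, IMAGE_BASE + 0x1018)   # AddressOfCallBacks
    struct.pack_into("<II", img, 0x1018, IMAGE_BASE + 0x1A56, 0)      # one callback + end
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    hdr = parse_headers(img)
    print("EP VA   : %08X" % (hdr["image_base"] + hdr["entry_point_rva"]))
    print("TLS cbs : %s" % [hex(v) for v in tls_callbacks(img)])
    print("after zeroing: %s" % tls_callbacks(zero_tls_callbacks(img)))
```

On a real dump the same walk tells you, before you set any breakpoint, whether the file will run a TLS callback ahead of its EP; after unpacking, zero_tls_callbacks is the edit LCF-AT describes, and re-running tls_callbacks on the result confirms the loader will no longer stop there.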
Conquest Posted December 10, 2012 (edited) Quote: "@ Conquest PS: Did you get the boxed dll unpacked now so far? greetz" Yes Master LCF-AT, I got it working for now. I will try to unpack some custom made dlls next. I will probably need help sometime later. Thank you so much for answering. Edited December 10, 2012 by Conquest
Dreamer Posted December 10, 2012 Can someone upload LCF-AT's tut "Unpacking of a VMProtect Boxed"? The download starts and stops at 99%, then starts itself again and bam, server time out.
Teddy Rogers Posted December 10, 2012 Quote: "Can someone upload LCF-AT's tut "Unpacking of a VMProtect Boxed"? The download starts and stops at 99%, then starts itself again and bam, server time out." Working fine here, check your antivirus software... Ted.
Dreamer Posted December 10, 2012 Heh, you are right Teddy, it's my antivirus. Thx.
av999 Posted August 3, 2013 (edited) Because boxed.dll is created after unpacking the EXE, so another way of unpacked.exe. Edited August 6, 2013 by av999
av999 Posted August 6, 2013 (edited) Some video about the cpuid fix and unpacked: http://www.sendspace.com/file/k1fzks Edited August 6, 2013 by av999
LCF-AT Posted August 6, 2013 Hi av999, your unpacked file with the boxed patch does not work. The internal boxed dll will not be created [see LoadLibraryA API stop | ZwQueryAttributesFile return from VM = C0000034 (OBJECT NAME NOT FOUND)] and then it goes wrong from there on, so it will never reach the ZwMapViewOfSection API. Also your download link is no longer working. Video about cpuid:
"cpuid-hash.fbr"
RecorderEdition BB FlashBack4_RUS
RecorderVersion 4.1.2.2592
Why do you send a fbr file and no playable video? greetz
LCF-AT Posted August 7, 2013 Hi av999, good work, so now it's working with the c:\temp path only. Also I have seen your CPUID video where you use the VMP Debugger. So maybe you can explain it a little more if possible.
00446C37 CALL 0062A640
0045E36B CALL 0062A640
0046369C CALL 0062A640
00464C83 CALL 0062A640
00464FA3 CALL 0062A640
00468F5F CALL 0062A640
00627863 CALL 0062A640

0062A640 9C PUSHFD
0062A641 837D 00 05 CMP DWORD PTR SS:[EBP],5
0062A645 75 3B JNZ SHORT 0062A682
0062A647 817D 04 00104000 CMP DWORD PTR SS:[EBP+4],401000
0062A64E 7E 32 JLE SHORT 0062A682
0062A650 817D 04 80C26200 CMP DWORD PTR SS:[EBP+4],62C280
0062A657 7F 29 JG SHORT 0062A682
0062A659 817D 0C 00104000 CMP DWORD PTR SS:[EBP+C],401000
0062A660 7E 20 JLE SHORT 0062A682
0062A662 817D 0C 80C26200 CMP DWORD PTR SS:[EBP+C],62C280
0062A669 7E 09 JLE SHORT 0062A674
0062A66B 817D 0C 00000010 CMP DWORD PTR SS:[EBP+C],10000000
0062A672 7E 0E JLE SHORT 0062A682
0062A674 8B45 04 MOV EAX,DWORD PTR SS:[EBP+4]
0062A677 83C0 05 ADD EAX,5
0062A67A 8B00 MOV EAX,DWORD PTR DS:[EAX]
0062A67C F7D0 NOT EAX
0062A67E 40 INC EAX
0062A67F 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
0062A682 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
0062A685 9D POPFD
0062A686 C3 RETN
----------------Local AD Hook 00466867-------------------------------
0062A687 81FE F0F45000 CMP ESI,50F4F0
0062A68D 74 05 JE SHORT 0062A694
0062A68F ^ E9 D8C1E3FF JMP 0046686C
0062A694 8915 3CB66200 MOV DWORD PTR DS:[62B63C],EDX ; edx = check DWORD
0062A69A C605 8EA66200 00 MOV BYTE PTR DS:[62A68E],0
0062A6A1 ^ EB EC JMP SHORT 0062A68F
So what is now the CPUID fix? In your video I see you fill the 4 registers with 00 after CPUID and then it writes a DWORD, in my case [0017472C | 0277CFC5]. I don't understand the first patch block of your code + the call hooks. greetz
av999 Posted August 7, 2013 1st block - crc fix - no more about it. 2nd block - is the cpuid fix. The video only demonstrates how cpuid may be fixed and shows what mem-dword deals with the cpuid-hash. In my exe I did that:
- set breakpoints on all appropriate CPUID commands and a mem bp on the Local AD block
- run and find the latest CPUID before the mem break on Local AD
- restart and trace from the latest CPUID to the mem bp
In the run trace log you will find the place where some REG32=[mem dword from Local AD block] and esi as indicator, so in that place we have: esi,reg32
LCF-AT Posted August 7, 2013 Hi av999, not clear so far.
00629186 0FA2 CPUID
0012F688 006293F1 /CALL to LocalAlloc
0012F68C 00000000 |Flags = LMEM_FIXED
0012F690 00000068 \Size = 68 (104.)
EAX 001A4020 <--
ECX 7C809A90 kernel32.7C809A90
EDX 001A0608
EBX 25CB31A3
ESP 0012F688
EBP 0012F78C
ESI 00626945 VMProtec.00626945
EDI 0012F694
EIP 7C809A90 kernel32.7C809A90
006293F1 MOVZX CX,AL
mem bp access at 001A0000 | 00005000
Start run trace
00629054 MOV DWORD PTR ES:[EAX],EDX
EAX 001A4020
ECX 006275AA VMProtec.006275AA
EDX FF68A82D
EBX 2A864552
ESP 0012F668
EBP 0012F798
ESI 0061BC91 VMProtec.0061BC91
EDI 0012F694
EIP 00629054 VMProtec.00629054
--------------
0062991D MOV DWORD PTR DS:[EAX],EDX
EAX 001A405C // 001A4020 + 3C
ECX 00629FA5 VMProtec.00629FA5
EDX 0001B0CE <-- LA DWORD
EBX 2B791BE3
ESP 0012F684
EBP 0012F798
ESI 0054940E VMProtec.0054940E
EDI 0012F694
So the last CPUID before calling LocalAlloc was at 00629186, then stop at LocalAlloc ret = block address 001A4020. Then I stop at 00629054 where it filled the local DWORDs starting at 001A4020 till 68 bytes, and 001A4020 + 3C = 001A405C | 00000002 <-- gets filled by the command above. So now the next stop at 001A405C is at 0062991D where it filled DWORD 0001B0CE [in my case] = end, and it checks the value later. The questions now are:
----------------------------------
- where did you start the run trace to get the address of 50F4F0
- did you redirect LocalAlloc/ret eax to 0062B600, and if yes = 0062B600 is no original file address = not there.
- how did you find the possible check location at 00466867 for checking 50F4F0
- so is then in edx always the actual check DWORD of each xy CPU which you then just let fill into the check location (in my case in your file = 0062B63C | FFA9BAAE)
Would be nice if you could post some more addresses or an example video [in Olly] of this UnpackMe about the CPUID first, if possible. So I see your patch does work, so the first CPUID is checked at "0046A78E" in the unpacked file, and if I change it in your file the file starts ok. Coolio! greetz
av999 Posted August 8, 2013 (edited) We have unpacked.exe and so we need the trace from cpuid to the break on the LocalADblock only in unpacked.exe! Why 00629186??? The nearest (to the break on LocalADblock) CPUID command may have a different address from one unpack to another:
45f0b6 - my unpack
46a78e - other unpack
ps my LA=62b600
video http://www.sendspace.com/file/mbfveq Edited August 8, 2013 by av999