Jump to content
Tuts 4 You
EvOlUtIoN

[unpackme] VMProtect 2.06 unpackme

Rate this topic

Recommended Posts

vinnie

Well the patch can be a bit big depending on how many times the app goes back to cpuid check routine and how many times it checks the 3 dwords in this unpackme. For this one it seems to check the cpuid extremely often and at the same time it checks the 3 dwords in between a couple of cycles. This little unpackme is does more checks than any of the commercial apps I have seen so there maybe some more random checks i missed.

But I think I got it, you give it a try and tell me if it works. the patch is quite long and I was a bit messy with the patch because I was only interested with extracting the boxed dll when I first started playing with this.

I have not tested on WIN7 cause I think it will fail but on XPSP3 I have tested it by letting it stay open for a while and then dragging the window. It seems to work. if it works maybe it will help you adapt it for WIN7. if it doesn't fully work then at least you can see what i mean.

I also have not extracted the DLL cause I am stuck on it so maybe you can show me how to do that later :D

XXXX//hotfile.com/dl/82700083/df6c89f/CPUFinal_IF.exe.html

Edited by vinnie (see edit history)

Share this post


Link to post
Share on other sites
cooooldog

The unpackme is detected as virus by McAfee. :dunno:

Share this post


Link to post
Share on other sites
EvOlUtIoN

so you need to exclude it or (better) to change antivirus :)

  • Like 1

Share this post


Link to post
Share on other sites
Conquest

@LCF-AT


Sorry to revive a dead thread but if you can kindly explain how to dump the boxed dll since its been like over a year i have been trying to dump it.(though lost interest a long ago but recently a new vmprotect app has made me interested in vmp again)


Its ok if you are not willing to really reveal it since everyone deserves to keep some private techniques of their own but again even if it is plausible can you please give us some hint about how to dump it(the boxed dll).


Edited by Conquest (see edit history)

Share this post


Link to post
Share on other sites
LCF-AT

@ Conquest

There is no special techniques etc. :) Just check what happend in Olly.Here a quick exsample which you can try.

Run target press ok button.Now check in Olly...--------------------------------------------------------Memory map, item 35 Address=00BE0000 Size=0003F000 (258048.) Owner=boxed    00BE0000 (itself) Section= Contains=PE header Type=Map  00041002 Access=R Initial access=RWEPE+$+28     >  32870300    DD 00038732          ;  AddressOfEntryPoint = 38732$+34     >  0000BE00    DD 00BE0000          ;  ImageBase = BE0000$+50     >  00F00300    DD 0003F000          ;  SizeOfImage = 3F000 (258048.)$+C0     >  905A0300    DD 00035A90          ;  TLS Table address = 35A90$+C4     >  20000000    DD 00000020          ;  TLS Table size = 20 (32.)00BE0000+35A90 = 00C15A90TLS$ ==>    00C15A90  00BFB000  boxed.00BFB000$+4      00C15A94  00BFB014  boxed.00BFB014$+8      00C15A98  00BFB018  boxed.00BFB018$+C      00C15A9C  00C15AA8  boxed.00C15AA8 <-- call back Pointer$+10     00C15AA0  00000000$+14     00C15AA4  00000000$+18     00C15AA8  00C11A56  boxed.00C11A56 <-- call back ADDR 00C11A56$+1C     00C15AAC  00000000TLS call back--------------------------------------------00C11A56    60                      PUSHADEP--------------------------------------------00C18732    9C                      PUSHFDSet HWBP on write at 00BE0000 and restartFill bytes to 00BE0000--------------------------------------------004BF220    881429               MOV BYTE PTR DS:[ECX+EBP],DLCompare written bytes00482988    39D0                 CMP EAX,EDXEnd of bytes written = 400 bytes of PE Header + others004992BD    8D2C45 B054706F      LEA EBP,DWORD PTR DS:[EAX*2+6F7054B0]
Break on it till the dll in mem was raw written then you can dump the mem dll.Problem is that you can not use it because CRC.After this you can use PE Tools dump fixer to correct the values.The dll stops at EP from here you can start to unpack the dll.The dll does not use imports only 2 exports DlgProc & ExitAll so the RVA addresses can you find in your dumped & fixed raw dll or PE Header in memory.

00001024 | DlgProc

00001049 | ExitAll

Also you will not find a OEP in the dll so this you have to rebuild manually.Just try this.

greetz

  • Like 1

Share this post


Link to post
Share on other sites
Conquest

@ Conquest

There is no special techniques etc. :) Just check what happend in Olly.Here a quick exsample which you can try.

...................................

greetz

 

thank you, thank you master LCF-AT. I did went till finding the new mapped section 00BE0000 but after that it was nothing familiar with the one you had provided. Now it becomes clear why is that (duh! packed).

Its your very generosity , now lets see if i can make the dll running or not.

Share this post


Link to post
Share on other sites
mm10121991

may be the base address of the boxed dll is different in your pc from the one mentionned by LCF. but you can use size of memory block to find it


Edited by mm10121991 (see edit history)

Share this post


Link to post
Share on other sites
LCF-AT

@ Conquest

So if you press the ok button on the main target then after the boxed dll will loaded into memory so now you can open the E or M map and you see boxed.dll as one section and there you see also the used ImageBase which is mostly the same on XP but it can also differ.Ok so today I check this older unpackme again and I see the unpacking is not hard.

Used boxed features:

------------------------

1. LoacalAlloc AD = redirect it

2. One Import is used = EndDialog = catch & redirect it!

3. Create dll OEP

4. Unpack dll twice with diffrent ImageBases on the same way!

5. Create relocs

6. CPUID etc is used.

-----------------------

If you do all steps right then the dll works also with the packed file.Do you wanna have a video how to do it? :)

greetz

  • Like 3

Share this post


Link to post
Share on other sites
LCF-AT
*****************************************  Unpacking of a VMProtect Boxed dll  *****************************************
Hi again,

ok I have now created a little video tutorial for you and all others how you can deal with that boxed dll of this unpackme from this topic.Just a exsample of course.Just follow my video and try it after by yourself.I added also the unpacked files [No CPUID - RDTSC etc fixed!] for testing and checking / analysing etc.Read the Short Tutorial.txt there you can get all infos what to do etc so I have made also a quick steplist + infos.So I hope you this video will answer your more than one year long trying. :)

greetz

Unpacking of a VMProtect Boxed dll.rar

  • Like 4

Share this post


Link to post
Share on other sites
Lostin

Amazing work LCF-AT as always :)


Thanks for the video will surely look into it when i have the time :)


Share this post


Link to post
Share on other sites
vinnie

LOL!! OMG LCF-AT!!!! I lost interest in this/gave up on the boxed dll after 1 week and forgot about it until now. That was a year ago. Thanks.


Share this post


Link to post
Share on other sites
Conquest

may be the base address of the boxed dll is different in your pc from the one mentionned by LCF. but you can use size of memory block to find it

the address is same for me(xp sp3) but you wont find anythng similar to the unpacked dll. i tried to hex search bytes from the unpacked dll, but failed(cuz its packed)

 

@LCF-AT

Thank you so much for such a beautiful tutorial. definitely helped me a lot.You are always the one we can trust .

 

I have a question -

 

why did you zero-d  some addresses in the tls section around 12:10 min of the tutorial movie. Can you explain please, i have seen some other themida unpacked files as well where authors zero some import addresses(which can be left intact and the dump would still run.)

Edited by Conquest (see edit history)

Share this post


Link to post
Share on other sites
LCF-AT

@ Conquest

So you have to check whether your files used a TLS callback and check whether its needed to start the unpack process from this address.If you start from EP and if you get a debug detection message then you need to start from TLS + remove one short BP [you can setup your strongOD plugin for this 2 issues].So if you have a dll then my old unpack script "VMProtect API Turbo Tracer 1.2" does check it at line 494 & 496 so that you can run the script with dlls from EP.Set Olly to stop at system BP for exe files [did not add a TLS check in this script].If you need to stop at TLS with a dll then the script does work too.

Exe - Set Olly to stop at system BP

Dll - Works with TLS & EP

Note: If you have files like .ocx etc then rename this to .dll.

PS: Did you got the boxed dll unpacked now so far?

greetz

EDIT: TLS callback Pointer address and TLS callback address are not needed anymore [only by protector itself] thats the reason why I zero both.If you don't zero the callback address then the unpacked file will also stop first at this address and not at your EP.So you can fill both with zero after unpacking.

Edited by LCF-AT (see edit history)
  • Like 1

Share this post


Link to post
Share on other sites
Conquest

@ Conquest

PS: Did you got the boxed dll unpacked now so far?

greetz

 

Yes Master LCF-AT, i got it working for now. I will try to unpack some custom made dlls next. I will probably need help sometime later. Thank you so much for answering.

Edited by Conquest (see edit history)

Share this post


Link to post
Share on other sites
Dreamer

can someone upload LCF-AT  tut   Unpacking of a VMProtect Boxed    download start and  stop at  99%  and  again start itself  and bam  server time out


Share this post


Link to post
Share on other sites
Teddy Rogers

can someone upload LCF-AT  tut   Unpacking of a VMProtect Boxed    download start and  stop at  99%  and  again start itself  and bam  server time out

 

Working fine here, check your antivirus software...

 

Ted.

  • Like 1

Share this post


Link to post
Share on other sites
Dreamer

heh  you are right Teddy  its my antivirus  thx


Share this post


Link to post
Share on other sites
av999

because boxed.dll created after unpacking EXE


so another way of unpacked.exe

Edited by av999 (see edit history)

Share this post


Link to post
Share on other sites
LCF-AT

Hi av999,

your unpacked file with the boxed patch does not work.Intern boxed dll will not created [see LoadLibraryA API stop | ZwQueryAttributesFile return from VM = C0000034 (OBJECT NAME NOT FOUND)] and then it goes wrong forward so it will never reached the ZwMapViewOfSection API.Also your download-link is no more working.

Video about cpuid "cpuid-hash.fbr"

RecorderEdition BB FlashBack4_RUS  RecorderVersion 4.1.2.2592
Why do you send a fbr file and no playable video? :)

greetz

Share this post


Link to post
Share on other sites
av999

sorry


fixed


up


Share this post


Link to post
Share on other sites
LCF-AT

Hi av999,

good work so now its working with c:\temp path only. :)

Also I have seen your CPUID video where you use the VMP Debugger.So maybe you can explain it a little more if possible.

00446C37   CALL 0062A640                             0045E36B   CALL 0062A640                             0046369C   CALL 0062A640                             00464C83   CALL 0062A640                             00464FA3   CALL 0062A640                             00468F5F   CALL 0062A640                             00627863   CALL 0062A640 0062A640     9C                 PUSHFD0062A641     837D 00 05         CMP DWORD PTR SS:[EBP],50062A645     75 3B              JNZ SHORT 0062A6820062A647     817D 04 00104000   CMP DWORD PTR SS:[EBP+4],4010000062A64E     7E 32              JLE SHORT 0062A6820062A650     817D 04 80C26200   CMP DWORD PTR SS:[EBP+4],62C2800062A657     7F 29              JG SHORT 0062A6820062A659     817D 0C 00104000   CMP DWORD PTR SS:[EBP+C],4010000062A660     7E 20              JLE SHORT 0062A6820062A662     817D 0C 80C26200   CMP DWORD PTR SS:[EBP+C],62C2800062A669     7E 09              JLE SHORT 0062A6740062A66B     817D 0C 00000010   CMP DWORD PTR SS:[EBP+C],100000000062A672     7E 0E              JLE SHORT 0062A6820062A674     8B45 04            MOV EAX,DWORD PTR SS:[EBP+4]0062A677     83C0 05            ADD EAX,50062A67A     8B00               MOV EAX,DWORD PTR DS:[EAX]0062A67C     F7D0               NOT EAX0062A67E     40                 INC EAX0062A67F     8945 08            MOV DWORD PTR SS:[EBP+8],EAX0062A682     8B45 00            MOV EAX,DWORD PTR SS:[EBP]0062A685     9D                 POPFD0062A686     C3                 RETN----------------Local AD Hook 00466867-------------------------------0062A687     81FE F0F45000      CMP ESI,50F4F00062A68D     74 05              JE SHORT 0062A6940062A68F   ^ E9 D8C1E3FF        JMP 0046686C0062A694     8915 3CB66200      MOV DWORD PTR DS:[62B63C],EDX ; edx = check DWORD0062A69A     C605 8EA66200 00   MOV BYTE PTR DS:[62A68E],00062A6A1   ^ EB EC              JMP SHORT 0062A68F
So what is now the CPUID fix?In your video I see you fill after CPUID the 4 registers to 00 and then it writes a DWORD in my case [0017472C | 0277CFC5].Don't understand the first patch block of your code + call hooks.

greetz

Share this post


Link to post
Share on other sites
av999

1st block - crc fix - no more about it


2block - is cpuid fix


video only demonstrate how cpuid may be fixed and shows what mem-dword deals with cpuid-hash


in my exe i did that:


 -set breakpoints on all appropriate commands CPUID  and mem bp on Local ADblock


-run and founded latest CPUID befory mem break on Local AD


-restart and trace from latest CPUID to mem bp 


in run trace log you will found place where some REG32=[mem dword from Locall Ad block] and esi as


indicator


so in that place we have: esi,reg32

Share this post


Link to post
Share on other sites
LCF-AT

Hi av999,

not clear so far.

00629186    0FA2                    CPUID0012F688   006293F1  /CALL to LocalAlloc0012F68C   00000000  |Flags = LMEM_FIXED0012F690   00000068  \Size = 68 (104.)EAX 001A4020 <--ECX 7C809A90 kernel32.7C809A90EDX 001A0608EBX 25CB31A3ESP 0012F688EBP 0012F78CESI 00626945 VMProtec.00626945EDI 0012F694EIP 7C809A90 kernel32.7C809A90006293F1  MOVZX CX,ALmem bp access at 001A0000 | 00005000Start run trace00629054  MOV DWORD PTR ES:[EAX],EDX EAX 001A4020ECX 006275AA VMProtec.006275AAEDX FF68A82DEBX 2A864552ESP 0012F668EBP 0012F798ESI 0061BC91 VMProtec.0061BC91EDI 0012F694EIP 00629054 VMProtec.00629054--------------0062991D  MOV DWORD PTR DS:[EAX],EDXEAX 001A405C // 001A4020 + 3CECX 00629FA5 VMProtec.00629FA5EDX 0001B0CE  <-- LA DWORDEBX 2B791BE3ESP 0012F684EBP 0012F798ESI 0054940E VMProtec.0054940EEDI 0012F694
So the last CPUID before calling LocalAlloc was on 00629186 then stop at LocalAlloc ret = Block address 001A4020.Then I stop at 00629054 where it filled the local DWORDs start 001A4020 till 68 bytes and 001A4020 + 3C = 001A405C | 00000002 <-- get filled on command above.So now the next stop at 001A405C is at 0062991D where it filled DWORD 0001B0CE [in my case] = end and check value later.

The question now are:

----------------------------------

- where did you start the run trace to get the address of 50F4F0

- did you redirect LocalAlloc/ret eax to 0062B600 and if yes = 0062B600 no original file address = not there. :)

- how did you find possible check location at 00466867 for checking 50F4F0

- so is then in edx always the actual check DWORD of each xy CPU which you then just let fill into check location (my case in your file = 0062B63C | FFA9BAAE)

Would be nice if you can post some more addresses or exsample video [in Olly] :) of this UnpackMe about the CPUID first if possible. :) So I see your patch does work so first CPUID is checking at "0046A78E" on unpacked file and if I change it in your file the file starts ok.Coolio! :)

greetz

Share this post


Link to post
Share on other sites
av999

we have unpacked.exe and so needed trace from cpuid to break on LocalADblock only in unpacked.exe!


why 00629186 ???


nearest (to break on LocalADblock  )  command CPUID may be have different address for one unpacked to other


45f0b6 - my unpack


 


46a78e - other unpack


 


ps


my LA=62b600


 


video


http://www.sendspace.com/file/mbfveq


Edited by av999 (see edit history)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...