Jump to content
Tuts 4 You

[unpackme] VMProtect 2.06 unpackme

EvOlUtIoN

By EvOlUtIoN
in UnPackMe

 Share

Recommended Posts

LCF-AT

LCF-AT

Posted
Posted

Hi av999,

thank you for the new video so now I understand the way you did. :) Yes you are right so in my old unpacked file are used other loactions.

My LA+3C 00EC003C | 002B70AE-------------0046A78E      CPUID 00448C2E      MOV EAX,DWORD PTR DS:[EAX] // LA+3C-------------My Trace log-------------00446C27 Main     MOV EDX,DWORD PTR SS:[EBP]  ; EDX=002B70AE0046277E Main     SUB BL,AL                   ; EBX=097861FC00462780 Main     BSR CX,BP                   ; ECX=0000000F00462784 Main     RCL ECX,CL                  ; ECX=0007C00000462786 Main     SUB ESI,-1                  ; ESI=0046C73700462789 Main     CMP ECX,EDX......004469BC Main     SUB ESI,-4                 ; ESI=0046C73B & EDX=002B70AE.....004469C3 Main     JMP 004630E3               ; ESI=0046C73B & EDX=002B70AEHook at 004469C3 to LA+3C patch
All working so far. :) Only problem now it that I can't verify it without to use a other CPU but I can see the diffrent DWORD in your video and my system.Also I see in my case that the DWORD check of LA+3C does happen before the CRC checks so that I can restore the hook direct after patching new DWORD to LA loaction.
004469C3  JMP 004630E3to 004469C3  JMP 00EC0080 // my hook00EC0080  CMP ESI,46C73B00EC0086  JE SHORT 00EC008D00EC0088  JMP 004630E300EC008D  MOV DWORD PTR DS:[EC003C],EDX00EC0093  MOV BYTE PTR DS:[EC0087],000EC009A  MOV DWORD PTR DS:[4469C4],1C71B // unhook00EC00A4  JMP SHORT 00EC0088CRC checkings:00460EF1    XOR AL,BYTE PTR DS:[EDX]  no00462B00    XOR AL,BYTE PTR DS:[EDX]  004469C4 004469C6004640BF    XOR AL,BYTE PTR DS:[EDX]  004469C5 004469C7
Maybe just a random that CRC checking happen first after LA or? :)

Ok I have patched my unpacked file so far and it does also work but would be nice if you could check my file on your system whether all is working with my patches.Just wanna know it that all I made its ok or not.

So at the end I can just say again great work av999 and also thank you very much for the new infos about CPUID + videos. :) So this kind of dynamic patching of the CPUID is much better than to patch each single CPUID check.Thanks again av999.

greetz

VMProtector_2.06_unpackme_CPUID+CRC.rar

  • Replies 66
  • Created
  • Last Reply

Top Posters In This Topic

  • LCF-AT

    19

  • EvOlUtIoN

    9

  • av999

    8

  • vinnie

    6

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

LCF-AT
LCF-AT

***************************************** Unpacking of a VMProtect Boxed dll *****************************************Hi again,ok I have now created a little video tutorial for you and all others ho

LCF-AT
LCF-AT

@ Conquest So if you press the ok button on the main target then after the boxed dll will loaded into memory so now you can open the E or M map and you see boxed.dll as one section and there you see

LCF-AT
LCF-AT

Yes you are right! It checks the whole code.So at the moment I would say that there is no way to prevent this selfchecking.I created already some diffrent loops but also without success.Looks like a

av999

av999

Posted
Posted

not worked for me


first step to check cpuid-fix is set zero to [EC003C]

LCF-AT

LCF-AT

Posted
Posted

Hi,

not working for you?Can you check and see the reason?Ok so I think this should not to be the reason to set [00EC003C] | 00000000 to zero.So I see no check of this loaction before reaching the LA patch.

So I only use XP SP3 [unpack system] and XP SP0 as check system [but same CPU of course] and there its working on both.Hhmmm,strange now again.

greetz

Asian Dragon

Asian Dragon

Posted
Posted (edited)

:play_ball:


Edited by Asian Dragon
Asian Dragon

Asian Dragon

Posted
Posted

Hi, LCF-AT


CPUID and rtdsc patch file does not work on win 7?


Error.swf

av999

av999

Posted
Posted (edited)

http://rghost.ru/47995229  - that working for me except boxed.dll


may be your fix too far from the right place and changed ZF

Edited by av999
Asian Dragon

Asian Dragon

Posted
Posted (edited)

:schmoll:


Edited by Asian Dragon
LCF-AT

LCF-AT

Posted
Posted

@ av999

Ahhh ok so I think in this case it would be really better to hook the closer place direct where you get the hash in register and before the return too like you did it now with my file. :)

00446C26 Main     PUSHFD00446C27 Main     MOV EDX,DWORD PTR SS:[EBP]  ; EDX=002B70AE
Ok now its again more clear.Thanks again av999. :) One question about the VMP Debugger,so normaly I don't use it [have no english version].Do you have any descriptions of the Debugger features in english or other language which you maybe could let translate with any internet-translater etc?Is there maybe also a option to set any BPs on direct VA / RVA addresses of the target itself instead only to set BPs on the VMP VM?

@ Asian Dragon

Thanks also for the little video.So if you run the file and you see the box of the unpackme then just wait some seconds and try to move the window a little bit around so after a short while it will also reach the CPUID checks without to press the OK button.If you do this without to press OK and it crash then I also know that the reason was my CPUID patch = wrong / error / to late patched but if it keep working so far then it was successfully.Just try this to know that maybe the unpacked boxed dll was the problem [other loaded base etc].

So your CPUID patched file does crash for me after a little while.Maybe you tell next time the address where you did patch it to prevent manually searching in the file.

greetz

Asian Dragon

Asian Dragon

Posted
Posted

Thank you LCF-AT.


  • 2 months later...
besoeso

besoeso

Posted
Posted

hi LCF-AT,


 


I have follow the thread but can´t undestand how solve CRC+CPUID, the information is dispersed and complied follow it.


 


¿Can you do a full video how you solved CRC+CPUID unpackme target ?


 


A greeting.


  • 1 month later...
b30wulf

b30wulf

Posted
Posted

plz reupload second video cpuid fix


  • 8 months later...
guardgold

guardgold

Posted
Posted 
*****************************************  Unpacking of a VMProtect Boxed dll  *****************************************
Hi again,

ok I have now created a little video tutorial for you and all others how you can deal with that boxed dll of this unpackme from this topic.Just a exsample of course.Just follow my video and try it after by yourself.I added also the unpacked files [No CPUID - RDTSC etc fixed!] for testing and checking / analysing etc.Read the Short Tutorial.txt there you can get all infos what to do etc so I have made also a quick steplist + infos.So I hope you this video will answer your more than one year long trying. :)

greetz

 

Thank you!!!

  • 1 year later...
  • 1 year later...
JRS701

JRS701

Posted
Posted

Is there some have a copy for " some video about cpuid fix " by av999.??

Please share it... or reupload....

 

  • 3 weeks later...
mosadegh22

mosadegh22

Posted
Posted (edited)
On 12/11/2010 at 5:43 PM, EvOlUtIoN said:

yes, but that way you don't have to patch a lot of addresses?

anybody can unpack this file ?

it is protect by vmprotector 2

 

Edited by Teddy Rogers

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...