
Hi av999,

thank you for the new video, so now I understand the way you did it. :) Yes, you are right, so in my old unpacked file other locations are used.

My LA+3C 00EC003C | 002B70AE
-------------
0046A78E      CPUID
00448C2E      MOV EAX,DWORD PTR DS:[EAX] // LA+3C
-------------
My Trace log
-------------
00446C27 Main     MOV EDX,DWORD PTR SS:[EBP]  ; EDX=002B70AE
0046277E Main     SUB BL,AL                   ; EBX=097861FC
00462780 Main     BSR CX,BP                   ; ECX=0000000F
00462784 Main     RCL ECX,CL                  ; ECX=0007C000
00462786 Main     SUB ESI,-1                  ; ESI=0046C737
00462789 Main     CMP ECX,EDX
......
004469BC Main     SUB ESI,-4                  ; ESI=0046C73B & EDX=002B70AE
.....
004469C3 Main     JMP 004630E3                ; ESI=0046C73B & EDX=002B70AE
Hook at 004469C3 to LA+3C patch
All working so far. :) The only problem now is that I can't verify it without using another CPU, but I can see the different DWORD in your video and on my system. Also I see in my case that the DWORD check of LA+3C happens before the CRC checks, so that I can restore the hook directly after patching the new DWORD to the LA location.
004469C3  JMP 004630E3
to
004469C3  JMP 00EC0080 // my hook
00EC0080  CMP ESI,46C73B
00EC0086  JE SHORT 00EC008D
00EC0088  JMP 004630E3
00EC008D  MOV DWORD PTR DS:[EC003C],EDX
00EC0093  MOV BYTE PTR DS:[EC0087],0
00EC009A  MOV DWORD PTR DS:[4469C4],1C71B // unhook
00EC00A4  JMP SHORT 00EC0088
CRC checkings:
00460EF1    XOR AL,BYTE PTR DS:[EDX]  no
00462B00    XOR AL,BYTE PTR DS:[EDX]  004469C4 004469C6
004640BF    XOR AL,BYTE PTR DS:[EDX]  004469C5 004469C7
Maybe it is just random that the CRC checking happens only after LA, or? :)

Ok, I have patched my unpacked file so far and it also works, but it would be nice if you could check my file on your system to see whether everything is working with my patches. Just wanna know whether all I made is ok or not.

So at the end I can just say again: great work av999, and also thank you very much for the new infos about CPUID + videos. :) So this kind of dynamic patching of the CPUID is much better than patching each single CPUID check. Thanks again av999.

greetz

VMProtector_2.06_unpackme_CPUID+CRC.rar
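An added example written for this thread in C, not code from the post or from VMProtect: it models why the hook above is undone at 00EC009A before the XOR loops read 004469C4..004469C7. A byte-wise XOR self-check over a constructed copy of the code window catches the rewritten JMP rel32 while the hook is live and is satisfied again once the original rel32 (1C71B) is written back; the window bytes other than the JMP are constructed filler, and the XOR loop stands in for whatever the real CRC routine computes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REGION_BASE 0x004469C0u   /* constructed: start of the checked window */
#define JMP_ADDR    0x004469C3u   /* JMP 004630E3 (E9 rel32), quoted in the thread */
#define ORIG_TARGET 0x004630E3u
#define HOOK_TARGET 0x00EC0080u   /* the hook stub quoted in the thread */

/* rel32 of a 5-byte E9 JMP: target minus the address of the next instruction.
 * For 004469C3 -> 004630E3 this is 1C71B, the value the unhook writes back. */
static uint32_t jmp_rel32(uint32_t insn_addr, uint32_t target) {
    return target - (insn_addr + 5);
}

/* Byte-wise XOR over [p, p+len), the shape of the XOR AL,BYTE PTR DS:[EDX] loops. */
static uint8_t xor_checksum(const uint8_t *p, size_t len) {
    uint8_t al = 0;
    for (size_t i = 0; i < len; i++) al ^= p[i];
    return al;
}

/* Encode E9 <rel32 little-endian> at JMP_ADDR inside the constructed window. */
static void write_jmp(uint8_t *code, uint32_t target) {
    uint32_t rel = jmp_rel32(JMP_ADDR, target);
    size_t off = JMP_ADDR - REGION_BASE;
    code[off] = 0xE9;
    for (int i = 0; i < 4; i++) code[off + 1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Checksum of the window in one of three states:
 * 0 = pristine JMP 004630E3, 1 = hooked JMP 00EC0080,
 * 2 = hooked and then restored, as the stub does at 00EC009A. */
static uint8_t window_checksum(int state) {
    uint8_t code[16] = {0};              /* constructed stand-in for 004469C0.. */
    write_jmp(code, ORIG_TARGET);        /* pristine bytes: E9 1B C7 01 00 */
    if (state >= 1) write_jmp(code, HOOK_TARGET);  /* hook installed */
    if (state >= 2) write_jmp(code, ORIG_TARGET);  /* unhooked before the CRC read */
    return xor_checksum(code, sizeof code);
}

int main(void) {
    printf("rel32 for JMP 004630E3 at 004469C3: %05X\n",
           (unsigned)jmp_rel32(JMP_ADDR, ORIG_TARGET));
    printf("pristine %02X, hooked %02X, restored %02X\n",
           window_checksum(0), window_checksum(1), window_checksum(2));
    return 0;
}
```

For a defender the point is that an integrity check which runs once at a fixed point only sees what is in memory at that moment; the same check re-run across the window would catch the transient patch.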

not worked for me


The first step to check the cpuid fix is to set [EC003C] to zero.

Hi,

Not working for you? Can you check and see the reason? Ok, so I think this should not be the reason, to set [00EC003C] | 00000000 to zero. So I see no check of this location before reaching the LA patch.

So I only use XP SP3 [unpack system] and XP SP0 as check system [but the same CPU of course] and there it's working on both. Hhmmm, strange now again.

greetz



Edited by Asian Dragon

Hi, LCF-AT


CPUID and RDTSC patch file does not work on Win 7?


Error.swf

http://rghost.ru/47995229  - that working for me except boxed.dll


Maybe your fix is too far from the right place and changed ZF.

Edited by av999



Edited by Asian Dragon

@ av999

Ahhh ok, so I think in this case it would really be better to hook the closer place directly where you get the hash in the register and before the return too, like you did it now with my file. :)

00446C26 Main     PUSHFD
00446C27 Main     MOV EDX,DWORD PTR SS:[EBP]  ; EDX=002B70AE
Ok, now it's again more clear. Thanks again av999. :) One question about the VMP Debugger, so normally I don't use it [have no English version]. Do you have any descriptions of the Debugger features in English or another language which you maybe could let translate with any internet translator etc? Is there maybe also an option to set any BPs on direct VA / RVA addresses of the target itself instead of only setting BPs on the VMP VM?

@ Asian Dragon

Thanks also for the little video. So if you run the file and you see the box of the unpackme, then just wait some seconds and try to move the window a little bit around, so after a short while it will also reach the CPUID checks without pressing the OK button. If you do this without pressing OK and it crashes, then I also know that the reason was my CPUID patch = wrong / error / patched too late, but if it keeps working so far then it was successful. Just try this to know whether maybe the unpacked boxed dll was the problem [other loaded base etc].

So your CPUID patched file does crash for me after a little while. Maybe you tell next time the address where you patched it, to prevent manually searching in the file.

greetz

Thank you LCF-AT.


  • 2 months later...

hi LCF-AT,




I have followed the thread but can't understand how to solve CRC+CPUID; the information is dispersed and it is complicated to follow it.




Can you do a full video on how you solved the CRC+CPUID unpackme target?




A greeting.


  • 1 month later...

plz reupload second video cpuid fix


  • 8 months later...
*****************************************  Unpacking of a VMProtect Boxed dll  *****************************************
Hi again,

ok I have now created a little video tutorial for you and all others on how you can deal with that boxed dll of this unpackme from this topic. Just an example of course. Just follow my video and try it afterwards by yourself. I also added the unpacked files [No CPUID - RDTSC etc fixed!] for testing and checking / analysing etc. Read the Short Tutorial.txt, there you can get all infos about what to do etc, so I have also made a quick steplist + infos. So I hope this video will answer your more than one year long trying. :)

greetz


Thank you!!!

  • 1 year later...

some video about cpuid fix


and unpacked


http://www.sendspace.com/file/k1fzks


Files have been deleted. Please reupload...


Thanks in advance.

  • 1 year later...

Does someone have a copy of "some video about cpuid fix" by av999??

Please share it... or reupload....


  • 3 weeks later...
On 12/11/2010 at 5:43 PM, EvOlUtIoN said:

yes, but that way you don't have to patch a lot of addresses?

Can anybody unpack this file?

It is protected by VMProtector 2.


Edited by Teddy Rogers
