Tuts 4 You

[unpackme] VMProtect 2.06 unpackme


EvOlUtIoN


Hi av999,

thank you for the new video, so now I understand the way you did it. :) Yes, you are right, in my old unpacked file other locations are used.

My LA+3C 00EC003C | 002B70AE
-------------
0046A78E      CPUID
00448C2E      MOV EAX,DWORD PTR DS:[EAX] // LA+3C
-------------My Trace log-------------
00446C27 Main     MOV EDX,DWORD PTR SS:[EBP]  ; EDX=002B70AE
0046277E Main     SUB BL,AL                   ; EBX=097861FC
00462780 Main     BSR CX,BP                   ; ECX=0000000F
00462784 Main     RCL ECX,CL                  ; ECX=0007C000
00462786 Main     SUB ESI,-1                  ; ESI=0046C737
00462789 Main     CMP ECX,EDX
......
004469BC Main     SUB ESI,-4                  ; ESI=0046C73B & EDX=002B70AE
.....
004469C3 Main     JMP 004630E3                ; ESI=0046C73B & EDX=002B70AE
Hook at 004469C3 to LA+3C patch
All working so far. :) The only problem now is that I can't verify it without using another CPU, but I can see the different DWORD in your video and on my system. Also I see in my case that the DWORD check of LA+3C happens before the CRC checks, so I can restore the hook directly after patching the new DWORD to the LA location.
004469C3  JMP 004630E3
to
004469C3  JMP 00EC0080 // my hook
00EC0080  CMP ESI,46C73B
00EC0086  JE SHORT 00EC008D
00EC0088  JMP 004630E3
00EC008D  MOV DWORD PTR DS:[EC003C],EDX
00EC0093  MOV BYTE PTR DS:[EC0087],0
00EC009A  MOV DWORD PTR DS:[4469C4],1C71B // unhook
00EC00A4  JMP SHORT 00EC0088
CRC checkings:
00460EF1    XOR AL,BYTE PTR DS:[EDX]  no
00462B00    XOR AL,BYTE PTR DS:[EDX]  004469C4 004469C6
004640BF    XOR AL,BYTE PTR DS:[EDX]  004469C5 004469C7
Maybe it's just random that the CRC checking happens first after LA, or? :)

Ok, I have patched my unpacked file so far and it also works, but it would be nice if you could check my file on your system to see whether all is working with my patches. Just want to know whether all I made is ok or not.

So at the end I can just say again great work av999, and also thank you very much for the new infos about CPUID + videos. :) So this kind of dynamic patching of the CPUID is much better than patching each single CPUID check. Thanks again av999.

greetz

VMProtector_2.06_unpackme_CPUID+CRC.rar


Hi,

not working for you? Can you check and see the reason? Ok, so I think this should not be the reason to set [00EC003C] | 00000000 to zero. So I see no check of this location before reaching the LA patch.

So I only use XP SP3 [unpack system] and XP SP0 as check system [but same CPU of course], and there it's working on both. Hmmm, strange now again.

greetz


@ av999

Ahhh ok, so I think in this case it would be really better to hook the closer place directly where you get the hash in the register, and before the return too, like you did it now with my file. :)

00446C26 Main     PUSHFD
00446C27 Main     MOV EDX,DWORD PTR SS:[EBP]  ; EDX=002B70AE
Ok, now it's again more clear. Thanks again av999. :) One question about the VMP Debugger, so normally I don't use it [have no English version]. Do you have any descriptions of the Debugger features in English or another language which you maybe could let translate with any internet translator etc? Is there maybe also an option to set any BPs on direct VA / RVA addresses of the target itself instead of only setting BPs on the VMP VM?

@ Asian Dragon

Thanks also for the little video. So if you run the file and you see the box of the unpackme, then just wait some seconds and try to move the window a little bit around, so after a short while it will also reach the CPUID checks without pressing the OK button. If you do this without pressing OK and it crashes, then I also know that the reason was my CPUID patch = wrong / error / patched too late, but if it keeps working so far then it was successful. Just try this to know whether maybe the unpacked boxed dll was the problem [other loaded base etc].

So your CPUID patched file does crash for me after a little while. Maybe next time tell the address where you did patch it, to prevent manually searching in the file.

greetz



hi LCF-AT,

I have followed the thread but can't understand how to solve CRC+CPUID; the information is dispersed and complicated to follow.

Can you do a full video of how you solved the CRC+CPUID unpackme target?

A greeting.



*****************************************  Unpacking of a VMProtect Boxed dll  *****************************************
Hi again,

ok, I have now created a little video tutorial for you and all others on how you can deal with that boxed dll of this unpackme from this topic. Just an example of course. Just follow my video and try it afterwards by yourself. I added also the unpacked files [No CPUID - RDTSC etc fixed!] for testing and checking / analysing etc. Read the Short Tutorial.txt, there you can get all infos on what to do etc, so I have made also a quick steplist + infos. So I hope this video will answer your more than one year long trying. :)

greetz


Thank you!!!



Does someone have a copy of "some video about cpuid fix" by av999?

Please share it... or reupload....



On 12/11/2010 at 5:43 PM, EvOlUtIoN said:

yes, but that way you don't have to patch a lot of addresses?

Can anybody unpack this file?

It is protected by VMProtector 2.


Edited by Teddy Rogers
