Hello again, try to unpack this one, ep + payload virtualization

Hello ElCrabe,

1. Good work!

2. I can rebuild the full OEP routine and get the target run

3. I can not rebuild the VMed Opcodes!Just some calls.

4. Looks very hard your new UnpackMe so I see no light to come forward to rebuild the VM code for the calc routine.

5. You are using a lot memory.

All in all its not easy for me or I am too blind or something. Maybe you can give us some advice where to have a deeper look to get/see some more about the used commands.

greetz

Same here too...i think the only possible way to solve it is to execute the part of stub that creates the vm near oep. Dump all is kindly impossible imho. Interesting one.

Hehe you're not telling me this is harder than Themida right.

Anyways since you guys are already giving up this might be very interesting.

EDIT:

I like the hints, (virtual stack exceed etc. )

Edited January 3, 201114 yr by quosego

of course it is not harder than themida. For example it does not have any it protectoin. Anyway to dump whole parts of needed vm could be hard...test by yourself

@LCF-AT

1. Thx =)

2. Gonna add some critical code to the virtualized ep code (if ep virtualization option is enabled) soon

5. Yep, as u already know vmed code length is too big, rewrite&reduce needed. Almost all other vm params r user configurable

Advice #0:

Trash opcode handlers have no calls inside.

@quosego

A lot of debug info inside

EDIT:

Do u need more advices now ?

Edited January 6, 201114 yr by ElCrabe

Okay, if things r like they were 20 days ago im gonna publish protector demo, should i publish it in this topic or create new one (where?). Thx.

i think you should create a new thread in the packers/protectors area

and a tut would be cool ,)

also some source code wouldnt be bad;)

is there any obfuscation in VM handlers ? poly protection or some thing like this ?

Jump handler seems to be obfuscated with morphine , am i right ?

Gladiator

1) A bit obfuscated

2) No u r not =)