r0ket Posted December 20, 2010 Posted December 20, 2010 Hello again, try to unpack this one, ep + payload virtualization
LCF-AT Posted January 3, 2011 Posted January 3, 2011 Hello ElCrabe, 1. Good work! 2. I can rebuild the full OEP routine and get the target run 3. I can not rebuild the VMed Opcodes!Just some calls. 4. Looks very hard your new UnpackMe so I see no light to come forward to rebuild the VM code for the calc routine. 5. You are using a lot memory. All in all its not easy for me or I am too blind or something. Maybe you can give us some advice where to have a deeper look to get/see some more about the used commands. greetz
EvOlUtIoN Posted January 3, 2011 Posted January 3, 2011 Same here too...i think the only possible way to solve it is to execute the part of stub that creates the vm near oep. Dump all is kindly impossible imho. Interesting one.
quosego Posted January 3, 2011 Posted January 3, 2011 (edited) Hehe you're not telling me this is harder than Themida right. Anyways since you guys are already giving up this might be very interesting. EDIT: I like the hints, (virtual stack exceed etc. ) Edited January 3, 2011 by quosego
EvOlUtIoN Posted January 4, 2011 Posted January 4, 2011 of course it is not harder than themida. For example it does not have any it protectoin. Anyway to dump whole parts of needed vm could be hard...test by yourself
r0ket Posted January 4, 2011 Author Posted January 4, 2011 (edited) @LCF-AT 1. Thx =) 2. Gonna add some critical code to the virtualized ep code (if ep virtualization option is enabled) soon 5. Yep, as u already know vmed code length is too big, rewrite&reduce needed. Almost all other vm params r user configurable Advice #0: Trash opcode handlers have no calls inside. @quosego A lot of debug info inside EDIT: Do u need more advices now ? Edited January 6, 2011 by ElCrabe
r0ket Posted January 24, 2011 Author Posted January 24, 2011 Okay, if things r like they were 20 days ago im gonna publish protector demo, should i publish it in this topic or create new one (where?). Thx.
xsp!d3r Posted January 24, 2011 Posted January 24, 2011 i think you should create a new thread in the packers/protectors area
Gladiator Posted February 15, 2011 Posted February 15, 2011 is there any obfuscation in VM handlers ? poly protection or some thing like this ?
Gladiator Posted February 15, 2011 Posted February 15, 2011 Jump handler seems to be obfuscated with morphine , am i right ?
r0ket Posted February 16, 2011 Author Posted February 16, 2011 Gladiator1) A bit obfuscated2) No u r not =) 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now