r0ket, posted December 20, 2010:
Hello again, try to unpack this one: EP + payload virtualization.
LCF-AT, posted January 3, 2011:
Hello ElCrabe,
1. Good work!
2. I can rebuild the full OEP routine and get the target to run.
3. I can not rebuild the VMed opcodes! Just some calls.
4. Your new UnpackMe looks very hard, so I see no light to come forward to rebuild the VM code for the calc routine.
5. You are using a lot of memory.
All in all it's not easy for me, or I am too blind or something. Maybe you can give us some advice where to have a deeper look to get/see some more about the used commands.
greetz
EvOlUtIoN, posted January 3, 2011:
Same here too... I think the only possible way to solve it is to execute the part of the stub that creates the VM near the OEP. Dump all is kindly impossible imho. Interesting one.
quosego, posted January 3, 2011 (edited):
Hehe, you're not telling me this is harder than Themida, right? Anyways, since you guys are already giving up, this might be very interesting.
EDIT: I like the hints (virtual stack exceed etc.).
Edited January 3, 2011 by quosego
EvOlUtIoN, posted January 4, 2011:
Of course it is not harder than Themida. For example, it does not have any it protection. Anyway, to dump whole parts of the needed VM could be hard... test by yourself.
r0ket (author), posted January 4, 2011 (edited):
@LCF-AT
1. Thx =)
2. Gonna add some critical code to the virtualized EP code (if the EP virtualization option is enabled) soon.
5. Yep, as you already know, the VMed code length is too big; rewrite & reduce needed. Almost all other VM params are user configurable.
Advice #0: Trash opcode handlers have no calls inside.
@quosego A lot of debug info inside.
EDIT: Do you need more advice now?
Edited January 6, 2011 by ElCrabe
r0ket (author), posted January 24, 2011:
Okay, if things are like they were 20 days ago I'm gonna publish the protector demo; should I publish it in this topic or create a new one (where?). Thx.
xsp!d3r, posted January 24, 2011:
I think you should create a new thread in the packers/protectors area.
sirp, posted January 25, 2011:
And a tut would be cool ;)
NeO, posted January 26, 2011:
Also some source code wouldn't be bad ;)
Gladiator, posted February 15, 2011:
Is there any obfuscation in the VM handlers? Poly protection or something like this?
Gladiator, posted February 15, 2011:
The jump handler seems to be obfuscated with Morphine, am I right?
r0ket (author), posted February 16, 2011:
@Gladiator
1) A bit obfuscated.
2) No, you are not =)