[unpackme] VProtect_1[1].9.2.0

[cozofdeath]

I'm checking it out today and can't figure out why it keeps clearing the stack (esp = 0) and then pushing a value onto it killing Olly. Clearly I'm doing something wrong because this isn't valid in Olly or Windows but I can't figure it out. I'm on a win7 computer. Running it outside the debugger works fine. But inside it fails every time at the same spot early in the code. It happens at 102fe75 (XCHG EAX, ESP) right after changing the hardware registers. Any info on this?

[LCF-AT]

@ cozofdeath

Disable Protect DRx in Phant0m [or other plugins patching DRx]

Enable Skip some Exceptions in StrongOD

With this head setting you can run VProtect in Olly.Use only soft BPs.If you want to break on APIs then use the ret for stopping.VProtect also has selfcode checks so if you set soft BPs in the code [mostly in VM] and if it checks then it gets wrong values.You know the opcode where the BP is set will read now as CC byte = crash later.If you want to analyze some VM code inside the you should better hook the KiUserExceptionDispatcher API and keep a eye on the stack results.There you can also catch some bad AV = VP has found | detecd you.

PS: Unpack script is still in progress but I am close for completion the first public version.

greetz

[cozofdeath]

Thanks for the reply. I still can't get it to work with any setting. It errors quick with this exception: 0xC0000235. No matter what anti-debug setting I have it on. I always have an extremely hard time trying to get around the anti-debugs on this computer. But I appreciate you listing the anti-debug settings. I'll give it a go on the old faithful XP computer.

Good luck on the script!

Edited October 2, 2011 by cozofdeath

[LCF-AT]

C0000235 (HANDLE NOT CLOSABLE)

--------------------------------------

StrongOD:

--------------------------------------

Enable HidePEB

Enable KernelMode

Enable !*Kill BadPE Bug (optinal)

Enable Skip some Exceptions

Normal

--------------------------------------

Phant0m:

--------------------------------------

Enable Protect DRx

--------------------------------------

Olly Custom Exceptions: 00000000-FFFFFFFF

--------------------------------------

Do not forget to rename the drivernames in the Olly ini file.The other options in Strong & Phant0m you have to DISABLE.Now you should run your VProtect targets in Olly without problems.You can also check if you have still running a old driver in background.Use IceSword | SSDT table have a look and if you see some \temp\....sys which is not from strongOD then restore it.You can also find in some cases a old Phant0m driver which is no more used.If yes then restore it too.

Now check this and try again.

PS: So test also some diffrent VProtect unpackmes and see whether you get the same bad result or not.If you also use more Olly's with StrongOD & Phant0m then use also the same driver names in the other Olly ini files.Also use no more the Phant0m plugin with loading a driver so in many cases Phant0m has problems to unload the driver itself.

greetz

[cozofdeath]

Thanks LCF-AT for the quick and informative response. I will try everything mentioned.

[thisistest]

vprotect 2.1.0.0

vprotectdemo 2.1.0.0.rar