Matt Posted August 28, 2012 (edited)
Hello everyone. After some time I finally finished the beta version of my VM-based protector, so I'm publishing an unpackme here. The main idea behind the code was to have the ability to generate a very dynamic VM, so in the attached zip you will find 2 protected executables which were built from the same target. The protected files are DEP, UAC and ASLR compatible and should launch on any NT Windows. I greatly welcome any suggestions and criticism.
PS: Imports redirection is disabled.
PSS: don't look for "opcode + pushfd" like in tmd and vmp; the eflags calculation is manually written.
PSSS: I think that a few guys will find some of the code already familiar, but let's keep this silent; I appreciate this.
unpackme_apollo.zip
Edited October 26, 2012 by Matt
metr0 Posted August 29, 2012
"PSS: don't look for 'opcode + pushfd' like in tmd and vmp, eflags calculation is manual written"
Way to go. I just thought Oreans would have been intelligent enough to already do this (assuming they did consider it and dropped it due to performance issues). Or the VMP devs could have been more creative, doing work on their own. Will have a look.
delldell Posted August 30, 2012
Thank you very much. I just made a small test (hehehe) to get to this point: there were 2 small windows (hehehe, one of these windows was a pain in the neck) when run tracing, and yes, you are right, after dumping PEiD says that it is packed with a different packer/compressor. Once again thank you; I will take more time to test it when I have more free time.
Matt (Author) Posted August 30, 2012
You thought that it's not real? Btw, these small windows are debug warning stuff which show when the internal thread sync is broken. The main part won't be present in the dump because it's in dynamic memory (you should have noticed that while tracing). Currently for me the main question is about making an Apollo dev topic at these forums, or should I go to exetools?
deepzero Posted August 30, 2012
Why not both? "that windows" is defeated by a somewhat decent hiding plugin iirc, or did I patch something? Can't remember! Anyway, I'm in the middle of moving around, so computer time is scarce, but it's got its own special folder on my VM desktop... maybe in a week or two. Haven't seen any serious code obfu thus far, though. Good. Btw, what are your thoughts on open-source? ^^ *wink*
mm10121991 Posted August 30, 2012
Yes, StrongOD is enough to run those unpackmes.
delldell Posted August 30, 2012
(cheese) That was my idea, that there was something about anti-debug checks. I did not investigate further because I only have a 5 minute break (working hehe). Probably next month I'll have more free time. In the meantime that is all my progress from the short test. Thank you very much, I wish I had more time.
Matt (Author) Posted August 30, 2012
No antidebug there at all. I thought about a free/open-source model some time ago and there is no chance that this could happen, not because I want this commercial but due to external factors like AV vendors: every single part of the code will be detected within a month due to malware protected with it, and this puts at risk every developer who used the protector. Such a project's source and licensing stuff must be under control and I see no way for this but being commercial and/or being given for free to trusted developers; if some version got leaked, the unique license signatures in the protected files will be detected (or I can include them into the AV blacklists, but not all AV vendors have such a thing as blacklists for developers).
quosego Posted August 31, 2012 (edited)
Themida is sure as hell easier to dump. My linear dumper is killing this baby in so many ways. Might as well just devirtualize first, ask questions later. And indeed, if this had antidebug I'm not seeing it. Also Themida's protection threads were less annoying.
EDIT: This seems okay..
[[[Instr]]]mov edx, 004454A8 ||| vm_eip[04D305BF] = 0000712C ||| vm_reg_eax = 0012FA04, vm_reg_ecx = 004426D4, vm_reg_edx = 0012FA14, vm_reg_ebx = 00000000
[[[Instr]]]mov eax, [0044703C] ||| vm_eip[04D31B52] = 0000712C ||| vm_reg_eax = 0044703C, vm_reg_ecx = 7C810EA6, vm_reg_edx = 00000A0D, vm_reg_ebx = 00000000
(could be mov reg_32, reg/stack, not looked into that yet..) RISC you person. Anyway, 4 instructions done, 600 to go.
EDIT: More than one possible handler per instruction.
Edited August 31, 2012 by quosego
Matt (Author) Posted August 31, 2012
CISC ain't popular thiz dayz. Keep it up! If you analyze the handlers deeper you will see that it's more like a RICKed RISC than a normal RISC. I would really like to hear some suggestions regarding the VM from you or any other reverser who looked inside; probably I'm missing something important here.
quosego Posted August 31, 2012 (edited)
Well, go mental on obfuscation and this VM becomes fairly awesome and I won't be able to get decent code from this anytime soon. Also encrypt the VM bytecode; I haven't actually checked if you do, but if you haven't, it'll prevent static devirtualisation. Unless they can get the actual ciphers, which I think deathway does in his Themida devirtualizer. Also write the VM_registers at weird places.. not in a nice table. But mostly obfu: I simply check for the NOT parts and certain variables to get which VM_registers are used or where the vars are stored. With obfu it would take a lot longer to find those. Might have some more after I go beyond my basic analysis and dig somewhat deeper. Also I really shouldn't be helping people to make my life harder.
Edited August 31, 2012 by quosego
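Added example, not code from this thread and not Apollo's own implementation: a toy VM in C that shows two of the points discussed above in working form. The first is the manually written eflags calculation from the opening post: flags_add32 and flags_sub32 build CF, PF, AF, ZF, SF and OF from the operands and the result alone, with no "opcode + pushfd". The second is the pair of suggestions in this post, encrypted bytecode and more than one handler per instruction: the bytecode is XOR-encrypted under a rolling key that depends on every earlier plaintext byte, and opcodes 0x20 and 0x21 both mean add but run through differently shaped handler bodies. The instruction format, the rolling-key scheme, the opcode numbers, the handler and function names and the key 0x5A are all constructed assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Arithmetic flag bits at their x86 EFLAGS positions. */
enum { F_CF = 0x001, F_PF = 0x004, F_AF = 0x010, F_ZF = 0x040, F_SF = 0x080, F_OF = 0x800 };
/* Flags that add and sub derive the same way from operands a, b and result r. */
static uint32_t common_flags(uint32_t a, uint32_t b, uint32_t r) {
    uint32_t f = 0, p = r & 0xFFu;
    p ^= p >> 4; p ^= p >> 2; p ^= p >> 1;           /* parity of the low result byte */
    if ((p & 1u) == 0) f |= F_PF;                    /* PF: even number of 1 bits */
    if ((a ^ b ^ r) & 0x10u) f |= F_AF;              /* AF: carry/borrow out of bit 3 */
    if (r == 0) f |= F_ZF;
    if (r & 0x80000000u) f |= F_SF;
    return f;
}
/* EFLAGS of a 32-bit add, computed by hand instead of running add + pushfd. res may be NULL. */
uint32_t flags_add32(uint32_t a, uint32_t b, uint32_t *res) {
    uint32_t r = a + b, f = common_flags(a, b, r);
    if (r < a) f |= F_CF;                            /* CF: unsigned carry out */
    if ((a ^ r) & (b ^ r) & 0x80000000u) f |= F_OF;  /* OF: same-sign operands, result sign differs */
    if (res) *res = r;
    return f;
}
/* EFLAGS of a 32-bit sub (a - b), likewise by hand. */
uint32_t flags_sub32(uint32_t a, uint32_t b, uint32_t *res) {
    uint32_t r = a - b, f = common_flags(a, b, r);
    if (a < b) f |= F_CF;                            /* CF: borrow */
    if ((a ^ b) & (a ^ r) & 0x80000000u) f |= F_OF;  /* OF: operand signs differ, result sign != a */
    if (res) *res = r;
    return f;
}

/* VM context: registers in eax, ecx, edx, ebx order as in the trace above, flags, vm_eip. */
typedef struct { uint32_t reg[4]; uint32_t eflags; size_t vm_eip; } vm_t;
/* Bytecode is XOR-encrypted under a rolling key fed by every earlier plaintext byte
   (constructed scheme), so a static tool has to replay the stream from its start to read it. */
static uint8_t fetch(vm_t *vm, const uint8_t *code, uint8_t *key) {
    uint8_t plain = code[vm->vm_eip++] ^ *key;
    *key = (uint8_t)(*key * 5u + plain + 1u);
    return plain;
}
static uint32_t fetch_imm32(vm_t *vm, const uint8_t *code, uint8_t *key) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)fetch(vm, code, key) << (8 * i);
    return v;
}
void encrypt_bytecode(const uint8_t *plain, uint8_t *out, size_t n, uint8_t key) {
    for (size_t i = 0; i < n; i++) { out[i] = plain[i] ^ key; key = (uint8_t)(key * 5u + plain[i] + 1u); }
}

/* Instruction format (constructed): opcode byte, register index byte, imm32 little-endian. */
typedef void (*handler_t)(vm_t *, const uint8_t *, uint8_t *);
static void h_mov(vm_t *vm, const uint8_t *c, uint8_t *k) {
    uint8_t r = fetch(vm, c, k) & 3u; vm->reg[r] = fetch_imm32(vm, c, k);
}
static void h_add_a(vm_t *vm, const uint8_t *c, uint8_t *k) {
    uint8_t r = fetch(vm, c, k) & 3u; uint32_t imm = fetch_imm32(vm, c, k);
    vm->eflags = flags_add32(vm->reg[r], imm, &vm->reg[r]);
}
/* Second handler for the same add: result via a + b == a - (0 - b), flags from the true
   operands, so a byte signature written for h_add_a does not match this body. */
static void h_add_b(vm_t *vm, const uint8_t *c, uint8_t *k) {
    uint8_t r = fetch(vm, c, k) & 3u; uint32_t imm = fetch_imm32(vm, c, k), old = vm->reg[r];
    vm->eflags = flags_add32(old, imm, NULL);
    vm->reg[r] = old - (0u - imm);
}
/* Dispatch loop: runs until HALT (0xFF); returns instructions executed, -1 on bad bytecode. */
int vm_run(vm_t *vm, const uint8_t *code, size_t len, uint8_t key) {
    static const struct { uint8_t op; handler_t h; } table[] =
        { {0x10, h_mov}, {0x20, h_add_a}, {0x21, h_add_b} };   /* two opcodes both mean add */
    for (int n = 0; vm->vm_eip < len; n++) {
        uint8_t op = fetch(vm, code, &key);
        if (op == 0xFF) return n;
        handler_t h = NULL;
        for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) if (table[i].op == op) h = table[i].h;
        if (!h) return -1;                           /* undefined opcode: stop, never run garbage */
        h(vm, code, &key);
    }
    return -1;                                       /* ran off the end without HALT */
}

/* Constructed program: mov ecx,7FFFFFFF ; add ecx,1 (opcode 21) ; mov eax,FFFFFFFF ;
   add eax,1 (opcode 20) ; halt.  The final state is left in g_vm for inspection. */
static vm_t g_vm;
int demo_run(void) {
    static const uint8_t plain[] = {
        0x10, 1, 0xFF,0xFF,0xFF,0x7F,  0x21, 1, 0x01,0x00,0x00,0x00,
        0x10, 0, 0xFF,0xFF,0xFF,0xFF,  0x20, 0, 0x01,0x00,0x00,0x00,  0xFF };
    uint8_t enc[sizeof plain];
    encrypt_bytecode(plain, enc, sizeof plain, 0x5A);   /* key 0x5A is an arbitrary constructed value */
    memset(&g_vm, 0, sizeof g_vm);
    return vm_run(&g_vm, enc, sizeof enc, 0x5A);
}
uint32_t demo_reg(int i) { return g_vm.reg[i & 3]; }
uint32_t demo_flags(void) { return g_vm.eflags; }
```

After demo_run() the VM holds ecx = 80000000 (the add through handler 0x21 set OF, SF, AF and PF) and eax = 00000000 with eflags = 055 (CF, PF, AF, ZF from the add through handler 0x20), which is exactly what the real instructions would leave behind. The hand-written flag logic is the part that deserves this kind of check, since a wrong OF or AF rule would silently change program behaviour under the VM; the two add handlers exist so that identifying one handler body tells a pattern-matching tool nothing about the other, and the rolling key means no bytecode byte can be read in isolation.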
Matt (Author) Posted September 2, 2012
"go mental on obfuscation"
It's more about obfuscating the offsets while accessing the _variable_memory_ than obfuscating everything else. For now the only unresolved question for me is execution speed; currently it's like 5 times slower than vmp, but with additional obfu like you suggested it can be 10.
"Also I really shouldn't be helping people to make my life harder."
The weight of the protector's world isn't only on your shoulders.
quosego Posted September 2, 2012 (edited)
Hmmm, yeah, that might be a problem. Right now your variable_mem obfuscation doesn't bother me at all. It'd be a lot better if those handlers weren't that clear. Protector-wise, if you keep it this way I can guarantee you that within a month someone will make something that spits out readable code.. I already got 10 or so instructions; it would not take that long to get the others. I mean, compare it to that funky recursive byte array VM from SecuROM, and I got the general structure of this within seconds. You don't want that. I mean, you'll have the newbies stumped for months. But not all people are newbies. If obfu is out of the question, the VM has to be less conformist.
Edited September 2, 2012 by quosego
Matt (Author) Posted September 2, 2012
Got your idea, a lot of work to do for me then.
"If obfu is out of the question"
No, it's not =)