Tuts 4 You

[unpackme] Apollo protector


Matt


Hello everyone :cc_jockey: After some time I finally finished the beta version of my VM-based protector, so I'm publishing an unpackme here.

The main idea behind the code was to have the ability to generate a very dynamic VM, so in the attached zip you will find 2 protected executables which were built from the same target. The protected files are DEP, UAC and ASLR compatible and should launch on any NT Windows.

I greatly welcome any suggestions and criticism ^_^

PS: Imports redirection is disabled.

PSS: don't look for "opcode + pushfd" like in TMD and VMP, the eflags calculation is manually written.

PSSS: I think a few guys will find some of the code already familiar, but let's keep this silent, I appreciate this.

unpackme_apollo.zip

Edited by Matt
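To illustrate the "no opcode + pushfd" point above, here is an added example (not Apollo's code, and not from the original post) of a virtual 32-bit ADD handler that derives CF, PF, ZF, SF and OF arithmetically instead of executing a native add and saving the real EFLAGS; the vm_reg_* context layout is a hypothetical one borrowed from the trace naming used later in this thread.

```c
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bit positions, as laid out in the x86 EFLAGS register. */
#define FLAG_CF (1u << 0)
#define FLAG_PF (1u << 2)
#define FLAG_ZF (1u << 6)
#define FLAG_SF (1u << 7)
#define FLAG_OF (1u << 11)

/* PF is set when the low byte of the result has an even number of 1 bits. */
static uint32_t parity_flag(uint32_t result) {
    uint8_t b = (uint8_t)result;
    b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;   /* bit 0 is now the XOR of all 8 bits */
    return (b & 1) ? 0 : FLAG_PF;
}

/* Virtual 32-bit ADD handler: the result and CF/PF/ZF/SF/OF are derived
 * arithmetically, so no native ADD + PUSHFD pair ever appears in the handler. */
uint32_t vm_add32(uint32_t a, uint32_t b, uint32_t *eflags) {
    uint32_t r = a + b;
    uint32_t f = 0;
    if (r < a)           f |= FLAG_CF;        /* unsigned carry out of bit 31 */
    f |= parity_flag(r);
    if (r == 0)          f |= FLAG_ZF;
    if (r & 0x80000000u) f |= FLAG_SF;        /* sign bit of the result */
    /* signed overflow: both operands share a sign and the result's sign differs */
    if (~(a ^ b) & (a ^ r) & 0x80000000u) f |= FLAG_OF;
    *eflags = f;
    return r;
}

/* Convenience wrapper that returns only the computed flags. */
uint32_t vm_add32_flags(uint32_t a, uint32_t b) {
    uint32_t f;
    vm_add32(a, b, &f);
    return f;
}

/* Hypothetical VM context; the vm_reg_* names mirror the trace in this thread. */
typedef struct { uint32_t vm_reg_eax, vm_reg_ecx, vm_eflags; } vm_ctx;

/* Handler for a virtualised "add eax, ecx" operating on the VM context. */
void vm_handler_add_eax_ecx(vm_ctx *c) {
    c->vm_reg_eax = vm_add32(c->vm_reg_eax, c->vm_reg_ecx, &c->vm_eflags);
}

int main(void) {
    vm_ctx c = { 0x7FFFFFFFu, 1u, 0u };   /* constructed sample: INT_MAX + 1 */
    vm_handler_add_eax_ecx(&c);
    printf("vm_reg_eax = %08X, vm_eflags = %08X\n", c.vm_reg_eax, c.vm_eflags);
    return 0;
}
```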

PSS: don't look for "opcode + pushfd" like in TMD and VMP, the eflags calculation is manually written.

Way to go. I just thought Oreans would have been intelligent enough to already do this (assuming they did consider and dropped it due to performance issues). Or VMP devs could have been more creative, doing work on their own. ;)

Will have a look.


Thank you very much, I just made a small test (hehehe)

2nisdw7.png

To get to this point there were 2 small windows

28o67p.png

(hehehe, one of these windows was a pain in the neck)

when running a trace

And yes, you are right, after dumping PEiD says that it is packed with a different packer/compressor

Once again thank you, I will take more time to test it when I have more free time


You thought that it's not real? :D Btw, these small windows are debug warning stuff which shows when internal thread sync is broken. The main part won't be present in the dump because it's in dynamic memory (you should have noticed that while tracing).

Currently for me the main question is about making an Apollo dev topic on these forums, or should I go to exetools? :P


why not both? :)

"that windows" is defeated by a somewhat decent hiding plugin iirc - or did I patch something? Can't remember! :P

Anyways, I'm in the middle of moving around, so computer time is sparse, but it's got its own special folder on my VM desktop... maybe in a week or two.. ;)

Haven't seen any serious code obfu thus far, though. Good.

Btw, what are your thoughts on open source?^^ *wink*


(cheese) That was my idea, that it was something about anti-debug checks.

I did not investigate further because I only have a 5 minute break (working hehe).

Probably in the next months I'll have more free time.

Meantime, that is all my progress from the short test.

thank you very much I wish I had more time


No anti-debug there at all. I thought about a free/open-source model some time ago and there is no chance that this could happen, not because I want this to be commercial but due to external factors like AV vendors: every single part of the code will be detected within a month due to malware protected with it, and this puts at risk every developer who used the protector. Such a project's source and licensing stuff must be under control and I see no way for this other than being commercial and/or being given for free to trusted developers; if some version gets leaked, the unique license signatures in the protected files will be detected (or I can include them in the AV blacklists, but not all AV vendors have such a thing as blacklists for developers).


Themida is sure as hell easier to dump. My linear dumper is killing this baby in so many ways. ;) Might as well just devirtualize first, ask questions later.

And indeed if this had antidebug I'm not seeing it.

Also Themida's protection threads were less annoying.

EDIT:

This seems okay..

[[[Instr]]]mov edx, 004454A8	|||		vm_eip[04D305BF] = 0000712C		|||		vm_reg_eax = 0012FA04, vm_reg_ecx = 004426D4, vm_reg_edx = 0012FA14, vm_reg_ebx = 00000000
[[[Instr]]]mov eax, [0044703C] ||| vm_eip[04D31B52] = 0000712C ||| vm_reg_eax = 0044703C, vm_reg_ecx = 7C810EA6, vm_reg_edx = 00000A0D, vm_reg_ebx = 00000000

(could be mov reg_32, reg/stack not looked into that yet..)

RISC you person. ;) Anyways 4 instructions done 600 to go.

EDIT:

More than one possible handler per instruction.

Edited by quosego

CISC ain't popular thiz dayz :) Keep it up! If you analyze the handlers deeper you will see that it's more like RICKed RISC than a normal RISC.

I would really like to hear some suggestions regarding the VM from you or any other reverser who looked inside, probably I'm missing something important here.

Link to comment
Share on other sites

Well go mental on obfuscation and this VM becomes fairly awesome and I won't be able to get decent code from this anytime soon. Also encrypt the VM bytecode, not actually checked if you do, but if you haven't it'll prevent static devirtualisation. Unless they can get the actual ciphers. Which I think deathway does in his themida devirtualizer.

Also write the VM_registers at weird places, not in a nice table.

But mostly obfu, I simply check for the NOT parts and certain variables to get which VM_registers are used or where the vars are stored. With obfu it would take a lot longer to find those.

Might have some more after I go beyond my basic analysis and dig somewhat deeper.

Also I really shouldn't be helping people to make my life harder. :)

Edited by quosego

go mental on obfuscation

It's more about obfuscating the offsets while accessing the _variable_memory_ than obfuscating everything else.

For now the only unresolved question for me is about execution speed; currently it's like 5 times slower than VMP, but with additional obfu like you suggested it can be 10.

Also I really shouldn't be helping people to make my life harder. :)

Weight of the protector's world isn't only on your shoulders :D


Hmmm yeah, that might be a problem. Right now your variable_mem obfuscation doesn't bother me at all. It'd be a lot better if those handlers weren't that clear. Protector-wise, if you keep it this way I can guarantee you that within a month someone will make something that spits out readable code. I already got 10 or so instructions; it would not take that long to get the others. I mean, compare it to that funky recursive byte array VM from SecuROM, and I got the general structure of this within seconds. You don't want that.

I mean you'll have the newbies stumped for months. But not all people are newbies.

If obfu is out of the question, the VM has to be less conformist.

Edited by quosego
