ldr Posted January 6, 2015

Hi! I have a PECompact protected target from 2010. I have successfully unpacked the exe, but it seems that some code is virtualized. I successfully identified the main VM handler routine, the VM image base, the number of VM handlers, and the address of the handlers, but I cannot identify which code virtualizer is used. The big mystery for me is that the VM is located inside the main code section and not in a different section. I tried to devirtualize it with VMSweeper and Oreans Unvirtualizer but without success. (It seems that it is neither VMSweeper nor Oreans Code Virtualizer that is used.) I tried several packer detectors (die, exeinfo pe, peid, protection id), but none of them detects any protection inside the unpacked file. Maybe someone can give me a hint which code virtualizer locates itself inside the main code section? Regards leader
metr0 Posted January 6, 2015

The fact that the VM lies in the very same (first?) code section might hint that it has not been added after compilation. It might have been part of the original source code and thus custom. As evlncrn8 said, upload the binary or at least paste the VM's disassembly somewhere.
kao Posted January 6, 2015 (edited)

Quoting ldr: "I have a PECompact protected target from 2010. .... The big mystery for me is that the VM is located inside the main code section and not in a different section."

Careful there... Since your target was packed by PECompact after being virtualized, you can't really tell what was in which section before packing. PECompact loves to stuff everything together in one large section, IIRC. EDIT: clarification. Edited January 6, 2015 by kao
ldr (Author) Posted January 10, 2015

Hi! First of all, thanks for the answers... Here are some snippets:

1. This is the first push/jmp section, where 0x433EEC is the address of the main VM handler:

004852DF > \68 D8EE4400 PUSH d_SCY.0044EED8
004852E4 .^ E9 03ECFAFF JMP d_SCY.00433EEC
004852E9 > 68 2DB94500 PUSH d_SCY.0045B92D
004852EE .^ E9 F9EBFAFF JMP d_SCY.00433EEC
004852F3 > 68 60174600 PUSH d_SCY.00461760
004852F8 .^ E9 EFEBFAFF JMP d_SCY.00433EEC
004852FD > 68 BE8C4600 PUSH d_SCY.00468CBE
00485302 .^ E9 E5EBFAFF JMP d_SCY.00433EEC
00485307 > 68 64654700 PUSH d_SCY.00476564
0048530C .^ E9 DBEBFAFF JMP d_SCY.00433EEC
00485311 > 68 E9804700 PUSH d_SCY.004780E9
00485316 .^ E9 D1EBFAFF JMP d_SCY.00433EEC
0048531B > 68 F0964700 PUSH d_SCY.004796F0
00485320 .^ E9 C7EBFAFF JMP d_SCY.00433EEC
00485325 > 68 B7B44700 PUSH d_SCY.0047B4B7
0048532A .^ E9 BDEBFAFF JMP d_SCY.00433EEC
0048532F > 68 FEC44700 PUSH d_SCY.0047C4FE
00485334 .^ E9 B3EBFAFF JMP d_SCY.00433EEC
00485339 > 68 B9D74700 PUSH d_SCY.0047D7B9
0048533E .^ E9 A9EBFAFF JMP d_SCY.00433EEC

2. And here is the beginning of the main VM handler:

00433EEC > /60 PUSHAD ; Main Handler
00433EED . |9C PUSHFD
00433EEE . |FC CLD
00433EEF . |E8 00000000 CALL d_SCY.00433EF4
00433EF4 $ |5F POP EDI
00433EF5 > . |81EF F43E4300 SUB EDI,d_SCY.00433EF4 ; 0x00433EF4 => 7. line of Main Handler
00433EFB . |8BC7 MOV EAX,EDI
00433EFD . |81C7 003C4300 ADD EDI,d_SCY.00433C00 ; Image Base of VM => 0x433C00
00433F03 . |3B47 2C CMP EAX,DWORD PTR DS:[EDI+2C]
00433F06 . |75 02 JNZ SHORT d_SCY.00433F0A
00433F08 . |EB 36 JMP SHORT d_SCY.00433F40
00433F0A > |8947 2C MOV DWORD PTR DS:[EDI+2C],EAX
00433F0D . |B9 A8000000 MOV ECX,0A8 ; Number of Handlers => 0xA8
00433F12 . |EB 0D JMP SHORT d_SCY.00433F21
00433F14 > |EB 06 JMP SHORT d_SCY.00433F1C
00433F16 . |01448F 58 ADD DWORD PTR DS:[EDI+ECX*4+58],EAX
00433F1A . |EB 04 JMP SHORT d_SCY.00433F20
00433F1C > |01448F 48 ADD DWORD PTR DS:[EDI+ECX*4+48],EAX
00433F20 > |49 DEC ECX
00433F21 > |0BC9 OR ECX,ECX
00433F23 .^|75 EF JNZ SHORT d_SCY.00433F14
00433F25 . |837F 44 00 CMP DWORD PTR DS:[EDI+44],0
00433F29 . |74 15 JE SHORT d_SCY.00433F40
00433F2B . |8B77 44 MOV ESI,DWORD PTR DS:[EDI+44]
00433F2E . |03F0 ADD ESI,EAX
00433F30 . |EB 09 JMP SHORT d_SCY.00433F3B
00433F32 > |8B1E MOV EBX,DWORD PTR DS:[ESI]
00433F34 . |03D8 ADD EBX,EAX
00433F36 . |0103 ADD DWORD PTR DS:[EBX],EAX
00433F38 . |83C6 04 ADD ESI,4
00433F3B > |833E 00 CMP DWORD PTR DS:[ESI],0
00433F3E .^|75 F2 JNZ SHORT d_SCY.00433F32
00433F40 > |8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]
00433F44 . |8BDE MOV EBX,ESI
00433F46 . |03F0 ADD ESI,EAX
00433F48 . |B9 01000000 MOV ECX,1
00433F4D > |33C0 XOR EAX,EAX
00433F4F . |F0:0FB14F 30 LOCK CMPXCHG DWORD PTR DS:[EDI+30],ECX ; LOCK prefix
00433F54 .^|75 F7 JNZ SHORT d_SCY.00433F4D
00433F56 > |AC LODS BYTE PTR DS:[ESI] ; LODS
00433F57 . |52 PUSH EDX
00433F58 . |B2 32 MOV DL,32
00433F5A . |F6D2 NOT DL
00433F5C . |E9 141E0000 JMP d_SCY.00435D75
00433F61 > |89CD MOV EBP,ECX
00433F63 . |E9 33650100 JMP d_SCY.0044A49B
00433F68 > |892C24 MOV DWORD PTR SS:[ESP],EBP
00433F6B . |54 PUSH ESP
00433F6C . |5D POP EBP
00433F6D . |81C5 04000000 ADD EBP,4
00433F73 . |E9 AC260100 JMP d_SCY.00446624

3. The VM handler makes a lot of jumps and transformations on the key before jumping to the desired handler:

004418B1 > \0FB6C0 MOVZX EAX,AL
004418B4 . FF2487 JMP DWORD PTR DS:[EDI+EAX*4] ; jump to handler

4. As I said before, it's very strange that the VM is not in a different section; it's located in the main CODE section:

00400000 00001000 d_SCY PE header Imag R RWE
00401000 00085000 d_SCY .text code Imag R RWE
00486000 00002000 d_SCY .rsrc resources Imag R RWE
00488000 00001000 d_SCY .reloc data,relocat Imag R RWE
00489000 00002000 d_SCY .idata2 Imag R RWE
0048B000 00002000 d_SCY .SCY imports Imag R RWE

OEP: 0x40D653
VM Handler: 0x433EEC
VM Image Base: 0x433C00
Code Section Start: 0x401000
Code Section End: 0x485FFFF

I just tried to devirtualize the exe with Oreans Unvirtualizer and VMProtect using the following parameters:

Code Start: 0x401000
Code Size: 0x23C00
VM Start: 0x433C00
VM Size: 0x61400

Both plugins found lots of VM references but none of them can identify the VM entry or signature. Thanks for your help. Regards leader
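The first listing above is the signature an analyst usually keys on when triaging a virtualized binary: many five-plus-five-byte PUSH imm32 / JMP rel32 stubs that all converge on one address (here 0x433EEC). The following Python script is an added example, not code from the thread or from any of the tools mentioned in it. It re-encodes the ten stubs from the listing as a constructed byte sample, then scans for the pattern, resolves each rel32 to its absolute target, and groups stubs by target so that a shared target with many callers stands out from coincidental PUSH/JMP pairs in ordinary code. It also mirrors the delta arithmetic in the handler prologue (CALL $+5 / POP EDI / SUB EDI,0x433EF4 / ADD EDI,0x433C00) to show how the VM base is derived when the image is relocated. The threshold of four stubs per target and the filler bytes around the sample are my own assumptions.

```python
import struct

# Virtual addresses taken from the listings in this thread.
VM_ENTRY = 0x433EEC      # main VM handler
STUBS_VA = 0x4852DF      # address of the first PUSH/JMP stub
# The ten pushed immediates from the first listing, in order.
PUSHED = [0x44EED8, 0x45B92D, 0x461760, 0x468CBE, 0x476564,
          0x4780E9, 0x4796F0, 0x47B4B7, 0x47C4FE, 0x47D7B9]


def encode_stub(va, pushed, target=VM_ENTRY):
    """Encode 'PUSH imm32; JMP rel32' as it would appear at address va.

    The JMP displacement is relative to the end of the JMP itself (va + 10).
    """
    rel = (target - (va + 10)) & 0xFFFFFFFF
    return b"\x68" + struct.pack("<I", pushed) + b"\xE9" + struct.pack("<I", rel)


def build_sample():
    """Constructed sample (assumption): the ten stubs re-encoded from the listing,
    with a few INT3/NOP filler bytes around them so the scanner has to skip noise."""
    body = b"".join(encode_stub(STUBS_VA + 10 * i, p) for i, p in enumerate(PUSHED))
    return b"\xCC" * 4 + body + b"\x90" * 3


SAMPLE = build_sample()
SAMPLE_VA = STUBS_VA - 4      # VA of the first filler byte


def find_push_jmp_stubs(code, code_va):
    """Return (stub_va, pushed_imm32, jmp_target) for each 'PUSH imm32; JMP rel32' pair."""
    found = []
    i = 0
    while i + 10 <= len(code):
        if code[i] == 0x68 and code[i + 5] == 0xE9:
            pushed = struct.unpack_from("<I", code, i + 1)[0]
            rel = struct.unpack_from("<i", code, i + 6)[0]     # signed displacement
            stub_va = code_va + i
            target = (stub_va + 10 + rel) & 0xFFFFFFFF
            found.append((stub_va, pushed, target))
            i += 10                                             # consume the whole stub
        else:
            i += 1
    return found


def group_by_target(stubs, min_stubs=4):
    """Group stubs by JMP target and keep only targets shared by many stubs.

    A lone PUSH/JMP pair occurs in normal compiler output; a target reached by
    dozens of such stubs is a dispatcher, which is what a VM entry looks like.
    The min_stubs threshold is an assumption, not something the thread states.
    """
    groups = {}
    for stub_va, pushed, target in stubs:
        groups.setdefault(target, []).append((stub_va, pushed))
    return {t: s for t, s in groups.items() if len(s) >= min_stubs}


def relocated_vm_base(observed_pop_edi, expected=0x433EF4, vm_base_const=0x433C00):
    """Replay the prologue's self-relocation arithmetic from the second listing:
    EDI = (address POP EDI actually produced) - 0x433EF4 + 0x433C00.
    With no relocation the delta is zero and EDI ends up at 0x433C00."""
    delta = (observed_pop_edi - expected) & 0xFFFFFFFF
    return (delta + vm_base_const) & 0xFFFFFFFF


if __name__ == "__main__":
    stubs = find_push_jmp_stubs(SAMPLE, SAMPLE_VA)
    for target, members in group_by_target(stubs).items():
        print(f"VM entry candidate {target:#010x}: {len(members)} stubs")
        for stub_va, pushed in members:
            print(f"  {stub_va:#010x} pushes {pushed:#010x}")
    print(f"VM base at preferred image base: {relocated_vm_base(0x433EF4):#x}")
```

On a real dump you would pass the raw bytes of the .text section and its virtual address to find_push_jmp_stubs instead of the constructed sample; the pushed immediates are then the per-entry values the VM consumes, and the group keys are the candidate VM entry points to examine next.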
Conquest Posted January 11, 2015 (edited)

I am not very good at this, but it looks like Themida to me. The other type I am aware of is VMP, but it doesn't seem like VMP to me; specifically, this pattern doesn't exist in VMP (the VM block change in VMP occurs by its handlers pointing to the next block):

Quoting ldr: "1. This is the first push/jmp section, where 0x433EEC is the address of the main VM handler:"

004852DF > \68 D8EE4400 PUSH d_SCY.0044EED8
004852E4 .^ E9 03ECFAFF JMP d_SCY.00433EEC
004852E9 > 68 2DB94500 PUSH d_SCY.0045B92D
004852EE .^ E9 F9EBFAFF JMP d_SCY.00433EEC
004852F3 > 68 60174600 PUSH d_SCY.00461760
004852F8 .^ E9 EFEBFAFF JMP d_SCY.00433EEC
004852FD > 68 BE8C4600 PUSH d_SCY.00468CBE
00485302 .^ E9 E5EBFAFF JMP d_SCY.00433EEC
00485307 > 68 64654700 PUSH d_SCY.00476564
0048530C .^ E9 DBEBFAFF JMP d_SCY.00433EEC
00485311 > 68 E9804700 PUSH d_SCY.004780E9
00485316 .^ E9 D1EBFAFF JMP d_SCY.00433EEC
0048531B > 68 F0964700 PUSH d_SCY.004796F0
00485320 .^ E9 C7EBFAFF JMP d_SCY.00433EEC
00485325 > 68 B7B44700 PUSH d_SCY.0047B4B7
0048532A .^ E9 BDEBFAFF JMP d_SCY.00433EEC
0048532F > 68 FEC44700 PUSH d_SCY.0047C4FE
00485334 .^ E9 B3EBFAFF JMP d_SCY.00433EEC
00485339 > 68 B9D74700 PUSH d_SCY.0047D7B9
0048533E .^ E9 A9EBFAFF JMP d_SCY.00433EEC

Also, "lods" isn't used by VMP AFAIK. So far I have only seen Themida using it. Edited January 11, 2015 by Conquest