Jump to content
Tuts 4 You

Help to identify virtual machine


ldr

Recommended Posts

Hi!


 


I have a PECompact protected target from 2010. I have succesfully unpacked the exe but it's sames that some codes are virtualized. I succesfully identifed the main VM handler routine, the VM Image base, the number of VM handlers, the address of hanlders, but I can not identify which code virtualizer is used. The big mistyc for me that the VM is located inside the main Code section and not in different section.


 


I tried to devirtualize it with VMSweeper and Oreans Unvirtualizer but without success. (It's seems it's that is not VMSweeper or Oreans Codevirtualizer is used)


 


I tried several packer detectors (die, exeinfo pe, peid, protection id), but none of than detects any protection inside the unpacked file.


 


Maybe someone can give me a hint which code virtualizer locate itself inside the main code section ?


 


Regards


   leader


Link to comment

The fact that the VM lies in the very same (first?) code section might hint that it has not been added after compilation. It might have been part of the original source code and thus custom. As evlncrn8 said, upload the binary or at least paste the VM's disassembly somewhere.


  • Like 1
Link to comment

I have a PECompact protected target from 2010.     ....      The big mistyc for me that the VM is located inside the main Code section and not in different section.

Careful there... Since your target was packed by pecompact after being virtualized, you can't really tell what was in which section before packing. ;) PECompact loves to stuff everything together in one large section, iirc.

 

EDIT: clarification.

Edited by kao
  • Like 3
Link to comment

Hi!


 


First of all, thx the answers...


 


Here are some snippet:


 


1. This is the first push/jmp section, where 0x433EEC is the address of the main VM Handler:



004852DF > \68 D8EE4400 PUSH d_SCY.0044EED8
004852E4 .^ E9 03ECFAFF JMP d_SCY.00433EEC
004852E9 > 68 2DB94500 PUSH d_SCY.0045B92D
004852EE .^ E9 F9EBFAFF JMP d_SCY.00433EEC
004852F3 > 68 60174600 PUSH d_SCY.00461760
004852F8 .^ E9 EFEBFAFF JMP d_SCY.00433EEC
004852FD > 68 BE8C4600 PUSH d_SCY.00468CBE
00485302 .^ E9 E5EBFAFF JMP d_SCY.00433EEC
00485307 > 68 64654700 PUSH d_SCY.00476564
0048530C .^ E9 DBEBFAFF JMP d_SCY.00433EEC
00485311 > 68 E9804700 PUSH d_SCY.004780E9
00485316 .^ E9 D1EBFAFF JMP d_SCY.00433EEC
0048531B > 68 F0964700 PUSH d_SCY.004796F0
00485320 .^ E9 C7EBFAFF JMP d_SCY.00433EEC
00485325 > 68 B7B44700 PUSH d_SCY.0047B4B7
0048532A .^ E9 BDEBFAFF JMP d_SCY.00433EEC
0048532F > 68 FEC44700 PUSH d_SCY.0047C4FE
00485334 .^ E9 B3EBFAFF JMP d_SCY.00433EEC
00485339 > 68 B9D74700 PUSH d_SCY.0047D7B9
0048533E .^ E9 A9EBFAFF JMP d_SCY.00433EEC

2. And here is the beginning main VM Handler:



00433EEC > /60 PUSHAD ; Main Handler
00433EED . |9C PUSHFD
00433EEE . |FC CLD
00433EEF . |E8 00000000 CALL d_SCY.00433EF4
00433EF4 $ |5F POP EDI
00433EF5 > . |81EF F43E4300 SUB EDI,d_SCY.00433EF4 ; 0x00433EF4 => 7. line of Main Handler
00433EFB . |8BC7 MOV EAX,EDI
00433EFD . |81C7 003C4300 ADD EDI,d_SCY.00433C00 ; Image Base of VM = > 0x433C00
00433F03 . |3B47 2C CMP EAX,DWORD PTR DS:[EDI+2C]
00433F06 . |75 02 JNZ SHORT d_SCY.00433F0A
00433F08 . |EB 36 JMP SHORT d_SCY.00433F40
00433F0A > |8947 2C MOV DWORD PTR DS:[EDI+2C],EAX
00433F0D . |B9 A8000000 MOV ECX,0A8 ; Number of Handlers => 0xA8
00433F12 . |EB 0D JMP SHORT d_SCY.00433F21
00433F14 > |EB 06 JMP SHORT d_SCY.00433F1C
00433F16 . |01448F 58 ADD DWORD PTR DS:[EDI+ECX*4+58],EAX
00433F1A . |EB 04 JMP SHORT d_SCY.00433F20
00433F1C > |01448F 48 ADD DWORD PTR DS:[EDI+ECX*4+48],EAX
00433F20 > |49 DEC ECX
00433F21 > |0BC9 OR ECX,ECX
00433F23 .^|75 EF JNZ SHORT d_SCY.00433F14
00433F25 . |837F 44 00 CMP DWORD PTR DS:[EDI+44],0
00433F29 . |74 15 JE SHORT d_SCY.00433F40
00433F2B . |8B77 44 MOV ESI,DWORD PTR DS:[EDI+44]
00433F2E . |03F0 ADD ESI,EAX
00433F30 . |EB 09 JMP SHORT d_SCY.00433F3B
00433F32 > |8B1E MOV EBX,DWORD PTR DS:[ESI]
00433F34 . |03D8 ADD EBX,EAX
00433F36 . |0103 ADD DWORD PTR DS:[EBX],EAX
00433F38 . |83C6 04 ADD ESI,4
00433F3B > |833E 00 CMP DWORD PTR DS:[ESI],0
00433F3E .^|75 F2 JNZ SHORT d_SCY.00433F32
00433F40 > |8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]
00433F44 . |8BDE MOV EBX,ESI
00433F46 . |03F0 ADD ESI,EAX
00433F48 . |B9 01000000 MOV ECX,1
00433F4D > |33C0 XOR EAX,EAX
00433F4F . |F0:0FB14F 30 LOCK CMPXCHG DWORD PTR DS:[EDI+30],ECX ; LOCK prefix
00433F54 .^|75 F7 JNZ SHORT d_SCY.00433F4D
00433F56 > |AC LODS BYTE PTR DS:[ESI] ; LODS
00433F57 . |52 PUSH EDX
00433F58 . |B2 32 MOV DL,32
00433F5A . |F6D2 NOT DL
00433F5C . |E9 141E0000 JMP d_SCY.00435D75
00433F61 > |89CD MOV EBP,ECX
00433F63 . |E9 33650100 JMP d_SCY.0044A49B
00433F68 > |892C24 MOV DWORD PTR SS:[ESP],EBP
00433F6B . |54 PUSH ESP
00433F6C . |5D POP EBP
00433F6D . |81C5 04000000 ADD EBP,4
00433F73 . |E9 AC260100 JMP d_SCY.00446624

3. The VM handler make a lots of jump and transformation on the key before jumping to the desired handler:



004418B1 > \0FB6C0 MOVZX EAX,AL
004418B4 . FF2487 JMP DWORD PTR DS:[EDI+EAX*4] ; jump to handler

4. As I said before it's very strange that the VM is not in different section, it's located in the main CODE section:



00400000 00001000 d_SCY PE header Imag R RWE
00401000 00085000 d_SCY .text code Imag R RWE
00486000 00002000 d_SCY .rsrc resources Imag R RWE
00488000 00001000 d_SCY .reloc data,relocat Imag R RWE
00489000 00002000 d_SCY .idata2 Imag R RWE
0048B000 00002000 d_SCY .SCY imports Imag R RWE

OEP: 0x40D653


VM Handler: 0x433EEC


VM Image Base: 0x433C00


Code Section Start: 0x401000


Code Section End: 0x485FFFF


 


I just tried to devirtualize the exe with Oreans Unvirtualzer and VMProtect using the followings parameter:


Code Start: 0x401000


Code Size: 0x23C00


VM Start: 0x433C00


VM Size: 0x61400


 


Bot plugins found lot's of VM References but none of them can identify VM entry or signature.


 


Thx your help


 


Regards


  leader


Link to comment

I am not very good at thisbut looks like themida to me . the other type i am aware of is vmp but doesnt seem like vmp to me specially this pattern doesnt exist in vmp (the vm block change in vmp occurs by its handlers pointing to next block)

1. This is the first push/jmp section, where 0x433EEC is the address of the main VM Handler:

004852DF   > \68 D8EE4400   PUSH d_SCY.0044EED8004852E4   .^ E9 03ECFAFF   JMP d_SCY.00433EEC004852E9   >  68 2DB94500   PUSH d_SCY.0045B92D004852EE   .^ E9 F9EBFAFF   JMP d_SCY.00433EEC004852F3   >  68 60174600   PUSH d_SCY.00461760004852F8   .^ E9 EFEBFAFF   JMP d_SCY.00433EEC004852FD   >  68 BE8C4600   PUSH d_SCY.00468CBE00485302   .^ E9 E5EBFAFF   JMP d_SCY.00433EEC00485307   >  68 64654700   PUSH d_SCY.004765640048530C   .^ E9 DBEBFAFF   JMP d_SCY.00433EEC00485311   >  68 E9804700   PUSH d_SCY.004780E900485316   .^ E9 D1EBFAFF   JMP d_SCY.00433EEC0048531B   >  68 F0964700   PUSH d_SCY.004796F000485320   .^ E9 C7EBFAFF   JMP d_SCY.00433EEC00485325   >  68 B7B44700   PUSH d_SCY.0047B4B70048532A   .^ E9 BDEBFAFF   JMP d_SCY.00433EEC0048532F   >  68 FEC44700   PUSH d_SCY.0047C4FE00485334   .^ E9 B3EBFAFF   JMP d_SCY.00433EEC00485339   >  68 B9D74700   PUSH d_SCY.0047D7B90048533E   .^ E9 A9EBFAFF   JMP d_SCY.00433EEC

also "lods" isnt used by vmp afaik . only so far i have seem themida using it

Edited by Conquest
  • Like 1
Link to comment
  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...