Jump to content
Tuts 4 You

Help to identify virtual machine

ldr

By ldr
in Malware Reverse Engineering

 Share

Recommended Posts

ldr

ldr

Posted
Posted

Hi!


 


I have a PECompact protected target from 2010. I have succesfully unpacked the exe but it's sames that some codes are virtualized. I succesfully identifed the main VM handler routine, the VM Image base, the number of VM handlers, the address of hanlders, but I can not identify which code virtualizer is used. The big mistyc for me that the VM is located inside the main Code section and not in different section.


 


I tried to devirtualize it with VMSweeper and Oreans Unvirtualizer but without success. (It's seems it's that is not VMSweeper or Oreans Codevirtualizer is used)


 


I tried several packer detectors (die, exeinfo pe, peid, protection id), but none of than detects any protection inside the unpacked file.


 


Maybe someone can give me a hint which code virtualizer locate itself inside the main code section ?


 


Regards


   leader


Link to comment
Share on other sites
metr0

metr0

Posted
Posted

The fact that the VM lies in the very same (first?) code section might hint that it has not been added after compilation. It might have been part of the original source code and thus custom. As evlncrn8 said, upload the binary or at least paste the VM's disassembly somewhere.


  • Like 1
Link to comment
Share on other sites
kao

kao

Posted
Posted (edited)

I have a PECompact protected target from 2010.     ....      The big mistyc for me that the VM is located inside the main Code section and not in different section.

Careful there... Since your target was packed by pecompact after being virtualized, you can't really tell what was in which section before packing. ;) PECompact loves to stuff everything together in one large section, iirc.

 

EDIT: clarification.

Edited by kao
  • Like 3
Link to comment
Share on other sites
ldr

ldr

Posted
  • Author
Posted

Hi!


 


First of all, thx the answers...


 


Here are some snippet:


 


1. This is the first push/jmp section, where 0x433EEC is the address of the main VM Handler:




004852DF   > \68 D8EE4400   PUSH d_SCY.0044EED8

004852E4   .^ E9 03ECFAFF   JMP d_SCY.00433EEC

004852E9   >  68 2DB94500   PUSH d_SCY.0045B92D

004852EE   .^ E9 F9EBFAFF   JMP d_SCY.00433EEC

004852F3   >  68 60174600   PUSH d_SCY.00461760

004852F8   .^ E9 EFEBFAFF   JMP d_SCY.00433EEC

004852FD   >  68 BE8C4600   PUSH d_SCY.00468CBE

00485302   .^ E9 E5EBFAFF   JMP d_SCY.00433EEC

00485307   >  68 64654700   PUSH d_SCY.00476564

0048530C   .^ E9 DBEBFAFF   JMP d_SCY.00433EEC

00485311   >  68 E9804700   PUSH d_SCY.004780E9

00485316   .^ E9 D1EBFAFF   JMP d_SCY.00433EEC

0048531B   >  68 F0964700   PUSH d_SCY.004796F0

00485320   .^ E9 C7EBFAFF   JMP d_SCY.00433EEC

00485325   >  68 B7B44700   PUSH d_SCY.0047B4B7

0048532A   .^ E9 BDEBFAFF   JMP d_SCY.00433EEC

0048532F   >  68 FEC44700   PUSH d_SCY.0047C4FE

00485334   .^ E9 B3EBFAFF   JMP d_SCY.00433EEC

00485339   >  68 B9D74700   PUSH d_SCY.0047D7B9

0048533E   .^ E9 A9EBFAFF   JMP d_SCY.00433EEC

2. And here is the beginning main VM Handler:




00433EEC   > /60            PUSHAD                                   ;  Main Handler

00433EED   . |9C            PUSHFD

00433EEE   . |FC            CLD

00433EEF   . |E8 00000000   CALL d_SCY.00433EF4

00433EF4   $ |5F            POP EDI

00433EF5 > . |81EF F43E4300 SUB EDI,d_SCY.00433EF4                   ;  0x00433EF4 => 7. line of Main Handler

00433EFB   . |8BC7          MOV EAX,EDI

00433EFD   . |81C7 003C4300 ADD EDI,d_SCY.00433C00                   ;  Image Base of VM = > 0x433C00

00433F03   . |3B47 2C       CMP EAX,DWORD PTR DS:[EDI+2C]

00433F06   . |75 02         JNZ SHORT d_SCY.00433F0A

00433F08   . |EB 36         JMP SHORT d_SCY.00433F40

00433F0A   > |8947 2C       MOV DWORD PTR DS:[EDI+2C],EAX

00433F0D   . |B9 A8000000   MOV ECX,0A8                              ;  Number of Handlers => 0xA8

00433F12   . |EB 0D         JMP SHORT d_SCY.00433F21

00433F14   > |EB 06         JMP SHORT d_SCY.00433F1C

00433F16   . |01448F 58     ADD DWORD PTR DS:[EDI+ECX*4+58],EAX

00433F1A   . |EB 04         JMP SHORT d_SCY.00433F20

00433F1C   > |01448F 48     ADD DWORD PTR DS:[EDI+ECX*4+48],EAX

00433F20   > |49            DEC ECX

00433F21   > |0BC9          OR ECX,ECX

00433F23   .^|75 EF         JNZ SHORT d_SCY.00433F14

00433F25   . |837F 44 00    CMP DWORD PTR DS:[EDI+44],0

00433F29   . |74 15         JE SHORT d_SCY.00433F40

00433F2B   . |8B77 44       MOV ESI,DWORD PTR DS:[EDI+44]

00433F2E   . |03F0          ADD ESI,EAX

00433F30   . |EB 09         JMP SHORT d_SCY.00433F3B

00433F32   > |8B1E          MOV EBX,DWORD PTR DS:[ESI]

00433F34   . |03D8          ADD EBX,EAX

00433F36   . |0103          ADD DWORD PTR DS:[EBX],EAX

00433F38   . |83C6 04       ADD ESI,4

00433F3B   > |833E 00       CMP DWORD PTR DS:[ESI],0

00433F3E   .^|75 F2         JNZ SHORT d_SCY.00433F32

00433F40   > |8B7424 24     MOV ESI,DWORD PTR SS:[ESP+24]

00433F44   . |8BDE          MOV EBX,ESI

00433F46   . |03F0          ADD ESI,EAX

00433F48   . |B9 01000000   MOV ECX,1

00433F4D   > |33C0          XOR EAX,EAX

00433F4F   . |F0:0FB14F 30  LOCK CMPXCHG DWORD PTR DS:[EDI+30],ECX   ;  LOCK prefix

00433F54   .^|75 F7         JNZ SHORT d_SCY.00433F4D

00433F56   > |AC            LODS BYTE PTR DS:[ESI]                   ;  LODS

00433F57   . |52            PUSH EDX

00433F58   . |B2 32         MOV DL,32

00433F5A   . |F6D2          NOT DL

00433F5C   . |E9 141E0000   JMP d_SCY.00435D75

00433F61   > |89CD          MOV EBP,ECX

00433F63   . |E9 33650100   JMP d_SCY.0044A49B

00433F68   > |892C24        MOV DWORD PTR SS:[ESP],EBP

00433F6B   . |54            PUSH ESP

00433F6C   . |5D            POP EBP

00433F6D   . |81C5 04000000 ADD EBP,4

00433F73   . |E9 AC260100   JMP d_SCY.00446624

3. The VM handler make a lots of jump and transformation on the key before jumping to the desired handler:




004418B1   > \0FB6C0        MOVZX EAX,AL

004418B4   .  FF2487        JMP DWORD PTR DS:[EDI+EAX*4]             ;  jump to handler

4. As I said before it's very strange that the VM is not in different section, it's located in the main CODE section:




00400000   00001000   d_SCY                 PE header     Imag   R         RWE

00401000   00085000   d_SCY      .text      code          Imag   R         RWE

00486000   00002000   d_SCY      .rsrc      resources     Imag   R         RWE

00488000   00001000   d_SCY      .reloc     data,relocat  Imag   R         RWE

00489000   00002000   d_SCY      .idata2                  Imag   R         RWE

0048B000   00002000   d_SCY      .SCY       imports       Imag   R         RWE

OEP: 0x40D653


VM Handler: 0x433EEC


VM Image Base: 0x433C00


Code Section Start: 0x401000


Code Section End: 0x485FFFF


 


I just tried to devirtualize the exe with Oreans Unvirtualzer and VMProtect using the followings parameter:


Code Start: 0x401000


Code Size: 0x23C00


VM Start: 0x433C00


VM Size: 0x61400


 


Bot plugins found lot's of VM References but none of them can identify VM entry or signature.


 


Thx your help


 


Regards


  leader


Link to comment
Share on other sites
Conquest

Conquest

Posted
Posted (edited)

I am not very good at thisbut looks like themida to me . the other type i am aware of is vmp but doesnt seem like vmp to me specially this pattern doesnt exist in vmp (the vm block change in vmp occurs by its handlers pointing to next block)

1. This is the first push/jmp section, where 0x433EEC is the address of the main VM Handler:

004852DF   > \68 D8EE4400   PUSH d_SCY.0044EED8004852E4   .^ E9 03ECFAFF   JMP d_SCY.00433EEC004852E9   >  68 2DB94500   PUSH d_SCY.0045B92D004852EE   .^ E9 F9EBFAFF   JMP d_SCY.00433EEC004852F3   >  68 60174600   PUSH d_SCY.00461760004852F8   .^ E9 EFEBFAFF   JMP d_SCY.00433EEC004852FD   >  68 BE8C4600   PUSH d_SCY.00468CBE00485302   .^ E9 E5EBFAFF   JMP d_SCY.00433EEC00485307   >  68 64654700   PUSH d_SCY.004765640048530C   .^ E9 DBEBFAFF   JMP d_SCY.00433EEC00485311   >  68 E9804700   PUSH d_SCY.004780E900485316   .^ E9 D1EBFAFF   JMP d_SCY.00433EEC0048531B   >  68 F0964700   PUSH d_SCY.004796F000485320   .^ E9 C7EBFAFF   JMP d_SCY.00433EEC00485325   >  68 B7B44700   PUSH d_SCY.0047B4B70048532A   .^ E9 BDEBFAFF   JMP d_SCY.00433EEC0048532F   >  68 FEC44700   PUSH d_SCY.0047C4FE00485334   .^ E9 B3EBFAFF   JMP d_SCY.00433EEC00485339   >  68 B9D74700   PUSH d_SCY.0047D7B90048533E   .^ E9 A9EBFAFF   JMP d_SCY.00433EEC

also "lods" isnt used by vmp afaik . only so far i have seem themida using it

Edited by Conquest
  • Like 1
Link to comment
Share on other sites
  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...