White
Posted November 5, 2022

On 9/17/2022 at 3:30 AM, abbas said:

could you please explain how you found this?

You can find this asm code at its vm_hash handler.

Sean the hard worker
Posted April 14

On 4/2/2015 at 5:22 AM, SunBeam said:

[ Solutions so far: JohnWho, What ] (read whole thread)

Hello folks.

Decided I would post this here as well, as we're lacking some exercise on these kinds of targets.

Purpose: open up the test target, click OK on the message box. Use any tool you want to alter a byte in application's active memory (e.g.: "MZ" string at ImageBase) and another message will appear.

Goal: make the 'bad' message never pop-up, but not through patching the all-too-clear JUMP. Inline VMProtect's CRC check method so the CALL always returns 1. Again, not through MOV EAX,1|RETN (P.S.: imagine you don't know where this function is in a well-obfuscated target).

Link: https://www.mediafire.com/file/sngpjiclmdgu3m2/Lic_MessageBox_2.rar/file
Password: sunbeam

Kudos,
Sun

When we modify these underlined memory sections, the CRC check doesn't work.

00500000  00001000  User  lic_messagebox.vmp.exe              IMG  -R---  ERWC-
00501000  00005000  User  ".text"            Executable cod   IMG  ER---  ERWC-
00506000  00003000  User  ".rdata"           Read-only init   IMG  -R---  ERWC-
00509000  00002000  User  ".data"            Initialized da   IMG  -RW--  ERWC-
0050B000  00006000  User  ".vmp0"                             IMG  ER---  ERWC-
00511000  00003000  User  ".vmp1"                             IMG  ERWC-  ERWC-
00514000  00003000  User  ".vmp1"                             IMG  ERW--  ERWC-
00517000  00002000  User  ".vmp1"                             IMG  ERWC-  ERWC-
00519000  00001000  User  ".vmp1"                             IMG  ERW--  ERWC-
0051A000  00001000  User  ".vmp1"                             IMG  ERWC-  ERWC-
0051B000  00002000  User  ".reloc", ".rsrc"  Base relocatio   IMG  -R---  ERWC-

Regards.
sean.