Tuts 4 You


On 9/17/2022 at 3:30 AM, abbas said:

could you please explain how you found this?

You can find this asm code at its vm_hash handler.


On 4/2/2015 at 5:22 AM, SunBeam said:

[ Solutions so far: JohnWho, What ] (read whole thread)

Hello folks.

Decided I would post this here as well, as we're lacking some exercise on these kinds of targets.

Purpose: open up the test target, click OK on the message box.


Use any tool you want to alter a byte in application's active memory (e.g.: "MZ" string at ImageBase) and another message will appear.


Goal: make the 'bad' message never pop-up, but not through patching the all-too-clear JUMP. Inline VMProtect's CRC check method so the CALL always returns 1. Again, not through MOV EAX,1|RETN :) (P.S.: imagine you don't know where this function is in a well-obfuscated target).

Link: https://www.mediafire.com/file/sngpjiclmdgu3m2/Lic_MessageBox_2.rar/file

Password: sunbeam

Kudos,
Sun

Lic_MessageBox_2.rar 62.42 kB · 18 downloads

When we modify these underlined memory sections, the CRC check doesn't work.


00500000            00001000  User                 lic_messagebox.vmp.exe                                                                  IMG    -R---        ERWC-
00501000            00005000  User                  ".text"                                                                 Executable cod IMG    ER---        ERWC-
00506000            00003000  User                  ".rdata"                                                                Read-only init IMG    -R---        ERWC-
00509000            00002000  User                  ".data"                                                                 Initialized da IMG    -RW--        ERWC-

0050B000            00006000  User                  ".vmp0"                                                                                IMG    ER---        ERWC-
00511000            00003000  User                  ".vmp1"                                                                                IMG    ERWC-        ERWC-
00514000            00003000  User                  ".vmp1"                                                                                IMG    ERW--        ERWC-
00517000            00002000  User                  ".vmp1"                                                                                IMG    ERWC-        ERWC-
00519000            00001000  User                  ".vmp1"                                                                                IMG    ERW--        ERWC-
0051A000            00001000  User                  ".vmp1"                                                                                IMG    ERWC-        ERWC-
0051B000            00002000  User                  ".reloc", ".rsrc"                                                       Base relocatio IMG    -R---        ERWC-
 

Regards.

sean.
