White Posted November 5, 2022 Posted November 5, 2022 On 9/17/2022 at 3:30 AM, abbas said: could you please explain how you found this? you can find these asm code at its vm_hash handler.
lovejoy226 Posted April 14, 2024 Posted April 14, 2024 On 4/2/2015 at 5:22 AM, SunBeam said: [ Solutions so far: JohnWho, What ] (read whole thread) Hello folks. Decided I would post this here as well, as we're lacking some exercise on these kinds of targets. Purpose: open up the test target, click OK on the message box. Use any tool you want to alter a byte in application's active memory (e.g.: "MZ" string at ImageBase) and another message will appear. Goal: make the 'bad' message never pop-up, but not through patching the all-too-clear JUMP. Inline VMProtect's CRC check method so the CALL always returns 1. Again, not through MOV EAX,1|RETN (P.S.: imagine you don't know where this function is in a well-obfuscated target). Link: https://www.mediafire.com/file/sngpjiclmdgu3m2/Lic_MessageBox_2.rar/file Password: sunbeam Kudos, Sun Lic_MessageBox_2.rar 62.42 kB · 18 downloads When we modifies these underlined memory sections. the CRC check doesn't work. 00500000 00001000 User lic_messagebox.vmp.exe IMG -R--- ERWC- 00501000 00005000 User ".text" Executable cod IMG ER--- ERWC- 00506000 00003000 User ".rdata" Read-only init IMG -R--- ERWC- 00509000 00002000 User ".data" Initialized da IMG -RW-- ERWC- 0050B000 00006000 User ".vmp0" IMG ER--- ERWC- 00511000 00003000 User ".vmp1" IMG ERWC- ERWC- 00514000 00003000 User ".vmp1" IMG ERW-- ERWC- 00517000 00002000 User ".vmp1" IMG ERWC- ERWC- 00519000 00001000 User ".vmp1" IMG ERW-- ERWC- 0051A000 00001000 User ".vmp1" IMG ERWC- ERWC- 0051B000 00002000 User ".reloc", ".rsrc" Base relocatio IMG -R--- ERWC- Regards. sean. 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now