Xjun Posted August 8, 2016 Posted August 8, 2016 Difficulty : 6Language : C++Platform : WindowsOS Version : Windows 7Packer / Protector :VMProtect Ultimate 3.0.8 Description : Memory Protection -Yes Import protection -Yes Resource Protection -Yes Pack the output File -Yes Debugger - user-mode+Kernel-mode Virtualization Tools -Yes using VMProtect SDK. Screenshot : UnpackMe.7z 1
av999 Posted August 29, 2016 Posted August 29, 2016 (edited) not worked under Vmware founded: -popfd; rdtsc -popfd;cpuid -cpuid (eax=1) with 31bit detection in ecx what else? ps unp-crc-notfixed.zip Edited October 3, 2016 by av999 1
Techlord Posted August 29, 2016 Posted August 29, 2016 (edited) Wondering why no one was working on this thread Edited August 29, 2016 by Techlord 2
Aer73 Posted August 31, 2016 Posted August 31, 2016 @ Techlord. I agree with you. I'm working on a packed file with this version is being complicated. Is few info about. Many thanks. Kindly regards. 1
Xjun Posted March 16, 2017 Author Posted March 16, 2017 On 2016/8/30 at 3:20 AM, av999 said: not worked under Vmware founded: -popfd; rdtsc -popfd;cpuid -cpuid (eax=1) with 31bit detection in ecx what else? ps unp-crc-notfixed.zip thank you for your reply! VMProtect 3.x Chec detect VMware XP -> cpuid (eax=1) with 31bit detection in ecx -> ZwOpenSection "\device\physicalmemory" WIN7 -> cpuid (eax=1) with 31bit detection in ecx -> kernel32.EnumSystemFirmwareTables 2
SHADOW_UA Posted March 16, 2017 Posted March 16, 2017 2 hours ago, Xjun said: thank you for your reply! VMProtect 3.x Chec detect VMware XP -> cpuid (eax=1) with 31bit detection in ecx -> ZwOpenSection "\device\physicalmemory" WIN7 -> cpuid (eax=1) with 31bit detection in ecx -> kernel32.EnumSystemFirmwareTables Correct. And while first one can be patched with cpuid.1.ecx parameter in VMX file, I can't see a way to permanently patch second one. 2
_BaZzi Posted March 24, 2017 Posted March 24, 2017 (edited) <00452816> db 90,90,90,90,90,90 ; vm detection <0058796E> jmp @HookedCPUID_CRC <00879550> @HookedCPUID_CRC: mov ebx, 00100800 jmp 00647698 <0047B689> jmp @HookedCPUID_VM <00879570> @HookedCPUID_VM: mov ebx, 00100800 sub ebp,0xC jmp 0047B68F <00498066> jmp @HookedCPUID_V <00879590> @HookedCPUID_V: mov ebx, 00100800 sub ebp,0xC jmp 0049806C <00545E14> jmp @HookedCPUID_U <008795B0> @HookedCPUID_U: mov ebx, 00100800 sub ebp,0xC jmp 00545E1A Patch these to make the buttons work. Besides, IsVirtualMachine will crash on xp. UnpackMe.unpacked.exe.zip Edited March 24, 2017 by _BaZzi typo 2
Techlord Posted March 24, 2017 Posted March 24, 2017 So now our guys have succeeded in unpacking VMP 3.0.8 also ! Great !
NewBHack Posted June 28, 2017 Posted June 28, 2017 Is there a way to bypass VMWARE detection by Vmprotect 3.x?
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now