Jump to content
Tuts 4 You

VMProtect Professional v 3.0.9 + Custom Protection

Mecanik

By Mecanik
in UnPackMe

 Share
Go to solution Solved by SmilingWolf,

Recommended Posts

Mecanik

Mecanik

Posted
Posted (edited)

Difficulty : ?? ( you tell me )
Language : C++
Platform : Windows
OS Version : Windows XP, 7, 8, 10
Packer / Protector : VMProtect Professional 3.0.9 + Custom AntiRE, AntiDebug via Kernel

Description :

The purpose of this challenge is to find out if unpacking is possible with my additional protection. There is a reward included also if someone can completely unpack it, and provide full tutorial on how to, for that you need to contact me.

The application has internal timers set to run some functions for checking the application integrity, one of them is VMProtectIsProtected(). I am not using ExitProcess(0); for quiting/terminating the application, instead I am using _asm.

If you find this too easy, please don`t laugh as I am a beginner in this ( not developing ), just tell me what am I doing wrong, because I make commercial stuff that I need to protect.

To ensure the authenticity of the application, I have digitally signed it :)

Screenshot :

81abfe5519394bb893b5ced20dced36a.png

Download: CanYouCrackIt .rar

Edited by Mr.Mecanik
  • Like 1
Link to comment
Share on other sites
0xNOP

0xNOP

Posted
Posted (edited)

This is a slightly unrelated question to the topic per-say, but where did you make this program? like what IDE? what UI Library, if C++, Qt? ATL? MFC? The overall layout and programming looks strikingly similar to this one.

35DqzqG.png

I ask this because I wanted to make front-end UIs like these :D 

on-topic: I'm on it, although seems I will just rather fail than to spend too much on this.

*Update*

I'm in already [1], thought it was gonna be harder :D - I will keep you posted if I ever get to decrypt the strings, now gotta deal with the VMs I'm not good enough with them though! :(

 

[1]: http://i.imgur.com/t761fVP.png

Edited by 0xNOP
  • Like 4
Link to comment
Share on other sites
Mecanik

Mecanik

Posted
  • Author
Posted (edited)

Nice job! Yes the UI looks like that because I develop a lot of programs similar to that, it`s made in VS 2013 using C++ ( at least my one ).

The one in your picture is a game emulator by a team that has vanished long time ago using stolen code from a company called WebZen, while the one I made is completely empty written from scratch and does only what`s posted.

Please provide info on how did you decrypt the strings ? :o

Edited by Mr.Mecanik
  • Like 1
Link to comment
Share on other sites
0xNOP

0xNOP

Posted
Posted
18 hours ago, Mr.Mecanik said:

Nice job! Yes the UI looks like that because I develop a lot of programs similar to that, it`s made in VS 2013 using C++ ( at least my one ).

The one in your picture is a game emulator by a team that has vanished long time ago using stolen code from a company called WebZen, while the one I made is completely empty written from scratch and does only what`s posted.

Please provide info on how did you decrypt the strings ? :o

I love these types of UI :D hehehe thanks for mentioning :D 

Also I didn't put to much effort on getting to the strings, everything is in plain text or at least that's how I see them, if there was supposed to be encrypted strings, then maybe there was a bug in the protection or you missed an option or something, I don't really know, now apart from that, strings are decrypted in memory, I'm myself a noob with VMProtect and all these high-end protectors, so I just tend to look for the objective the shortest way possible, I simply unhooked all Ring3 hooks, and left the executable with all the original calls intact, proceeded to inject and hide my debugger from VMProtect using ScyllaHide, apparently once I got inside, strings were decrypted.

 

Cheers!

Link to comment
Share on other sites
Mecanik

Mecanik

Posted
  • Author
Posted
6 hours ago, 0xNOP said:

I love these types of UI :D hehehe thanks for mentioning :D 

Also I didn't put to much effort on getting to the strings, everything is in plain text or at least that's how I see them, if there was supposed to be encrypted strings, then maybe there was a bug in the protection or you missed an option or something, I don't really know, now apart from that, strings are decrypted in memory, I'm myself a noob with VMProtect and all these high-end protectors, so I just tend to look for the objective the shortest way possible, I simply unhooked all Ring3 hooks, and left the executable with all the original calls intact, proceeded to inject and hide my debugger from VMProtect using ScyllaHide, apparently once I got inside, strings were decrypted.

 

Cheers!

Well if you want to create UI like this it`s not easy, and you won`t find any tutorial on it either, but I can make you an example project if you want ;)

Now about the strings, hmm maybe I missed something ?! :o But anyway, strings are strings, but can you "unpack" it fully ? Like change stuff in memory without breaking ?

Awaiting your feedback, cheers!

Link to comment
Share on other sites
  • 4 weeks later...
0xNOP

0xNOP

Posted
Posted
On 11/2/2016 at 2:43 AM, Mr.Mecanik said:

Well if you want to create UI like this it`s not easy, and you won`t find any tutorial on it either, but I can make you an example project if you want ;)

Now about the strings, hmm maybe I missed something ?! :o But anyway, strings are strings, but can you "unpack" it fully ? Like change stuff in memory without breaking ?

Awaiting your feedback, cheers!

Fully, fully, I cannot unpack it, I just can get to debug the program without the anti-debugger catching me :D that's all I know, but for unpacking purposes I now nothing, don't even know how to get to the OEP D:

Link to comment
Share on other sites
  • 4 weeks later...
Mecanik

Mecanik

Posted
  • Author
Posted
On 12/2/2016 at 3:46 PM, 0xNOP said:

Fully, fully, I cannot unpack it, I just can get to debug the program without the anti-debugger catching me :D that's all I know, but for unpacking purposes I now nothing, don't even know how to get to the OEP D:

I understand, then I will focus on optimizing the protection so I can catch your debugger :D 

Here are the points that I am interested in:

  • Can you view the strings ? - fail, for some reason you can
  • Can you alter the program without making it crash ? - success !?
  • Can you partially/fully unpack and remove the protection within the program ? - success !?

Happy Holidays!

Link to comment
Share on other sites
  • 2 months later...
codemechanic

codemechanic

Posted
Posted (edited)

Mr.Mecanik,

I've looked at your program for a bit. I noticed all the current scripts on tuts4you fail on it. I've also noticed the CRC check within this VMProtect version is a bit different than the others.

The API Main Handler is at the following address: 

005E0AC6 - CALL EAX -- Calls API
kernel32.LocalAlloc
kernel32.GetCurrentProcess
kernel32.IsDebuggerPresent
kernel32.CheckRemoteDebuggerPresent
ntdll.ZwQueryInformationProcess
kernel32.GetCurrentThread
ntdll.ZwSetInformationThread
ntdll.ZwQuerySystemInformation * 2
kernel32.LocalAlloc
ntdll.ZwQuerySystemInformation
kernel32.LocalFree
kernel32.GetModuleFileNameW
ADVAPI32.OpenSCManagerW
ADVAPI32.EnumServicesStatusExW
kernel32.GetLastError
kernel32.LocalAlloc
ADVAPI32.EnumServicesStatusExW
USER32.MessageBoxW

As you can see the program calls OpenSCManagerW, along with EnumServicesStatusExW which does the following:

SC_MANAGER_ENUMERATE_SERVICE (0x0004)

Required to call the EnumServicesStatus or EnumServicesStatusEx function to list the services that are in the database.

SERVICE_WIN32
0x00000030

Services of type SERVICE_WIN32_OWN_PROCESS and SERVICE_WIN32_SHARE_PROCESS.

SERVICE_ACTIVE
0x00000001

Enumerates services that are in the following states: SERVICE_START_PENDING, SERVICE_STOP_PENDING, SERVICE_RUNNING, SERVICE_CONTINUE_PENDING, SERVICE_PAUSE_PENDING, and SERVICE_PAUSED


I'm working on the CRC now.

That's about how far I've gone with it.

Maybe, someone can give out a hint or two on the CRC check within this version?

Edited by codemechanic
grammar change
  • Like 2
Link to comment
Share on other sites
  • 1 month later...
Mecanik

Mecanik

Posted
  • Author
Posted

Sorry for the delay in answering, I have been very busy lately. It is nice to see that someone has interest in this :)

Well regarding your question, as I said above I'm using some custom stuff to enhance vmprotect because the logic inside is still the same :(

The latest version released by vmprotect seems a lot more better, and I am quite happy on the improvements, but something still lacks ....

I will post another challenge soon with hat version too, and I am also looking for skilled people like you to work for my company, if you are interested please let me know :)

Link to comment
Share on other sites
  • 3 weeks later...
  • Solution
SmilingWolf

SmilingWolf

Posted
  • Solution
Posted (edited)

I'm not much of a writer, so... do you have any questions?

Bits and pieces:
- resource protection is not difficult to beat, but it's hella annoying
- I have patched away some of the checks with some simple mov al, xx etc.
- VMP's sections have been removed, but not ALL the code has been recovered because I was running short on time, only the portions executed when the program is working normally. If it crashes it's probably because it's detecting something on your PC
- yep, strings are in clear. I think there is something you have to enable in VMP's interface (adding them to the protected objects or something?) for it to work

It has been tested locally by restarting the PC. Win7 x64, all seems fine. Please report back if you have some spare time to check if it works for you too.
Because of a quirk in the unpacking process (more specifically, the IAT fixing) it will only work on Win7 (and upward? And maybe Vista?) because WinXP lacks a couple of the DLLs needed. It can be fixed, buuuut... time.

CanYouCrackIt.MUPed.final.7z

Edited by SmilingWolf
  • Like 2
Link to comment
Share on other sites
  • 2 months later...
Mecanik

Mecanik

Posted
  • Author
Posted
On 5/25/2017 at 0:20 AM, SmilingWolf said:

I'm not much of a writer, so... do you have any questions?

Bits and pieces:
- resource protection is not difficult to beat, but it's hella annoying
- I have patched away some of the checks with some simple mov al, xx etc.
- VMP's sections have been removed, but not ALL the code has been recovered because I was running short on time, only the portions executed when the program is working normally. If it crashes it's probably because it's detecting something on your PC
- yep, strings are in clear. I think there is something you have to enable in VMP's interface (adding them to the protected objects or something?) for it to work

It has been tested locally by restarting the PC. Win7 x64, all seems fine. Please report back if you have some spare time to check if it works for you too.
Because of a quirk in the unpacking process (more specifically, the IAT fixing) it will only work on Win7 (and upward? And maybe Vista?) because WinXP lacks a couple of the DLLs needed. It can be fixed, buuuut... time.

CanYouCrackIt.MUPed.final.7z

Really sorry for my delayed response, I was really caught up with work and life. I am surprised you managed to unpack it, I will investigate shortly.

Good job!

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...