Jump to content
Tuts 4 You
iNoob

VMProtect vs Themida

Recommended Posts

iNoob

Hi,

I would like to protect a small Win32 file and deciding which protection software to use. Would anyone here be able to provide insight on the difficulty of unpacking the current version of Themida (with multiple of the virtual machines) and VMProtect? In general, which of the two is more difficult to unpack?

 

Thank you

Share this post


Link to post
Share on other sites
JohnWho

Both are good protections if used properly. Both protections can be unpacked rather easily, the difficult part is the virtualized code. So virtualizing vital functions and sub functions is very important.

  • Like 2

Share this post


Link to post
Share on other sites
BOSCH

Like said JohnWho, which he is one of the best Reverser on the world, every packer protector can unpacked. The most important thing in protection is the virtualizing code.

If you encrypt with virtualizing code some functions, i think it will be almost (because always there is a way, difficult maybie, but possible "uncrackable".

For me Obsidium is much more strong than Themida and Vmprotect. The reasons?

1)It have much more difficult crc protection (especially if someone need to add New section in a pe file), but also much more checks in the PE code.

2)It have very strong virtualizing code, and it's not accidental that except 2-3 old versions unpacking tutorials, there is not anything else for this protector! (unblacklist serial tutorials etc).

3)It is very difficult to trace inside VM code, because it have many anti-debbuging tricks! Almost everytime you will take avery good TerminateProcess.

4)It use valid serials to decrypt the code.

I know an app which is protected with Obsidium and the patches are very few and rarely.

All these are just my personal opinion.

So it depends how you will use a protector, to make your app strong.

  • Like 1

Share this post


Link to post
Share on other sites
Asentrix

Themida / Winlicense are trash tier
Vmprotect is better but still garbage

Plenty of much better protectors out there too.

Share this post


Link to post
Share on other sites
GautamGreat

VMProtect is so good in virtualization system. Personally I will recommend you to use VMP, It is unpackable but It will take lot of time to Devirtualize encrypted codes, so only a pro reverser can crack your program. 

  • Like 1

Share this post


Link to post
Share on other sites
VirtualPuppet
On 28/7/2017 at 0:11 AM, Asentrix said:

Themida / Winlicense are trash tier
Vmprotect is better but still garbage

Plenty of much better protectors out there too.

First you say Themida is trashtier, then you pick a far inferior packer and state that it is better..? People need to start realizing, that if you have no clue what you're talking about, you should either start your sentence with "I assume" or you shouldn't say anything at all. Silence is bliss.

 

On 31/7/2017 at 11:08 AM, GautamGreat said:

VMProtect is so good in virtualization system. Personally I will recommend you to use VMP, It is unpackable but It will take lot of time to Devirtualize encrypted codes, so only a pro reverser can crack your program. 

VMProtect is actually rather bad, as the virtual machine in VMProtect is really easy to crack.

 

If you have to choose between Themida and VMProtect, you should always pick Themida. Why? Because Themidas virtual machines are much more advanced and much harder to crack than VMProtect. Themida was initially known for their CISC VM which was (at the time) very strong. It has since been defeated (by Deathway) and is now considered weak (since it's actually rather simple once you start to understand it). VMProtect's virtual machine is almost an exact replica of the Themida CISC VM featuring stronger obfuscation, and as such it works in the exact same way, which makes it (almost) equally weak.

Since then, Themida developed the RISC machine (RISC64 and RISC128), which was against defeated by Deathway. They then proceeded to develop the FISH and TIGER machines, which features very new tricks such as complex combined handlers (FISH) doing multiple operations each instead of a handler for each operation like CISC had, and also internal (yet simple) cryptography. The TIGER VM is very similar to the FISH VM (since it is built on the same engine), but doesn't utilize the cryptographic internal registers, etc.

Themida also features hybrid virtual machines, such as SHARK, which is FISH virtualized by TIGER, or PUMA, which is TIGER virtualized by FISH.

The newest machine(s) from Themida is the DOLPHIN machine, which is yet another layer of complexity upon the newer FISH/TIGER engine, while also supplying a hybrid VM called EAGLE, which is FISH virtualized by DOLPHIN (if memory serves right).

If you want to compare the complexity of the newer Themida VMs (e.g. EAGLE) vs. VMProtect's VM, you're probably looking at a complexity scale saying 15:1 or something like that.

TL;DR Don't listen to the guys above, as they are completely clueless on the topic. Pick Themida if you have to choose between the two of them.

Edited by Sprux (see edit history)
  • Like 5
  • Thanks 1

Share this post


Link to post
Share on other sites
Asentrix
10 hours ago, Sprux said:

First you say Themida is trashtier, then you pick a far inferior packer and state that it is better..? People need to start realizing, that if you have no clue what you're talking about, you should either start your sentence with "I assume" or you shouldn't say anything at all. Silence is bliss.

Themida is far , FAR worse than VMProtect
You have to devirtualize everything with  VMProtect , meanwhile you can dump themida / winlicense from memory (Their anti dump is a meme , actually does nothing) and all protection is gone.

I think you're either trolling or extremely retarded because you're clearly uninformed.
Also just to clarify , I didn't "pick" VMProtect , it's still shit as I stated , just less shit.

Edited by Asentrix (see edit history)

Share this post


Link to post
Share on other sites
VirtualPuppet
26 minutes ago, Asentrix said:

Themida is far , FAR worse than VMProtect
You have to devirtualize everything with  VMProtect , meanwhile you can dump themida / winlicense from memory (Their anti dump is a meme , actually does nothing) and all protection is gone.

I think you're either trolling or extremely retarded because you're clearly uninformed.
Also just to clarify , I didn't "pick" VMProtect , it's still shit as I stated , just less shit.

If you're talking about protection, as @JohnWho stated, everything can be unpacked, and easily even. The real dealbreaker is the virtualization.

As a person who has already defeated the VMProtect virtual machine and the Themida CISC virtual machine, and whom is currently in the process of defeating the Themida FISH and TIGER machines, I can tell you that they are almost uncomparable in complexity, as Themidas never virtual machines makes VMProtect (and the old Themida CISC machine) seem like childsplay.

Edited by Sprux (see edit history)
  • Thanks 2

Share this post


Link to post
Share on other sites
Asentrix
12 hours ago, Sprux said:

First you say Themida is trashtier, then you pick a far inferior packer and state that it is better..? People need to start realizing, that if you have no clue what you're talking about, you should either start your sentence with "I assume" or you shouldn't say anything at all. Silence is bliss.

Yes , themida is far , FAR worse than VMProtect
You have to devirtualize everything with  VMProtect , meanwhile you can dump themida / winlicense from memory (Their anti dump is a meme , actually does nothing) and all protection is gone.

I think you're either trolling or extremely retarded because you're clearly uninformed.
Also just to clarify , I didn't "pick" VMProtect , it's still shit as I stated , just less shit.

Well we are talking about protection , as OP requested "I would like to protect a small Win32 file and deciding which protection software to use" not virtualization.
Seems like my answer was pretty accurate as themida offers 0 protection in real situations / 
scenarios

If we're talking about the best virtualization, agile.net is by far the most secure :P
Anyways nothing is safe these days

Share this post


Link to post
Share on other sites
iNoob

Sorry, I am new to this. I want to protect my file from being reverse engineered, so it seems that virtualization is what I want.

 

@Sprux thank you very much for your detailed response

 

 

 

 

Share this post


Link to post
Share on other sites
VirtualPuppet
7 hours ago, Asentrix said:

Well we are talking about protection , as OP requested "I would like to protect a small Win32 file and deciding which protection software to use" not virtualization.
Seems like my answer was pretty accurate as themida offers 0 protection in real situations / 
scenarios

If we're talking about the best virtualization, agile.net is by far the most secure :P
Anyways nothing is safe these days

Once again, you bless us with your unfathomable stupidity.

First you claim virtualization is not "protection"..? If he OP wants protection, and asks which protection software to go with, it includes all features of the protection software, such as virtualization. Themida offers exceptional protection in real situations, when you don't want people to understand certain functions.

Next you pick a .NET virtualizer and tell us that, if we're to deduce the best virtualization protection software (while the choice stands between VMProtect and Themida) we should pick Agile.NET??? In case that point flew over your head, here's another stupid point to this: 

  • He's asking for a packer for a native Win32 file.
  • You suggest using a non-native .NET packer.
Edited by Sprux (see edit history)
  • Thanks 1

Share this post


Link to post
Share on other sites
Asentrix
12 minutes ago, Sprux said:

Once again, you bless us with your unfathomable stupidity.

First you claim virtualization is not "protection"..? If he OP wants protection, and asks which protection software to go with, it includes all features of the protection software, such as virtualization. Themida offers exceptional protection in real situations, when you don't want people to understand certain functions.

Next you pick a .NET virtualizer and tell us that, if we're to deduce the best virtualization protection software (while the choice stands between VMProtect and Themida) we should pick Agile.NET??? In case that point flew over your head, here's another stupid point to this: 

  • He's asking for a packer for a native Win32 file.
  • You suggest using a non-native .NET packer.

1. Don't put words in my mouth. Never claimed virtualization isn't protection.
2. OP didn't ask for a native packer , stop assuming because it makes you look extremely uninformed and stupid.
3. Themida offers NO PROTECTION , it's literally useless in every situation , it's completely worthless , even the developer admits it.

Using themida is begging to have your shit cracked / leaked.
It ISN'T protection at all.
Anyone that claims themida is adequate protection either works for oreans or has no idea what the fµck they're talking about.
Clearly you're the latter.

Oh yeah don't come in here being a direspectful fµck head either.
OP is looking for constructive feedback , not some edgy 14 year olds opinion on freeware

Edited by Asentrix (see edit history)

Share this post


Link to post
Share on other sites
Asentrix
2 hours ago, iNoob said:

Sorry, I am new to this. I want to protect my file from being reverse engineered, so it seems that virtualization is what I want.
@Sprux thank you very much for your detailed response

Do not listen to that idiot.
If you do , your program will be cracked 100%

Use VMProtect , even battleeye is protected with VMProtect lmao
http://vmpsoft.com/

Unlike themida , dumping a VMProtect executable won't make the protection obsolete.
Themida is NOT an obfuscator , here's literally the developer of themida saying it himself

4sPrc3X.png

Share this post


Link to post
Share on other sites
VirtualPuppet
26 minutes ago, Asentrix said:

1. Don't put words in my mouth. Never claimed virtualization isn't protection.
2. OP didn't ask for a native packer , stop assuming because it makes you look extremely uninformed and stupid.
3. Themida offers NO PROTECTION , it's literally useless in every situation , it's completely worthless , even the developer admits it.

Using themida is begging to have your shit cracked / leaked.
It ISN'T protection at all.
Anyone that claims themida is adequate protection either works for oreans or has no idea what the fµck they're talking about.
Clearly you're the latter.

Oh yeah don't come in here being a direspectful fµck head either.
OP is looking for constructive feedback , not some edgy 14 year olds opinion on freeware

 

17 minutes ago, Asentrix said:

Do not listen to that idiot.
If you do , your program will be cracked 100%

Use VMProtect , even battleeye is protected with VMProtect lmao
http://vmpsoft.com/

Unlike themida , dumping a VMProtect executable won't make the protection obsolete.
Themida is NOT an obfuscator , here's literally the developer of themida saying it himself

4sPrc3X.png

You make me cry a little everytime I see your replies. I will before-hand declare that this is my last response to your impeccable rant of stupidity, but I feel the need to put out these points.

  • Yes, you did just say a few posts back, that "OP asked for protection, not virtualization", thus claiming that virtualization is not protection.
  • Yes, OP asked for a native packer, as he asked for a packer for his Win32 file. Win32 is a native format, unlike .NET which is a non-native format. If you claim otherwise, I'll die of laughter.
  • Nope, Themida is not useless. It might be easily unpacked (since LCF-AT made a superior script), but there's a big difference between unpacking and devirtualizing. If you have succesfully unpacked a file, no matter how you did it, the file is still protected (as an unpacked software) as long as the virtualization is not broken (which is a whole different league to unpacking). The virtualized code sections will not be made readable by any public tools, and there are very few people world-wide who has even got the capability of making such tools. So nope, I'm not unknowledgeable. Actually, I'd go as far as to claim that on the contrary, I am moderately knowledgable and you are simply extremely uninformed.
  • Yes, OP was looking for constructive feedback, which is why I striked down on you, as you were supplying false information.
  • Oh my god.. I don't even know what to say to this... Themida not an obfuscator? If you had the time to properly read that image, you'd immediately notice the big fat .NET in front of the obfuscator. They're saying it's not a .NET Obfuscator, which means it doesn't obfuscate the IR for .NET. It is however, a compressor, an obfuscator and a virtual machine software for native formats.
Edited by Sprux (see edit history)
  • Like 1
  • Thanks 2

Share this post


Link to post
Share on other sites
Downpour

Well guessing from the first post of the topic creator, he wants to use virtualization as protection (otherwise he wouldn't think about VMProtect or?).

I didn't invest time in reversing Themida protected targets yet, neither code virtualized targets (but soon). Just from reading how Themida is using virtual machines as protections, with hybrid virtualizations like SHARK or EAGLE I would say that it's a better choice to go for Themida than VMProtect.

Currently I'm working on VMProtect a lot in my free time, and what I can say that the VMs have a pretty straightforward pattern when it comes to the handlers. For me the biggest problem was actually the mutation of the assembly, but with compiler optimization techniques you can clean up the code pretty good and continue your analysis on the demutated code (which is one half the devirtualization process). The other half is pretty much identifying how the handlers work, analyzing them and translating them back but even this is dynamically possible with coding and I would think it's less effort than reversing the different themida vms.

And if this isn't the case I would want to see a proof for that..

Edited by Castor (see edit history)
  • Like 1
  • Thanks 1

Share this post


Link to post
Share on other sites
VirtualPuppet
1 hour ago, Castor said:

Well guessing from the first post of the topic creator, he wants to use virtualization as protection (otherwise he wouldn't think about VMProtect or?).

I didn't invest time in reversing Themida protected targets yet, neither code virtualized targets (but soon). Just from reading how Themida is using virtual machines as protections, with hybrid virtualizations like SHARK or EAGLE I would say that it's a better choice to go for Themida than VMProtect.

Currently I'm working on VMProtect a lot in my free time, and what I can say that the VMs have a pretty straightforward pattern when it comes to the handlers. For me the biggest problem was actually the mutation of the assembly, but with compiler optimization techniques you can clean up the code pretty good and continue your analysis on the demutated code (which is one half the devirtualization process). The other half is pretty much identifying how the handlers work, analyzing them and translating them back but even this is dynamically possible with coding and I would think it's less effort than reversing the different themida vms.

And if this isn't the case I would want to see a proof for that..

This is very precise and on-point.

Themida's newer VMs furthermore utilizes combined handlers, so that one handler can be responsible for multiple operations, while also being mutable across processes, meaning that one handler can be responsible for e.g. imul and shl in one process, while another handles shl in another packed executable. This makes defeating it much more challenging than the old CISC VM and VMProtect.

Edited by Sprux (see edit history)
  • Like 1

Share this post


Link to post
Share on other sites
Downpour

But since I don't have a lot of knowledge about Oreans Virtualizer I'm wondering how strongly the different VMs are from each other. Like is there strong polymorphism which makes it really difficult to automate the process of devirtualization? And lets consider you know how to devirtualize the basic VMs of Oreans: FISH, TIGER and DOLPHIN. Wouldn't that include you could easily devirtualize SHARK(=TIGER(FISH)), PUMA(=FISH(TIGER)) and EAGLE(=DOLPHIN(FISH))? Also those hybrid VMs seem to have a more serious impact on performance I believe? And my last question would be: I saw that there are not only those animal names for the VMs but also colors? (BLACK, WHITE, RED) is this some more in-depth stuff?

 

Edited by Castor (see edit history)

Share this post


Link to post
Share on other sites
VirtualPuppet
52 minutes ago, Castor said:

But since I don't have a lot of knowledge about Oreans Virtualizer I'm wondering how strongly the different VMs are from each other. Like is there strong polymorphism which makes it really difficult to automate the process of devirtualization? And lets consider you know how to devirtualize the basic VMs of Oreans: FISH, TIGER and DOLPHIN. Wouldn't that include you could easily devirtualize SHARK(=TIGER(FISH)), PUMA(=FISH(TIGER)) and EAGLE(=DOLPHIN(FISH))? Also those hybrid VMs seem to have a more serious impact on performance I believe? And my last question would be: I saw that there are not only those animal names for the VMs but also colors? (BLACK, WHITE, RED) is this some more in-depth stuff?

 

Yes, that is correct. Let's take FISH for example: The fact that it combines handlers makes room for huge polymorphism, as it can make different handler-combinations for the different files. Also, it has tons of "protection templates", which is basically annoying little "if" checks that it uses for internal cryptographic registers, such as:

"if (internal_register[x] & 1 == 0) internal_register[x] |= 0xgarbage"

This also means that you have to deduce the execution-path (branching), which makes the process much harder, and this is just one of many tricks you'll come across in this ocean of cancer.

FISH, TIGER and DOLPHIN are pretty similar. FISH is the most distinctive, as it has those operation-combination handlers, which makes for really big handlers. TIGER has everything split out into their own handlers, and DOLPHIN is basically TIGER with some extra garbage "cryptographic" handlers, that are mostly there to confuse you. It's a type of protection template, I guess one could say.

Yes, the hybrid VMs takes a really hard toll on performance. Imagine every instruction in the application must be interpreted by the "guest" VM (plus there's the extra anti-dump instructions parsed). Next imagine that for every instruction that is going to be executed to actually parse the code-flow for this, another VM (the "host" VM) is used to parse that (again, tons of anti-dump shit). It's very confusing and deeply nested. Performance basically dies.

You're correct however, that if you've succesfully broken both FISH, TIGER and DOLPHIN, you will be able to devirtualize the hybrid VMs, but that also ensures extra protection in the fact that if you choose e.g. EAGLE, a reverser MUST have reversed both FISH and EAGLE (EAGLE is very similar to TIGER, so probably the reverser has done TIGER too) and effectively defeated Themida before being able to read the code. Simply having done one of them (e.g. FISH) won't suffice.

The colors defines an increasing complexity-scale in the order WHITE, RED, BLACK. In other words, WHITE is the simplest in complexy and thus also the fastest in performance. BLACK is the heaviest in complexity, but also the slowest in performance. FISH BLACK can have handlers of over 100.000 x86 instructions.

 

  • Thanks 2

Share this post


Link to post
Share on other sites
Holy

In addition to what Sprux already perfectly described colors means the VM handlers will contain garbage.

For example in WHITE handlers are "clean" you can read them from top to bottom like a book, but in RED and BLACK they split the instructions between many jmp like:

jmp label0

label1:

instructions2

jmp label3

label0:

instructions1

jmp label1

label3:

...

Also they add fake conditional jumps and as far as I remember also mutation of the handler instructions.

 

  • Thanks 1

Share this post


Link to post
Share on other sites
Downpour

Rearranging a block from unconditional branches is no problem, as long as you know the destination (e.g it's an immediate value instead of a register, except you could calculate it because the register gets set to a constant value). But even garbage code shouldn't be a problem with compiler optimization. Conditional jumps shouldn't be a huge problem if you have an anchor point somewhere to hold on to calculate if the jump is ever going to be taken or not. And if those conditional jumps are only decoration and won't actually ever be taken you can simply remove them. This is just what I suppose could work to clean that part up. Tbh I can't wait finishing VMP to start looking into Oreans CV.

Edited by Castor (see edit history)

Share this post


Link to post
Share on other sites
VirtualPuppet
57 minutes ago, Castor said:

Rearranging a block from unconditional branches is no problem, as long as you know the destination (e.g it's an immediate value instead of a register, except you could calculate it because the register gets set to a constant value). But even garbage code shouldn't be a problem with compiler optimization. Conditional jumps shouldn't be a huge problem if you have an anchor point somewhere to hold on to calculate if the jump is ever going to be taken or not. And if those conditional jumps are only decoration and won't actually ever be taken you can simply remove them. This is just what I suppose could work to clean that part up. Tbh I can't wait finishing VMP to start looking into Oreans CV.

You have to consider that FISH Black for instance, can have handlers of up to like 100.000 instructions. Since branch-prediction is very error-prone, you can imagine the problems you could have tracing through 100.000 instructions while having to guess branches correctly. Also, the branches aren't deduced by neither a register or immediate values. They use internal state registers which has internal cryptographic behaviour across different handlers to carry encoded data to be decoded by the exact pattern in the given handler. Here's an example:

004235DA	MOV CL,BYTE PTR [EBP+0xa2]
004235E1	ADD CL,0x94
004235E4	CMP CL,0x1
004235E7	JNZ 0xec (004236D9)

You must know what is in [EBP+a2], where EBP refers to the VM Context, in order to deduce what branch the handler will choose. However, when you're emulating the VM behaviour to devirtualize, the registers won't be set, so you have to keep track of all the context operations and emulate performance of them on a local structure of your own, to keep track of the cryptographic datas.

Edited by Sprux (see edit history)
  • Like 2

Share this post


Link to post
Share on other sites
user1

Vmprotect is way better in few words. to make hard you may protect your C++ exe with your custom code that will make even harder. I don't say any RE guru can't do it, just 99,9% sure NO.

Share this post


Link to post
Share on other sites
Downpour
1 hour ago, user1 said:

Vmprotect is way better in few words. to make hard you may protect your C++ exe with your custom code that will make even harder. I don't say any RE guru can't do it, just 99,9% sure NO.

I don't really get your argument here. Well you could obviously add custom made protection, but if you pay for a good protector you shouldn't have to because it's the job of the protector to do so.

Share this post


Link to post
Share on other sites
koolk
On 7/20/2017 at 0:14 AM, BOSCH said:

For me Obsidium is much more strong than Themida and Vmprotect. The reasons?.

2)It have very strong virtualizing code, and it's not accidental that except 2-3 old versions unpacking tutorials, there is not anything else for this protector! (unblacklist serial tutorials etc).

Bullshit. I took a look on their VM (the sample that HellSpider uploaded). It is very simple VM with very simple "obfuscation" (or you can say almost no existing obfuscation). Totally out of league of Themida/VMProtect . (I worked on that a little bit more than one weekend and I think that I need one more weekend to finish devirtualizing his sample, but not so interested in it right now)

The only reason that there are no tools/tutorials for it is because it is not as common as Themida/VMProtect.

The same is probably true for all the other uncommon "much better" protectors.

 

And about Themida/VMProtect, as someone who wrote a script that automatically devirtualize Themida. As I said in the past, I still think that their VM is better than VMProtect. All the reasons were already listed in this thread.

Edited by koolk (see edit history)
  • Like 1
  • Thanks 1

Share this post


Link to post
Share on other sites
omarb1989

for me, VMProtect is real challenge! and it' needs much more effort and skills. Themida is not wise choice cuz I can unpack it myself using only one script! =D 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×