March 21, 2024. 6 minutes ago, windowbase said: @boot This driver has been blocked from loading. What's wrong? Regards. sean. This is normal, as I mentioned, you need to load the 32-bit driver on the 32-bit system. If loading on the 64-bit system, this prompt will appear.
March 21, 2024. 11 minutes ago, boot said: This is normal, as I mentioned, you need to load the 32-bit driver on the 32-bit system. If loading on the 64-bit system, this prompt will appear. @boot Many thanks. Regards. sean. Edited March 21, 2024 by windowbase editing some words.
March 21, 2024. 6 minutes ago, windowbase said: Regards. sean. No. You can still debug x86 vmp on 64-bit systems. All you need is: 1. Load the 64-bit driver provided by me. 2. Copy .dp32 to the plugins folder of x32Dbg.
March 21, 2024. 2 minutes ago, boot said: No. You can still debug x86 vmp on 64-bit systems. All you need is: 1. Load the 64-bit driver provided by me. 2. Copy .dp32 to the plugins folder of x32Dbg.
March 21, 2024. 19 minutes ago, boot said: No. You can still debug x86 vmp on 64-bit systems. All you need is: 1. Load the 64-bit driver provided by me. 2. Copy .dp32 to the plugins folder of x32Dbg. @boot Did you modify the source code of the driver and plugin, then recompile them? How many lines of code did you modify? Regards. sean. Edited March 21, 2024 by windowbase editing some words.
March 21, 2024. 13 minutes ago, windowbase said: @boot Did you modify the source code of the driver and plugin, then recompile them? How many lines of code did you modify? Regards. sean. Just simply modified some configurations and recompiled. If you really need to load the 32-bit driver, you can go to this website to download the original .iso of the 32-bit system, and create a new virtual machine to install the new .iso. https://msdn.itellyou.cn/ After testing, this driver and plug-in can debug x86 vmp in WinXP (32-bit). Note: 32-bit systems cannot load 64-bit drivers and cannot run 64-bit programs.
March 21, 2024. 2 minutes ago, boot said: Just simply modified some configurations and recompiled. If you really need to load the 32-bit driver, you can go to this website to download the original .iso of the 32-bit system, and create a new virtual machine to install the new .iso. https://msdn.itellyou.cn/ After testing, this driver and plug-in can debug x86 vmp in WinXP (32-bit). Note: 32-bit systems cannot load 64-bit drivers and cannot run 64-bit programs. Many thanks. Regards. sean.
March 22, 2024. On 3/20/2024 at 10:38 PM, boot said: I have recompiled and published the attachment. Please enable testing mode and follow my video. MyDrv_Plugin_x64_v_0.001.zip (57.84 kB) Video_2024-03-21_133313.mp4 (5.52 MB) @boot Why isn't it working in the same OS? View this. https://youtu.be/0lFi6oaC6wA Regards. sean.
March 23, 2024. 7 hours ago, windowbase said: @boot Why isn't it working in the same OS? View this. https://youtu.be/0lFi6oaC6wA Regards. sean. It's really strange. Please try this, I'm not sure if it's suitable for your OS. MyDrv_Plugin_v0.003.zip
March 23, 2024. 5 hours ago, boot said: It's really strange. Please try this, I'm not sure if it's suitable for your OS. MyDrv_Plugin_v0.003.zip (312.95 kB) @boot It is working in a virtual machine with Windows 10 Pro, but not on the real machine, as you have seen. And when I set breakpoints before the application starts, does VMProtect detect them? View this. https://youtu.be/77fqhFBjw0M Regards. sean. Edited March 23, 2024 by windowbase editing words.
March 23, 2024. Yes, it is possible if a TLS callback is present in the TLS Image Directory. https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#tls-callback-functions
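Added example, not posted by anyone in this thread: a small parser that lists the TLS callback addresses a PE32+ image registers through its TLS directory, which is what an analyst checks before assuming nothing runs ahead of the entry-point breakpoint. The sample image it parses is constructed inline and is not a real binary.

```python
import struct

TLS_DIR = 9  # IMAGE_DIRECTORY_ENTRY_TLS: index into the optional header's data directories

def _rva_to_offset(rva, sections):
    # sections holds (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def tls_callbacks(pe):
    """Return the TLS callback VAs a PE32+ image registers (empty list if it has none)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6) + struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                         # IMAGE_OPTIONAL_HEADER64 follows the 20-byte file header
    if struct.unpack_from("<H", pe, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    image_base, = struct.unpack_from("<Q", pe, opt + 24)
    tls_rva, = struct.unpack_from("<I", pe, opt + 112 + 8 * TLS_DIR)
    if tls_rva == 0:
        return []                               # no TLS directory: nothing runs before the entry point
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    # IMAGE_TLS_DIRECTORY64: Start/EndAddressOfRawData, AddressOfIndex, then AddressOfCallBacks at +24
    cb_va, = struct.unpack_from("<Q", pe, _rva_to_offset(tls_rva, sections) + 24)
    if cb_va == 0:
        return []
    off, found = _rva_to_offset(cb_va - image_base, sections), []
    while True:                                 # AddressOfCallBacks points at a NULL-terminated VA array
        cb, = struct.unpack_from("<Q", pe, off)
        if cb == 0:
            return found
        found.append(cb)
        off += 8

def build_sample():
    # Constructed minimal PE32+ (not a real binary): one .rdata section with a TLS directory and two callbacks
    base = 0x140000000
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B); struct.pack_into("<Q", opt, 24, base)
    struct.pack_into("<II", opt, 112 + 8 * TLS_DIR, 0x1000, 40)      # TLS directory lives at RVA 0x1000
    sec = b".rdata\0\0" + struct.pack("<IIII", 0x100, 0x1000, 0x200, 0x200) + bytes(16)
    body = bytearray(0x200)
    struct.pack_into("<QQQQ", body, 0, base + 0x1100, base + 0x1108, base + 0x1110, base + 0x1040)
    struct.pack_into("<QQQ", body, 0x40, base + 0x1200, base + 0x1280, 0)  # two callbacks, then NULL
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(body)
```

Running `tls_callbacks(build_sample())` yields the two constructed callback addresses; a non-empty result on a real file means code executes before the entry point is ever reached.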
March 23, 2024. 21 minutes ago, jackyjask said: Yes, it is possible if a TLS callback is present in the TLS Image Directory. https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#tls-callback-functions @jackyjask How to bypass the debugger detection? Regards. sean.
March 23, 2024. 6 hours ago, boot said: It's really strange. Please try this, I'm not sure if it's suitable for your OS. MyDrv_Plugin_v0.003.zip (312.95 kB) @boot Found the reason. View this. https://youtu.be/5iP-xgmMdo8 Regards. sean.
March 23, 2024. This topic is interesting. I worked before on two apps which were very hard to run in the debugger, so I'll share them here for educational purposes to play with and enjoy. Difficulty 5/10: Rogue.exe. Difficulty 7/10: Safari.exe. Edited March 23, 2024 by RADIOX
March 23, 2024. Safari.exe is silently crashing (run without debugger), from crash dump: Rogue.exe is a regular Themida protected app? Edited March 23, 2024 by jackyjask
March 23, 2024. 12 minutes ago, jackyjask said: Safari.exe is silently crashing (run without debugger), from crash dump: Rogue.exe is a regular Themida protected app? Right. Rogue.exe is a Themida-protected application. Bypassed. But Safari.exe is silently terminated. Regards. sean. Edited March 23, 2024 by windowbase editing words.
March 23, 2024. @RADIOX What is so special about Safari.exe? Does it work in your case? Does it have some pre-conditions?
March 23, 2024. 1 hour ago, windowbase said: Rogue.exe is a regular Themida protected app? It is not a regular Themida app; even if you use TitanHide the app will not run in the debugger. 10 minutes ago, jackyjask said: What is so special about Safari.exe? This app is very interesting: to be sure you run this app correctly you should have an internet connection. What is interesting about this app is that it changes its name after each successful run:
March 23, 2024. 1 hour ago, RADIOX said: It is not a regular Themida app; even if you use TitanHide the app will not run in the debugger. This app is very interesting: to be sure you run this app correctly you should have an internet connection. What is interesting about this app is that it changes its name after each successful run: @RADIOX Is there any way to run the application in the debugger? Regards. sean.
March 24, 2024. 18 hours ago, RADIOX said: It is not a regular Themida app; even if you use TitanHide the app will not run in the debugger. This app is very interesting: to be sure you run this app correctly you should have an internet connection. What is interesting about this app is that it changes its name after each successful run: This is hard too. Try it. It is a VMProtected sample. IMPOSSIBLE.rar Regards. sean.
March 24, 2024. 1 hour ago, windowbase said: It is a VMProtected sample. It's not. It's protected with a Chinese tool called TianYi T-VMProtect. While TianYi T-VMProtect claims to be based on VMProtect, the protection methods have been changed (I intentionally don't use the word "improved", as Chinese tools often sacrifice compatibility to gain additional "protection").
March 24, 2024. 18 minutes ago, kao said: It's not. It's protected with a Chinese tool called TianYi T-VMProtect. While TianYi T-VMProtect claims to be based on VMProtect, the protection methods have been changed (I intentionally don't use the word "improved", as Chinese tools often sacrifice compatibility to gain additional "protection"). Is it on the web? There doesn't seem to be any download link on the web. Regards. sean.
March 24, 2024. 7 hours ago, windowbase said: This is hard too. Try it. It is a VMProtected sample. impossible.mp4
March 24, 2024. 17 minutes ago, X0rby said: impossible.mp4 @X0rby Just showing off? Regards. sean.