boot Posted March 21 Share Posted March 21 6 minutes ago, windowbase said: @boot This driver has been blocked from loading. what's wrong? Regards. sean. This is normal, as I mentioned, you need to load the 32-bit driver on the 32-bit system. If loading on the 64-bit system, this prompt will appear. 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 21 Share Posted March 21 (edited) 11 minutes ago, boot said: This is normal, as I mentioned, you need to load the 32-bit driver on the 32-bit system. If loading on the 64-bit system, this prompt will appear. @boot Many thanks. Regards. sean. Edited March 21 by windowbase editing some words. Link to comment Share on other sites More sharing options...
boot Posted March 21 Share Posted March 21 6 minutes ago, windowbase said: Regards. sean. No. You can still debug x86 vmp, on 64-bit systems. All you need is: 1. Load the 64-bit driver provided by me 2. Copy .dp32 to the plugins folder of x32Dbg 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 21 Share Posted March 21 2 minutes ago, boot said: No. You can still debug x86 vmp, on 64-bit systems. All you need is: 1. Load the 64-bit driver provided by me 2. Copy .dp32 to the plugins folder of x32Dbg Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 21 Share Posted March 21 (edited) 19 minutes ago, boot said: No. You can still debug x86 vmp, on 64-bit systems. All you need is: 1. Load the 64-bit driver provided by me 2. Copy .dp32 to the plugins folder of x32Dbg @boot Did you modify source code of driver and plugin, then recompile them? How many lines of code did you modify? Regards. sean. Edited March 21 by windowbase editing some words. Link to comment Share on other sites More sharing options...
boot Posted March 21 Share Posted March 21 13 minutes ago, windowbase said: @boot Did you modify source code of driver and plugin, then recompile them? How many lines of code did you modify? Regards. sean. Just simply modified some configurations and recompiled. If you really need to load the 32-bit driver, you can go to this website to download the original .iso of the 32-bit system, and create a new virtual machine to install new .iso. https://msdn.itellyou.cn/ After testing, this driver and plug-in can debug x86 vmp in WinXP (32-bit). Note: 32-bit systems cannot load 64-bit drivers and cannot run 64-bit programs. 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 21 Share Posted March 21 2 minutes ago, boot said: Just simply modified some configurations and recompiled. If you really need to load the 32-bit driver, you can go to this website to download the original .iso of the 32-bit system, and create a new virtual machine to install new .iso. https://msdn.itellyou.cn/ After testing, this driver and plug-in can debug x86 vmp in WinXP (32-bit). Note: 32-bit systems cannot load 64-bit drivers and cannot run 64-bit programs. Many thanks. Regards. sean. 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 22 Share Posted March 22 On 3/20/2024 at 10:38 PM, boot said: I have recompiled and published the attachment. Please enable testing mode and follow my video. MyDrv_Plugin_x64_v_0.001.zip 57.84 kB · 4 downloads Video_2024-03-21_133313.mp4 5.52 MB · 0 downloads @boot Why isn't it working in the same OS? View this. https://youtu.be/0lFi6oaC6wA Regards. sean. Link to comment Share on other sites More sharing options...
boot Posted March 23 Share Posted March 23 7 hours ago, windowbase said: @boot Why isn't it working in the same OS? View this. https://youtu.be/0lFi6oaC6wA Regards. sean. It's really strange. Please try this, I'm not sure if it's suitable for your OS. MyDrv_Plugin_v0.003.zip 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 23 Share Posted March 23 (edited) 5 hours ago, boot said: It's really strange. Please try this, I'm not sure if it's suitable for your OS. MyDrv_Plugin_v0.003.zip 312.95 kB · 7 downloads @boot It is working in virtual machine windows 10 pro. but not in the real machine as you have seen. And when I set breakpoints before application starts, does vmprotect detect them? view this. https://youtu.be/77fqhFBjw0M Regards. sean. Edited March 23 by windowbase editing words. Link to comment Share on other sites More sharing options...
jackyjask Posted March 23 Share Posted March 23 Yes, it is possible if TLS callback present in TLS Image Directory https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#tls-callback-functions 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 23 Share Posted March 23 21 minutes ago, jackyjask said: Yes, it is possible if TLS callback present in TLS Image Directory https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#tls-callback-functions @jackyjask How to bypass the debugger detection? Regards. sean. Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 23 Share Posted March 23 6 hours ago, boot said: It's really strange. Please try this, I'm not sure if it's suitable for your OS. MyDrv_Plugin_v0.003.zip 312.95 kB · 7 downloads @boot Found the reason. View this. https://youtu.be/5iP-xgmMdo8 Regards. sean. 1 Link to comment Share on other sites More sharing options...
RADIOX Posted March 23 Share Posted March 23 (edited) This topic is interesting i worked before on two apps which very hard to run in the debugger, so I'll share them here for educational purposes to play with and enjoy difficulty 5/10 Rogue.exe difficulty 7/10 Safari.exe Edited March 23 by RADIOX 1 Link to comment Share on other sites More sharing options...
jackyjask Posted March 23 Share Posted March 23 (edited) Safari.exe is silently crashing (run without debugger), from crash dump: Rogue.exe is a regular Themida protted app? Edited March 23 by jackyjask 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 23 Share Posted March 23 (edited) 12 minutes ago, jackyjask said: Safari.exe is silently crashing (run without debugger), from crash dump: Rogue.exe is a regular Themida protted app? Right. rogue.exe is themida protected application. bypassed. but Safari.exe is silently terminated. Regards. sean. Edited March 23 by windowbase editing words. Link to comment Share on other sites More sharing options...
jackyjask Posted March 23 Share Posted March 23 @RADIOX what is so special about safari.exe, does it work in your case? does it have some pre-conditions? Link to comment Share on other sites More sharing options...
RADIOX Posted March 23 Share Posted March 23 1 hour ago, windowbase said: Rogue.exe is a regular Themida protted app? is not a regular Themida app even if you use Titanhide the app will not run in the Debigger 10 minutes ago, jackyjask said: what is so special about safari.exe this app is very interesting : to be sure you run this app correctly you should have an internet connection which interesting about this app, changes its name after each successful run : 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 23 Share Posted March 23 1 hour ago, RADIOX said: is not a regular Themida app even if you use Titanhide the app will not run in the Debigger this app is very interesting : to be sure you run this app correctly you should have an internet connection which interesting about this app, changes its name after each successful run : @RADIOX Is there any way to run the application in the debugger? Regards. sean. 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 24 Share Posted March 24 18 hours ago, RADIOX said: is not a regular Themida app even if you use Titanhide the app will not run in the Debigger this app is very interesting : to be sure you run this app correctly you should have an internet connection which interesting about this app, changes its name after each successful run : This is hard too. try it. it is a vmprotected sample. IMPOSSIBLE.rar Regards. sean. Link to comment Share on other sites More sharing options...
kao Posted March 24 Share Posted March 24 1 hour ago, windowbase said: it is a vmprotected sample. It's not. It's protected with a Chinese tool call TianYi T-VMProtect. While TianYi T-VMProtect claims to be based on VMProtect, the protection methods have been changed (I intentionally don't use a word "improved", as Chinese tools often sacrifice compatibility to gain additional "protection"). 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 24 Share Posted March 24 18 minutes ago, kao said: It's not. It's protected with a Chinese tool call TianYi T-VMProtect. While TianYi T-VMProtect claims to be based on VMProtect, the protection methods have been changed (I intentionally don't use a word "improved", as Chinese tools often sacrifice compatibility to gain additional "protection"). Is it on the web? it doesn't seem to be any download link on the web. Regards. sean. Link to comment Share on other sites More sharing options...
kao Posted March 24 Share Posted March 24 The first link in Google results: https://bbs.125.la/thread-14741515-1-1.html 1 Link to comment Share on other sites More sharing options...
X0rby Posted March 24 Share Posted March 24 7 hours ago, windowbase said: This is hard too. try it. it is a vmprotected sample. impossible.mp4 1 Link to comment Share on other sites More sharing options...
Sean Park - Lovejoy Posted March 24 Share Posted March 24 17 minutes ago, X0rby said: impossible.mp4 @X0rby Just showing off? Regards. sean. 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now