hposix Posted January 7, 2020 Share Posted January 7, 2020 (edited) My Question How to VMProtect Application Crc calcuated I Want embed hash into my application but , if embed any crc hash to application final checksum changed how VMProtect like software ex Themida calculating own hash I'm Deobfuscated VMProtect and i get this ;VMProtect CRC START: mov edx,dword ptr ss:[ebp] add ebp,0x4 LOOP: xor eax,eax mov ecx,eax shl eax,0x7 shr ecx,0x19 or eax,ecx xor al,byte ptr ds:[edx] inc edx dec dword ptr ss:[ebp] jnz LOOP mov dword ptr ss:[ebp],eax END But how crc values calculated and embeding into application i don't understand how it's work and i need i want to make my own protector for educational purposes only. sorry for my bad english MapViewOfFile etc used but i don't understand how to crc value and embed into application calculated pls send me any source code of how this think work Edited January 7, 2020 by hposix Link to comment
deepzero Posted January 7, 2020 Share Posted January 7, 2020 Well, you got the deobfuscated crc routine correct. Out of interest, what did you use to deobfuscate it? There are different types of crc checks in vmp, the two most common ones 1. vm-embedded ones. here the correct crc is hardcoded into the vm-opcodes. 2. table. here vmp stores a large array of sections to check crc for. it stores an array of {address, size, correct_crc, some other things} and just checks every entry. Note that in both cases there are chained checks, so the table or the vm-opcodes are themselves crc protected by another crc check. Try searching the forum, there were several discussions regarding vmp crc before iirc. 1 Link to comment
hposix Posted January 7, 2020 Author Share Posted January 7, 2020 i deobfuscated with vm sweeper plugin ida, I'm used old version (version 2) of vmprotect of get crc handler Thank you for your comment but, i dont understand how to make own application and add crc hash add into application like vmprotect Link to comment
deepzero Posted January 7, 2020 Share Posted January 7, 2020 You will have to be more specific. Look here for more details on vmp crc: https://forum.tuts4you.com/topic/36653-devirtualizeme-vmprotect-2135 https://forum.tuts4you.com/topic/36991-inlineme-vmprotect-isvalidimagecrc 1 Link to comment
hposix Posted January 7, 2020 Author Share Posted January 7, 2020 2 minutes ago, deepzero said: You will have to be more specific. Look here for more details on vmp crc: https://forum.tuts4you.com/topic/36653-devirtualizeme-vmprotect-2135 https://forum.tuts4you.com/topic/36991-inlineme-vmprotect-isvalidimagecrc Thank you 😘 Link to comment
atom0s Posted January 9, 2020 Share Posted January 9, 2020 Unless the data is known at compile time, then generally things like this are done with post-processing on the binaries. You can mimic it by emitting blocks of data to be overwritten/scanned for after the app has been compiled, which is similar to what VMProtect and similar use for when you wish to virtualize a function. Here's an example, from Themida's SDK, you can see the patterns they emit for a C based app which will be used for post-processing when applying protections: https://pastebin.com/uT8vmPGh 1 Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now