Tuts 4 You
hposix

My Question: How are VMProtect application CRC values calculated?


hposix
Posted (edited)

My question: how is the VMProtect application CRC calculated? I want to embed a hash into my application, but if I embed any CRC hash into the application, the final checksum changes.

How does VMProtect-like software (e.g. Themida) calculate its own hash?

I deobfuscated VMProtect and got this:

;VMProtect CRC handler (deobfuscated); [ebp] is the VM stack
START:
mov edx,dword ptr ss:[ebp]      ; edx = start address of the region to hash
add ebp,0x4                     ; [ebp] now holds the remaining byte count
xor eax,eax                     ; accumulator starts at 0, once, before the loop
LOOP:
mov ecx,eax
shl eax,0x7
shr ecx,0x19                    ; 0x19 = 32 - 7
or eax,ecx                      ; eax = rol(eax, 7)
xor al,byte ptr ds:[edx]        ; mix in the next byte
inc edx
dec dword ptr ss:[ebp]
jnz LOOP
mov dword ptr ss:[ebp],eax      ; leave the result on the VM stack
END

But I don't understand how the CRC values are calculated and embedded into the application, or how it works.

And I want to make my own protector, for educational purposes only. Sorry for my bad English ;)

MapViewOfFile etc. is used, but I don't understand how the CRC value is calculated and embedded into the application.

Please send me any source code showing how this works.

deepzero

Well, you got the deobfuscated crc routine correct. Out of interest, what did you use to deobfuscate it?

There are different types of CRC checks in VMP; the two most common ones are:

1. VM-embedded ones. Here the correct CRC is hardcoded into the VM opcodes.

2. Table. Here VMP stores a large array of sections to check the CRC for. It stores an array of {address, size, correct_crc, some other things} and just checks every entry.

Note that in both cases there are chained checks, so the table or the VM opcodes are themselves CRC-protected by another CRC check.


Try searching the forum; there were several discussions regarding VMP CRC before, iirc.

hposix

I deobfuscated it with the VM Sweeper plugin for IDA. I used an old version (version 2) of VMProtect to get the CRC handler.

Thank you for your comment, but I don't understand how to make my own application and add a CRC hash into it like VMProtect does.

atom0s

Unless the data is known at compile time, things like this are generally done with post-processing on the binaries. You can mimic it by emitting blocks of data to be overwritten/scanned for after the app has been compiled, which is similar to what VMProtect and similar tools use when you wish to virtualize a function. Here's an example from Themida's SDK; you can see the patterns they emit for a C-based app, which will be used for post-processing when applying protections:

https://pastebin.com/uT8vmPGh

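An added example, not code from this thread or from VMProtect/Themida, that ties hposix's rotate-and-xor listing to the post-processing step atom0s describes: the marker tag, the {start, size, expected_crc} entry layout and the sample image are constructed assumptions. It also shows why an entry can never cover its own CRC slot (the "final checksum changes" problem), and how a later entry can guard an earlier one, which is deepzero's chained check.

```python
import struct

MASK32 = 0xFFFFFFFF
MARKER = b"CRC_SLOT"                 # constructed tag an SDK macro would emit
ENTRY = struct.Struct("<8sIII")      # tag, start, size, expected_crc (constructed layout)

def vmp_crc(data: bytes) -> int:
    """The loop from the deobfuscated handler: eax starts at 0 and, for every
    byte, eax = rol(eax, 7) ^ byte (shl 7 | shr 25 is a 32-bit rol by 7)."""
    h = 0
    for b in data:
        h = ((h << 7) | (h >> 25)) & MASK32
        h ^= b
    return h

def entries(image: bytes):
    """Offsets of every marker block the build left in the image."""
    pos = image.find(MARKER)
    while pos != -1:
        yield pos
        pos = image.find(MARKER, pos + len(MARKER))

def post_process(image: bytearray) -> bytearray:
    """Post-build step: fill each entry's expected_crc over its range.
    Entries are filled in file order, so a later entry may cover an earlier,
    already-filled one (a chained check). An entry must not cover its own
    slot: writing the value would change the very bytes it hashes."""
    for pos in entries(image):
        tag, start, size, _ = ENTRY.unpack_from(image, pos)
        if start <= pos < start + size:
            raise ValueError(f"entry at {pos:#x} hashes its own slot")
        crc = vmp_crc(bytes(image[start:start + size]))
        ENTRY.pack_into(image, pos, tag, start, size, crc)
    return image

def verify(image: bytes) -> bool:
    """What the protected program does at run time: re-hash every range."""
    return all(vmp_crc(image[s:s + n]) == c
               for _, s, n, c in (ENTRY.unpack_from(image, p) for p in entries(image)))

def build_image() -> bytearray:
    """Constructed stand-in for a compiled binary: 64 bytes of 'code', then an
    entry guarding the code, then an entry guarding code + the first entry."""
    code = bytes((i * 37 + 11) & 0xFF for i in range(64))
    first = ENTRY.pack(MARKER, 0, len(code), 0)
    second = ENTRY.pack(MARKER, 0, len(code) + ENTRY.size, 0)
    return bytearray(code + first + second)
```

Running `verify(post_process(build_image()))` returns True, and flipping any byte of the code or of the first entry's stored CRC makes it return False, because the second entry covers the first.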
