Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

VMProtect Heaven's Gate Anti-Debug Bypass to VectorHandler

karan
karan
in Reverse Engineering Articles

Featured Replies

  • Replies 107
  • Views 40.4k
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Most Popular Posts

  • boot
    boot

    I have already conducted testing before, and if you compile the 32-bit plugin according to the original source code provided here (https://bbs.kanxue.com/thread-282244.htm).  Original 32-bit (Imp

  • boot
    boot

    Support for Win7 x64:  - Confirmed support for Win7 x64 SP1  - Maybe it also supports Win7 x64 SP0 [Olly v1.10 ScyllaHide] Win7 x64 SP1.zip [x32Dbg ScyllaHide] Win7 x64 SP1.zip Supp

  • karan
    karan

    VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug. VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64,

Posted Images

It has been confirmed that the ScyllaHide plugin is feasible in Win7 x64 SP1, so the Olly v1.10 plugin for Win7 x64 SP1 has been compiled, which can bypass the Anti-Debug of VMP 3.8.1. Due to the lack of a lot of data, plugins that support other OSs are waiting for analysis...

updated:

https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=217057

Edited by boot

    • Like 1

    I'm able to bypass the Anti Debug, but I get this strange issue. According to VMP leaked source error 3 means INTERNAL_GPA_ERROR 

     

    image.png.c02d6049fab68a73013771edcc30158f.png

    @GautamGreat same issue with me in same module

    Edited by Oliver

    interesting case, possible to get TFMMTKModule.exe?

     

    @boot  why do you need to keep 2 Olly v1 plugins wiht the same functinality? they definitely will fight for the same functionality and thus make debugger unstalble

    image.png.91d57c9b2ce40ceab449970021d00021.png

    and ScyallHide

    image.png.b2ab21bb8fb7b0331ad30ee543dbfa13.png

    as per my understanding it is enough to have just one - eg ScyallHider

    2 hours ago, jackyjask said:

    they definitely will fight for the same functionality and thus make debugger unstalble...

    Yes, in StrongOD plugin, there are some options/check-boxes that do not need to be checked because they are already selected in ScyllaHide plugin, otherwise it will cause a crash. But there is one option that must be checked, which is the 'Skip Some Exceptions' option.

    But you already could use that feature "Skip Some Exceptions" in ScyllaHide plugin, look - 

    image.png.22433d27659bd4e8649d3214a79cc13e.png

     

    and on your video that check is unchecked..

    could you try it out? (remove StrongOD and use these checkboxes and see if you still able to run the target protected app)

     

    Edited by jackyjask

    1 hour ago, jackyjask said:

    could you try it out? (remove StrongOD and use these checkboxes and see if you still able to run the target protected app)

    It's strange, this is my test video...

    https://workupload.com/file/bUFL5R78jwZ

    5 hours ago, jackyjask said:

    @boot  why do you need to keep 2 Olly v1 plugins wiht the same functinality? they definitely will fight for the same functionality and thus make debugger unstalble

    image.png.91d57c9b2ce40ceab449970021d00021.png

    and ScyallHide

    image.png.b2ab21bb8fb7b0331ad30ee543dbfa13.png

    as per my understanding it is enough to have just one - eg ScyallHider

    Can I get this olly ?

    On 9/1/2023 at 3:41 PM, karan said:

    VMProtect started using Heaven's gate to make it difficult to bypass Usermode Anti-Debug.


    VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is wow64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32bit operating system.


    An exception occurred when the wow64 process ran the "sysenter" opcode, and I installed VectorHandler to handle the exception.


    Exception Handler Functions:


    1. check that the exception location that occurred is the "sysenter" opcode.


    2. Check which Zw** APIs are called (checked in the eax register)


    3. load all the arguments recorded in ContextRecord and call the Zw** function as proxy. (API with anti-debug bypass)


    4. put the return value of the API into eax and resume the execution flow with the next instruction in the "sysenter" opcode.


    Through the above process, I was able to bypass the VMP Anti-Debug!

     

    I implemented the function by modifying some of the Scyllahide plugin.

    VMProtect has a hardcoded syscall number for each OS version.
    i didn't yet implemented the version-specific syscall_number table.

     

    If you have a better idea, share please.

     

    https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master

     

    Hi brother, can you upload a copy of the ScyllaHide source code you modified! for reference?

    On 9/14/2023 at 4:11 PM, boot said:

    It has been confirmed that the ScyllaHide plugin is feasible in Win7 x64 SP1...

    plugins && videos download:

     

     

    I have built and tested two new versions of the Olly v1.10 plugins,

    Support for Win10 x64:
     - Confirmed support for Win10_ Version x64-22H2-19045.3448
     - Maybe it also supports the latest Win10 x64 OSs

    Support for Win11 x64:
     - Confirmed support for Win11_ Version x64-22H2-22621.2215
     - Maybe it also supports the latest Win11 x64 OSs

    updated:

    https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=217057

    Edited by boot

    • Like 3
    • Thanks 2

    Thanks @boot  very nice video format for readme :)  while watching it I"ve got one more idea - how about you consider record some more vids about bunch of your plugins that you are keeping in your Olly / boot edition great debugger

    some I know but some not, would be nice for newbies to educate and learn in a super modern video like lesson(s) :)

    image.png.fc906647e1ce5b47a4673628392a4eff.png

    • Like 1
    3 hours ago, boot said:

    plugins && videos download:

    [Olly v1.10 ScyllaHide] - Supports Win10_x64-22H2-19045.3448.rar 3.56 MB · 10 downloads

    [Olly v1.10 ScyllaHide] - Supports Win11_x64-22H2-22621.2215.rar 5.86 MB · 7 downloads

    I have built and tested two new versions of the Olly v1.10 plugins,

    Support for Win10 x64:
     - Confirmed support for Win10_ Version x64-22H2-19045.3448
     - Maybe it also supports the latest Win10 x64 OSs

    Support for Win11 x64:
     - Confirmed support for Win11_ Version x64-22H2-22621.2215
     - Maybe it also supports the latest Win11 x64 OSs

    @boot thanks , appreciate your hard work,waiting for you to build Scylla for x32dbg/x64dbg .

    Edited by Oliver

    testing @boot's scylla hide plugins on Win10_Pro Version x64-22H2-19045.3324

    @Oliver nice video master piece :)

    I've got a question to your Olly v1 plugin list as well

    how do you guys manage to have (I"ve counted) 5 (!!) anti-debug plugins at the same time? :)   doesn't it confict with each other?   what are your top 3 plugins used mostly in day to day work?

    image.png.1c16f1998541db04a824bc97bf0e6191.png

    @jackyjask i mostly use 4 plugins ,strogod,sharpod,phantom,scylla. i downloaded this olly v1 from somewhere and i got these all plugins inside ,i disabled all plugins except that 4 which i use mostly 🙂

    2 hours ago, Noob boy said:

    Try this demoVMProtect SDK for E Demo.vmp.zip

    what vmp version have you used? I does not run in my case... neither does not complain about found debugger? ! 

    10 minutes ago, Oliver said:

    @jackyjask i mostly use 4 plugins ,strogod,sharpod,phantom,scylla. i downloaded this olly v1 from somewhere and i got these all plugins inside ,i disabled all plugins except that 4 which i use mostly 🙂

    when plugin is present in Ollydbg menu it means i t is already used!  even if you disable the checkbox in features, the plugin

    a) was loaded by Olly - occupies memory segments

    b) it receives lots of events/callbacks from Olly - potential way may lead to error prone cases

    c) the aggressive SW has more means to detect deugger by scanning memory and looking for some debug strings

    d)  you add more here :)

     

    30 minutes ago, jackyjask said:

    what vmp version have you used? I does not run in my case... neither does not complain about found debugger? ! 

    when plugin is present in Ollydbg menu it means i t is already used!  even if you disable the checkbox in features, the plugin

    a) was loaded by Olly - occupies memory segments

    b) it receives lots of events/callbacks from Olly - potential way may lead to error prone cases

    c) the aggressive SW has more means to detect deugger by scanning memory and looking for some debug strings

    d)  you add more here :)

     

    @jackyjask aah great ,thanks for good informations🥰

    @karan   great fix!  last failed silent target successfully loaded!!

    image.png.a739f090a8e7a16858b38ab7ec8b15dc.png

    • Like 2
    • Thanks 1
    2 hours ago, karan said:

    A missing Nt function exists.

    It calls NtQuerySystemInformation (SystemFirmwareTableInformation) because of the HardwareLock function.

     

    Updated the git.

     

    https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass

    @karancan you share all Scylla hide plugins compiled?

    • Sad 1
    14 hours ago, boot said:

    plugins && videos download:

    [Olly v1.10 ScyllaHide] - Supports Win10_x64-22H2-19045.3448.rar 3.56 MB · 18 downloads

    [Olly v1.10 ScyllaHide] - Supports Win11_x64-22H2-22621.2215.rar 5.86 MB · 19 downloads

    I have built and tested two new versions of the Olly v1.10 plugins,

    Support for Win10 x64:
     - Confirmed support for Win10_ Version x64-22H2-19045.3448
     - Maybe it also supports the latest Win10 x64 OSs

    Support for Win11 x64:
     - Confirmed support for Win11_ Version x64-22H2-22621.2215
     - Maybe it also supports the latest Win11 x64 OSs

     

    7 hours ago, Noob boy said:

    Try this demoVMProtect SDK for E Demo.vmp.zip

    Would you like to fix the plugin for demo olydbg1

    @boot

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.