jackyjask Posted September 14, 2023 1 hour ago, Noob boy said: Windows 10 Enterprise x64 21H2 19044.2604 Need to find the syscall table for your OS https://hfiref0x.github.io/NT10_syscalls.html - not present https://j00ru.vexillium.org/syscalls/nt/64/ - not present .... ?
boot Posted September 14, 2023 (edited) It has been confirmed that the ScyllaHide plugin is feasible in Win7 x64 SP1, so the Olly v1.10 plugin for Win7 x64 SP1 has been compiled, which can bypass the Anti-Debug of VMP 3.8.1. Due to the lack of a lot of data, plugins that support other OSs are waiting for analysis... updated: https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=217057 Edited September 17, 2023 by boot 1
Noob boy Posted September 14, 2023 4 hours ago, jackyjask said: Need to find the syscall table for your OS https://hfiref0x.github.io/NT10_syscalls.html - not present https://j00ru.vexillium.org/syscalls/nt/64/ - not present .... ?
GautamGreat Posted September 14, 2023 I'm able to bypass the Anti-Debug, but I get this strange issue. According to the leaked VMP source, error 3 means INTERNAL_GPA_ERROR
Oliver Posted September 14, 2023 (edited) @GautamGreat same issue with me in the same module Edited September 14, 2023 by Oliver
jackyjask Posted September 14, 2023 interesting case, possible to get TFMMTKModule.exe?
jackyjask Posted September 14, 2023 @boot why do you need to keep 2 Olly v1 plugins with the same functionality? They will definitely fight for the same functionality and thus make the debugger unstable, and as per my understanding it is enough to have just one, e.g. ScyllaHide
boot Posted September 14, 2023 2 hours ago, jackyjask said: They will definitely fight for the same functionality and thus make the debugger unstable... Yes, in the StrongOD plugin there are some options/check-boxes that do not need to be checked because they are already selected in the ScyllaHide plugin, otherwise it will cause a crash. But there is one option that must be checked, which is the 'Skip Some Exceptions' option.
jackyjask Posted September 14, 2023 (edited) But you could already use that "Skip Some Exceptions" feature in the ScyllaHide plugin, look - and on your video that check is unchecked... Could you try it out? (remove StrongOD and use these checkboxes and see if you are still able to run the target protected app) Edited September 14, 2023 by jackyjask
boot Posted September 15, 2023 1 hour ago, jackyjask said: Could you try it out? (remove StrongOD and use these checkboxes and see if you are still able to run the target protected app) It's strange, this is my test video... https://workupload.com/file/bUFL5R78jwZ
krotty Posted September 15, 2023 5 hours ago, jackyjask said: @boot why do you need to keep 2 Olly v1 plugins with the same functionality? They will definitely fight for the same functionality and thus make the debugger unstable, and as per my understanding it is enough to have just one, e.g. ScyllaHide Can I get this Olly?
Noob boy Posted September 15, 2023 On 9/1/2023 at 3:41 PM, karan said: VMProtect started using Heaven's Gate to make it difficult to bypass usermode Anti-Debug. VMP uses ZwQueryInformationProcess (ProcessWow64Information) to check if the running process is WOW64, and if the value is 0, it runs the sysenter opcode, judging that it is a 32-bit operating system. An exception occurred when the WOW64 process ran the "sysenter" opcode, and I installed a VectorHandler to handle the exception. Exception handler functions: 1. Check that the exception location is the "sysenter" opcode. 2. Check which Zw** API is called (checked in the eax register). 3. Load all the arguments recorded in ContextRecord and call the Zw** function as a proxy (API with anti-debug bypass). 4. Put the return value of the API into eax and resume the execution flow at the next instruction after the "sysenter" opcode. Through the above process, I was able to bypass the VMP Anti-Debug! bandicam 2023-08-30 23-52-29-912.mp4 5.8 MB · 0 downloads I implemented the function by modifying some of the ScyllaHide plugin. VMProtect has a hardcoded syscall number for each OS version. I haven't yet implemented the version-specific syscall_number table. If you have a better idea, please share. https://github.com/x64dbg/ScyllaHide/compare/master...miketestz:ScyllaHide_VMPHeavensgateBypass:master Hi brother, can you upload a copy of the ScyllaHide source code you modified, for reference?
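The four-step proxy dispatch karan describes in the quoted post (confirm the fault is at a sysenter, read the syscall number from eax, pull the arguments from the saved context, call a proxy for the Zw API, put the status in eax and resume after the instruction), as an added example that is not the plugin's code nor anything posted in this thread. It is written to compile on any host: a three-register struct and a flat guest-memory array stand in for the WOW64 CONTEXT and EXCEPTION_POINTERS, and a pair of "real" services stand in for the genuine ntdll exports the proxies forward to. The syscall numbers in the per-build table (0x100.., 0x200..) are constructed placeholders, the KiFastSystemCall-style frame layout at the fault (edx = esp, first argument at [edx+8]) is an assumption about VMP's stub, and the simulated kernel state (debugger attached, thread not yet hidden) is constructed for the run; the NTSTATUS values and information-class numbers are the real ones. The forwarded SystemFirmwareTableInformation case covers the NtQuerySystemInformation call that karan later reports the HardwareLock path needs.

```c
/* Added example, not the plugin's or the thread author's code: host-portable model of the
 * vectored-handler "sysenter proxy". ASSUMPTIONS: syscall numbers, frame layout, kernel state. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define EXCEPTION_CONTINUE_SEARCH     0
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_INFO_CLASS 0xC0000003u
/* information-class values (real) behind VMP's checks */
#define ProcessDebugPort                 7
#define ProcessWow64Information         26
#define ProcessDebugFlags               31
#define ThreadHideFromDebugger          17
#define SystemKernelDebuggerInformation 35
#define SystemFirmwareTableInformation  76
typedef struct { uint32_t eax, edx, eip; } Regs;   /* the CONTEXT fields the handler touches */
static uint8_t g_mem[4096];                         /* simulated 32-bit guest memory */
static int g_thread_hidden;                         /* simulated kernel state */
static Regs g_r;                                    /* register file of the last simulated fault */
static uint8_t  rd8(uint32_t a)              { return a < sizeof g_mem ? g_mem[a] : 0; }
static void     wr8(uint32_t a, uint8_t v)   { if (a < sizeof g_mem) g_mem[a] = v; }
static uint32_t rd32(uint32_t a)             { uint32_t v = 0; if (a <= sizeof g_mem - 4) memcpy(&v, g_mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { if (a <= sizeof g_mem - 4) memcpy(g_mem + a, &v, 4); }
/* "Real" services: a debugger is attached, so they tell the truth (the plugin forwards here) */
static uint32_t real_QIP(uint32_t h, uint32_t cls, uint32_t buf, uint32_t len, uint32_t rl) {
    (void)h; (void)len;
    switch (cls) {
    case ProcessDebugPort:        wr32(buf, 0xFFFFFFFFu); break;   /* nonzero: debug port exists */
    case ProcessDebugFlags:       wr32(buf, 0);           break;   /* 0 = being debugged */
    case ProcessWow64Information: wr32(buf, 0x7FFE0000u); break;   /* PEB32 pointer: WOW64 process */
    default: return STATUS_INVALID_INFO_CLASS;
    }
    if (rl) wr32(rl, 4);
    return STATUS_SUCCESS;
}
static uint32_t real_SIT(uint32_t h, uint32_t cls, uint32_t buf, uint32_t len) {
    (void)h; (void)buf; (void)len;
    if (cls != ThreadHideFromDebugger) return STATUS_INVALID_INFO_CLASS;
    g_thread_hidden = 1; return STATUS_SUCCESS;
}
static uint32_t real_QSI(uint32_t cls, uint32_t buf, uint32_t len, uint32_t rl) {
    (void)len;
    if (cls == SystemKernelDebuggerInformation) { wr8(buf, 1); wr8(buf + 1, 0); }     /* kd enabled, present */
    else if (cls != SystemFirmwareTableInformation) return STATUS_INVALID_INFO_CLASS; /* HardwareLock path */
    if (rl) wr32(rl, 0);
    return STATUS_SUCCESS;
}
/* Proxies: answer the debugger-revealing classes with the "clean" value, forward everything else */
static uint32_t proxy_QIP(uint32_t h, uint32_t cls, uint32_t buf, uint32_t len, uint32_t rl) {
    switch (cls) {
    case ProcessDebugPort:  wr32(buf, 0); if (rl) wr32(rl, 4); return STATUS_SUCCESS;
    case ProcessDebugFlags: wr32(buf, 1); if (rl) wr32(rl, 4); return STATUS_SUCCESS; /* PROCESS_DEBUG_INHERIT */
    default: return real_QIP(h, cls, buf, len, rl);
    }
}
static uint32_t proxy_SIT(uint32_t h, uint32_t cls, uint32_t buf, uint32_t len) {
    if (cls == ThreadHideFromDebugger) return STATUS_SUCCESS;   /* report success, keep the thread visible */
    return real_SIT(h, cls, buf, len);
}
static uint32_t proxy_QSI(uint32_t cls, uint32_t buf, uint32_t len, uint32_t rl) {
    uint32_t st = real_QSI(cls, buf, len, rl);
    if (st == STATUS_SUCCESS && cls == SystemKernelDebuggerInformation) { wr8(buf, 0); wr8(buf + 1, 1); }
    return st;
}
/* Per-build table. Numbers are CONSTRUCTED placeholders; fill from the target build's ntdll. */
enum { API_NONE, API_QIP, API_SIT, API_QSI };
static const struct { uint32_t build, number; int api; } k_syscalls[] = {
    { 19044, 0x100, API_QIP }, { 19044, 0x101, API_SIT }, { 19044, 0x102, API_QSI },
    { 22621, 0x200, API_QIP }, { 22621, 0x201, API_SIT }, { 22621, 0x202, API_QSI },
};
static int lookup_api(uint32_t build, uint32_t number) {
    for (size_t i = 0; i < sizeof k_syscalls / sizeof k_syscalls[0]; i++)
        if (k_syscalls[i].build == build && k_syscalls[i].number == number) return k_syscalls[i].api;
    return API_NONE;
}
/* ASSUMED frame at the fault, as in ntdll's KiFastSystemCall: edx = esp, two return addresses
 * on top, first argument at [edx+8]. Adjust ARG0_OFF if VMP's inline stub pushes differently. */
#define ARG0_OFF 8
static uint32_t arg(const Regs *r, int i) { return rd32(r->edx + ARG0_OFF + 4u * (uint32_t)i); }
int sysenter_handler(Regs *r, uint32_t os_build) {
    /* 1. claim the fault only if eip points at sysenter (0F 34) */
    if (rd8(r->eip) != 0x0F || rd8(r->eip + 1) != 0x34) return EXCEPTION_CONTINUE_SEARCH;
    uint32_t status;
    switch (lookup_api(os_build, r->eax)) {          /* 2. eax holds the hardcoded syscall number */
    case API_QIP: status = proxy_QIP(arg(r,0), arg(r,1), arg(r,2), arg(r,3), arg(r,4)); break; /* 3. args */
    case API_SIT: status = proxy_SIT(arg(r,0), arg(r,1), arg(r,2), arg(r,3)); break;
    case API_QSI: status = proxy_QSI(arg(r,0), arg(r,1), arg(r,2), arg(r,3)); break;
    default:      return EXCEPTION_CONTINUE_SEARCH;  /* unmapped number: don't guess, let it fault */
    }
    r->eax = status;   /* 4. status back in eax ... */
    r->eip += 2;       /* ... and resume after the 2-byte sysenter */
    return EXCEPTION_CONTINUE_EXECUTION;
}
/* Harness: sysenter at 0x100, frame at 0x800, arguments a0..a4; registers left in g_r */
int simulate(uint32_t build, uint32_t number, uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3, uint32_t a4) {
    uint32_t args[5] = { a0, a1, a2, a3, a4 };
    memset(g_mem, 0, sizeof g_mem); g_thread_hidden = 0;
    wr8(0x100, 0x0F); wr8(0x101, 0x34);
    for (int i = 0; i < 5; i++) wr32(0x800 + ARG0_OFF + 4u * (uint32_t)i, args[i]);
    g_r.eax = number; g_r.edx = 0x800; g_r.eip = 0x100;
    return sysenter_handler(&g_r, build);
}
int main(void) {
    int v = simulate(19044, 0x100, 0xFFFFFFFFu, ProcessDebugPort, 0x900, 4, 0x904);
    printf("verdict=%d status=0x%08X eip=0x%X ProcessDebugPort=%u\n", v, (unsigned)g_r.eax, (unsigned)g_r.eip, (unsigned)rd32(0x900));
    return 0;
}
```

In a real plugin the handler is registered with AddVectoredExceptionHandler and the proxies forward to the genuine ntdll exports; the design point the model keeps is that the table lookup is keyed by OS build, and an unmapped number returns EXCEPTION_CONTINUE_SEARCH instead of calling the wrong service, which is exactly why the per-build syscall numbers asked about earlier in the thread matter.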
boot Posted September 16, 2023 (edited) On 9/14/2023 at 4:11 PM, boot said: It has been confirmed that the ScyllaHide plugin is feasible in Win7 x64 SP1... plugins && videos download: I have built and tested two new versions of the Olly v1.10 plugins, Support for Win10 x64: - Confirmed support for Win10_ Version x64-22H2-19045.3448 - Maybe it also supports the latest Win10 x64 OSs Support for Win11 x64: - Confirmed support for Win11_ Version x64-22H2-22621.2215 - Maybe it also supports the latest Win11 x64 OSs updated: https://forum.tuts4you.com/topic/44425-vmprotect-heavens-gate-anti-debug-bypass-to-vectorhandler/?do=findComment&comment=217057 Edited September 17, 2023 by boot 3 2
jackyjask Posted September 16, 2023 Thanks @boot, very nice video format for a readme. While watching it I've got one more idea - how about you consider recording some more vids about the bunch of your plugins that you are keeping in your Olly / boot edition great debugger? Some I know but some not; it would be nice for newbies to educate themselves and learn in a super modern video-like lesson(s) 1
Oliver Posted September 16, 2023 (edited) 3 hours ago, boot said: plugins && videos download: [Olly v1.10 ScyllaHide] - Supports Win10_x64-22H2-19045.3448.rar 3.56 MB · 10 downloads [Olly v1.10 ScyllaHide] - Supports Win11_x64-22H2-22621.2215.rar 5.86 MB · 7 downloads I have built and tested two new versions of the Olly v1.10 plugins, Support for Win10 x64: - Confirmed support for Win10_ Version x64-22H2-19045.3448 - Maybe it also supports the latest Win10 x64 OSs Support for Win11 x64: - Confirmed support for Win11_ Version x64-22H2-22621.2215 - Maybe it also supports the latest Win11 x64 OSs @boot thanks, appreciate your hard work, waiting for you to build Scylla for x32dbg/x64dbg. Edited September 16, 2023 by Oliver
Oliver Posted September 16, 2023 testing @boot's ScyllaHide plugins on Win10_Pro Version x64-22H2-19045.3324 testing.mp4
jackyjask Posted September 16, 2023 @Oliver nice video masterpiece. I've got a question about your Olly v1 plugin list as well: how do you guys manage to have (I've counted) 5 (!!) anti-debug plugins at the same time? Doesn't it conflict with each other? What are your top 3 plugins used mostly in day-to-day work?
Noob boy Posted September 16, 2023 Try this demo: VMProtect SDK for E Demo.vmp.zip
Oliver Posted September 16, 2023 @jackyjask I mostly use 4 plugins: StrongOD, SharpOD, PhantOm, Scylla. I downloaded this Olly v1 from somewhere and I got all these plugins inside; I disabled all plugins except those 4 which I use mostly 🙂
jackyjask Posted September 16, 2023 2 hours ago, Noob boy said: Try this demo: VMProtect SDK for E Demo.vmp.zip What VMP version have you used? It does not run in my case... nor does it complain about a found debugger?! 10 minutes ago, Oliver said: @jackyjask I mostly use 4 plugins: StrongOD, SharpOD, PhantOm, Scylla. I downloaded this Olly v1 from somewhere and I got all these plugins inside; I disabled all plugins except those 4 which I use mostly 🙂 When a plugin is present in the OllyDbg menu it means it is already used! Even if you disable the checkbox in features, the plugin a) was loaded by Olly - occupies memory segments b) receives lots of events/callbacks from Olly - a potential way that may lead to error-prone cases c) the aggressive SW has more means to detect the debugger by scanning memory and looking for some debug strings d) you add more here
Oliver Posted September 16, 2023 30 minutes ago, jackyjask said: What VMP version have you used? It does not run in my case... nor does it complain about a found debugger?! When a plugin is present in the OllyDbg menu it means it is already used! Even if you disable the checkbox in features, the plugin a) was loaded by Olly - occupies memory segments b) receives lots of events/callbacks from Olly - a potential way that may lead to error-prone cases c) the aggressive SW has more means to detect the debugger by scanning memory and looking for some debug strings d) you add more here @jackyjask aah great, thanks for the good information🥰
karan Posted September 16, 2023 Author 4 hours ago, Noob boy said: Try this demo: VMProtect SDK for E Demo.vmp.zip A missing Nt function exists. It calls NtQuerySystemInformation (SystemFirmwareTableInformation) because of the HardwareLock function. Updated the git. https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass 3
jackyjask Posted September 16, 2023 @karan great fix! The last failed silent target successfully loaded!! 2 1
Oliver Posted September 16, 2023 2 hours ago, karan said: A missing Nt function exists. It calls NtQuerySystemInformation (SystemFirmwareTableInformation) because of the HardwareLock function. Updated the git. https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass @karan can you share all ScyllaHide plugins compiled? 1
Noob boy Posted September 16, 2023 14 hours ago, boot said: plugins && videos download: [Olly v1.10 ScyllaHide] - Supports Win10_x64-22H2-19045.3448.rar 3.56 MB · 18 downloads [Olly v1.10 ScyllaHide] - Supports Win11_x64-22H2-22621.2215.rar 5.86 MB · 19 downloads I have built and tested two new versions of the Olly v1.10 plugins, Support for Win10 x64: - Confirmed support for Win10_ Version x64-22H2-19045.3448 - Maybe it also supports the latest Win10 x64 OSs Support for Win11 x64: - Confirmed support for Win11_ Version x64-22H2-22621.2215 - Maybe it also supports the latest Win11 x64 OSs 7 hours ago, Noob boy said: Try this demo: VMProtect SDK for E Demo.vmp.zip Would you like to fix the plugin for the demo, OllyDbg 1 @boot