jackyjask Posted September 16, 2023 Posted September 16, 2023 Olly v1 Win7 plugin with latst fix from topicstarter [Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 1
boot Posted September 17, 2023 Posted September 17, 2023 10 hours ago, Noob boy said: Would you like to fix the plugin for demo olydbg1 It will take some time to test your sample in Win7 x64, Win10 x64 and Win11 x64, because some OSs still lack data... Later, I will upload Olly v1.10/x32dbg plugins again. Thanks to @Karan for updating the code. 1
Oliver Posted September 17, 2023 Posted September 17, 2023 1 hour ago, boot said: It will take some time to test your sample in Win7 x64, Win10 x64 and Win11 x64, because some OSs still lack data... Later, I will upload Olly v1.10/x32dbg plugins again. Thanks to @Karan for updating the code. @boot great ,i"ve waiting for🙂
boot Posted September 17, 2023 Posted September 17, 2023 10 hours ago, boot said: upload Olly v1.10/x32dbg plugins again. Thanks to @karan for updating the code. Support for Win7 x64: - Confirmed support for Win7 x64 SP1 - Maybe it also supports Win7 x64 SP0 [Olly v1.10 ScyllaHide] Win7 x64 SP1.zip [x32Dbg ScyllaHide] Win7 x64 SP1.zip Support for Win10 x64: - Confirmed support for Win10_x64-22H2-19045.3448 - Maybe it also supports the latest Win10 x64 OSs [Olly v1.10 ScyllaHide] Win10_x64.zip [x32Dbg ScyllaHide] Win10_x64.zip Support for Win11 x64: - Confirmed support for Win11_x64-22H2-22621.2215 - Maybe it also supports the latest Win11 x64 OSs [Olly v1.10 ScyllaHide] Win11_x64.zip [x32Dbg ScyllaHide] Win11_x64.zip 11
karan Posted September 17, 2023 Author Posted September 17, 2023 On 9/14/2023 at 1:49 AM, deepzero said: What does VMP do if it encounters an OS for which it does not have syscall numbers? As a result of the analysis, I couldn't find how to check the version. However, if the "wine_get_version" api exists in the ntdll module, they calling a normal Nt series function. I don't know if I can do this in Plugin.
jackyjask Posted September 17, 2023 Posted September 17, 2023 16 minutes ago, karan said: However, if the "wine_get_version" api exists in the ntdll module, they calling a normal Nt series function. https://gist.github.com/ork/32da69687c94530931ed maybe this is how vmp is checking if assembly running under Wine system? (WIndows emulator under Linux)
kao Posted September 17, 2023 Posted September 17, 2023 Why are you trying to guess? Take the leaked VMProtect sources and check the file runtime\core.cc (lines 483-757), it's all there. 2 3
kuazi GA Posted September 17, 2023 Posted September 17, 2023 https://github.com/classic130/VMProtect-Source/blob/master/runtime/core.cc
Oliver Posted September 18, 2023 Posted September 18, 2023 13 hours ago, boot said: Support for Win7 x64: - Confirmed support for Win7 x64 SP1 - Maybe it also supports Win7 x64 SP0 [Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 2.72 MB · 4 downloads [x32Dbg ScyllaHide] Win7 x64 SP1.zip 2.51 MB · 4 downloads Support for Win10 x64: - Confirmed support for Win10_x64-22H2-19045.3448 - Maybe it also supports the latest Win10 x64 OSs [Olly v1.10 ScyllaHide] Win10_x64.zip 2.05 MB · 4 downloads [x32Dbg ScyllaHide] Win10_x64.zip 2.51 MB · 6 downloads Support for Win11 x64: - Confirmed support for Win11_x64-22H2-22621.2215 - Maybe it also supports the latest Win11 x64 OSs [Olly v1.10 ScyllaHide] Win11_x64.zip 4.57 MB · 5 downloads [x32Dbg ScyllaHide] Win11_x64.zip 5.5 MB · 1 download @boot have a look at this sample: sample can be found here: https://mega.nz/file/TmJQwCZT#NfHuDu5z-OtXvFeWzBx6nIdRFX_T2CIkFw41p6VlNxQ bandicam 2023-09-18 07-28-30-229.mp4
stylog Posted September 20, 2023 Posted September 20, 2023 I believe there are 2 antidebug checks. The regular one that works with old plugins and techniques, and the new one which checks the old methods including it's new method. I'm not sure, I am a windows 7 32x user, so I don't have much problems seeing that vmprotect is at it's weakest on older windows 😅 1
monster Posted October 10, 2023 Posted October 10, 2023 @boot sir thanks for your plugin is greate but it got failed when I try target on it. I sent target in pm check it out.
TRISTAN Pro Posted October 14, 2023 Posted October 14, 2023 (edited) Target Done without scyllahide. it's commercial app. Edited October 14, 2023 by TRISTAN Pro Commercial app
Noob boy Posted November 2, 2023 Posted November 2, 2023 On 9/17/2023 at 9:11 PM, boot said: Support for Win7 x64: - Confirmed support for Win7 x64 SP1 - Maybe it also supports Win7 x64 SP0 [Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 2.72 MB · 13 downloads [x32Dbg ScyllaHide] Win7 x64 SP1.zip 2.51 MB · 17 downloads Support for Win10 x64: - Confirmed support for Win10_x64-22H2-19045.3448 - Maybe it also supports the latest Win10 x64 OSs [Olly v1.10 ScyllaHide] Win10_x64.zip 2.05 MB · 12 downloads [x32Dbg ScyllaHide] Win10_x64.zip 2.51 MB · 22 downloads Support for Win11 x64: - Confirmed support for Win11_x64-22H2-22621.2215 - Maybe it also supports the latest Win11 x64 OSs [Olly v1.10 ScyllaHide] Win11_x64.zip 4.57 MB · 23 downloads [x32Dbg ScyllaHide] Win11_x64.zip 5.5 MB · 16 downloads Hello, can you build a version of Win10 19045.3636. I have upgraded my system. Thank you again
karan Posted November 8, 2023 Author Posted November 8, 2023 The latest version of vmprotect can no longer bypass Anti-Debug through this method. RIP. 1 1
TRISTAN Pro Posted November 8, 2023 Posted November 8, 2023 (edited) On 11/8/2023 at 3:48 AM, karan said: The latest version of vmprotect can no longer bypass Anti-Debug through this method. RIP. Post that file here for testing. After studying it's the same as before I can bypass it as always may be need to learn coding and make plugin for bypass all vmp antidebugger😂🤣. The plugin by boot still work on it. 😁 Edited November 9, 2023 by TRISTAN Pro Same security nothing change.
karan Posted November 8, 2023 Author Posted November 8, 2023 (edited) On 11/8/2023 at 3:39 PM, TRISTAN Pro said: Post that file here for testing. @boot Edited November 9, 2023 by karan file reupload 1
boot Posted November 8, 2023 Posted November 8, 2023 (edited) On 11/8/2023 at 2:46 PM, karan said: The attachments appear to have been deleted. x86 target(s) or x64 target(s)? If you can please re-upload and I will try these. EDIT: Downloaded... Thanks karan Edited November 9, 2023 by boot
Guruhardoi7 Posted November 29, 2023 Posted November 29, 2023 @boot can you sent your scyallhide plugin code. 1
Guruhardoi7 Posted December 6, 2023 Posted December 6, 2023 Hello everyone I was check some unpackme. Mostly are working on debugger but some are not working on debugger with this plugin also.i make all vmprotect version into a zip file for test your antidbg/vm (i spend 2 months to understand these all 😫).I also includes one impossible file check it out😁. Good for noob like me for vmp startup. https://mega.nz/file/Vq1ESbAQ#WGYZj4Ky8oP4-3yrLxDj8Gic7henaUaLdkZx3uKJVg8 PW:= tuts4you Planing to add tutorial also launce soon😇. ALL VMP TEST.rar 2
X0rby Posted January 10 Posted January 10 (edited) -- Edited January 16 by X0rby dont blame me then 1
tejinaji Posted May 22 Posted May 22 Can anyone help, please. I did rebuild for me this repo https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass.git But now luck. I've checked the syscalls is the same for my win10 2h22 19045.4170 No olly 1, no 2 and x32dbg doesn't handle vmp 3.6 T_T
Progman Posted May 29 Posted May 29 On 5/22/2024 at 9:54 PM, tejinaji said: Can anyone help, please. I did rebuild for me this repo https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass.git But now luck. I've checked the syscalls is the same for my win10 2h22 19045.4170 No olly 1, no 2 and x32dbg doesn't handle vmp 3.6 T_T You didn't give any idea of what target you have and there are some known issues as mentioned here so just the OS and 3 tools alone isn't enough 1
boot Posted July 5 Posted July 5 The plugin has been updated, and for debugging 64-bit VMP APPs, no specific Windows version is required: 1. Only supports Win7 x64/64-bit systems and above. This version of the plugin only supports 64-bit debuggers for debugging 64-bit APPs 2. As there is no need to load some kernel drivers, the blue screen will not be triggered ScyllaHide_2024_x64_v0.001.zip ScyllaHide 64-bit x64: 3.8.1 ✔ 3.8.4 ✔ 3.8.5 ❓ 3.8.7 ✔ VMP_3.8.1_x64_64-bit.vmp.exe VMP_3.8.4_x64_64-bit.vmp.exe VMP_3.8.7_x64_64-bit.vmp.exe 3 2
Sean the hard worker Posted July 5 Posted July 5 (edited) You need to disable the options of the SharpOD by @Xjun to use this plugin 10 minutes ago, boot said: The plugin has been updated, and for debugging 64-bit VMP APPs, no specific Windows version is required: 1. Only supports Win7 x64/64-bit systems and above. This version of the plugin only supports 64-bit debuggers for debugging 64-bit APPs 2. As there is no need to load some kernel drivers, the blue screen will not be triggered ScyllaHide_2024_x64_v0.001.zip 4.21 MB · 0 downloads ScyllaHide 64-bit x64: 3.8.1 ✔ 3.8.4 ✔ 3.8.5 ❓ 3.8.7 ✔ VMP_3.8.1_x64_64-bit.vmp.exe 1.37 MB · 0 downloads VMP_3.8.4_x64_64-bit.vmp.exe 1.21 MB · 0 downloads VMP_3.8.7_x64_64-bit.vmp.exe 1.07 MB · 0 downloads @boot It works like magic. many thanks for your effort. by the way, how did you modify the source code of the original ScyllaHide x64 plugin? Regards. sean. Edited July 5 by The Binary Expert 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now