Olly v1  Win7 plugin with latst fix from topicstarter

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip

10 hours ago, Noob boy said:

Would you like to fix the plugin for demo olydbg1

It will take some time to test your sample in Win7 x64, Win10 x64 and Win11 x64, because some OSs still lack data... Later, I will upload Olly v1.10/x32dbg plugins again.

Thanks to @Karan for updating the code. 

1 hour ago, boot said:

It will take some time to test your sample in Win7 x64, Win10 x64 and Win11 x64, because some OSs still lack data... Later, I will upload Olly v1.10/x32dbg plugins again.

Thanks to @Karan for updating the code. 

@boot great ,i"ve waiting for🙂

10 hours ago, boot said:

upload Olly v1.10/x32dbg plugins again.

Thanks to @karan for updating the code. 

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip

[x32Dbg ScyllaHide] Win7 x64 SP1.zip

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip

[x32Dbg ScyllaHide] Win10_x64.zip

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip

[x32Dbg ScyllaHide] Win11_x64.zip

On 9/14/2023 at 1:49 AM, deepzero said:

What does VMP do if it encounters an OS for which it does not have syscall numbers?

 

As a result of the analysis, I couldn't find how to check the version.
However, if the "wine_get_version" api exists in the ntdll module, they calling a normal Nt series function.
I don't know if I can do this in Plugin.

16 minutes ago, karan said:

However, if the "wine_get_version" api exists in the ntdll module, they calling a normal Nt series function.

https://gist.github.com/ork/32da69687c94530931ed

maybe this is how vmp is checking if  assembly running under Wine system? (WIndows emulator under Linux)

 

Why are you trying to guess? Take the leaked VMProtect sources and check the file runtime\core.cc (lines 483-757), it's all there.

https://github.com/classic130/VMProtect-Source/blob/master/runtime/core.cc

13 hours ago, boot said:

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 2.72 MB · 4 downloads

[x32Dbg ScyllaHide] Win7 x64 SP1.zip 2.51 MB · 4 downloads

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip 2.05 MB · 4 downloads

[x32Dbg ScyllaHide] Win10_x64.zip 2.51 MB · 6 downloads

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip 4.57 MB · 5 downloads

[x32Dbg ScyllaHide] Win11_x64.zip 5.5 MB · 1 download

@boot have a look at this sample:

sample can be found here: https://mega.nz/file/TmJQwCZT#NfHuDu5z-OtXvFeWzBx6nIdRFX_T2CIkFw41p6VlNxQ

I believe there are 2 antidebug checks. The regular one that works with old plugins and techniques, and the new one which checks the old methods including it's new method. 

I'm not sure, I am a windows 7 32x user, so I don't have much problems seeing that vmprotect is at it's weakest on older windows 😅

 

@boot sir thanks for your plugin is greate but it got failed when I try target on it. I sent target in pm check it out. 

Target

Done without scyllahide. it's commercial app.

Edited October 14, 20231 yr by TRISTAN Pro
Commercial app

On 9/17/2023 at 9:11 PM, boot said:

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 2.72 MB · 13 downloads

[x32Dbg ScyllaHide] Win7 x64 SP1.zip 2.51 MB · 17 downloads

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip 2.05 MB · 12 downloads

[x32Dbg ScyllaHide] Win10_x64.zip 2.51 MB · 22 downloads

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip 4.57 MB · 23 downloads

[x32Dbg ScyllaHide] Win11_x64.zip 5.5 MB · 16 downloads

Hello, can you build a version of Win10 19045.3636.

I have upgraded my system. Thank you again

The latest version of vmprotect can no longer bypass Anti-Debug through this method.

RIP.

On 11/8/2023 at 3:48 AM, karan said:

The latest version of vmprotect can no longer bypass Anti-Debug through this method.

RIP.

Post that file here for testing.

After studying it's the same as before 

I can bypass it as always may be need to learn coding and make plugin for bypass all vmp antidebugger😂🤣.

The plugin by boot still work on it.

😁

Edited November 9, 20231 yr by TRISTAN Pro
Same security nothing change.

 

On 11/8/2023 at 3:39 PM, TRISTAN Pro said:

Post that file here for testing.

@boot

Edited November 9, 20231 yr by karan
file reupload

On 11/8/2023 at 2:46 PM, karan said:

 

The attachments appear to have been deleted. x86 target(s) or x64 target(s)? If you can please re-upload and I will try these.

EDIT: Downloaded... Thanks karan

Edited November 9, 20231 yr by boot

@boot can you sent your scyallhide plugin code. 

dont forget to send pr to scyllahide

Hello everyone I was check some unpackme. Mostly are working on debugger but some are not working on debugger with this plugin also.i make all vmprotect version into a zip file for test your antidbg/vm (i spend 2 months to understand these all 😫).I also includes one impossible file check it out😁. 

 

Good for noob like me for vmp startup. 

https://mega.nz/file/Vq1ESbAQ#WGYZj4Ky8oP4-3yrLxDj8Gic7henaUaLdkZx3uKJVg8

PW:= tuts4you

 

Planing to add tutorial also launce soon😇. 

ALL VMP TEST.rar

--

Edited January 16, 20241 yr by X0rby
dont blame me then

Can anyone help, please. I did rebuild for me this repo https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass.git

But now luck. I've checked the syscalls is the same for my win10 2h22 19045.4170

No olly 1, no 2 and x32dbg doesn't handle vmp 3.6 T_T

On 5/22/2024 at 9:54 PM, tejinaji said:

Can anyone help, please. I did rebuild for me this repo https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass.git

But now luck. I've checked the syscalls is the same for my win10 2h22 19045.4170

No olly 1, no 2 and x32dbg doesn't handle vmp 3.6 T_T

You didn't give any idea of what target you have and there are some known issues as mentioned here so just the OS and 3 tools alone isn't enough 

The plugin has been updated, and for debugging 64-bit VMP APPs, no specific Windows version is required:

1. Only supports Win7 x64/64-bit systems and above. This version of the plugin only supports 64-bit debuggers for debugging 64-bit APPs
2. As there is no need to load some kernel drivers, the blue screen will not be triggered

ScyllaHide_2024_x64_v0.001.zip

ScyllaHide 64-bit x64:
3.8.1 ✔
3.8.4 ✔
3.8.5 ❓
3.8.7 ✔

VMP_3.8.1_x64_64-bit.vmp.exe

VMP_3.8.4_x64_64-bit.vmp.exe

VMP_3.8.7_x64_64-bit.vmp.exe

You need to disable the options of the SharpOD by @Xjun to use this plugin

 

 

10 minutes ago, boot said:

The plugin has been updated, and for debugging 64-bit VMP APPs, no specific Windows version is required:

1. Only supports Win7 x64/64-bit systems and above. This version of the plugin only supports 64-bit debuggers for debugging 64-bit APPs
2. As there is no need to load some kernel drivers, the blue screen will not be triggered

ScyllaHide_2024_x64_v0.001.zip 4.21 MB · 0 downloads

ScyllaHide 64-bit x64:
3.8.1 ✔
3.8.4 ✔
3.8.5 ❓
3.8.7 ✔

VMP_3.8.1_x64_64-bit.vmp.exe 1.37 MB · 0 downloads

VMP_3.8.4_x64_64-bit.vmp.exe 1.21 MB · 0 downloads

VMP_3.8.7_x64_64-bit.vmp.exe 1.07 MB · 0 downloads

@boot It works like magic. many thanks for your effort.

by the way, how did you modify the source code of the original ScyllaHide x64 plugin?

Regards.

sean.

Edited July 5, 20241 yr by The Binary Expert