Jump to content
Tuts 4 You

VMProtect Heaven's Gate Anti-Debug Bypass to VectorHandler


Recommended Posts

Posted
10 hours ago, Noob boy said:

Would you like to fix the plugin for demo olydbg1

It will take some time to test your sample in Win7 x64, Win10 x64 and Win11 x64, because some OSs still lack data... Later, I will upload Olly v1.10/x32dbg plugins again.

Thanks to @Karan for updating the code. :)

  • Like 1
Posted
1 hour ago, boot said:

It will take some time to test your sample in Win7 x64, Win10 x64 and Win11 x64, because some OSs still lack data... Later, I will upload Olly v1.10/x32dbg plugins again.

Thanks to @Karan for updating the code. :)

@boot great ,i"ve waiting for🙂

Posted
10 hours ago, boot said:

upload Olly v1.10/x32dbg plugins again.

Thanks to @karan for updating the code. :)

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip

[x32Dbg ScyllaHide] Win7 x64 SP1.zip

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip

[x32Dbg ScyllaHide] Win10_x64.zip

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip

[x32Dbg ScyllaHide] Win11_x64.zip

  • Like 11
Posted
On 9/14/2023 at 1:49 AM, deepzero said:

What does VMP do if it encounters an OS for which it does not have syscall numbers?

 

As a result of the analysis, I couldn't find how to check the version.
However, if the "wine_get_version" api exists in the ntdll module, they calling a normal Nt series function.
I don't know if I can do this in Plugin. :(

Posted
16 minutes ago, karan said:

However, if the "wine_get_version" api exists in the ntdll module, they calling a normal Nt series function.

https://gist.github.com/ork/32da69687c94530931ed

maybe this is how vmp is checking if  assembly running under Wine system? (WIndows emulator under Linux)

 

Posted

Why are you trying to guess? Take the leaked VMProtect sources and check the file runtime\core.cc (lines 483-757), it's all there.

  • Like 2
  • Haha 3
Posted
13 hours ago, boot said:

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 2.72 MB · 4 downloads

[x32Dbg ScyllaHide] Win7 x64 SP1.zip 2.51 MB · 4 downloads

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip 2.05 MB · 4 downloads

[x32Dbg ScyllaHide] Win10_x64.zip 2.51 MB · 6 downloads

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip 4.57 MB · 5 downloads

[x32Dbg ScyllaHide] Win11_x64.zip 5.5 MB · 1 download

@boot have a look at this sample:

sample can be found here: https://mega.nz/file/TmJQwCZT#NfHuDu5z-OtXvFeWzBx6nIdRFX_T2CIkFw41p6VlNxQ

Posted

I believe there are 2 antidebug checks. The regular one that works with old plugins and techniques, and the new one which checks the old methods including it's new method. 

I'm not sure, I am a windows 7 32x user, so I don't have much problems seeing that vmprotect is at it's weakest on older windows 😅

  • Like 1
  • 3 weeks later...
Posted

 

@boot sir thanks for your plugin is greate but it got failed when I try target on it. I sent target in pm check it out. 

Posted (edited)

Target

Done without scyllahide. it's commercial app.

Capture d’écran 2023-10-14 132657.png

Edited by TRISTAN Pro
Commercial app
  • 3 weeks later...
Posted
On 9/17/2023 at 9:11 PM, boot said:

Support for Win7 x64:
 - Confirmed support for Win7 x64 SP1
 - Maybe it also supports Win7 x64 SP0

[Olly v1.10 ScyllaHide] Win7 x64 SP1.zip 2.72 MB · 13 downloads

[x32Dbg ScyllaHide] Win7 x64 SP1.zip 2.51 MB · 17 downloads

Support for Win10 x64:
 - Confirmed support for Win10_x64-22H2-19045.3448
 - Maybe it also supports the latest Win10 x64 OSs

[Olly v1.10 ScyllaHide] Win10_x64.zip 2.05 MB · 12 downloads

[x32Dbg ScyllaHide] Win10_x64.zip 2.51 MB · 22 downloads

Support for Win11 x64:
 - Confirmed support for Win11_x64-22H2-22621.2215
 - Maybe it also supports the latest Win11 x64 OSs

[Olly v1.10 ScyllaHide] Win11_x64.zip 4.57 MB · 23 downloads

[x32Dbg ScyllaHide] Win11_x64.zip 5.5 MB · 16 downloads

Hello, can you build a version of Win10 19045.3636.

I have upgraded my system. Thank you again

Posted

The latest version of vmprotect can no longer bypass Anti-Debug through this method.

RIP.

  • Like 1
  • Sad 1
Posted (edited)
On 11/8/2023 at 3:48 AM, karan said:

The latest version of vmprotect can no longer bypass Anti-Debug through this method.

RIP.

Post that file here for testing.

After studying it's the same as before 

I can bypass it as always may be need to learn coding and make plugin for bypass all vmp antidebugger😂🤣.

The plugin by boot still work on it.

😁

Edited by TRISTAN Pro
Same security nothing change.
Posted (edited)

 

On 11/8/2023 at 3:39 PM, TRISTAN Pro said:

Post that file here for testing.

@boot

Edited by karan
file reupload
  • Like 1
Posted (edited)
On 11/8/2023 at 2:46 PM, karan said:

 

The attachments appear to have been deleted. x86 target(s) or x64 target(s)? If you can please re-upload and I will try these.

EDIT: Downloaded... Thanks karan :)

Edited by boot
  • 3 weeks later...
Posted

@boot can you sent your scyallhide plugin code. 

  • Haha 1
Posted

dont forget to send pr to scyllahide :)

Posted

Hello everyone I was check some unpackme. Mostly are working on debugger but some are not working on debugger with this plugin also.i make all vmprotect version into a zip file for test your antidbg/vm (i spend 2 months to understand these all 😫).I also includes one impossible file check it out😁

 

Good for noob like me for vmp startup. 

https://mega.nz/file/Vq1ESbAQ#WGYZj4Ky8oP4-3yrLxDj8Gic7henaUaLdkZx3uKJVg8

PW:= tuts4you

 

Planing to add tutorial also launce soon😇

ALL VMP TEST.rar

  • Like 2
  • 1 month later...
Posted (edited)

--

Edited by X0rby
dont blame me then
  • Haha 1
  • 4 months later...
tejinaji
Posted

Can anyone help, please. I did rebuild for me this repo https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass.git

But now luck. I've checked the syscalls is the same for my win10 2h22 19045.4170

No olly 1, no 2 and x32dbg doesn't handle vmp 3.6 T_T

Progman
Posted
On 5/22/2024 at 9:54 PM, tejinaji said:

Can anyone help, please. I did rebuild for me this repo https://github.com/miketestz/ScyllaHide_VMPHeavensgateBypass.git

But now luck. I've checked the syscalls is the same for my win10 2h22 19045.4170

No olly 1, no 2 and x32dbg doesn't handle vmp 3.6 T_T

You didn't give any idea of what target you have and there are some known issues as mentioned here so just the OS and 3 tools alone isn't enough 

  • Like 1
  • 1 month later...
Posted

The plugin has been updated, and for debugging 64-bit VMP APPs, no specific Windows version is required:

1. Only supports Win7 x64/64-bit systems and above. This version of the plugin only supports 64-bit debuggers for debugging 64-bit APPs
2. As there is no need to load some kernel drivers, the blue screen will not be triggered

ScyllaHide_2024_x64_v0.001.zip

ScyllaHide 64-bit x64:
3.8.1 ✔
3.8.4 ✔
3.8.5 
3.8.7 ✔

VMP_3.8.1_x64_64-bit.vmp.exe

VMP_3.8.4_x64_64-bit.vmp.exe

VMP_3.8.7_x64_64-bit.vmp.exe

  • Like 3
  • Thanks 2
Sean the hard worker
Posted (edited)

You need to disable the options of the SharpOD by @Xjun to use this plugin

 

screenshot-146.png

 

10 minutes ago, boot said:

The plugin has been updated, and for debugging 64-bit VMP APPs, no specific Windows version is required:

1. Only supports Win7 x64/64-bit systems and above. This version of the plugin only supports 64-bit debuggers for debugging 64-bit APPs
2. As there is no need to load some kernel drivers, the blue screen will not be triggered

ScyllaHide_2024_x64_v0.001.zip 4.21 MB · 0 downloads

ScyllaHide 64-bit x64:
3.8.1 ✔
3.8.4 ✔
3.8.5 
3.8.7 ✔

VMP_3.8.1_x64_64-bit.vmp.exe 1.37 MB · 0 downloads

VMP_3.8.4_x64_64-bit.vmp.exe 1.21 MB · 0 downloads

VMP_3.8.7_x64_64-bit.vmp.exe 1.07 MB · 0 downloads

@boot It works like magic. many thanks for your effort.

by the way, how did you modify the source code of the original ScyllaHide x64 plugin?

Regards.

sean.

Edited by The Binary Expert
  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...