virtualguard, Posted December 23, 2023

VirtualGuard v1.0

This file is protected by the first version of VirtualGuard. VirtualGuard is an obfuscator I develop that I am trying to receive some stress testing on.

I hope this VM makes people think at least a little bit; it's fairly close to 1:1, however I do believe I do some interesting things with comparisons and branching. Haven't seen it anywhere else. Let the record state this is not a "mod" of any other VM, so if you are interested in seeing some new stuff this is for you.

This sample contains some fairly simple branch offset mutations. At first glance it may be a slight "wtf moment" (at least I hope), but as soon as you figure out how the comparison system works it should be fairly easy to figure out. Anyways, enough of the kind-of hints. Would love any feedback on this.

The crack-me element is fairly basic, just entering a password. Would definitely be a first step to solving though, so would like to see how people work on figuring that out.

Good luck!

Submitter: virtualguard
Submitted: 12/23/2023
Category: UnPackMe (.NET)

New Year - New Mind, Posted December 23, 2023

It's difficult for me.

Regards.
sean.

virtualguard (Author), Posted December 25, 2023

I would watch out with using de4dot - make sure you preserve the resources (where the bytecode is stored atm), or you will not have much to work with.

Mr-Toms (Solution), Posted December 27, 2023 (edited December 27, 2023)

My devirtualized file. It's not that good about the result because I have some problem while restoring locals.

You need to see the branch pattern and how they calculate the position; it just needs some time to analyze it.

VirtualGuard.Tests-virt_NoVG.exe

New Year - New Mind, Posted December 27, 2023

@Mr-Toms How did you devirtualize it? Can you publish a tutorial for us? Thanks in advance.

Regards.
sean.

Mr-Toms, Posted December 27, 2023

1 hour ago, windowbase said:
  @Mr-Toms How did you devirtualize it? Can you publish a tutorial for us? Thanks in advance. Regards. sean.

It's a long journey. You can see my old message in this forum asking the same thing, but nobody gave an instant solution. The only thing you need to do is learn from the basics; I started by looking at open source devirtualizers.

New Year - New Mind, Posted December 27, 2023

Can you link the open source devirtualizer that you started?

Regards.
sean.

Mr-Toms, Posted December 27, 2023

https://github.com/CursedSheep/MemeVM-Devirt
https://github.com/TobitoFatitoRE/HexDevirt

New Year - New Mind, Posted December 27, 2023

1 minute ago, Mr-Toms said:
  https://github.com/CursedSheep/MemeVM-Devirt
  https://github.com/TobitoFatitoRE/HexDevirt

Thank you.

Regards.
sean.

virtualguard (Author), Posted December 29, 2023

Awesome job. Creating a new sample shortly. Should be a bit harder to devirtualize; I've added the functionality for multiple VMs to be injected, equally distributing the virtualized methods between them. Should add some difficulty, not in an RE sense, but in the way that it'll force you to write something that automatically identifies dynamic values, i.e., handler IDs and decryption keys. I guess depending on how many VMs there are you could just manually input the values, but oh well.

Nothing is unbreakable, however I'll try my best to make it a real pain in the butt :).

jackyjask, Posted December 29, 2023

Could you do nested VM(s)? A VM that is executing another VM that is....

virtualguard (Author), Posted December 29, 2023

I'll consider it, but nested VMs imo are just performance hell. If it was just VirtualGuard layered on VirtualGuard, the issue would be that it would be a massive performance cost, for really only the benefit of obfuscating the dynamic constant values. A person already has all the code of the publicly exposed VM that's layered, making it so one would just need to locate the constants within the virtualized VM.

I published a new sample which is in the process of being verified as I'm writing this. Should be a good bit more challenging than this one.

azufo, Posted December 29, 2023

On 12/27/2023 at 11:13 AM, windowbase said:
  Thank you. Regards. sean.

See this repo: https://github.com/mrT4ntr4/VirtualGuard-Devirt

Pass for this unpackme is: "olives8"

CodeExplorer, Posted January 5

Can someone release a compiled version of de4dot-vg ???
https://github.com/mrT4ntr4/de4dot-vg

Coco420, Posted January 5

56 minutes ago, CodeExplorer said:
  Can someone release a compiled version of de4dot-vg ??? https://github.com/mrT4ntr4/de4dot-vg

Here you go:

de4dot-vg-master.rar

collins, Posted January 6

3 hours ago, CodeExplorer said:
  Can someone release a compiled version of de4dot-vg ??? https://github.com/mrT4ntr4/de4dot-vg

Hi, here is VirtualGuard-Devirt. Check it.

https://gofile.io/d/mj4bAr

Coco420, Posted January 6

2 hours ago, Coco420 said:
  here you go de4dot-vg-master.rar

Not working on this file here... but from here https://mrt4ntr4.github.io/VirtualGuard-P1/ and https://mrt4ntr4.github.io/VirtualGuard-P2/

VirtualGuard-Devirt-master.rar

CodeExplorer, Posted January 6

None of the tools work for this target.
This interface is the base for all opcodes:

    public interface vg5b7bb988
    {
        // Token: 0x060000A7 RID: 167
        void imethod_0(vg68a2659d b081fb2, out vg49cb4bef a0b87a7);

        // Token: 0x060000A8 RID: 168
        byte imethod_1();
    }

Coco420, Posted January 6

3 hours ago, CodeExplorer said:
  None of the tools work for this target. This interface is the base for all opcodes:

      public interface vg5b7bb988
      {
          // Token: 0x060000A7 RID: 167
          void imethod_0(vg68a2659d b081fb2, out vg49cb4bef a0b87a7);

          // Token: 0x060000A8 RID: 168
          byte imethod_1();
      }

https://github.com/mitoiscool/VirtualGuard

Here is the source for the protector.

CodeExplorer, Posted January 6 (edited January 6)

2 hours ago, Coco420 said:
  https://github.com/mitoiscool/VirtualGuard here is the source for the protector

Not exactly the same version.
I've tried to protect MegaDumper with it: the resulting assembly doesn't work.
It is also interesting that in debug builds there is no runtime type renaming, as opposed to release builds.

Coco420, Posted January 6

1 hour ago, CodeExplorer said:
  Not exactly the same version. I've tried to protect MegaDumper with it: the resulting assembly doesn't work. It is also interesting that in debug builds there is no runtime type renaming, as opposed to release builds.

oka, is also a weird protector: https://virtualguard.io/#_
No contact, only a Discord link that doesn't work, and you cannot log in to try for free.