fjqisba Posted April 18: Hi, everybody! I am developing an IDA plugin which can be used to analyze vmp3.5 x86. If you are interested in vmp, then you can view the source code of the project to learn it. Suggestions and PRs are welcome. https://github.com/fjqisba/VmpHelper
Sean Park - Lovejoy Posted April 18 (edited): 10 hours ago, fjqisba said: Hi, everybody! I am developing an IDA plugin which can be used to analyze vmp3.5 x86. If you are interested in vmp, then you can view the source code of the project to learn it. Suggestions and PRs are welcome. https://github.com/fjqisba/VmpHelper — An error!!! And for another example. Why does it just show one graph and no branches? But your github page shows like this. Regards. sean. Edited April 18 by Sean Park - Lovejoy
fjqisba (Author) Posted April 19: 2 hours ago, Sean Park - Lovejoy said: An error!!! And for another example. Why does it just show one graph and no branches? But your github page shows like this. Regards. sean. — Well, this is because it has not been fully developed yet. You can try sending samples to me so I can fix it.
jackyjask Posted April 19: What are the preconditions to start de-virting 3.5.0 x86? I'm hitting only this: sample https://workupload.com/file/bDGty7XBnfW sometimes it is crashing, e.g.: BTW, what IDA versions do you support?
Sean Park - Lovejoy Posted April 19: 5 hours ago, fjqisba said: Well, this is because it has not been fully developed yet. You can try sending samples to me so I can fix it. — Win32GUI.vmp.zip Regards. sean.
fjqisba (Author) Posted April 19: 24 minutes ago, Sean Park - Lovejoy said: Win32GUI.vmp.zip Regards. sean. — For the current plugin, it seems too early to analyze the vmp OEP, because vmp does a lot of operations at the beginning. Maybe you should try writing a small function, use vmp encryption, and then use the plugin to analyze the beginning of the vmp function.
Sean Park - Lovejoy Posted April 19: 42 minutes ago, fjqisba said: For the current plugin, it seems too early to analyze the vmp OEP, because vmp does a lot of operations at the beginning. Maybe you should try writing a small function, use vmp encryption, and then use the plugin to analyze the beginning of the vmp function. — I virtualized the part below and tested it.

004010C2 6A 01         push 01
004010C4 53            push ebx
004010C5 FF15 1C614000 call dword ptr [0040611C] → USER32.dll!EndDialog
004010CB EB 09         jmp 004010D6 ↓

It is changed to these codes.

00A810C2           | E9 27BA1800 | JMP win32gui.vmp.C0CAEE |
00A810C7 <win32gui | 57          | PUSH EDI                | edi:EntryPoint
00A810C8           | C3          | RET                     |
00A810C9 <win32gui | 56          | PUSH ESI                | esi:EntryPoint
00A810CA           | C3          | RET                     |
00A810CB <win32gui | EB 09       | JMP win32gui.vmp.A810D6 |

And I used your plugin by clicking the menu "VMP -> Show Graph" at the address 00A810C2. Then it hung. The IDA version is 8.3.23.0608. Regards. sean.
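The post above shows the typical shape of a VMProtect-ed block: the original instructions replaced by a JMP into the VM section, followed by two-byte PUSH reg / RET stubs. The script below is an added example, not code from the thread or from the VmpHelper project. It parses the x64dbg-style listing exactly as quoted above (the listing is embedded as a constructed sample so it runs offline), decodes the E9/EB jump displacements itself, and cross-checks the decoded target against the address the debugger symbol claims, which is a cheap sanity check before trusting any tool's graph of such a block. The function names and the `0x00A81000..0x00A82000` "original code" window are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the post-VMP listing quoted in the post above, as a string.
VIRTUALIZED_LISTING = """\
00A810C2 | E9 27BA1800 | JMP win32gui.vmp.C0CAEE |
00A810C7 <win32gui | 57 | PUSH EDI | edi:EntryPoint
00A810C8 | C3 | RET |
00A810C9 <win32gui | 56 | PUSH ESI | esi:EntryPoint
00A810CA | C3 | RET |
00A810CB <win32gui | EB 09 | JMP win32gui.vmp.A810D6 |
"""

@dataclass
class Insn:
    addr: int
    opcode: bytes
    mnemonic: str
    operand: str

    @property
    def size(self) -> int:
        return len(self.opcode)

def parse_x64dbg_listing(text: str) -> List[Insn]:
    """Parse 'addr [<label>] | bytes | mnemonic operand | comment' lines (hypothetical helper)."""
    insns: List[Insn] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3:
            raise ValueError(f"unexpected listing line: {line!r}")
        addr = int(fields[0].split()[0], 16)          # drop the '<win32gui' module label
        opcode = bytes.fromhex(fields[1].replace(" ", ""))
        parts = fields[2].split(None, 1)
        insns.append(Insn(addr, opcode, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return insns

def decode_jmp_target(insn: Insn) -> Optional[int]:
    """Destination of E9 rel32 / EB rel8 relative jumps, with 32-bit wraparound."""
    op = insn.opcode
    if op[0] == 0xE9 and len(op) == 5:
        rel = int.from_bytes(op[1:5], "little", signed=True)
    elif op[0] == 0xEB and len(op) == 2:
        rel = int.from_bytes(op[1:2], "little", signed=True)
    else:
        return None
    return (insn.addr + insn.size + rel) & 0xFFFFFFFF

_SYM_ADDR = re.compile(r"\.([0-9A-Fa-f]+)$")

def symbolic_target(insn: Insn) -> Optional[int]:
    """Address the debugger printed in a symbol such as 'win32gui.vmp.C0CAEE'."""
    m = _SYM_ADDR.search(insn.operand)
    return int(m.group(1), 16) if m else None

def find_push_ret_stubs(insns: List[Insn]) -> List[int]:
    """Addresses of PUSH reg immediately followed by RET: the leftover two-byte stubs."""
    by_addr: Dict[int, Insn] = {i.addr: i for i in insns}
    stubs = []
    for i in insns:
        nxt = by_addr.get(i.addr + i.size)
        if i.mnemonic == "PUSH" and nxt is not None and nxt.mnemonic == "RET":
            stubs.append(i.addr)
    return stubs

def find_exits(insns: List[Insn], lo: int, hi: int) -> List[Tuple[int, int]]:
    """Jumps whose decoded target leaves [lo, hi): the hand-off into the VM section."""
    exits = []
    for i in insns:
        tgt = decode_jmp_target(i)
        if tgt is not None and not (lo <= tgt < hi):
            exits.append((i.addr, tgt))
    return exits

def find_symbol_mismatches(insns: List[Insn]) -> List[int]:
    """Jumps where the decoded displacement disagrees with the printed symbol address."""
    bad = []
    for i in insns:
        dec, sym = decode_jmp_target(i), symbolic_target(i)
        if dec is not None and sym is not None and dec != sym:
            bad.append(i.addr)
    return bad

if __name__ == "__main__":
    insns = parse_x64dbg_listing(VIRTUALIZED_LISTING)
    print("push/ret stubs:", [hex(a) for a in find_push_ret_stubs(insns)])
    print("exits from block:", [(hex(a), hex(t)) for a, t in find_exits(insns, 0x00A81000, 0x00A82000)])
    print("symbol mismatches:", find_symbol_mismatches(insns))
```

Run as-is it reports the two stubs at 00A810C7 and 00A810C9 and a single exit from 00A810C2 to 00C0CAEE, which matches the symbol x64dbg printed; the short JMP at 00A810CB resolves to 00A810D6 and stays inside the window, so it is not an exit. If the decoded and symbolic targets ever disagree, the listing was copied or relocated inconsistently and should not be fed to a graphing tool.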
fjqisba (Author) Posted April 19: 17 minutes ago, Sean Park - Lovejoy said: I virtualized the part below and tested it.

004010C2 6A 01         push 01
004010C4 53            push ebx
004010C5 FF15 1C614000 call dword ptr [0040611C] → USER32.dll!EndDialog
004010CB EB 09         jmp 004010D6 ↓

It is changed to these codes.

00A810C2           | E9 27BA1800 | JMP win32gui.vmp.C0CAEE |
00A810C7 <win32gui | 57          | PUSH EDI                | edi:EntryPoint
00A810C8           | C3          | RET                     |
00A810C9 <win32gui | 56          | PUSH ESI                | esi:EntryPoint
00A810CA           | C3          | RET                     |
00A810CB <win32gui | EB 09       | JMP win32gui.vmp.A810D6 |

And I used your plugin by clicking the menu "VMP -> Show Graph" at the address 00A810C2. Then it hung. The IDA version is 8.3.23.0608. Regards. sean.

— Well, the project is still a demo. I updated the plugin and provided a program for my own testing, you can try that. https://github.com/fjqisba/VmpHelper/releases
Sean Park - Lovejoy Posted April 19: 44 minutes ago, fjqisba said: Well, the project is still a demo. I updated the plugin and provided a program for my own testing, you can try that. https://github.com/fjqisba/VmpHelper/releases — Now it works well, but it takes some time to complete the job. Regards. sean.
jackyjask Posted April 20: @fjqisba is GhidraVmp.dll obsolete, and does one now have to use Revampire.dll instead?
Sean Park - Lovejoy Posted April 20: 1 hour ago, jackyjask said: @fjqisba is GhidraVmp.dll obsolete, and does one now have to use Revampire.dll instead? — @jackyjask maybe, we do not need it any more. @fjqisba how does this IDA plugin help to analyze the VMProtect virtual machine? I do not know how to use this. I would really appreciate it if you could explain it. Many thanks in advance. Regards. sean.
fjqisba (Author) Posted April 25: On 4/20/2024 at 8:58 PM, Sean Park - Lovejoy said: @jackyjask maybe, we do not need it any more. @fjqisba how does this IDA plugin help to analyze the VMProtect virtual machine? I do not know how to use this. I would really appreciate it if you could explain it. Many thanks in advance. Regards. sean. — Maybe it helps you locate key branches. The plugin is not finished yet, I think you can understand the principles and attack methods of vmp by looking at the source code.