CiN1 TeAm - Cracking Is Number 1  

Old 16-08-2012, 01:28 PM   #1
deepsky
209 CRECKME 0.vmp

By zenghw
Link:
Code:
http://www.unpack.cn/thread-75189-1-1.html
Has any bro read through this and could rewrite it so the rest of us can learn from it? I probably can't absorb it myself, so I'm leaving it here. :D :-C
Quote:
Personal notes; please read this with a skeptical eye, and if there are errors or omissions, experts please point them out!

1. Basic flow of the VMP shell.
1. Save the context and initialize the VM's own stack.
2. Fetch and decrypt the opcode; use the opcode to obtain the address of the handler to execute from the dispatch table, decrypt that address and jump to it (called the dispatch process).
3. Repeat step 2 as needed.
4. Exit the VM and restore the context.

2. Code analysis of each stage.

1. Save the context and initialize the VM's own stack.
00518FAA > 60 pushad // push the 8 registers EAX, ECX, EDX, ... onto the stack
00518FAB 8D6424 20 lea esp, dword ptr [esp+20] // 8 registers = 8*4 = 0x20 bytes; this moves ESP back to the previous stack address, so these two instructions can be treated as VM junk code
00518FAF 0F86 A8A90000 jbe 0052395D

0052395D 68 3E71F61E push 1EF6713E
00523962 C70424 324BFB8B mov dword ptr [esp], 8BFB4B32 // constant 1 pushed
00523969 9C pushfd
0052396A C70424 AA46E7C9 mov dword ptr [esp], C9E746AA // constant 2 pushed
00523971 9C pushfd
00523972 60 pushad
00523973 8D6424 24 lea esp, dword ptr [esp+24] // the three instructions above are again junk code
00523977 E9 E5230900 jmp 005B5D61

005B4B07 9C pushfd
005B4B08 50 push eax
005B4B09 894424 04 mov dword ptr [esp+4], eax // EAX saved on the stack
005B4B0D E8 BF020000 call 005B4DD1

005B4DD1 68 BA8D6824 push 24688DBA
005B4DD6 60 pushad
005B4DD7 9C pushfd
005B4DD8 897C24 2C mov dword ptr [esp+2C], edi // EDI saved on the stack
005B4DDC ^ E9 87E6FFFF jmp 005B3468

005B3468 55 push ebp
005B3469 68 AB5C4B3C push 3C4B5CAB
005B346E 53 push ebx
005B346F F3: prefix rep:
005B3470 9C pushfd
005B3471 8F4424 34 pop dword ptr [esp+34] // EFLAGS saved on the stack
005B3475 C60424 77 mov byte ptr [esp], 77
005B3479 896C24 30 mov dword ptr [esp+30], ebp
005B347D FF7424 08 push dword ptr [esp+8]
005B3481 FF3424 push dword ptr [esp]
005B3484 897424 34 mov dword ptr [esp+34], esi // ESI saved on the stack
005B3488 9C pushfd
005B3489 0FBDF0 bsr esi, eax
005B348C 895424 34 mov dword ptr [esp+34], edx // EDX saved on the stack
005B3490 84FE test dh, bh
005B3492 895C24 30 mov dword ptr [esp+30], ebx // EBX saved on the stack
005B3496 66:D3E6 shl si, cl
005B3499 66:81F9 5BD9 cmp cx, 0D95B
005B349E 894C24 2C mov dword ptr [esp+2C], ecx // ECX saved on the stack
At this point all the general-purpose registers and the flags register have been pushed, but it is not finished yet.
005B4A3B 66:C1D6 04 rcl si, 4
005B4A3F 11DE adc esi, ebx
005B4A41 F8 clc
005B4A42 60 pushad
005B4A43 894C24 1C mov dword ptr [esp+1C], ecx // save the ECX value again
005B4A47 46 inc esi
005B4A48 FF35 844D5B00 push dword ptr [5B4D84] // save the value of memory [5B4D84], which is 0 at this point
005B4A4E 8F4424 18 pop dword ptr [esp+18]
005B4A52 0FBAE4 16 bt esp, 16
005B4A56 C74424 14 00000>mov dword ptr [esp+14], 0 // finally store 0 at the top of the stack
With the whole context saved, let's look at the stack before the shell runs:
[image of the stack before the shell runs, not recoverable]

Now look at the stack after the context has been saved (note that even for the same version, the push/pop order after protection is random):
0012FF90 00000000 // the 0 pushed last, relocation value
0012FF94 00000000 // value of memory [5B4D84], used for anti-dump
0012FF98 0012FFB0 // the ECX value pushed a second time
// ---------- why another ECX value is pushed at 0012FF98 is still unclear; possibly 4-byte alignment? ----------
0012FF9C 0012FFB0 // ECX
0012FFA0 7FFDF000 // EBX
0012FFA4 7C92E514 // EDX
0012FFA8 0012B8A4 // ESI
0012FFAC 0012FFF0 // EBP
0012FFB0 00000246 // EFLAGS, the flags register
0012FFB4 0012B874 // EDI
0012FFB8 00000000 // EAX
0012FFBC C9E746AA // constant 2
0012FFC0 8BFB4B32 // constant 1
After the whole context has been saved, the next step is the code that initializes the stack the VM uses for itself.
005B4A5E 66:19FE sbb si, di
// the following sequence initializes ESI so that it points to the opcode location
005B4A61 8B7424 44 mov esi, dword ptr [esp+44]
005B4A65 66:0FA3D9 bt cx, bx
005B4A69 C64424 04 2C mov byte ptr [esp+4], 2C
005B4A6E 68 8298B219 push 19B29882
005B4A73 81F6 324ED39A xor esi, 9AD34E32
005B4A79 0FBAE5 09 bt ebp, 9
005B4A7D 84F6 test dh, dh
005B4A7F 81C6 001F0241 add esi, 41021F00
005B4A85 F8 clc
005B4A86 F9 stc
005B4A87 C1C6 18 rol esi, 18
005B4A8A 9C pushfd
005B4A8B FF3424 push dword ptr [esp]
005B4A8E 9C pushfd
005B4A8F 8D6424 24 lea esp, dword ptr [esp+24] // the VM stack base is first assigned to ESP
005B4A93 E9 BF140000 jmp 005B5F57
...

005B5F57 66:87DD xchg bp, bx
005B5F5A F8 clc
005B5F5B F5 cmc
005B5F5C 0F91C7 setno bh
005B5F5F 89E5 mov ebp, esp // finally EBP points to the base of the VM stack; it grows upward
005B5F61 0FBEC9 movsx ecx, cl
005B5F64 66:0FCF bswap di
005B5F67 81D7 D4BABF71 adc edi, 71BFBAD4
005B5F6D 81EC C0000000 sub esp, 0C0 // total stack size is 0xC0 bytes (0x30 dwords)
005B5F73 0FBBF1 btc ecx, esi
005B5F76 9C pushfd
005B5F77 66:D1DF rcr di, 1
005B5F7A 8D7C24 04 lea edi, dword ptr [esp+4] // EDI points to the top of the VM stack; it grows downward
At this point the VM's own stack is initialized. EBP points to the base of the VM's own stack (i.e. the address 0012FF90 after the context save), EDI points to the top of the VM's own stack (0012FF90 + 0xC0), and ESI points to the opcode.

Registers and stack at this point:
[image of the registers and stack, not recoverable]

The base of the VMP's own stack that EBP points to is the top of the stack after the context save. The VMP's own stack is 0xC0 bytes long.


2. Fetch and decrypt the opcode; use the opcode to obtain the address of the handler to execute from the dispatch table, decrypt that address and jump to it (the dispatch process).
005B5F97 8A06 mov al, byte ptr [esi] // fetch the encrypted opcode; note that it is only one byte
005B5F99 66:0FC9 bswap cx
005B5F9C F5 cmc
005B5F9D C1E9 1D shr ecx, 1D
005B5FA0 66:0FBDCE bsr cx, si
005B5FA4 30D8 xor al, bl ; decrypt the opcode; VM: 005B359D
005B5FA6 ^ 0F89 68E6FFFF jns 005B4614

// ---------- the following sequence decrypts the opcode: a single byte, held in AL
005B4614 66:0FA5D1 shld cx, dx, cl
005B4618 F7C7 19B8759F test edi, 9F75B819
005B461E 0F9FC1 setg cl
005B4621 9C pushfd
005B4622 F6D8 neg al
005B4624 80D1 1B adc cl, 1B
005B4627 C0C5 04 rol ch, 4
005B462A 66:0FBEC9 movsx cx, cl
005B462E 8D0C55 5F22E840 lea ecx, dword ptr [edx*2+40E8225F]
005B4635 2C 4A sub al, 4A
005B4637 66:0FB3C9 btr cx, cx
005B463B F6D8 neg al
005B463D F6D5 not ch
005B463F 66:C1F9 06 sar cx, 6
005B4643 0FC9 bswap ecx
005B4645 30C3 xor bl, al
005B4647 0FB6CA movzx ecx, dl
005B464A C60424 A2 mov byte ptr [esp], 0A2
005B464E 60 pushad
005B464F 66:0FBEC8 movsx cx, al
005B4653 0FB6C0 movzx eax, al
005B4656 0F95C1 setne cl
005B4659 E9 38150000 jmp 005B5B96

005B5B96 66:0FBECB movsx cx, bl
005B5B9A FEC9 dec cl
005B5B9C 8B0C85 9D355B00 mov ecx, dword ptr [eax*4+5B359D] // key point: the dispatch table base address is 5B359D; EAX holds the opcode value; the opcode yields the encrypted handler address
005B5BA3 60 pushad
005B5BA4 46 inc esi
005B5BA5 F6C2 41 test dl, 41
005B5BA8 F9 stc
005B5BA9 66:39D7 cmp di, dx
005B5BAC 81E9 86BCD697 sub ecx, 97D6BC86 // decrypt the handler address
005B5BB2 F8 clc
005B5BB3 66:85E6 test si, sp
005B5BB6 F8 clc
005B5BB7 F8 clc
005B5BB8 81C1 00000000 add ecx, 0
005B5BBE FF7424 0C push dword ptr [esp+C]
005B5BC2 9C pushfd
005B5BC3 894C24 48 mov dword ptr [esp+48], ecx
005B5BC7 68 70B0095D push 5D09B070
005B5BCC FF3424 push dword ptr [esp]
005B5BCF 896424 0C mov dword ptr [esp+C], esp
005B5BD3 FF7424 50 push dword ptr [esp+50]
005B5BD7 C2 5400 retn 54 // execute the handler; this is what I call the handler entry
Key point: the base address of the dispatch table is 5B359D. EAX holds the opcode value, and from the comments above EAX is really just AL, a single byte, so the range is 0 to 255; from this all the encrypted handler addresses can be resolved.
On recognizing VMP junk code: keep a close eye on the registers and on the junk instructions, and most of the junk code can be removed.


3. Repeat step 2 as needed. The code for this is similar to step 2 and is not repeated here.

4. Exit the VM and restore the context.
Ignoring the junk code, you can see that the pop sequence is the reverse of the push sequence.
0044B795 /mov esp, ebp ; restore the ESP value
0044B79C |add esp, 4
0044B7A1 |add esp, 4
0044B7A7 |add esp, 4
0044B7AC |pop ecx
0044B7B0 |pop ebx
0044B7B6 |pop edx
0044B7BD |pop esi
0044B7C0 |pop ebp
0044B7C3 |popfd
0044A3AC |pop edi
0044A3B1 |pop eax
0044A3B2 |add esp, -4
0044A3B3 |add esp, -4
0044A3B8 |push dword ptr [esp+8]
0044A3BC retn 0C
Summary:
EBP: points to the base of the VM's own stack, addressed upward. EBP can be regarded as the ESP of the VM.
EDI: points to the top of the VM's own stack, addressed downward.
From the code
and al, 3C
mov edx, dword ptr [eax+edi]
we know that EDI's addressing range is 0 to 0x3C, i.e. 0x10 dwords. The addresses EDI points to can be regarded as the VM's registers, 16 in total.

ESI: points to the encrypted opcode; can be regarded as the VM's EIP.
EAX: used in the VM to decrypt the opcode, mainly AL.
EBX: holds the key used in the VM to decrypt the opcode.
ECX: the usual loop counter (in version 2.09 it sometimes holds the decrypted handler address).
ESP: the usual stack top pointer.
EDX: mainly holds the encrypted handler obtained by reading the dispatch table, and the handler data after decryption.

To repeat: keeping a close eye on the registers and the data flow rules out most of the junk code.


3. Identifying handlers.
Once the VMP flow is understood, the next step is to analyze what each handler does. A handler is the smallest functional instruction unit of VMP; every VMP program is made up of handlers, much like single x86 instructions (except that one x86 instruction, once virtualized, becomes N handlers).

005B5B9C 8B0C85 9D355B00 mov ecx, dword ptr [eax*4+5B359D]
From this code we can see that the encrypted handler entries run from 5B359D to 0xFF*4 + 5B359D, 0xFF handlers in all.
You can write your own decryption loop to decrypt these entries and then analyze them one by one. Thanks to the experts who have produced many classic plugins that spare us the manual labour, such as the VMP analysis plugin, vmpsweeper, zeus and fkvmp, all of which can analyze handlers.

Look at the vExitVm handler (junk code removed); the analysis is quite accurate:
mov esp, ebp
add esp, 4
add esp, 4
add esp, 4
pop ecx
pop ebx
pop edx
pop esi
pop ebp
popfd
pop edi
pop eax
add esp, -4
add esp, -4
push dword ptr [esp+8]
retn 0C
Let's start with a simple handler to see the VMP stack mechanism, vAdd (Dword):
mov eax, dword ptr [ebp]
add dword ptr [ebp+4], eax
pushfd
pop dword ptr [ebp]
Argument 1 comes from [ebp] and argument 2 from [ebp+4]; the two are added and the result is stored at [ebp+4], then the value of the flags register is stored at [ebp].


Now the basis of VMP arithmetic, vNand (Dword):
mov eax, dword ptr [ebp]
mov edx, dword ptr [ebp+4]
not eax
not edx
and eax, edx
mov dword ptr [ebp+4], eax
pushfd
pop dword ptr [ebp]
Nand takes two arguments; if we treat Nand as a function, Nand(A,B), the x86 code would be:
PUSH B
PUSH A
CALL Nand
Compared with the x86 code, vNand is like the function inside CALL Nand: vNand's argument A is at [ebp] and B at [ebp+4], so to know what these two arguments are you have to look at the preceding PUSH operations. Also, vNand writes the result eax back to [ebp+4] and the resulting flags back to [ebp]; this is the nature of a stack machine, i.e. as said earlier, both storage and computation take place in the free stack that VMP builds for itself.


Now the vJmp handler, which is often used when cracking:
mov esi, dword ptr [ebp] // [ebp] points to the opcode of the jmp target
add ebp, 4
mov ebx, esi
add esi, dword ptr [ebp]
mov al, byte ptr [esi] // decrypt that opcode
xor al, bl
neg al
sub al, 4A
neg al
xor bl, al
movzx eax, al
mov ecx, dword ptr [eax*4+44D090] // obtain the encrypted jmp address from the opcode
inc esi
sub ecx, 97D6BC86 // decrypt the encrypted address
add ecx, 0
push ecx // push plus retn, equivalent to jmp ecx
retn 0
About VMP's vJmp: VMP has no jz, jnz and the like, only vJmp. In VMP, the jz/jnz decision flow is:
1. First get the value of the flags register.
2. Operate on that value to obtain the required bit, e.g. ZF.
3. Use the value of that bit to obtain the opcode.
4. Decrypt the opcode.
5. Use the opcode to obtain the encrypted handler from the dispatch table.
6. Decrypt the handler and jmp to it.
In other words, depending on whether ZF is 0 or 1 the opcode value differs, which leads to a different jmp address afterwards. Let's look at the difference in pseudocode between a direct jmp and jnz/jz (the pseudocode below is the output of the VMP analysis plugin):
Direct jmp:
vNand4
vPopReg4 vR14
vPushVEsp
vReadMemSs4
vPopReg4 vR0
vPushVEsp
vReadMemSs4
vNand4
vPopReg4 vR10
vPushImm4 89F309F5
vNand4
vPopReg4 vR10
vPushReg4 vR0
vPushImm4 760CF60A
vNand4
vPopReg4 vR14
vNand4
vPopReg4 vR10
vPopReg4 vR14
vPushReg4 vR3
vPushReg4 vR8
vPushReg4 vR15
vPushReg4 vR13
vPushReg4 vR11
vPushReg4 vR4
vPushReg4 vR6
vPushReg4 vR5
vPushReg4 vR11
vPushReg4 vR8
vPushReg4 vR3
vPushReg4 vR9
vPushImm4 704E8E8C
vAdd4
vPopReg4 vR2
vPushReg4 vR12
vPushReg4 vR14
vJmp_0044D090
Jz or jnz:
vNand4
vPopReg4 vR14
vShr4
vPopReg4 vR14
vAdd4
vPopReg4 vR5
vReadMemSs4 // before the read you can see the two addresses for jz and jnz; this reads in the opcode to execute
vPopReg4 vR5
vPopReg4 vR3
vPopReg4 vR3
vPushReg4 vR5
vPushVEsp
vReadMemSs4
vPopReg4 vR11
vPushReg4 vR11
vNand4
vPopReg4 vR14
vPushImm4 80100C8F
vNand4
vPopReg4 vR5
vPushImm4 7FEFF370
vPushReg4 vR11
vNand4
vPopReg4 vR14
vNand4
vPopReg4 vR3
vPopReg4 vR14
vPushReg4 vR4
vPushReg4 vR13
vPushReg4 vR6
vPushReg4 vR1
vPushReg4 vR0
vPushReg4 vR13
vPushReg4 vR7
vPushReg4 vR9
vPushReg4 vR12
vPushReg4 vR10
vPushReg4 vR1
vPushReg4 vR15
vPushImm4 704E8E8C
vAdd4
vPopReg4 vR3
vPushReg4 vR8
vPushReg4 vR14
vJmp_0044D090 // vJmp

My own summary: looking backward from the vJmp, when you reach a vReadMemSs4, if that vReadMemSs4 stands alone, i.e. there is no vPushVEsp before it, then it is a jz or jnz; otherwise it is a jmp.

Break on vReadMemSs4; at that point the two values in the vEsp stack are the two encrypted addresses for jz and jnz.
For example:
vESP 0012F594 0012F598
0012F598 76CC1B8A // JZ value
0012F59C 76CB6C04 // JNZ value
4. Simple cracking of the VMP SDK.
1. Obtain the functions passed through in the SDK.
If virtualized code contains a Call Func or Call Api, it must first exit the virtual machine, call the Func or Api, and then re-enter the virtual machine.
Therefore, by breaking on vExitVm you can obtain the Funcs or APIs that are passed through, and from that a rough picture of the program flow.

2. Recording and changing vJmp.
Break on vJmp and record vJmp's target address; if you have a correct set of keys, comparing the two different flows gives a fairly intuitive judgement. Of course, this method only works for relatively simple checks.
The attachment is the analysis file, protected with version 2.09; for version 2.11 the analysis approach is the same.
209 CRECKME 0.vmp.rar (805.03 KB, downloads: 5)

The more I write, the more things I feel need digging into; let me sort it out for myself first. To be continued!
Reply-to-view is only there to see how many people are following this topic, heh, sorry for the trouble..
On restoring VMP, I wonder what approach the experts take??
Crackme VM v2.09 link: [Only registered and activated users can see links. ]

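The dispatch and stack-machine mechanics described in the quoted post (the one-byte opcode decryption with the rolling BL key, the dispatch-table lookup and handler decryption, and the vAdd4/vNand4/vPush/vPop handlers operating on the [ebp] stack and the 16 [edi] registers), modelled in Python as an added example. This is not code from the post, from zenghw, or from any VMProtect tool. Only the 0x4A and 0x97D6BC86 constants and the handler semantics are taken from the listings above; the opcode numbering, the 0x500000-based fake handler addresses, the byte stream, the clear-text immediates and the simplified EFLAGS encoding are constructed assumptions. It goes one step beyond the post by showing how an x86 AND is assembled from the ~a & ~b primitive the post calls vNand, which the post does not spell out.

```python
# Added example (not code from the post or from VMProtect): a toy model of the
# mechanics described above. Taken from the post's listings: the opcode decryption
# (xor al,bl / neg al / sub al,4A / neg al / xor bl,al), the dispatch
# (mov ecx,[eax*4+table] / sub ecx,97D6BC86) and the handler semantics, with
# [ebp] as the VM stack top and [edi+n*4] as the 16 VM registers. Constructed
# assumptions: the opcode numbering, the 0x500000-based fake handler addresses,
# clear-text immediates and the simplified EFLAGS encoding.
MASK32 = 0xFFFFFFFF
HANDLER_KEY = 0x97D6BC86    # "sub ecx, 97D6BC86" in the post
OPCODE_DELTA = 0x4A         # "sub al, 4A" in the post
FAKE_BASE = 0x500000        # constructed stand-in for real handler code addresses


def decode_opcode(enc: int, key: int) -> tuple[int, int]:
    """One dispatch step: (opcode, updated BL key) from an encrypted opcode byte."""
    al = enc ^ key                       # xor al, bl
    al = (-al) & 0xFF                    # neg al
    al = (al - OPCODE_DELTA) & 0xFF      # sub al, 4A
    al = (-al) & 0xFF                    # neg al
    return al, key ^ al                  # xor bl, al: the key rolls with every opcode


def encode_opcode(op: int, key: int) -> tuple[int, int]:
    """Inverse of decode_opcode; only used to build the constructed byte stream."""
    al = (-op) & 0xFF
    al = (al + OPCODE_DELTA) & 0xFF
    return ((-al) & 0xFF) ^ key, key ^ op


def decrypt_handler(table: list[int], opcode: int) -> int:
    """mov ecx, [eax*4 + table]; sub ecx, 97D6BC86 (the add ecx, 0 is a no-op)."""
    return (table[opcode] - HANDLER_KEY) & MASK32


def flags_for(result: int, carry: bool = False) -> int:
    """Simplified EFLAGS: CF, ZF, SF plus the always-set bit 1 and IF (assumption)."""
    return 0x202 | int(carry) | ((result == 0) << 6) | ((result >> 31) << 7)


class StackVM:
    """stack[-1] models [ebp] (the VM stack top) and stack[-2] models [ebp+4]."""

    def __init__(self) -> None:
        self.stack: list[int] = []
        self.regs: list[int] = [0] * 16   # vR0..vR15 at [edi + n*4], n*4 <= 0x3C

    def v_add4(self) -> None:             # mov eax,[ebp]; add [ebp+4],eax; pushfd; pop [ebp]
        a, b = self.stack.pop(), self.stack.pop()
        self.stack += [(a + b) & MASK32, flags_for((a + b) & MASK32, a + b > MASK32)]

    def v_nand4(self) -> None:            # not eax; not edx; and eax,edx -> [ebp+4]; flags -> [ebp]
        a, b = self.stack.pop(), self.stack.pop()
        r = ~a & ~b & MASK32              # note: this is NOT(a OR b), despite the name
        self.stack += [r, flags_for(r)]

    def v_push_imm4(self, imm: int) -> None:
        self.stack.append(imm & MASK32)

    def v_push_reg4(self, n: int) -> None:
        self.stack.append(self.regs[n])

    def v_pop_reg4(self, n: int) -> None:
        self.regs[n] = self.stack.pop()


# Constructed opcode numbering: opcode -> (handler name, operand width in bytes).
HANDLERS = {0x10: ("v_add4", 0), 0x20: ("v_nand4", 0), 0x30: ("v_push_imm4", 4),
            0x40: ("v_push_reg4", 1), 0x50: ("v_pop_reg4", 1)}
# Constructed dispatch table: 256 encrypted "handler addresses", FAKE_BASE + opcode.
DISPATCH_TABLE = [(FAKE_BASE + op + HANDLER_KEY) & MASK32 for op in range(256)]


def assemble(program: list[tuple], key: int) -> bytes:
    """Build a key-rolled byte stream from (mnemonic, operand) tuples (constructed)."""
    by_name = {name: (op, width) for op, (name, width) in HANDLERS.items()}
    out = bytearray()
    for mnemonic, *operand in program:
        op, width = by_name[mnemonic]
        enc, key = encode_opcode(op, key)
        out.append(enc)
        if width:                         # real VMProtect also encrypts operands
            out += operand[0].to_bytes(width, "little")
    return bytes(out)


def run(stream: bytes, key: int) -> StackVM:
    """The dispatch loop: fetch at ESI, decrypt, table lookup, decrypt, execute."""
    vm, esi = StackVM(), 0
    while esi < len(stream):
        opcode, key = decode_opcode(stream[esi], key)   # mov al,[esi] ... movzx eax,al
        esi += 1                                         # inc esi
        name, width = HANDLERS[decrypt_handler(DISPATCH_TABLE, opcode) - FAKE_BASE]
        if width:
            getattr(vm, name)(int.from_bytes(stream[esi:esi + width], "little"))
            esi += width
        else:
            getattr(vm, name)()
    return vm


def and_via_vnand(a: int, b: int, key: int = 0x5A) -> int:
    """x86 AND from the post's primitive: NOT(x) = vNand(x,x); a AND b = vNand(NOT a, NOT b)."""
    program = [("v_push_imm4", a), ("v_push_imm4", a), ("v_nand4",),
               ("v_pop_reg4", 0), ("v_pop_reg4", 1),             # vR1 = NOT a (vR0 gets flags)
               ("v_push_imm4", b), ("v_push_imm4", b), ("v_nand4",),
               ("v_pop_reg4", 0), ("v_pop_reg4", 2),             # vR2 = NOT b
               ("v_push_reg4", 2), ("v_push_reg4", 1), ("v_nand4",),
               ("v_pop_reg4", 0), ("v_pop_reg4", 3)]             # vR3 = a AND b
    return run(assemble(program, key), key).regs[3]


if __name__ == "__main__":
    print(hex(and_via_vnand(0xF0F0, 0xFF00)))
```

The point to notice is the rolling key: because `xor bl, al` folds every decrypted opcode back into BL, a single wrong byte in the stream desynchronizes every later opcode, which is why the post stresses watching EBX when stripping junk code. The handler bodies follow the listings literally, so the "vNand" of the post computes NOT(a OR b); three of them give an AND, which matches the post's remark that one x86 instruction becomes N handlers.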
Old 26-04-2013, 10:58 PM   #2
Asian Dragon

Hi, deepsky
[Only registered and activated users can see links. ]

OK, here is the unpacked file....
[Only registered and activated users can see links. ]
Old 01-08-2013, 07:41 PM   #3
givses (Location: Romania)

Here is an unpacking video made by me:
Quote:
[Only registered and activated users can see links. ]
Old 02-08-2013, 12:32 AM   #4
Asian Dragon

Quote:
Originally Posted by givses View Post
Here is an unpacking video made by me:
OK, just upload your unpacked file here.
I tried your unpacked file; can it run on other operating systems or not?
Old 02-08-2013, 03:37 PM   #5
givses

I do not have time to fix the CPUID and RDTSC.

Here is the log and you can fix the file to run on your OS.

Quote:
// CPUID and RDTSC BP script
//----------------------------------

pause
bp 428CFE // 1 Possible CPUID VA
bp 428D11 // 2 Possible CPUID VA
bp 449EA1 // 3 Possible CPUID VA
bp 44B92E // 4 Possible CPUID VA
bp 453591 // 5 Possible CPUID VA
bp 4565D1 // 6 Possible CPUID VA
bp 4565E4 // 7 Possible CPUID VA
bp 488B43 // 8 Possible CPUID VA
bp 4BA3B2 // 9 Possible CPUID VA
bp 4F5CF4 // A Possible CPUID VA
bp 513E76 // B Possible CPUID VA
bp 51B488 // C Possible CPUID VA
bp 51DC31 // D Possible CPUID VA
bp 52302C // E Possible CPUID VA
bp 5646DC // F Possible CPUID VA
bp 5B5747 // 10 Possible CPUID VA
bp 5B5A70 // 11 Possible CPUID VA
bp 449D46 // 1 Possible RDTSC VA
bp 44B79A // 2 Possible RDTSC VA
bp 44EE44 // 3 Possible RDTSC VA
bp 44EE4E // 4 Possible RDTSC VA
bp 44F535 // 5 Possible RDTSC VA
bp 452FDC // 6 Possible RDTSC VA
bp 452FF2 // 7 Possible RDTSC VA
bp 452FF6 // 8 Possible RDTSC VA
bp 46C0DC // 9 Possible RDTSC VA
bp 46E61A // A Possible RDTSC VA
bp 47A0AA // B Possible RDTSC VA
bp 47A0BC // C Possible RDTSC VA
bp 47B5E9 // D Possible RDTSC VA
bp 497522 // E Possible RDTSC VA
bp 49A526 // F Possible RDTSC VA
bp 49A52D // 10 Possible RDTSC VA
bp 49D84C // 11 Possible RDTSC VA
bp 4A0D46 // 12 Possible RDTSC VA
bp 4AB9D3 // 13 Possible RDTSC VA
bp 4ACAEB // 14 Possible RDTSC VA
bp 4BA477 // 15 Possible RDTSC VA
bp 4C3E4A // 16 Possible RDTSC VA
bp 4C7A0A // 17 Possible RDTSC VA
bp 4D1040 // 18 Possible RDTSC VA
bp 4D5F6F // 19 Possible RDTSC VA
bp 4D6628 // 1A Possible RDTSC VA
bp 4D69E1 // 1B Possible RDTSC VA
bp 4DD3A8 // 1C Possible RDTSC VA
bp 4EB1CA // 1D Possible RDTSC VA
bp 563279 // 1E Possible RDTSC VA
bp 5AF69C // 1F Possible RDTSC VA
bp 5B3A9F // 20 Possible RDTSC VA
bp 5B603D // 21 Possible RDTSC VA
ret // Finished

////////////////////
CPUID Example:
----------------------------------
CPUID ; Command of VMP code! Access first and read and note the return values!

VMP COMMAND xy ; Original VMP command before hooking!
cmp R32, 01 ; In some cases VMP accesses the command with conditions! Mostly eax 1!
je short @PATCH ; If eax 01 then jump to our patch!
CPUID ; Fill CPUID if you hooked VMP before that command!
jmp Back to VMP ; Jump to VMP code again after Hook! >>>> A1 <<<<
@PATCH: ; Your Patch code label!
mov eax, xxxxxxxx ; Enter value of "eax" after the step over the VMP CPUID!
mov ecx, xxxxxxxx ; Enter value of "ecx" after the step over the VMP CPUID!
mov edx, xxxxxxxx ; Enter value of "edx" after the step over the VMP CPUID!
mov ebx, xxxxxxxx ; Enter value of "ebx" after the step over the VMP CPUID!
jmp Back to VMP ; Jump to VMP code again after Hook! You can also make a short jump to >>>> A1! <<<<

////////////////////
RDTSC Example:
----------------------------------
RDTSC ; Command of VMP code! Access first and read and note the return values!

VMP COMMAND xy ; Original VMP command before hooking!
RDTSC ; Insert command if needed!
mov eax, xxxxxxxx ; Enter value of "eax" after the step over the VMP RDTSC!
mov edx, xxxxxxxx ; Enter value of "edx" after the step over the VMP RDTSC!
jmp Back to VMP ; Jump to VMP code again after Hook!

Just test your dumped file under a VM with another OS and check whether it's needed to patch CPUID & RDTSC!
Note that you will have problems with that if VMP also used CRC checks on those VMP addresses!
Just play a little with that until you have some success or until you fail!

So I hope that you have understood the examples above!

----------------------------------
LCF-AT
Here is the unpacked file. Fix it.

Quote:
[Only registered and activated users can see links. ]
Old 08-08-2013, 10:13 PM   #6
Asian Dragon

Quote:
Originally Posted by givses View Post
I do not have time to fix the CPUID and RDTSC.

Here is the log and you can fix the file to run on your OS.

Here is the unpacked file. Fix it.
Please update the CPUID and RDTSC fix video on this.
Thanks
Old 22-11-2013, 07:47 PM   #7
c0d3.n0.01

The file has expired and does not exist anymore on this server.
Update the link please.
Old 23-11-2013, 03:12 PM   #8
Asian Dragon

Quote:
Originally Posted by c0d3.n0.01 View Post
The file has expired and does not exist anymore on this server.
Update the link please.
The video and tools are here:
Quote:
[Only registered and activated users can see links. ]