Jump to content

Analysis Vmp'Vm Handle simple blasting

  • Please log in to reply
3 replies to this topic

#1 Sound


    Advanced Member

  • Members
  • PipPipPip
  • 91 posts

Posted 10 June 2013 - 03:09 PM

Sorry for my poor English :(
---------------------------- [Introduction] ------------------
[Article title] analysis Vmp'Vm Handle simple blasting
[Authors] Sound
[E-mail] Sound@niyuan8.com
[Author blog] HtTp :/ / Hi.BaiDu.Com/c3kSoySauce
[Software Name] Crackme Ny.vmp.exe
[Software] size [136 KB
[Download] accessory
[Packers manner] None
[Protection] VMProtect ULTIMATE2.12.3 Vmp variation + virtual protection
[Written language] Microsoft Visual C + + ver 5.0/6.0
[Tools] using OllyDbg
[Platform] Ghost XP sp3
[Software] exercises born Cm,
[Author statement] wrote this article just for the purpose of holding the review, the failure of the Department please heroes!
------------------------------ [Article text] ---------------- -----------

One born of an article console Cm, very simple code to determine whether the true code 2013. Did Vm flag before a relaxing break

After the addition of VMProtect Vm Vm mutation + selection uses a virtual

So it seems with a little bit complicated, this article will explain how this Cm Vm in simple blasting

We analyzed the former first understand Vmp Vm Vm of Vmp with handle bar assembly code encryption Vmp the split, each Vm code just

The original part of the instruction, which is equal to the original code combination of Vm assembly instructions, Vm where most of the instruction has signatures as we said handle.

Vm of Vmp in many of the handle corresponds to one command Vm in normal circumstances each instruction corresponds to a handle

Vmp the VM again about the next jump instruction processing on it before that we first understand the proposed framework of Vm register

Vm register architecture

Save Vm eip Esi Esi where Vm represents the current Eip

Ebp point Vm Vm register address stack items execute each instruction before each parameter will be placed on the stack Vm Vm in the actual execution

As we all know, Vmp of Vm use e_flags to calculate, after which an instruction is Vm_Nor32

Also there are still a Vmp of Vm instruction, Vm_Seteip Vm_Seteip effect of this statement is to calculate the subsequent execution Vm_Nor32 jump address

handle about this

mov e? x, [ebp]
add ebp, 4
mov esi, e? x

In Vm where, Vm get real Esp, Esp is therefore directly available, the stack has been Pushad, pushfd replaced with register

Then decodes the virtual machine Eip, Eip here is the initial offset and offset control Vm decryption code while Vm_Seteip jump left in the stack

Meanwhile Esi Vm is the starting address, which is where the above mentioned Vm Eip

From this we can see that the role of these two directives and Vm_Nor32 Vm_Seteip

We understand these ideas in Vm where blasting is very clear, and in Vm can be used in many handle such Vm_Add32 Vm_ blasting

This article will explain nor32, the other handle is not difficult to understand the implementation of the principle of

This is the paper that we use in nor32 Vm ​​where blasting critical,

Ado, we direct the question

Vm_Nor32 blasting

Modify Vm_Seteip Handle this instruction to the Vm_Seteip Handle this instruction to

Is based on the value of e_flags to judge so we modify the value e_flags

Briefly explain stored under eflags register eflags is Vm

The Vm calculate the eflag, jump or not to jump, followed by the point which address, and then PART III jump instruction inside

e_flags value of 202,242,282 marks

Such as
esi = 004187C4
[Ebp +4] = [00125798] == 0x00000282


esi = 004187C4
[Ebp +4] = [00125798] == 0x00000242

This article was Vm Cm sections of 00,401,080

Starting Vm

0041E000 2C 52 sub al, 0x52
0041E002 A2 30FB89F2 mov byte ptr ds: [0xF289FB30], al

Vm End

00423C05 0000 add byte ptr ds: [eax], al
00423C07 0000 add byte ptr ds: [eax], al

We look at the Vm_Nor32 and features


0041EE01> 27 daa
0041EE02 8B45 00 mov eax, dword ptr ss: [ebp]
0041EE05 80EA 41 sub dl, 0x41
0041EE08 0FBAF2 1C btr edx, 0x1C
0041EE0C 66: D3F2 sal dx, cl
0041EE0F FEC2 inc dl
0041EE11 8B55 04 mov edx, dword ptr ss: [ebp +0 x4]
0041EE14 F5 cmc
0041EE15 F7D0 not eax
0041EE17 68 B81118A7 push 0xA71811B8
0041EE1C 9C pushfd
0041EE1D 9C pushfd
0041EE1E F6C6 46 test dh, 0x46

Here we run the program began crack at the next break in 0041EE11 enter false yards Sound

Off at the 0041EE11

Stack ss: [0012FF5C] = 00000001
edx = 0000040B

We continue to run when there e_flags flag F9 when

7 F9 run, e_flags 202

Stack ss: [0012FF50] = 00000202
edx = 00000583

Amended as follows

Stack ss: [0012FF50] = 00000242
edx = 00000583

EAX 00000202
ECX 0041EE01 Crackme_.0041EE01
EDX 00000583
EBX B2C2D493
ESP 0012FE88
EBP 0012FF4C
ESI 00420193 Crackme_.00420193
EDI 0012FE88
EIP 0041EE11 Crackme_.0041EE11

Modify e_flags value 242
And record the value of esi = 00420193 Esi

Breakpoint F9 to run at this time to cancel findings suggest Success blasting on the success of the simple

Let Vm write patch code in it

Record the original code

0041EE11 8B55 04 mov edx, dword ptr ss: [ebp +4]
0041EE14 F5 cmc
0041EE15 F7D0 not eax
0041EE17 68 B81118A7 push A71811B8
0041EE1C 9C pushfd
0041EE1D 9C pushfd
0041EE1E F6C6 46 test dh, 46
0041EE21 F7D2 not edx
0041EE23 887C24 08 mov byte ptr ss: [esp +8], bh
0041EE27 3C 71 cmp al, 71
0041EE29 21D0 and eax, edx
0041EE2B C64424 04 2C mov byte ptr ss: [esp +4], 2C
0041EE30 E8 FF090000 call Crackme_.0041F834

hex code

8B 55 04 F5 F7 D0 68 B8 11 18 A7 9C 9C F6 C6 46 F7 D2 88 7C 24 08 3C 71 21 D0 C6 44 24 04 2C E8
FF 09 00 00

Section to find an empty address

00423C0B 0000 add byte ptr ds: [eax], al

Modify 0041EE11 point 00423C08

0041EE11 / E9 F54D0000 jmp Crackme_.00423C0B
0041EE16 | 90 nop
0041EE17 | 68 B81118A7 push A71811B8

Empty assembly code snippet below

cmp esi, 00420193 (we record e_flags value of Esi)
jnz short 00423C1B
mov dword ptr ss: [ebp +4], 242
mov edx, dword ptr ss: [ebp +4]
not eax
jmp 0041ee17

As follows

00423C08 9C pushfd
00423C09 81FE 93014200 cmp esi, Crackme_.00420193
00423C0F 75 07 jnz short Crackme_.00423c18
00423C11 C745 04 4202000> mov dword ptr ss: [ebp +4], 242
00423C18 9C pushfd
00423C19 8B55 04 mov edx, dword ptr ss: [ebp +4]
00423C1C F5 cmc
00423C1D F7D0 not eax
00423C1F ^ E9 F3B1FFFF jmp Crackme_.0041EE17
00423C24 0000 add byte ptr ds: [eax], al

Save and then run code just enter false tips Success! OK, so far in Vm where blasting is over simple

Accessory after the break trial procedures and procedures

-------------------------------- [Copyright statement] -------------- -------------------
[Copyright statement] This article from Sound original, no technical content copyright is not important. Reproduced, please indicate the source from to my blog, thank you!

Crack Learning Group [C.L.G]






  • 5
Site...: http://qwe.tw


#2 Soashyant


    Advanced Member

  • ASA member
  • 36 posts
  • LocationIstanbul

Posted 10 July 2013 - 05:37 AM

Good job SoySauce, thanks
  • 0
Sen hiç görmedin
Su vermeye benzedik plastik çiçeklere
hiç görmedin
sen hiç görmedin
dans ettik durmadan kırık camlar üstünde

#3 Sound


    Advanced Member

  • Members
  • PipPipPip
  • 91 posts

Posted 23 August 2013 - 01:34 PM

  • 0
Site...: http://qwe.tw


#4 apuromafo



  • Members
  • Pip
  • 7 posts

Posted 01 January 2016 - 08:46 PM

i was tried to download both files, and not was posible..some mirrow?

BR, Apuromafo CLS

  • 0

When I come not know how many minutes I can go, but I usually always visit places where I record a greeting
Apuromafo CLS

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users