#11 | 06-26-2011, 11:21 AM | Git (Super Moderator; Join Date: Oct 2007; Location: Torino; Posts: 1,797)

There's a script/addon for OllyDbg posted on Exetools which can gain you knowledge about the target, but in terms of taking a packed exe and turning it into a fully functional unpacked exe that works and you can disassemble into standard i386 code in IDA - yes, it's so far impossible. That doesn't mean you can't gain some insight into fractions of the code with the plugin.

Git
#12 | 06-26-2011, 11:48 AM | SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

The problem is the VM-encoded functions ;-) You may dump it, but most code is enclosed in crypt markers (VMProtect_Begin/VMProtect_End).

See this log:

http://codepad.org/2qY0pYqI

Last edited by SunBeam : 06-26-2011 at 11:51 AM.
#13 | 07-06-2011, 05:15 AM | NoobCracker86 (Member; Join Date: Jun 2011; Posts: 6)

Hello All,

I got some information about this file. Basically, it is packed with Themida, not with VMProtect.

Can anybody help me with this?
Regards,
#14 | 07-06-2011, 05:20 AM | SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

It's VMProtected.
#15 | 07-06-2011, 05:38 AM | NoobCracker86 (Member; Join Date: Jun 2011; Posts: 6)

Quote (originally posted by SunBeam):
It's VMProtected.

@SunBeam, I got this information from the company's site. They said on their forum it is protected with Themida. I think they might have given wrong information.

But I'm not sure it is protected with VMProtect, because I have tried every method to unpack it considering VMProtect and failed to unpack it.
#16 | 07-06-2011, 06:15 AM | SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

If you talk about the mediafire file you linked, then that's 100% VMProtect. I managed to unpack it, but as I said, there is data that is mutated/virtualized. I showed earlier where this happens and why. Themida looks different, I can distinguish pretty well between them ;-) Besides, what would be the point of using the VMP SDK or Themida SDK, then protecting them with either one? If you go with VMProtect, you can't use Themida over it and vice versa.

Last edited by SunBeam : 07-06-2011 at 06:20 AM.
#17 | 07-06-2011, 06:41 AM | NoobCracker86 (Member; Join Date: Jun 2011; Posts: 6)
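The dispute above is about telling VMProtect from Themida by how the protected file "looks". As an added triage example (not code from this thread or from either protector's vendor), the minimal PE section-table parser below lists section names and matches them against default protector section names; the marker lists are an assumption based on the protectors' stock configurations, and since sections can be renamed, a hit is only a hint and a miss proves nothing.

```python
import struct

# Assumed default section names (heuristic, not authoritative): VMProtect
# stock builds add .vmp0/.vmp1/.vmp2; Themida/WinLicense builds commonly
# add .themida/.winlice. Either can be renamed by the protector's settings.
PROTECTOR_SECTION_HINTS = {
    "VMProtect": (".vmp0", ".vmp1", ".vmp2"),
    "Themida/WinLicense": (".themida", ".winlice"),
}


def pe_section_names(data):
    """Return the section names of a PE image using a minimal header walk."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 (relative to the COFF header start).
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table starts after the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[off:off + 8].split(b"\0", 1)[0]
        names.append(raw.decode("ascii", "replace"))
    return names


def guess_protector(section_names):
    """Map protector name -> matching section names; empty dict means no hint."""
    hits = {}
    for name in section_names:
        for protector, markers in PROTECTOR_SECTION_HINTS.items():
            if any(name.lower().startswith(m) for m in markers):
                hits.setdefault(protector, []).append(name)
    return hits


def build_sample_pe(section_names):
    """Constructed, non-runnable PE stub for offline testing (not a real binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(hdr) + b"PE\0\0" + coff + secs
```

Running `guess_protector(pe_section_names(open(path, "rb").read()))` on a real file gives the hint; pair it with the entry-point and import-table checks an analyst would normally do rather than trusting section names alone.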

[Please DO NOT quote whole messages, it is unnecessary]

@SunBeam, thank you, SunBeam.
Yeah, they can't use both protections.
Btw, can you please send me the file you unpacked? I think that might help.

Last edited by Git : 07-06-2011 at 07:39 AM.
#18 | 07-06-2011, 07:40 AM | Git (Super Moderator; Join Date: Oct 2007; Location: Torino; Posts: 1,797)

It won't help. You can't unpack VMProtect into anything that makes sense if it's properly used. You are wasting your time, which is more or less what you were told at the start of this thread.

Git
#19 | 07-06-2011, 09:35 AM | SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

Just to add something to the discussion - why would a developer tell you what protector he's using? Mind-blowing, eh?