Fighting Oreans' VM (code virtualizer flavour)
g <g_orange-batcom> Tuesday, August 19 2008 12:27.29 CDT


If you don't know what code virtualizer is, or how it works, you should read this first:
http://rapidshare.com/files/16968098/Inside_Code_Virtualizer.rar
(Inside Code Virtualizer by scherzo)

Now, as you probably already know from scherzo's paper ;), one possible way to recover virtualized code is to identify each mutated handler (i.e. find its corresponding non-mutated version). Once this is done, we can trace the virtual opcodes and "decompile" them into VM instructions. Having "clean" decompiled output, we can translate it to x86 assembly. I consider the last step to be a simple "find and replace" job with flex/yacc.
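To make the workflow above concrete, here is an added toy pipeline (example code, not from the original post and not Code Virtualizer's real handler set): a handful of constructed "clean" handlers, a constructed mutated handler table (junk instructions inserted, scratch registers renamed), and a constructed opcode stream. Matching works by normalizing each handler body to a fingerprint (strip junk, cancel push/pop pairs, rename scratch registers by first use); the recovered names then drive the decompile and the x86 "find and replace" step. The VM context convention (esi = VM pc, ebp = VM stack, ebx = VM register file) is an assumption of this example.

```python
import re

CONTEXT_REGS = {"esi", "ebp", "ebx"}          # constructed VM convention: pc, VM stack, register file
REGISTER_FILE = ["eax", "ecx", "edx", "edi"]  # x86 register behind each VM register index (constructed)

# Clean reference handlers (constructed stand-ins, not the protector's real handlers)
CLEAN_HANDLERS = {
    "vPushReg": ["mov eax, [esi]", "add esi, 4", "mov eax, [ebx+eax*4]", "sub ebp, 4", "mov [ebp], eax"],
    "vPopReg": ["mov eax, [esi]", "add esi, 4", "mov ecx, [ebp]", "add ebp, 4", "mov [ebx+eax*4], ecx"],
    "vAdd": ["mov eax, [ebp]", "add eax, [ebp+4]", "add ebp, 4", "mov [ebp], eax"],
}
JUNK = re.compile(r"^(nop|lea (e..), \[\2\+0\]|xchg (e..), \3)$")  # state-preserving junk (constructed)
REG = re.compile(r"\be(ax|bx|cx|dx|si|di|bp|sp)\b")

def normalize(body):
    """Fingerprint a handler: drop junk, cancel push r/pop r pairs, rename scratch regs by first use."""
    ins = [i.strip() for i in body if not JUNK.match(i.strip())]
    changed = True
    while changed:  # pairs become adjacent once the junk between them is gone
        changed = False
        for k in range(len(ins) - 1):
            if ins[k].startswith("push ") and ins[k + 1] == "pop " + ins[k][5:]:
                del ins[k:k + 2]; changed = True; break
    names = {}
    def rename(m):
        r = m.group(0)
        return r if r in CONTEXT_REGS else names.setdefault(r, f"r{len(names)}")
    return tuple(REG.sub(rename, i) for i in ins)

FINGERPRINTS = {normalize(b): n for n, b in CLEAN_HANDLERS.items()}

def identify(mutated_table):
    """Map each entry of the VM's (mutated) handler table back to its clean handler name."""
    return [FINGERPRINTS.get(normalize(b), "unknown") for b in mutated_table]

def decompile(bytecode, names):
    """Walk the virtual opcode stream: handler index, optionally followed by one operand."""
    out, pc = [], 0
    while pc < len(bytecode):
        name = names[bytecode[pc]]; pc += 1
        if name in ("vPushReg", "vPopReg"):
            out.append((name, bytecode[pc])); pc += 1
        else:
            out.append((name, None))
    return out

def to_x86(vm_code):
    """The 'find and replace' step; vAdd assumes eax is free as scratch (constructed mapping)."""
    table = {"vPushReg": lambda a: [f"push {REGISTER_FILE[a]}"], "vPopReg": lambda a: [f"pop {REGISTER_FILE[a]}"],
             "vAdd": lambda a: ["pop eax", "add [esp], eax"]}
    return [line for name, arg in vm_code for line in table.get(name, lambda a: [f"; unknown {name}"])(arg)]

# Constructed mutated table: vAdd with edx + junk, vPushReg with ecx + junk, vPopReg with edx/eax
MUTATED_TABLE = [
    ["nop", "mov edx, [ebp]", "push ecx", "xchg ecx, ecx", "pop ecx", "add edx, [ebp+4]", "add ebp, 4", "lea edx, [edx+0]", "mov [ebp], edx"],
    ["mov ecx, [esi]", "add esi, 4", "push eax", "nop", "pop eax", "mov ecx, [ebx+ecx*4]", "sub ebp, 4", "mov [ebp], ecx"],
    ["mov edx, [esi]", "add esi, 4", "mov eax, [ebp]", "add ebp, 4", "mov [ebx+edx*4], eax"],
]
BYTECODE = [1, 1, 1, 2, 0, 2, 0]  # constructed stream: push r1; push r2; add; pop r0
```

Running `to_x86(decompile(BYTECODE, identify(MUTATED_TABLE)))` yields the five x86 lines `push ecx`, `push edx`, `pop eax`, `add [esp], eax`, `pop eax`.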

The problem is, Oreans' VM engine can be a bitch. Consider this piece of code:

continued at:

http://www.woodmann.com/forum/showthread.php?t=12015

Comments
ReWolf Posted: Tuesday, August 19 2008 17:34.36 CDT
nice research ;>

neoxfx Posted: Wednesday, August 20 2008 01:30.27 CDT
good work!

Sellmi Posted: Thursday, August 21 2008 02:07.17 CDT
Thx!
I had a great read of your code during my train ride home.

I virtualized a protected CV app with Pin and logged all changes in the context etc., but I faced the problem that the pcode is also obfuscated, thus I like your way of optimizing the code on a txt-file basis; it is somewhat universal.
GynvaelColdwind Posted: Tuesday, August 26 2008 08:30.25 CDT
good work ;>