VMProtect 3.5 x64 anti-anti-debug - Printable version
+- Arab Team for Reverse Engineering (https://www.at4re.net/f)
+-- Section: Reverse Engineering Forums (https://www.at4re.net/f/forum-4.html)
+--- Section: Manual Unpacking - Unpacking (https://www.at4re.net/f/forum-27.html)
+--- Thread: VMProtect 3.5 x64 anti-anti-debug (/thread-2018.html)
VMProtect 3.5 x64 anti-anti-debug - vosiyons - 23-08-2020

VMProtect 3.5.0 x64 build 1213
=========================================================
All experiments were conducted on Windows 10 x64 1909 (OS Build 18363.1016), Intel processor.
Test subject: C++ x64 PE file, maximum protection preset.
TitanHide: not used.
=========================================================

Let's figure out what the new version brought us.

Let's start by preparing ScyllaHide:

Next, in the kernel settings of the debugger itself (x64dbg), you need to set the "default breakpoint type" to "UD2":

The thing is that UD2 is less detected by VMProtect itself. For sure, you can load TitanHide if you want, but I did not need it.

The point is that, as you may have noticed, when debugging an application that is protected by the new version of the protector, you do not get a 3-NOP exception, as in the old versions. All this happens because of one VMProtect trick, which we will now bypass. Plug-ins can't work around this either, since the call is made directly via SYSCALL.

We search for all SYSCALLs by searching for the pattern "0F0568", where "0F05" is the SYSCALL instruction itself, and "68" is needed to filter out extra SYSCALLs.

Next, we set breakpoints on all the instructions we found, and click "Execute" until the RAX register has the value 0xD.

Why 0xD? Because this is the new protector trick. The fact is that SYSCALL 0xD is a call to the WinAPI function "NtSetInformationThread" with a constant whose name, I think, tells you everything: "ThreadHideFromDebugger" (or 0x11; the value is in the RDX register):

Next, change 0x11 in the RDX register to any other value, but not 0x11. You will get the result of executing the function in the RAX register with an error; do not pay attention to it, everything is fine.

DELETE all BREAKPOINTS, and only then click "Execute".

Success! What do we see? Our cherished NOP exceptions:

The section with the program code is decrypted.
Next, just put a hardware breakpoint on your OEP (how to find it, I think you know). Or put a breakpoint on a WinAPI function: GetCommandLineA is your friend.

Rar Pass: www.at4re.net

RE: VMProtect 3.5 x64 anti-anti-debug - Cyros - 29-09-2020

Peace be upon you. It seems you know about anti-debug; could you explain a little about the anti-debugging you mentioned in the title?

Can you explain about anti-debug: is it a protection, or an algorithm for detecting a debugger? And is IsDebuggerPresent, which the protector detects, an anti-debug? And programs like Internet Download Manager and WinRAR, which do not use a protector like VMProtect or ASProtect but use IsDebuggerPresent, is this anti-debug?

RE: VMProtect 3.5 x64 anti-anti-debug - TarekAli - 08-10-2020

Does it work on 32-bit architecture?
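As an added example (not the original post's code, nor anything from VMProtect or x64dbg), here is the first post's "0F0568" pattern search applied statically to a code buffer in Python: for each SYSCALL-followed-by-PUSH hit it looks back for the mov eax, imm32 and mov edx, imm32 that load the syscall number and the information class, so a reader triaging a protected binary can spot the NtSetInformationThread(ThreadHideFromDebugger) stub (0xD / 0x11, as stated in the post) before ever attaching a debugger. The sample bytes and the second syscall number 0x18 are constructed, and the look-back is a heuristic that a real build may defeat with obfuscated register loads.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# From the post: syscall 0xD is NtSetInformationThread on the tested Windows 10
# x64 build, and 0x11 is the ThreadHideFromDebugger information class.
NT_SET_INFORMATION_THREAD = 0x0D
THREAD_HIDE_FROM_DEBUGGER = 0x11
SYSCALL_PUSH = re.compile(rb"\x0f\x05\x68", re.DOTALL)  # SYSCALL followed by PUSH imm32
MOV_EAX_IMM32 = re.compile(rb"\xb8(.{4})", re.DOTALL)   # mov eax, imm32 (syscall number)
MOV_EDX_IMM32 = re.compile(rb"\xba(.{4})", re.DOTALL)   # mov edx, imm32 (2nd argument)

@dataclass
class SyscallSite:
    offset: int             # offset of the 0F 05 bytes in the buffer
    number: Optional[int]   # last imm32 moved into EAX before the SYSCALL
    edx_imm: Optional[int]  # last imm32 moved into EDX before the SYSCALL

    def hides_thread_from_debugger(self) -> bool:
        return (self.number == NT_SET_INFORMATION_THREAD
                and self.edx_imm == THREAD_HIDE_FROM_DEBUGGER)

def _last_imm32(pattern, region: bytes) -> Optional[int]:
    value = None
    for m in pattern.finditer(region):  # the last load before the SYSCALL wins
        value = int.from_bytes(m.group(1), "little")
    return value

def find_syscall_sites(code: bytes, window: int = 32) -> List[SyscallSite]:
    """Heuristic: for each '0F 05 68' hit, look back at most `window` bytes
    (never past the previous hit) for the immediates loaded into EAX/EDX."""
    sites, prev_end = [], 0
    for m in SYSCALL_PUSH.finditer(code):
        region = code[max(prev_end, m.start() - window):m.start()]
        sites.append(SyscallSite(m.start(), _last_imm32(MOV_EAX_IMM32, region),
                                 _last_imm32(MOV_EDX_IMM32, region)))
        prev_end = m.end()
    return sites

# Constructed sample: one stub that hides the thread, one unrelated stub (0x18 is made up).
SAMPLE = (
    b"\x90\x90\x4c\x8b\xd1"              # nop ; nop ; mov r10, rcx
    b"\xba\x11\x00\x00\x00"              # mov edx, 0x11  (ThreadHideFromDebugger)
    b"\xb8\x0d\x00\x00\x00"              # mov eax, 0xD   (NtSetInformationThread)
    b"\x0f\x05\x68\x44\x33\x22\x11\xc3"  # syscall ; push imm32 ; ret
    b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00"  # mov r10, rcx ; mov eax, 0x18 (constructed)
    b"\x0f\x05\x68\x00\x00\x00\x00"      # syscall ; push 0
)

def hide_from_debugger_sites(code: bytes) -> List[int]:
    """Offsets of SYSCALLs that look like NtSetInformationThread(ThreadHideFromDebugger)."""
    return [s.offset for s in find_syscall_sites(code) if s.hides_thread_from_debugger()]
```

On the constructed sample, hide_from_debugger_sites(SAMPLE) returns [15], the offset of the first SYSCALL; the second stub is reported with number 0x18 and no EDX load, so it is not flagged.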