VMProtect 3.5 x64 anti-anti-debug
#1
VMProtect 3.5.0 x64 build 1213;
=========================================================
All experiments were conducted on Windows 10 x64 1909 (OS Build 18363.1016) - Intel processor
Test subject: C++ x64 PE file, maximum protection preset
TitanHide – not used
=========================================================
Let's figure out what the new version brought us.
Let's start by preparing ScyllaHide:
[Attached image: scyllahide.png]
Next, in the kernel settings of the debugger itself (x64dbg), you need to set the "Default Breakpoint Type" to "UD2":
[Attached image: settingx64dbg.png]
The thing is that UD2 is less detected by VMProtect itself. For sure, you can load TitanHide if you want, but I did not need it.
The point is that as you may have noticed, when debugging an application that is protected by the new version of the protector, you do not get a 3-nop exception, as in the old versions. All this happens because of one VMProtect trick, which we will now bypass. Plug-ins can't work around this either, since the call is made directly via SYSCALL.
We search for all SYSCALLs by searching for the pattern "0F0568", where "0F05" is the SYSCALL instruction itself, and "68" is needed to filter out extra SYSCALLs.
[Attached image: bpsyscalls.png]
Next, we install breakpoints on all our found instructions.
[Attached image: bpsetsyscalls.png]
And click "Execute" until the RAX register has the value 0xD.
Why 0xD? Because this is the new protector trick. The fact is that SYSCALL 0xD is a call to the WinAPI function "NtSetInformationThread" with a constant that I think will tell you everything with its name: "ThreadHideFromDebugger" (or 0x11; the value is in the RDX register):
[Attached image: Thread-Hide-From-Debugger.png]
Next, change 0x11 in the RDX register to any other value (but not 0x11). You will get the result of executing the function in the RAX register with an error; do not pay attention to it, everything is fine.
DELETE all BREAKPOINTS, and only then click "Execute".
Success! What do we see? Our cherished NOP exceptions:
[Attached image: result-NOPs.png]
The section with the program code is decrypted. Next, just put a hardware breakpoint on your OEP; how to search for it, I think you know. Or put a breakpoint on a WinAPI function: GetCommandLineA is your friend.
Rar Pas: www.at4re.net


Attached files
.txt   VMProtect 3.5 x64.txt (size: 73 bytes / downloads: 151)
Members who liked this post: Cyperior , the9am3 , xdvb_dz , Cyros , TarekAli , doganalpak , rce3033
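As an added illustration of the search step described in the post above (this is not the poster's code, and not part of the original thread), the following Python scanner finds the "0F 05 68" pattern in a byte buffer and recovers the syscall number from the `mov eax, imm32` that precedes the SYSCALL in a typical stub, then keeps only the hits the post breaks on (RAX == 0xD). The sample buffer is constructed for the example, not taken from a real VMProtect binary; the 0xD -> NtSetInformationThread mapping and the 0x11 -> ThreadHideFromDebugger constant are taken from the post, and since syscall numbers change between Windows builds the table is an assumption for the Windows 10 1909 setup the post tested. The same scan is what an analyst uses to flag direct-syscall stubs in a binary that bypasses user-mode hooks.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The post's search pattern: 0F 05 (SYSCALL) followed by 68 (PUSH imm32); the
# trailing 68 filters out SYSCALLs that are not part of the protector's stubs.
SYSCALL_PATTERN = re.compile(rb"\x0f\x05\x68")

# Values named in the post. Syscall numbers are build-specific, so this table is
# an assumption for the Windows 10 1909 x64 build the post was written against.
NT_SET_INFORMATION_THREAD = 0x0D
THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS value checked in RDX
KNOWN_SYSCALLS = {NT_SET_INFORMATION_THREAD: "NtSetInformationThread"}


@dataclass
class SyscallHit:
    offset: int              # offset of the 0F 05 bytes inside the buffer
    number: Optional[int]    # imm32 of the preceding mov eax, imm32 (None if absent)

    @property
    def name(self) -> str:
        return KNOWN_SYSCALLS.get(self.number, "unknown")


def find_syscalls(code: bytes, lookback: int = 16) -> List[SyscallHit]:
    """Return every 0F 05 68 hit with the syscall number loaded into EAX before it."""
    hits = []
    for match in SYSCALL_PATTERN.finditer(code):
        off = match.start()
        number = None
        # Typical x64 stub: 4C 8B D1 (mov r10, rcx) B8 imm32 (mov eax, imm32) 0F 05.
        # Look back a few bytes for the B8 opcode and decode its little-endian imm32.
        b8 = code.rfind(b"\xb8", max(0, off - lookback), off)
        if b8 != -1 and b8 + 5 <= off:
            number = int.from_bytes(code[b8 + 1:b8 + 5], "little")
        hits.append(SyscallHit(off, number))
    return hits


def hide_from_debugger_stubs(code: bytes) -> List[SyscallHit]:
    """Keep only the stubs the post breaks on: RAX == 0xD (NtSetInformationThread)."""
    return [h for h in find_syscalls(code) if h.number == NT_SET_INFORMATION_THREAD]


def is_hide_from_debugger(rdx: int) -> bool:
    """Second argument (RDX) of NtSetInformationThread: 0x11 is ThreadHideFromDebugger."""
    return rdx == THREAD_HIDE_FROM_DEBUGGER


# Constructed sample buffer (hypothetical bytes, not from a real protected file):
# two syscall stubs that match the pattern and one bare SYSCALL that does not.
SAMPLE = (
    b"\x4c\x8b\xd1"              # mov r10, rcx
    b"\xb8\x0d\x00\x00\x00"      # mov eax, 0xD
    b"\x0f\x05"                  # syscall            (offset 8)
    b"\x68\x11\x22\x33\x44"      # push imm32         (the "68" the post filters on)
    b"\x90\x90"                  # nop; nop
    b"\x0f\x05\xc3"              # syscall; ret       (no 68 after it, filtered out)
    b"\x4c\x8b\xd1"              # mov r10, rcx
    b"\xb8\x19\x00\x00\x00"      # mov eax, 0x19
    b"\x0f\x05"                  # syscall            (offset 28)
    b"\x68\xaa\xbb\xcc\xdd"      # push imm32
)

if __name__ == "__main__":
    for h in find_syscalls(SAMPLE):
        num = "?" if h.number is None else f"{h.number:#x}"
        print(f"offset {h.offset:#x}: syscall {num} ({h.name})")
    for h in hide_from_debugger_stubs(SAMPLE):
        print(f"break here: offset {h.offset:#x}, then inspect RDX for {THREAD_HIDE_FROM_DEBUGGER:#x}")
```

Running the block prints the two matching stubs (0xD and 0x19) and skips the bare SYSCALL, which is exactly the filtering effect the "68" byte gives the post's pattern search; in a real binary the lookback may need widening if the protector pads its stubs.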


Replies in this thread
VMProtect 3.5 x64 anti-anti-debug - by vosiyons - 23-08-2020, 02:16 PM
RE: VMProtect 3.5 x64 anti-anti-debug - by Cyros - 29-09-2020, 11:55 AM
RE: VMProtect 3.5 x64 anti-anti-debug - by TarekAli - 08-10-2020, 08:33 PM
