Page 1 of 2 12 LastLast
Results 1 to 10 of 17
  1. #1
    Grooguz
    Grooguz is offline
    BanHammer Holder
    Grooguz's Avatar
    Join Date
    2010 May
    Posts
    678
    Thanks Thanks Given 
    152
    Thanks Thanks Received 
    537
    Thanked in
    167 Posts
    Rep Power
    15

    BOI VMProtect Unpacking

    This tutorial will show you how to bypass the IsDebuggerPresent function from VMProtect and how to remove protector from Battle of the Immortals main executable file Game.exe

    1. Requirements
    • Ollydbg 1.10 Unmodified
    • On olly we need the plugins:
      • StrongOD
      • OllyDump
    • Any Hex Editor
    • ImpRec V1.7
    • Universal Import Fixer (UIF)


    2. Preparations
    We need to setup ollydbg to make it invisible, if we don't do this, the game will detect and close itself.
    Extract olly, get the plugins and start it once then close it. (it will ask to patch the class name windows, press ok)
    Now open the ollydbg.ini and search for text "fengyue". U will find the StrongOD settings, change the Drivername from "fengyue0" to something different (for example "XXXXXXX0") save and close ollydbg.ini

    Now open ur hex editor and select the ollydbg, we need do some changes here.
    First search the text "fengyue" and change it to (for example) "XXXXXXX"
    The next thing to do is search for the text "ACPU" and change all to (for example) "AXXX"

    Ok now we need to setup the options of StrongOD (change them to what you see in the picture)


    Now change the ollydbg debug settings to the following:





    Ok if everything is right, close the olly, open it again and open the game.exe from the bin folder. To test ur olly, press Run (F9) twice and if the game just runs like normal then that means u already bypassed the IsDebuggerPresent check. But if u put a breakpoint in the code section u will see that the program will detect it, and will stop, that is the vmprotection. And thats what were going to unpack now, see the next Part.

    [-]3. Unpacking Game.exe
    Load Game.exe in olly you will break at the system breakpoint in ntdll section. Press run or F9 and u will break at the EP.

    Here you must find the call to the VMProtect function, so i will show you this easy way..
    Press ctrl + G and search for the expresion "VirtualProtect"

    Put a soft break on it with double click or F2.
    In the stack window (the one in the bottom right corner) u will see this:


    (Dont remove the BP yet!)
    If u follow the address "00401000" in dump u will see that its empty, so we will press run (F9) until we see that in the address 00401000 get filled.

    That means the code section is filled and now we can set a break in that section, so delete the BP at the begining of the function and press F8 until u reach the RETN 10.

    After this if we press F7 or F8 we will be at the EP again and thats where want to get at this time so press F7 or F8.

    Now go to the Memory map tab, pressing the M in the olly menu bar, select the code section, set a memory breakpoint on access and press F9.

    The instruction we break at is the function that we need to find to fix our OEP. So save this address we will need it later.
    First delete the memory bp, then go to the RETN at the end of this function and put a BP.

    Press run u to get there, delete the soft break, press F7 and u will be at the EP again.

    Follow the Application with Ctrl+F8 (or F7, long way) until you find the call where the window is created, set a BP on that call, restart and run till that call press F7 and animate (Ctrl+F8) till the next Call. You might want to do that 3 or 4 times.

    At the 3rd or 4th Call you press Ctrl+G and go to "GetStartupInfoA", scroll down to the RETN set a BP there and press F9 after that press F7 or F8 to leave the function.

    Now 7 Lines above where you landed the second address needed can be found (The command is "PUSH 60"). So save that address again!

    Now we need to rebuild our OEP, go to the free space at the end and assemble the following two lines:
    Code:
    CALL <Address1>
    JMP <Address2>
    After you assembled these instructions, you need to set the new origin on the CALL. Now you can create your dump, so use the plugin ollydump for this without "Rebuild Import" Option checked.

    Great you just unpacked VMProtect =)
    You can test this dump file and you will see that its working, but if u send that dump file to another OS it wont work, and u will feel frustrated.. =(

    But don't worry, we don't finish here, you need to fix the dump file so it can run on other OS's too

    4. Fixing the IAT
    After creating an unpacked dump file that's working you need to fix the IAT so the Dump will work on other OS's too.

    Run your Dump File in Olly and break at the EP you created (press F9 twice) now you need the Process ID of your Dump, to get this you can use Taskmanager or something similar or just run cmd.exe and execute the command "tasklist"

    After that run the Universal Import Fixer (UIF) and input the PID of your Dump and leave "Code Start/End" and "New IAT VA" untouched (means 0)
    Press "Start" and let it work, when it finished you will see something like this:


    The info that is shown after "Fixing Success..." is what we need now to fix the dump, so start ImpRec now.
    Attach the process of the dump file, if you click "AutoSearch" button you will see a bad message telling that it cant find anything interesting in that OEP, and if u press the button get imports, it will fill the listbox of imported functions with invalid values, and thats what we are going to fix ^^

    Press the "Clear Import" button, now fill OEP box with "00000000", in the RVA box put what the UIF showed you, then the same with the size, and then press the button "Get Imports" again, and u will see a list of Valid Thunks in the Listbox.

    Great, so now i will show how to setup ImpRect to fix the dump. Check "Add New section" in the main window, and press the "Options"-Button. Now select only the things that you see in this pic:


    Close the options and then press the "Fix Dump"-Button, a window will pop up, select the dump file that u need to fix.

    Let ImpRec work and u will have a fixed dump file, gratz =)
    Now it will work in other OS's too. ImpRec saves the file with an extra "_" at the end. If you want to do some research in the game code now, you dont need an invisible Olly anymore, but you can use it anyways.

    Please register or login to download attachments.


  2. The Following 5 Users Say Thank You to Grooguz For This Useful Post:


  3. #2
    munkese
    munkese is offline
    New member
    Join Date
    2012 Jul
    Posts
    6
    Thanks Thanks Given 
    2
    Thanks Thanks Received 
    0
    Thanked in
    0 Posts
    Rep Power
    0

    Thumbs up VMProtect 1.7 - 2.0 (Unpacking)

    Vmprotect is one of the packers used by games to make code analysis hard. For code analysis we should dump them first.
    To do these we have to write scripts or google them.

  4. #3
    luciffer92
    luciffer92 is offline
    Guest
    Join Date
    2012 Jul
    Posts
    1
    Thanks Thanks Given 
    0
    Thanks Thanks Received 
    0
    Thanked in
    0 Posts
    Rep Power
    0

    Question

    Sorry I'm new and what not, but what exactly does this do? Jw

  5. #4
    Dwar
    Dwar is offline
    Veteran Dwar's Avatar
    Join Date
    2010 Mar
    Posts
    2,222
    Thanks Thanks Given 
    211
    Thanks Thanks Received 
    2,230
    Thanked in
    292 Posts
    Rep Power
    10
    Quote Originally Posted by luciffer92 View Post
    what exactly does this do
    This tutorial helps with removing VMProtect
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  6. #5
    munkese
    munkese is offline
    New member
    Join Date
    2012 Jul
    Posts
    6
    Thanks Thanks Given 
    2
    Thanks Thanks Received 
    0
    Thanked in
    0 Posts
    Rep Power
    0
    For those who want to unpack and study different versions of VMProtect protection, there is a good script and tutorial written by LCF-AT.
    for more
    http://forum.tuts4you.com/topic/24390-vmprotect-api-turbo-tracer-12/
    great work by LCF-AT!!!

  7. #6
    h4x0r
    h4x0r is offline
    h4x0r's Avatar
    Join Date
    2011 Aug
    Location
    ..\root\home\pgc
    Posts
    826
    Thanks Thanks Given 
    64
    Thanks Thanks Received 
    525
    Thanked in
    205 Posts
    Rep Power
    15
    This script is for the lazy and for those who do not understand what to do

  8. The Following User Says Thank You to h4x0r For This Useful Post:


  9. #7
    munkese
    munkese is offline
    New member
    Join Date
    2012 Jul
    Posts
    6
    Thanks Thanks Given 
    2
    Thanks Thanks Received 
    0
    Thanked in
    0 Posts
    Rep Power
    0
    Dear h4x0r,

    Quote Originally Posted by h4x0r View Post
    This script is for the lazy and for those who do not understand what to do
    I disagree with what you said.
    I really appreciate the work done by LCF-AT. You can use it not for unpacking but for analyzing what is really done inside your software.
    Thumbs up for LCF-AT!!!

  10. #8
    tondar2008
    tondar2008 is offline
    Guest
    Join Date
    2013 Jan
    Posts
    1
    Thanks Thanks Given 
    0
    Thanks Thanks Received 
    0
    Thanked in
    0 Posts
    Rep Power
    0
    hi
    can this method be used to remove VMProtect in software program?

  11. #9
    munkese
    munkese is offline
    New member
    Join Date
    2012 Jul
    Posts
    6
    Thanks Thanks Given 
    2
    Thanks Thanks Received 
    0
    Thanked in
    0 Posts
    Rep Power
    0
    Hi tondar2008
    Exactly it is used to remove VMProtect protection.
    You can also get some scripts from Tuts 4 You

    Regards!

  12. #10
    rokeys
    rokeys is offline
    New member
    Join Date
    2012 Aug
    Posts
    20
    Thanks Thanks Given 
    1
    Thanks Thanks Received 
    0
    Thanked in
    0 Posts
    Rep Power
    0

    Cool

    nice work,thanks for share.

Page 1 of 2 12 LastLast

Similar Threads

  1. [Tutorial] WOI Unpackig VMProtect
    By h4x0r in forum Battle of the Immortals
    Replies: 18
    Last Post: 2019-03-16, 04:45 PM
  2. [Tutorial] VMProtect 1.7-2.0.1.2 unpacking
    By Dwar in forum Programming Tutorials
    Replies: 5
    Last Post: 2019-03-04, 06:19 PM
  3. [Info] Dofus Unpacking D2P Archives
    By h4x0r in forum Game Files
    Replies: 12
    Last Post: 2012-06-27, 03:28 PM
  4. Nid HELP on my project pls (unpacking)
    By pornpinoy in forum Research Requests
    Replies: 3
    Last Post: 2011-11-25, 05:25 PM
  5. cabal unpacking
    By pornpinoy in forum Game Files
    Replies: 2
    Last Post: 2011-11-20, 11:21 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •