Some difficulty with protected 32-bit DLL
Can you help me to understand how to use the vmpfix application with a protected 32-bit DLL?
Here is the link to download it. 32-bit protected DLL. Written in Delphi. Section names are standard.
Found OEP: 001413FC
Used x32dbg to load the target. HW break at OEP, then tried to use vmpfix with the following parameters:
vmpfix.exe -p 14964 (PID of DLLLoader32 process) -m interweb.dll
Then I got the following result:
Collecting stubs on interweb.dll
Failed to resolve api at 0x28a2425
[*] 0x2a65296 mov edx, [esp+0x24]
[*] 0x2a6529a push 0x5F254182
[*] 0x2a6529f xchg [esp+0x2C], edx
[*] 0x2a72562 xchg [esp+0x28], edx
[*] 0x2a7256d mov edx, 0x28DAF27
[*] 0x2a72574 mov edx, [edx+0x13FD6B]
Is this an unsupported VM version, or am I doing something wrong? I read the following remark:
VMProtect unpacking must be complete before running VMPfix.
Am I right that it's enough to break at the correct OEP and then use vmpfix, or am I wrong?
Thanks in advance.
Hello. From what I can tell, this is a false positive and it will sometimes happen because the tool scans memory linearly. Does it resolve any other api?
> Am I right that it's enough to break at the correct OEP and then use vmpfix, or am I wrong?

Yes, being at the OEP or past the vmprotected entrypoint is enough.
> Does it resolve any other api?

Unfortunately, no. vmpfix breaks after these lines (the addresses are different because I reloaded the target DLL in the debugger):
d:!vmp\vmpimpfix>vmpfix.exe -p 8420 -m interweb.dll
Collecting stubs on interweb.dll
Failed to resolve api at 0x24a2425
[*] 0x2665296 mov edx, [esp+0x24]
[*] 0x266529a push 0x5F254182
[*] 0x266529f xchg [esp+0x2C], edx
[*] 0x2672562 xchg [esp+0x28], edx
[*] 0x267256d mov edx, 0x24DAF27
[*] 0x2672574 mov edx, [edx+0x13FD6B]
d:!vmp\vmpimpfix>pause
No other functions were found.

> From what I can tell, this is a false positive and it will sometimes happen because the tool scans memory linearly.

I'm not sure, because it breaks after that and does not find any other import calls. Actually, I tried to use Vm2Import for the quoted example and it found the kernel32_CloseHandle function at the address 0x24a2425. I also found some import calls at the neighbouring addresses using Vm2Import:
https://ibb.co/z6hSjXC
But I'm not able to use it because it searches for import calls one by one and I must find all target calls by myself (and bind a new import table manually after that, because Vm2Import just marks the target import call with a comment string). So, I just hope to use vmpfix to make this process somewhat automatic.
Thanks for making this issue, looking at vmenter I can tell that this vmprotect version is 2.07-2.08. Unfortunately right now the tool cannot resolve api redirections implemented in these versions. Perhaps I should clarify this in readme 🤔
Understood. Thanks.
By the way, I have licensed VMProtect v2.13 and tried to make a simple "Hello, World!" application to test vmpfix, and got no result either. Here is the link to download it. The archive contains the unpacked file with map and pdb information, the OEP address and the packed version.
Here is the result window after starting vmpfix:
c:\time_test\Release\vmpimpfix>vmpfix.exe -p 17780 -m time_test.vmp.exe
Collecting stubs on time_test.vmp.exe
Failed to resolve api at 0xa41560
[*] 0xa54e72 push 0x288C094F
[*] 0xa54e78 mov byte ptr [esp], 0xC6
[*] 0xa54e7c push [esp]
[*] 0xa54e80 push ebx
[*] 0xa54e81 xchg [esp+0x28], eax
[*] 0xa54e85 push esi
[*] 0xa54e86 mov eax, [esp+0x30]
[*] 0xa5ac26 lea eax, [eax+0x01]
Failed to resolve api at 0xa4261c
[*] 0xa562c8 mov ebp, [esp+0x20]
[*] 0xa562cc push [esp+0x10]
[*] 0xa562d0 xchg [esp+0x28], ebp
[*] 0xa562d4 push [esp]
[*] 0xa55ccd push edx
[*] 0xa55cce mov [esp+0x30], ebp
[*] 0xa55cd6 push 0xE3CAD039
[*] 0xa55cdb mov ebp, 0xA431B9
Failed to resolve api at 0xa4266e
[*] 0xa55c22 mov esi, [esp+0x20]
[*] 0xa55c26 mov byte ptr [esp+0x08], 0x92
[*] 0xa55c2b xchg [esp+0x24], esi
[*] 0xa55c2f mov byte ptr [esp], 0xB8
[*] 0xa55c33 push [esp+0x0C]
Failed to resolve api at 0xa42681
[*] 0xa5a7e1 push 0x3E7E32AD
[*] 0xa5a7f2 mov edi, [esp+0x08]
[*] 0xa5a7f7 push 0x1615A53F
[*] 0xa54d40 xchg [esp+0x34], edi
[*] 0xa54d44 push edx
[*] 0xa54d45 push ecx
[*] 0xa5a882 mov [esp+0x3C], edi
[*] 0xa5a88a mov edi, 0xA41C02
[*] 0xa5a423 push 0x2AF8A8EF
[*] 0xa5a428 mov edi, [edi+0x15A7F]
[*] 0xa5aa30 lea esp, [esp+0x44]
Failed to resolve api at 0xa4297c
[*] 0xa5ac7c push edx
[*] 0xa5ac7f lea esp, [esp+0x24]
[*] 0xa577ca push esp
[*] 0xa577cc mov [esp+0x04], ecx
[*] 0xa577d4 pop ecx
[*] 0xa577d5 mov ecx, [esp+0x04]
I will be glad to help with some targets or any other information if you wish (and have enough time, of course) to add VMProtect 2.xx support.