MantisBT - Cheat Engine
View Issue Details
ID: 0000399
Project: Cheat Engine
Category: (No Category)
View Status: public
Date Submitted: 2015-08-11 19:54
Last Update: 2015-08-28 16:58
Reporter: pausebreak7
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: windows
OS: x64
OS Version:
Summary: 0000399: darkbyte one more question?
Description: VMPROTECT DBVM DETECT BYPASS?

DBVM versions 5~9 always give an error message box.

VMPROTECT:
Sorry,this application cannot run under a virtual Machine

The new DBVM version 9 does not bypass it.

Can it ever be bypassed?

Steps To Reproduce: File download link:
https://www.dropbox.com/s/ilop072569dv23a/TEST%20VMPROTECT.zip?dl=0
Tags: No tags attached.
Attached Files:
error.png (26,613 bytes) 2015-08-11 19:54
http://cheatengine.org/mantis/file_download.php?file_id=146&type=bug
error 2.png (101,207 bytes) 2015-08-11 19:55
http://cheatengine.org/mantis/file_download.php?file_id=147&type=bug
error5.png (63,121 bytes) 2015-08-16 11:02
http://cheatengine.org/mantis/file_download.php?file_id=149&type=bug
dbvm9.1.rar (81,219 bytes) 2015-08-16 11:30
http://cheatengine.org/mantis/file_download.php?file_id=150&type=bug
sssd.png (325,962 bytes) 2015-08-21 17:49
http://cheatengine.org/mantis/file_download.php?file_id=151&type=bug

Notes
(0000832)
Dark Byte
2015-08-12 02:46
Show the source code on how it detects it and I'll look into it.
Without source code I can't help you.
(0000833)
pausebreak7
2015-08-12 09:29
My test VMProtect pack link:
https://www.dropbox.com/s/5yijydzjlxg6qc7/VmProtect.V2.12.3.License.INCLUDED.RETAIL.BY-1ST.rar?dl=0

I do not know the source code for the detection.

VMProtect will detect that virtual machine.
(0000837)
pausebreak7
2015-08-15 21:15
I found this via a Google search.

Found some hypervisor detection methods:

http://pastebin.com/2gv72r7d

I do not know how to detect vmdisk.img.

DBVM virtual machine loaded -> packed file run -> error message

DBVM virtual machine not loaded -> packed file run -> no error message

Packed file run -> DBVM virtual machine loaded -> no error message
(0000838)
Dark Byte
2015-08-15 23:53
(Last edited: 2015-08-16 00:00)
What CPU do you have? Apparently my test system (i7 920) doesn't have this cpuid feature.

Anyhow, if you can compile DBVM (and it's an Intel), go to vmeventhandler.c, find int handleCPUID(VMRegisters *vmregisters)

and after the _cpuid() call add the code:
  if (oldeax==1)
  {
    //remove the hypervisor active bit (bit 31 in ecx); 64-bit mask to match the UINT64 register field
    vmregisters->rcx=vmregisters->rcx & (~(1ULL << 31));
  }

If it's AMD then you'll have to do some more research on getting it to break on cpuid.

(0000839)
pausebreak7
2015-08-16 11:06
My computer: Intel i5 Sandy Bridge.

DBVM version 8 vmeventhandler.c edit:

///////////////////////////////
int handleCPUID(VMRegisters *vmregisters)
{
// sendstring("handling CPUID\n\r");

  UINT64 oldeax=vmregisters->rax;

  _cpuid(&(vmregisters->rax),&(vmregisters->rbx),&(vmregisters->rcx),&(vmregisters->rdx));

  if (oldeax==1)
  {
    //remove the hypervisor active bit (bit 31 in ecx); 64-bit mask to match the UINT64 register field
    vmregisters->rcx=vmregisters->rcx & (~(1ULL << 31));
  }

  /*
  if (oldeax==1)
  {
    //remove vmx capability in ecx
    vmregisters->rcx=vmregisters->rcx & (~(1 << 5)); //set bit 5 to 0
  }*/

//////////////////////////////

Edited DBVM version 8, test error message screenshot: error5.

I don't know what you did. You didn't crash, but you also didn't load sys.

Cheat Engine DBVM load fail.

DBVM version 9 compile? (My test is DBVM version 8.)
(0000840)
pausebreak7
2015-08-16 11:30
My test: VMX password mistake.

Code not in error, but VMProtect detection not bypassed.
(0000841)
Dark Byte
2015-08-16 11:30
(Last edited: 2015-08-16 11:31)
I've uploaded dbvm9 with this modification. Try testing it on an official CE 6.4 release first (and reboot first, perhaps your system is already running under DBVM but it's not visible).

Edit, ah ok. Yeah, I guessed this wasn't it. (It's too easy.)

(0000842)
pausebreak7
2015-08-16 11:39
Cheat Engine 6.4 run, DBVM version 9.1 load test
----------------------

VMProtect not bypassed.

Maybe...
detecting a hypervisor running?
(0000843)
pausebreak7
2015-08-16 11:50
I think this is the detection method in this situation.

-Examples--
DBVM running -> VMware run error
DBVM not running -> VMware run success

If you are running other virtualization, it is detected.
(0000844)
pausebreak7
2015-08-17 14:28
(Last edited: 2015-08-17 15:14)
Google search:

http://artemonsecurity.com/vmde.pdf

Page 51: hypervisor detection code.

Bypass impossible?

Is the detected flag that virtualization has been running?

(0000845)
Dark Byte
2015-08-17 22:50
That pdf only describes how to detect known virtual machines by scanning for the extra features they come with (VGA, devices, etc...).
(0000846)
pausebreak7
2015-08-17 23:00
Searched Google, still do not know.

Check the virtual machine load information.

Something about loads at boot detecting VT activated.

I do not know the solution to this.

Thank you Dark Byte.
(0000847)
pausebreak7
2015-08-18 14:28
Windows 7 x64, Intel i5 Sandy Bridge
DBVM version 9 loaded
fix binding deactivate for children test
////////////////////////////////////
test cap label click information
DBVM UNLOAD no hypervisor detected 1FBAE3FF
DBVM LOAD no hypervisor detected 17BAE3FF
/////////////////////////////////////////////

The same happened; the cpuid information changes.
(0000848)
pausebreak7
2015-08-21 17:49
(Last edited: 2015-08-21 17:54)
--------------------------------------------------
VMProtect Windows 8.1 hypervisor detect

Links:

http://vmpsoft.com/forum/viewtopic.php?f=4&t=1481&hilit=hyper

http://vmpsoft.com/forum/viewtopic.php?f=4&t=1474

--------------------------------------------------

VMProtect can crash Windows 8.1 Hyper-V.

--------------------------------------------------
Screenshot: sssd.png

vmplayer run -> Hyper-V not detected message

vmplayer also writes the virtualization code,

but the VMP detection message is not output.

-cpuid test label-
DBVM UNLOAD no hypervisor detected 1FBAE3FF
vmplay run no hypervisor detected 1FBAE3FF
DBVM LOAD no hypervisor detected 17BAE3FF
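The three ECX readings above are worth decoding, because they say which feature flag actually moves when DBVM is loaded. The following is an added example written for this page, not DBVM, Cheat Engine or VMProtect code: it takes two CPUID.(EAX=1):ECX values, XORs them, and names each differing bit using the Intel SDM's flag assignments for leaf 01H (bit 5 VMX, bit 27 OSXSAVE, bit 31 hypervisor-present, and so on). The values are copied from the note's cpuid test label lines; the function names are ours.

```c
/* Decode which CPUID.(EAX=1):ECX feature flags differ between two readings.
 * Added example for this bug page; not DBVM or Cheat Engine code. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of CPUID.01H:ECX flag names per the Intel SDM (Vol. 2A, CPUID leaf 01H).
 * Bits not listed are reported by number only. */
const char *cpuid1_ecx_name(int bit)
{
    switch (bit) {
    case 0:  return "SSE3";
    case 1:  return "PCLMULQDQ";
    case 3:  return "MONITOR";
    case 5:  return "VMX";
    case 6:  return "SMX";
    case 9:  return "SSSE3";
    case 12: return "FMA";
    case 13: return "CMPXCHG16B";
    case 19: return "SSE4.1";
    case 20: return "SSE4.2";
    case 21: return "x2APIC";
    case 22: return "MOVBE";
    case 23: return "POPCNT";
    case 24: return "TSC-Deadline";
    case 25: return "AESNI";
    case 26: return "XSAVE";
    case 27: return "OSXSAVE";   /* mirrors CR4.OSXSAVE, set by the OS */
    case 28: return "AVX";
    case 29: return "F16C";
    case 30: return "RDRAND";
    case 31: return "HYPERVISOR"; /* reserved for hypervisors to announce themselves */
    default: return "reserved/unlisted";
    }
}

/* Bitmask of the flags that differ between two ECX readings. */
uint32_t cpuid1_ecx_diff(uint32_t a, uint32_t b)
{
    return a ^ b;
}

/* 1 if the hypervisor-present flag (bit 31) is set in this reading. */
int cpuid1_hypervisor_present(uint32_t ecx)
{
    return (int)((ecx >> 31) & 1u);
}

/* Print every differing flag with its name; return how many flags differ. */
int report_cpuid1_ecx_diff(const char *label_a, uint32_t a,
                           const char *label_b, uint32_t b)
{
    uint32_t diff = cpuid1_ecx_diff(a, b);
    int count = 0;
    printf("%s = %08" PRIX32 ", %s = %08" PRIX32 ", hypervisor bit: %d / %d\n",
           label_a, a, label_b, b,
           cpuid1_hypervisor_present(a), cpuid1_hypervisor_present(b));
    for (int bit = 0; bit < 32; bit++) {
        if (diff & (1u << bit)) {
            printf("  bit %2d (%s): %" PRIu32 " -> %" PRIu32 "\n",
                   bit, cpuid1_ecx_name(bit), (a >> bit) & 1u, (b >> bit) & 1u);
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Readings copied from the note's "cpuid test label" lines. */
    const uint32_t unloaded = 0x1FBAE3FFu;   /* DBVM UNLOAD */
    const uint32_t vmplayer = 0x1FBAE3FFu;   /* vmplay run  */
    const uint32_t loaded   = 0x17BAE3FFu;   /* DBVM LOAD   */
    report_cpuid1_ecx_diff("DBVM unloaded", unloaded, "DBVM loaded", loaded);
    report_cpuid1_ecx_diff("DBVM unloaded", unloaded, "vmplayer", vmplayer);
    return 0;
}
```

Run against the note's values, the only flag that changes between the unloaded and loaded readings is bit 27 (OSXSAVE); bit 31 stays clear in both, which matches the "no hypervisor detected" label, and the vmplayer reading is identical to the unloaded one. The SDM defines CPUID.01H:ECX.OSXSAVE as reflecting CR4.OSXSAVE, a bit the operating system sets, so a reading that flips only that flag when a hypervisor is loaded is exactly the kind of inconsistency an integrity or anti-VM check can flag.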

(0000851)
pausebreak7
2015-08-26 09:40
(Last edited: 2015-08-26 09:43)
Hmm, VMProtect unpack:

https://forum.tuts4you.com/topic/30733-vmprotect-ultra-unpacker-10/page-1

----------------------------------------------------------------------------

https://forum.tuts4you.com/topic/33835-vmp-unpack-videeo-by-kge/?hl=vmprotect

http://www.sendspace.com/file/jn8rhb --password:bbs.chinapyg.com

----------------------------------------------------------------------------
Would the relevant code not be detected in the process of unpacking?

When packing a 64-bit program, the message is not output.
(64-bit Cheat Engine VMP packing -> VMProtect VT detect no message)
(maybe... a VMProtect bug)

Low versions of VMP unpacked, but as I have found during the detection code?

The best idea:

Unpacking for days to find the relevant material in the course of the code to detect.

(0000852)
pausebreak7
2015-08-26 10:07
(Last edited: 2015-08-26 10:51)
https://tuts4you.com/download.php?view.3432

VMProtect 1.xx - 2.xx Ultra Unpacker v1.0 folder

VMProtect 2.06 -> VMProtector_2.06_unpackme.exe -> DBVM load detected

VMProtect 2.12 -> notepad.vmp.exe -> DBVM load detected

http://www.52pojie.cn/forum.php?mod=viewthread&tid=129047

http://down.52pojie.cn/LCG/Zeus_Tutorial.rar
-------------------------------------------------------------
Not tested; cannot unpack the file.

If unpacking is not detected, then is there code analysis on that side?
-------------------------------------------------------------

Tutorial video: cpuid? Modified.

What is detected by cpuid?

(0000853)
pausebreak7
2015-08-26 16:57
VMProtect analysis PDF, page 52, cpuid:

http://lille1tv.univ-lille1.fr/telecharge.aspx?id=d5b2487e-cacc-4596-ab37-dab2b362cb9e

VM CPUID
There is a special opcode for making CPUID instruction
Op_01: Value
Save 0x0C on VM_STACK (EBP) for storing eax, ebx, ecx, edx

The PDF is the analysis data for VMProtect.
(0000857)
pausebreak7
2015-08-28 16:58
wrta sFile2, "CPUID Exsample:"
wrta sFile2, "----------------------------------"
wrta sFile2, "CPUID ; Command of VMP code!Access first and read and note the return values!"
wrta sFile2, "\r\n"
wrta sFile2, "VMP COMMAND xy ; Original VMP command before hooking!"
wrta sFile2, "cmp R32, 01 ; In some cases VMP access the command with conditions!Mostly eax 1!"
wrta sFile2, "je short @PATCH ; If eax 01 then jump to our patch!"
wrta sFile2, "CPUID ; Fill CPUID if you hooked VMP before that command!"
wrta sFile2, "jmp Back to VMP ; Jump to VMP code again after Hook! >>>> A1 <<<<"
wrta sFile2, "@PATCH: ; Your Patch code label!"
wrta sFile2, "mov eax, xxxxxxxx ; Enter value of "eax" after the step over the VMP CPUID!"
wrta sFile2, "mov ecx, xxxxxxxx ; Enter value of "ecx" after the step over the VMP CPUID!"
wrta sFile2, "mov edx, xxxxxxxx ; Enter value of "edx" after the step over the VMP CPUID!"
wrta sFile2, "mov ebx, xxxxxxxx ; Enter value of "ebx" after the step over the VMP CPUID!"
wrta sFile2, "jmp Back to VMP ; Jump to VMP code again after Hook!You can also make a short jump to >>>> A1! <<<<"
wrta sFile2, "\r\n\r\n"
wrta sFile2, "\r\n"
wrta sFile2, "////////////////////"
wrta sFile2, "RDTSC Exsample:"
wrta sFile2, "----------------------------------"
wrta sFile2, "RDTSC ; Command of VMP code!Access first and read and note the return values!"
wrta sFile2, "\r\n"
wrta sFile2, "VMP COMMAND xy ; Original VMP command before hooking!"
wrta sFile2, "RDTSC ; Insert command if needed!"
wrta sFile2, "mov eax, xxxxxxxx ; Enter value of "eax" after the step over the VMP RDTSC!"
wrta sFile2, "mov edx, xxxxxxxx ; Enter value of "edx" after the step over the VMP RDTSC!"
wrta sFile2, "jmp Back to VMP ; Jump to VMP code again after Hook!"
wrta sFile2, "\r\n\r\n"
wrta sFile2, "Just test your dumped file under VM with a other OS and check whether it's needed to patch CPUID & RDTSC!"
wrta sFile2, "Note that you will have problems with that if VMP used also CRC checks on that VMP addresses!"
wrta sFile2, "Just play a little with that till you got some success or till you failed!"
wrta sFile2, "\r\n"
wrta sFile2, "So I hope that you have understand the exsamples above!"
wrta sFile2, "\r\n"
wrta sFile2, "----------------------------------"
wrta sFile2, "LCF-AT"


cpuid eax,ebx,ecx,edx -> ORIGINAL value
cpuid eax,ebx,ecx,edx -> DBVM LOAD value

cpuid data difference?

And an rdtsc (read time-stamp counter) DBVM check, is that possible?

------------------------------------------------
I do not know any more information, so I give up.

When the time comes I'll try once again.

Thank you Dark Byte.

Have a good day.

Issue History
2015-08-11 19:54 | pausebreak7 | New Issue
2015-08-11 19:54 | pausebreak7 | File Added: error.png
2015-08-11 19:55 | pausebreak7 | File Added: error 2.png
2015-08-12 02:46 | Dark Byte | Note Added: 0000832
2015-08-12 09:29 | pausebreak7 | Note Added: 0000833
2015-08-15 21:15 | pausebreak7 | Note Added: 0000837
2015-08-15 23:53 | Dark Byte | Note Added: 0000838
2015-08-16 00:00 | Dark Byte | Note Edited: 0000838
2015-08-16 11:02 | pausebreak7 | File Added: error5.png
2015-08-16 11:06 | pausebreak7 | Note Added: 0000839
2015-08-16 11:30 | Dark Byte | File Added: dbvm9.1.rar
2015-08-16 11:30 | pausebreak7 | Note Added: 0000840
2015-08-16 11:30 | Dark Byte | Note Added: 0000841
2015-08-16 11:31 | Dark Byte | Note Edited: 0000841
2015-08-16 11:39 | pausebreak7 | Note Added: 0000842
2015-08-16 11:50 | pausebreak7 | Note Added: 0000843
2015-08-17 14:28 | pausebreak7 | Note Added: 0000844
2015-08-17 15:14 | pausebreak7 | Note Edited: 0000844
2015-08-17 22:50 | Dark Byte | Note Added: 0000845
2015-08-17 23:00 | pausebreak7 | Note Added: 0000846
2015-08-18 14:28 | pausebreak7 | Note Added: 0000847
2015-08-21 17:49 | pausebreak7 | Note Added: 0000848
2015-08-21 17:49 | pausebreak7 | File Added: sssd.png
2015-08-21 17:54 | pausebreak7 | Note Edited: 0000848
2015-08-26 09:40 | pausebreak7 | Note Added: 0000851
2015-08-26 09:43 | pausebreak7 | Note Edited: 0000851
2015-08-26 10:07 | pausebreak7 | Note Added: 0000852
2015-08-26 10:51 | pausebreak7 | Note Edited: 0000852
2015-08-26 16:57 | pausebreak7 | Note Added: 0000853
2015-08-28 16:58 | pausebreak7 | Note Added: 0000857
2016-02-29 11:30 | Carter Greatshow | Issue cloned: 0000447