2017-07-21 12:56 CEST

View Issue Details

ID: 0000399
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2015-08-28 16:58
Reporter: pausebreak7
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: windows
OS: x64
OS Version:

Summary: 0000399: darkbyte one more question?

Description: VMPROTECT DBVM DETECT BYPASS?

dbvm versions 5~9 always show an error message box

VMPROTECT
Sorry, this application cannot run under a virtual Machine

The new dbvm9 version does not bypass it

Can it ever be bypassed?

Steps To Reproduce: File download link:
https://www.dropbox.com/s/ilop072569dv23a/TEST%20VMPROTECT.zip?dl=0
Tags: No tags attached.
Notes

~0000832

Dark Byte (developer)

Show the source code on how it detects it and I'll look into it.
Without source code I can't help you.

~0000833

pausebreak7 (reporter)

my test vmprotect pack link:
https://www.dropbox.com/s/5yijydzjlxg6qc7/VmProtect.V2.12.3.License.INCLUDED.RETAIL.BY-1ST.rar?dl=0

I do not know the source code for the detection

VMPROTECT will detect that virtual machine

~0000837

pausebreak7 (reporter)

I found via Google search

Found hypervisor detection methods

http://pastebin.com/2gv72r7d

I do not know how to detect vmdisk.img

DBVM virtual machine LOAD ->Packing File Run-> Error Message

DBVM virtual machine Not Load->Packing File Run-> No error Message

Packing File RUN->DBVM Virtual machine Load -> No error message

~0000838

Dark Byte (developer)

Last edited: 2015-08-16 00:00


What CPU do you have? Apparently my test system (i7 920) doesn't have this cpuid feature

Anyhow, if you can compile DBVM (and it's an Intel), go to vmeventhandler.c, find int handleCPUID(VMRegisters *vmregisters)

and after the _cpuid() call add the code:
  if (oldeax==1)
  {
    //remove the hypervisor active bit (bit 31 in ecx); unsigned constant so
    //the shift into bit 31 is well defined
    vmregisters->rcx=vmregisters->rcx & (~(1U << 31));
  }


If it's AMD then you'll have to do some more research on getting it to break on cpuid

~0000839

pausebreak7 (reporter)

My computer: Intel i5 Sandy Bridge

dbvm version 8 vmeventhandler.c edit:

///////////////////////////////
int handleCPUID(VMRegisters *vmregisters)
{
// sendstring("handling CPUID\n\r");

  UINT64 oldeax=vmregisters->rax;

  _cpuid(&(vmregisters->rax),&(vmregisters->rbx),&(vmregisters->rcx),&(vmregisters->rdx));

  if (oldeax==1)
  {
    //remove the hypervisor active bit (bit 31 in ecx); unsigned constant so
    //the shift into bit 31 is well defined
    vmregisters->rcx=vmregisters->rcx & (~(1U << 31));
  }

  /*
  if (oldeax==1)
  {
    //remove vmx capability in ecx
    vmregisters->rcx=vmregisters->rcx & (~(1U << 5)); //set bit 5 to 0
  }*/

  // (rest of the function not pasted here)
//////////////////////////////

Edited dbvm version 8 test: error message, screenshot error5

I don't know what you did. You didn't crash, but you also didn't load sys

Cheat Engine dbvm load fails

dbvm9 version compile? (my test was the dbvm8 version)

~0000840

pausebreak7 (reporter)

My test vmx password was wrong

The code gives no error, but the vmprotect detection is not bypassed

~0000841

Dark Byte (developer)

Last edited: 2015-08-16 11:31


I've uploaded dbvm9 with this modification. Try testing it on an official ce 6.4 release first (And reboot first, perhaps your system is already running under DBVM but it's not visible)

Edit, ah ok. Yeah, I guessed this wasn't it. (It's too easy)

~0000842

pausebreak7 (reporter)

Cheat Engine 6.4 run, dbvm version 9.1 load test
----------------------

vmprotect not bypassed

maybe...
it is detecting a running hypervisor?

~0000843

pausebreak7 (reporter)

I think this is the situation for the detection methods

Examples:
dbvm run -> vmware run error
dbvm no run -> vmware run success

If you are running other virtualization, it is detected

~0000844

pausebreak7 (reporter)

Last edited: 2015-08-17 15:14


Google search

http://artemonsecurity.com/vmde.pdf

page 51: hypervisor detection code

bypass impossible?

is the detected flag that virtualization has been running?

~0000845

Dark Byte (developer)

That pdf only describes how to detect known virtual machines by scanning for the extra features they come with (vga, devices, etc.).

~0000846

pausebreak7 (reporter)

Even a Google search does not know

Check the virtual machine load information

Something about loading at boot detects VT activated

I do not know the solution to this

thank you dark byte

~0000847

pausebreak7 (reporter)

windows 7 x64 intel i5 Sandy Bridge
dbvm version 9 load
fix binding deactivate for children test
////////////////////////////////////
test: cap label click information
DBVM UNLOAD no hypervisor detected 1FBAE3FF
DBVM LOAD no hypervisor detected 17BAE3FF
/////////////////////////////////////////////

The same happened; the cpuid information changes

~0000848

pausebreak7 (reporter)

Last edited: 2015-08-21 17:54


--------------------------------------------------
vmprotect windows 8.1 hypervisor detect

link:

http://vmpsoft.com/forum/viewtopic.php?f=4&t=1481&hilit=hyper

http://vmpsoft.com/forum/viewtopic.php?f=4&t=1474

--------------------------------------------------

vmprotect can crash Windows 8.1 hyper-v

--------------------------------------------------
screenshot sssd.png

vmplayer run -> hyper-v no detect message

vmplayer also writes the virtualization code

But the VMP detection message is not output

cpuid test label:
DBVM UNLOAD no hypervisor detected 1FBAE3FF
vmplay run no hypervisor detected 1FBAE3FF
DBVM LOAD no hypervisor detected 17BAE3FF

~0000851

pausebreak7 (reporter)

Last edited: 2015-08-26 09:43


hmm vmprotect unpack

https://forum.tuts4you.com/topic/30733-vmprotect-ultra-unpacker-10/page-1

----------------------------------------------------------------------------

https://forum.tuts4you.com/topic/33835-vmp-unpack-videeo-by-kge/?hl=vmprotect

http://www.sendspace.com/file/jn8rhb --password:bbs.chinapyg.com

----------------------------------------------------------------------------
Wouldn't the relevant code be detected in the process of unpacking?

When packing a 64-bit program, the message is not output
(64bit cheatengine vmp packing -> vmprotect vt detect no message)
(maybe... a vmprotect bug)

Low versions of VMP unpacked, but have I found the detection code?

the best ideas

Unpacking for days to find the relevant detection code

~0000852

pausebreak7 (reporter)

Last edited: 2015-08-26 10:51


https://tuts4you.com/download.php?view.3432

VMProtect 1.xx - 2.xx Ultra Unpacker v1.0 folder


VMProtect 2.06 -> VMProtector_2.06_unpackme.exe ->dbvm load detect


VMProtect 2.12 -> notepad.vmp.exe ->dbvm load detect

http://www.52pojie.cn/forum.php?mod=viewthread&tid=129047

http://down.52pojie.cn/LCG/Zeus_Tutorial.rar
-------------------------------------------------------------
not tested, cannot unpack the file

If unpacking is not detected, then code analysis on that side?
-------------------------------------------------------------

Tutorial video: cpuid? Modified

What is detected by cpuid?

~0000853

pausebreak7 (reporter)

vmprotect analysis pdf, page 52: cpuid

http://lille1tv.univ-lille1.fr/telecharge.aspx?id=d5b2487e-cacc-4596-ab37-dab2b362cb9e

VM CPUID
There is a special opcode for making the CPUID instruction
Op_01: Value
Save 0x0C on VM_STACK (EBP) for storing eax, ebx, ecx, edx

The PDF is an analysis of VMProtect

~0000857

pausebreak7 (reporter)

wrta sFile2, "CPUID Exsample:"
wrta sFile2, "----------------------------------"
wrta sFile2, "CPUID ; Command of VMP code!Access first and read and note the return values!"
wrta sFile2, "\r\n"
wrta sFile2, "VMP COMMAND xy ; Original VMP command before hooking!"
wrta sFile2, "cmp R32, 01 ; In some cases VMP access the command with conditions!Mostly eax 1!"
wrta sFile2, "je short @PATCH ; If eax 01 then jump to our patch!"
wrta sFile2, "CPUID ; Fill CPUID if you hooked VMP before that command!"
wrta sFile2, "jmp Back to VMP ; Jump to VMP code again after Hook! >>>> A1 <<<<"
wrta sFile2, "@PATCH: ; Your Patch code label!"
wrta sFile2, "mov eax, xxxxxxxx ; Enter value of "eax" after the step over the VMP CPUID!"
wrta sFile2, "mov ecx, xxxxxxxx ; Enter value of "ecx" after the step over the VMP CPUID!"
wrta sFile2, "mov edx, xxxxxxxx ; Enter value of "edx" after the step over the VMP CPUID!"
wrta sFile2, "mov ebx, xxxxxxxx ; Enter value of "ebx" after the step over the VMP CPUID!"
wrta sFile2, "jmp Back to VMP ; Jump to VMP code again after Hook!You can also make a short jump to >>>> A1! <<<<"
wrta sFile2, "\r\n\r\n"
wrta sFile2, "\r\n"
wrta sFile2, "////////////////////"
wrta sFile2, "RDTSC Exsample:"
wrta sFile2, "----------------------------------"
wrta sFile2, "RDTSC ; Command of VMP code!Access first and read and note the return values!"
wrta sFile2, "\r\n"
wrta sFile2, "VMP COMMAND xy ; Original VMP command before hooking!"
wrta sFile2, "RDTSC ; Insert command if needed!"
wrta sFile2, "mov eax, xxxxxxxx ; Enter value of "eax" after the step over the VMP RDTSC!"
wrta sFile2, "mov edx, xxxxxxxx ; Enter value of "edx" after the step over the VMP RDTSC!"
wrta sFile2, "jmp Back to VMP ; Jump to VMP code again after Hook!"
wrta sFile2, "\r\n\r\n"
wrta sFile2, "Just test your dumped file under VM with a other OS and check whether it's needed to patch CPUID & RDTSC!"
wrta sFile2, "Note that you will have problems with that if VMP used also CRC checks on that VMP addresses!"
wrta sFile2, "Just play a little with that till you got some success or till you failed!"
wrta sFile2, "\r\n"
wrta sFile2, "So I hope that you have understand the exsamples above!"
wrta sFile2, "\r\n"
wrta sFile2, "----------------------------------"
wrta sFile2, "LCF-AT"


cpuid eax,ebx,ecx,edx -> ORIGINAL value
cpuid eax,ebx,ecx,edx -> DBVM LOAD value

cpuid data difference?

and is an rdtsc (read time-stamp counter) dbvm check possible?

------------------------------------------------
I do not know any more information, so I give up

When the time comes I'll try once again

thank you darkbyte

have a good day
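The two CPUID.1:ECX values posted in the notes above (1FBAE3FF with DBVM unloaded, 17BAE3FF with DBVM loaded) can be compared bit by bit to see what actually changed. The following is an added example, not DBVM or Cheat Engine code: the bit names are taken from the Intel SDM's CPUID leaf 1 table, and the mask function repeats what the patched handleCPUID() does to RCX.

```c
/* Added example (not DBVM/Cheat Engine code): show which CPUID.(EAX=1):ECX
 * bits differ between two captured values, and apply the same bit-31 mask
 * the patched handleCPUID() uses. Input values are the ones in the thread. */
#include <stdint.h>
#include <stdio.h>

/* Selected CPUID.1:ECX bit positions (Intel SDM vol. 2, CPUID). */
#define ECX_VMX        5   /* VMX (Intel VT-x) supported */
#define ECX_OSXSAVE    27  /* OS has enabled XSAVE via CR4.OSXSAVE */
#define ECX_HYPERVISOR 31  /* "hypervisor present", reserved by Intel */

static const char *ecx_bit_name(int bit)
{
    switch (bit) {
    case ECX_VMX:        return "VMX";
    case ECX_OSXSAVE:    return "OSXSAVE";
    case ECX_HYPERVISOR: return "HYPERVISOR";
    default:             return "other";
    }
}

/* Same operation as the patched handleCPUID(): clear bit 31 of the guest's
 * RCX. A 64-bit mask leaves bits 32..63 alone (CPUID zeroes them anyway). */
uint64_t clear_hypervisor_bit(uint64_t rcx)
{
    return rcx & ~((uint64_t)1 << ECX_HYPERVISOR);
}

/* Print every bit that differs between two ECX values and return the XOR,
 * so the caller can tell whether bit 31 or something else changed. */
uint32_t diff_cpuid1_ecx(uint32_t ecx_a, uint32_t ecx_b)
{
    uint32_t delta = ecx_a ^ ecx_b;
    for (int bit = 0; bit < 32; bit++) {
        if (delta & ((uint32_t)1 << bit))
            printf("bit %2d (%s): %u -> %u\n", bit, ecx_bit_name(bit),
                   (ecx_a >> bit) & 1u, (ecx_b >> bit) & 1u);
    }
    return delta;
}

int main(void)
{
    /* constructed from the values posted in the thread */
    uint32_t delta = diff_cpuid1_ecx(0x1FBAE3FFu, 0x17BAE3FFu);
    printf("bit 31 among the differences: %s\n",
           (delta >> ECX_HYPERVISOR) & 1u ? "yes" : "no");
    return 0;
}
```

For the thread's two values the only differing bit is 27 (OSXSAVE), and bit 31 is clear in both, which matches the "no hypervisor detected" label shown in the notes.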

Issue History
Date Modified Username Field Change
2015-08-11 19:54 pausebreak7 New Issue
2015-08-11 19:54 pausebreak7 File Added: error.png
2015-08-11 19:55 pausebreak7 File Added: error 2.png
2015-08-12 02:46 Dark Byte Note Added: 0000832
2015-08-12 09:29 pausebreak7 Note Added: 0000833
2015-08-15 21:15 pausebreak7 Note Added: 0000837
2015-08-15 23:53 Dark Byte Note Added: 0000838
2015-08-16 00:00 Dark Byte Note Edited: 0000838 View Revisions
2015-08-16 11:02 pausebreak7 File Added: error5.png
2015-08-16 11:06 pausebreak7 Note Added: 0000839
2015-08-16 11:30 Dark Byte File Added: dbvm9.1.rar
2015-08-16 11:30 pausebreak7 Note Added: 0000840
2015-08-16 11:30 Dark Byte Note Added: 0000841
2015-08-16 11:31 Dark Byte Note Edited: 0000841 View Revisions
2015-08-16 11:39 pausebreak7 Note Added: 0000842
2015-08-16 11:50 pausebreak7 Note Added: 0000843
2015-08-17 14:28 pausebreak7 Note Added: 0000844
2015-08-17 15:14 pausebreak7 Note Edited: 0000844 View Revisions
2015-08-17 22:50 Dark Byte Note Added: 0000845
2015-08-17 23:00 pausebreak7 Note Added: 0000846
2015-08-18 14:28 pausebreak7 Note Added: 0000847
2015-08-21 17:49 pausebreak7 Note Added: 0000848
2015-08-21 17:49 pausebreak7 File Added: sssd.png
2015-08-21 17:54 pausebreak7 Note Edited: 0000848 View Revisions
2015-08-26 09:40 pausebreak7 Note Added: 0000851
2015-08-26 09:43 pausebreak7 Note Edited: 0000851 View Revisions
2015-08-26 10:07 pausebreak7 Note Added: 0000852
2015-08-26 10:51 pausebreak7 Note Edited: 0000852 View Revisions
2015-08-26 16:57 pausebreak7 Note Added: 0000853
2015-08-28 16:58 pausebreak7 Note Added: 0000857
2016-02-29 11:30 Carter Greatshow Issue cloned: 0000447