12-05-2019, 05:17 AM
CodeRipper
Oreans UnVirtualizer

Oreans UnVirtualizer v1.8 by Deathway
It is hard to find targets for which this Olly plugin works

The Oreans VM section has an empty name "":
Memory map, item 25
Address=00EFF000
Size=00220000 (2228224.)
Owner=LOTOdemo 00400000
Section=
Type=Imag 01001002
Access=R
Initial access=RWE

So the first thing to do is search for VM jumps in the code section:
In the Olly code section, right-click and choose Orean Unvirtualizer -> Find references
As VM Start, enter the Oreans VM section address from above = 00EFF000
As VM Size, enter the Oreans VM section size = 00220000
After pressing OK, it should find the Oreans Virtual Machine References

We have two more options after the "Find references" command:
1. Unvirtualize No Jmp Alt+U
2. Unvirtualize With Jmp Alt+I
These refer to the way the unvirtualized instructions are assembled;
the recommended one is 1. Unvirtualize No Jmp Alt+U

So this is how we unvirtualize:
On the Oreans Virtual Machine References list, choose a VM jump,
right-click on it and choose Follow Enter,
and that address should be displayed in the code window.
Now we right-click the address in the code window
and do Orean Unvirtualizer -> Unvirtualize No Jmp Alt+U.
Then a new text window appears (notepad Cisc_UV_dump.txt) containing the unvirtualized instructions,
and the plugin also asks for an Unvirtualized First Memory Address
- this is the address of the REAL first instruction in notepad Cisc_UV_dump.txt

ENTRY POINT:
00FCD78E PUSH DWORD PTR [ESP]
00FCD790 MOV EAX,DWORD PTR [ESP]
00FCD7A7 ADD ESP,0x4
00FCD7CE ADD ESP,0x4

00FCD81E PUSH EBP
00FCD825 MOV EBP,ESP
00FCD842 MOV ECX,0x6

Here the Unvirtualized First Memory Address is 00FCD81E,
right after the second ADD ESP,0x4

It must be said that finding the real first address is a bit tricky:
if you see a call to the code section, we know for sure that this is a good address, such as:
00FDB9A4 CALL 0x40149c
00FDB6C9 ADD ESP,0x4
00FDB6F3 ADD ESP,0x4

00FDB713 MOV ECX,DWORD PTR [ESP]
00FDB726 PUSH EDI
00FDB731 MOV EDI,ESP
00FDB747 ADD EDI,0x4
00FDB794 ADD EDI,0x4
00FDB7CD PUSH DWORD PTR [ESP]
00FDB7CF MOV DWORD PTR [ESP],EDI
00FDB818 POP EDI
00FDB82A MOV ESP,DWORD PTR [ESP]
00FDB849 MOV EDX,DWORD PTR [ESP]
00FDB861 PUSH ESI
00FDB879 MOV ESI,ESP
00FDB88E ADD ESI,0x4
00FDB8F2 ADD ESI,0x4
00FDB939 PUSH DWORD PTR [ESP]
00FDB93B MOV DWORD PTR [ESP],ESI
00FDB98E POP ESI
00FDB992 MOV ESP,DWORD PTR [ESP]
00FDB9A4 CALL 0x40149c
// This time the real address is 00FDB9A4

@Label_00FDB9D4
00FDBA04 AND EAX,0x80000000
00FDBA3F CMP EAX,0x80000000
00FDBAA4 JMP 0x407ade
00407AE1 8B0C24 MOV ECX,DWORD PTR SS:[ESP]
00407AE4 57 PUSH EDI
00407AE5 89E7 MOV EDI,ESP
00407AE7 83C7 04 ADD EDI,0x4
00407AEA 83C7 04 ADD EDI,0x4
00407AED FF3424 PUSH DWORD PTR SS:[ESP]
00407AF0 893C24 MOV DWORD PTR SS:[ESP],EDI
00407AF3 5F POP EDI
00407AF4 8B2424 MOV ESP,DWORD PTR SS:[ESP]
00407AF7 8B1424 MOV EDX,DWORD PTR SS:[ESP]
00407AFA 56 PUSH ESI
00407AFB 89E6 MOV ESI,ESP
00407AFD 83C6 04 ADD ESI,0x4
00407B00 83C6 04 ADD ESI,0x4
00407B03 FF3424 PUSH DWORD PTR SS:[ESP]
00407B06 893424 MOV DWORD PTR SS:[ESP],ESI
00407B09 5E POP ESI
00407B0A 8B2424 MOV ESP,DWORD PTR SS:[ESP]
00407B0D E8 8A99FFFF CALL 0040149C
00407B12 25 00000080 AND EAX,0x80000000
00407B17 3D 00000080 CMP EAX,0x80000000
00407B1C ^ EB C0 JMP SHORT 00407ADE

This time the real address is 00407B0D

We can also check whether the unvirtualized code is right by placing the unvirtualized code starting from
the "VM jump" address; you should see whether it matches until you fill out perfectly where the last jump leads
(JMP SHORT 00407ADE): 00407ADE would be the end of the restored instructions.
But this will only check whether the size of the instructions matches!
Unvirtualized code will always end with a jump: a jump back to the code section from the Oreans VM.
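As an added example (not from the post or the plugin), here is a small Python script that does the size check described above mechanically: it parses an OllyDbg-style listing, verifies that each instruction ends exactly where the next one begins, and checks that the E8 CALL and EB JMP SHORT displacements really land on the targets Olly printed. The listing is the one quoted above; the script, its heuristic for splitting opcode bytes from the mnemonic, and the function names are my own.

```python
import re
# Constructed sample: the listing quoted above, in OllyDbg's "addr  bytes  mnemonic" layout.
LISTING = """\
00407AE1 8B0C24 MOV ECX,DWORD PTR SS:[ESP]
00407AE4 57 PUSH EDI
00407AE5 89E7 MOV EDI,ESP
00407AE7 83C7 04 ADD EDI,0x4
00407AEA 83C7 04 ADD EDI,0x4
00407AED FF3424 PUSH DWORD PTR SS:[ESP]
00407AF0 893C24 MOV DWORD PTR SS:[ESP],EDI
00407AF3 5F POP EDI
00407AF4 8B2424 MOV ESP,DWORD PTR SS:[ESP]
00407AF7 8B1424 MOV EDX,DWORD PTR SS:[ESP]
00407AFA 56 PUSH ESI
00407AFB 89E6 MOV ESI,ESP
00407AFD 83C6 04 ADD ESI,0x4
00407B00 83C6 04 ADD ESI,0x4
00407B03 FF3424 PUSH DWORD PTR SS:[ESP]
00407B06 893424 MOV DWORD PTR SS:[ESP],ESI
00407B09 5E POP ESI
00407B0A 8B2424 MOV ESP,DWORD PTR SS:[ESP]
00407B0D E8 8A99FFFF CALL 0040149C
00407B12 25 00000080 AND EAX,0x80000000
00407B17 3D 00000080 CMP EAX,0x80000000
00407B1C ^ EB C0 JMP SHORT 00407ADE
"""

def parse_listing(text):
    """Return [(address, encoded_bytes, mnemonic)]; the mnemonic starts at the first token
    that is not an even-length hex group (heuristic that fits Olly's layout; '^' marks a backward jump)."""
    rows = []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        raw, i = b"", 1
        while i < len(tok) and (tok[i] == "^" or re.fullmatch(r"(?:[0-9A-F]{2})+", tok[i])):
            raw += b"" if tok[i] == "^" else bytes.fromhex(tok[i])
            i += 1
        rows.append((int(tok[0], 16), raw, " ".join(tok[i:])))
    return rows

def check_layout(rows):
    """Check each instruction ends where the next starts and that E8/EB branches
    (CALL rel32 / JMP SHORT rel8) reach the operand Olly printed. Returns (ok, end)."""
    ok, end = True, None
    for i, (addr, raw, mnem) in enumerate(rows):
        end = addr + len(raw)  # address of the byte after this instruction
        if i + 1 < len(rows) and rows[i + 1][0] != end:
            ok = False  # gap or overlap: the reassembled sizes do not line up
        if raw[:1] in (b"\xE8", b"\xEB"):
            disp = int.from_bytes(raw[1:], "little", signed=True)
            ok &= end + disp == int(mnem.split()[-1], 16)
    return ok, end
```

For the quoted listing the check passes and the end address is 00407B1E, i.e. 0x3D bytes after 00407AE1; dropping or adding a single byte anywhere in the dump makes it fail.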