Oreans UnVirtualizer

Oreans UnVirtualizer v1.8 by Deathway
It is hard to find targets for which this Olly plugin works

The Oreans VM section has an empty name "":
Memory map, item 25
 Size=00220000 (2228224.)
 Owner=LOTOdemo 00400000
 Type=Imag 01001002
 Initial access=RWE

So the first thing to do is to search for VM jumps in the code section:
In the Olly code section, right click and choose Orean Unvirtualizer -> Find references.
As VM Start enter the address of the Oreans VM section shown above = 00EFF000
As VM Size enter the size of the Oreans VM section = 00220000
After pressing OK it should find the Oreans Virtual Machine References.

We have two more options after the "Find references" command:
1. Unvirtualize No Jmp  Alt+U
2. Unvirtualize With Jmp  Alt+I
These refer to the way the unvirtualized instructions are assembled;
the recommended one is 1. Unvirtualize No Jmp  Alt+U

So this is how we unvirtualize:
In the Oreans Virtual Machine References list choose a VM jump,
right click on it and choose Follow Enter,
and that address should be displayed in the code window;
now we right click the address in the code window
and do Orean Unvirtualizer -> Unvirtualize No Jmp  Alt+U.
Then a new text window appears (notepad Cisc_UV_dump.txt) containing the unvirtualized instructions, and it also asks for an Unvirtualized First Memory Address
- this is the address of the REAL first instruction in notepad Cisc_UV_dump.txt

    00FCD7A7    ADD ESP,0x4
    00FCD7CE    ADD ESP,0x4

    00FCD81E    PUSH EBP
    00FCD825    MOV EBP,ESP
    00FCD842    MOV ECX,0x6

Here the Unvirtualized First Memory Address is 00FCD81E,
right after the second ADD ESP,0x4

It must be said that finding the real first address is a bit tricky;
if you see a call to the code section we know for sure that this is the good address, called like:
    00FDB9A4    CALL 0x40149c

    00FDB6C9    ADD ESP,0x4
    00FDB6F3    ADD ESP,0x4

    00FDB726    PUSH EDI
    00FDB731    MOV EDI,ESP
    00FDB747    ADD EDI,0x4
    00FDB794    ADD EDI,0x4
    00FDB818    POP EDI
    00FDB861    PUSH ESI
    00FDB879    MOV ESI,ESP
    00FDB88E    ADD ESI,0x4
    00FDB8F2    ADD ESI,0x4
    00FDB939    PUSH DWORD PTR [ESP]
    00FDB98E    POP ESI
    00FDB9A4    CALL 0x40149c
// This time the real address is 00FDB9A4

    00FDBA04    AND EAX,0x80000000
    00FDBA3F    CMP EAX,0x80000000
    00FDBAA4    JMP 0x407ade


00407AE1    8B0C24          MOV ECX,DWORD PTR SS:[ESP]
00407AE4    57              PUSH EDI
00407AE5    89E7            MOV EDI,ESP
00407AE7    83C7 04         ADD EDI,0x4
00407AEA    83C7 04         ADD EDI,0x4
00407AED    FF3424          PUSH DWORD PTR SS:[ESP]
00407AF0    893C24          MOV DWORD PTR SS:[ESP],EDI
00407AF3    5F              POP EDI
00407AF4    8B2424          MOV ESP,DWORD PTR SS:[ESP]
00407AF7    8B1424          MOV EDX,DWORD PTR SS:[ESP]
00407AFA    56              PUSH ESI
00407AFB    89E6            MOV ESI,ESP
00407AFD    83C6 04         ADD ESI,0x4
00407B00    83C6 04         ADD ESI,0x4
00407B03    FF3424          PUSH DWORD PTR SS:[ESP]
00407B06    893424          MOV DWORD PTR SS:[ESP],ESI
00407B09    5E              POP ESI
00407B0A    8B2424          MOV ESP,DWORD PTR SS:[ESP]
00407B0D    E8 8A99FFFF     CALL 0040149C
00407B12    25 00000080     AND EAX,0x80000000
00407B17    3D 00000080     CMP EAX,0x80000000
00407B1C  ^ EB C0           JMP SHORT 00407ADE

This time the real address is 00407B0D

We can also check whether the unvirtualized code is right by placing the unvirtualized code starting from
the "VM jump" address; you should see whether it fits perfectly up to where the last jump leads
(JMP SHORT 00407ADE): 00407ADE would be the end of the restored instructions.
But this will only check whether the size of the instructions matches!
Unvirtualized code will always end with a jump: the jump back to the code section from the Oreans VM.
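An added example (not part of the post or of Deathway's plugin) that automates the two checks described above in Python: picking the Unvirtualized First Memory Address from a Cisc_UV_dump.txt listing by the post's two rules (a CALL into the code section, otherwise the first instruction after the leading ADD ESP,0x4 lines), and verifying that a restored Olly listing is byte-contiguous and that its E8/EB branch displacements really lead to the printed targets. The image base and VM section start are the values quoted in the post; the sample listings are copied from it and the regexes are assumptions about the two text formats.

```python
import re
# Image base and VM section start quoted in the post; sample input constructed from its listings.
IMAGE_BASE, VM_START = 0x00400000, 0x00EFF000
DUMP_A = """00FCD7A7    ADD ESP,0x4
00FCD7CE    ADD ESP,0x4
00FCD81E    PUSH EBP"""
DUMP_B = """00FDB6C9    ADD ESP,0x4
00FDB6F3    ADD ESP,0x4
00FDB726    PUSH EDI
00FDB9A4    CALL 0x40149c"""
OLLY_LISTING = """00407B0A    8B2424          MOV ESP,DWORD PTR SS:[ESP]
00407B0D    E8 8A99FFFF     CALL 0040149C
00407B12    25 00000080     AND EAX,0x80000000
00407B17    3D 00000080     CMP EAX,0x80000000
00407B1C  ^ EB C0           JMP SHORT 00407ADE"""
DUMP_RE = re.compile(r'^([0-9A-F]{8})\s+(\S.*)$')            # Cisc_UV_dump.txt: address, mnemonic
OLLY_RE = re.compile(r'^([0-9A-F]{8})\s+\^?\s*([0-9A-F]{2}(?: ?[0-9A-F]{2})*)\s{2,}(.+)$')
TARGET_RE = re.compile(r'\b(?:0x)?([0-9A-Fa-f]{6,8})\b')     # branch target in the operand

def in_code_section(addr):
    # The post's rule: a target inside the module but below the VM section is real code.
    return IMAGE_BASE <= addr < VM_START

def first_real_address(dump_text):
    # Post's heuristics: a CALL into the code section is certain; otherwise take the
    # first instruction after the leading ADD ESP,0x4 clean-up lines.
    dump = [(int(m[1], 16), m[2].strip()) for m in map(DUMP_RE.match, dump_text.splitlines()) if m]
    for addr, mnem in dump:
        t = TARGET_RE.search(mnem)
        if mnem.startswith('CALL') and t and in_code_section(int(t[1], 16)):
            return addr
    return next((addr for addr, mnem in dump if mnem != 'ADD ESP,0x4'), None)

def check_listing(text):
    # Check an Olly listing is byte-contiguous and that E8/EB displacements agree with the
    # printed targets; return (total_size_in_bytes, target_of_the_final_short_jump).
    rows = [(int(m[1], 16), bytes.fromhex(m[2].replace(' ', '')), m[3].strip())
            for m in map(OLLY_RE.match, text.splitlines()) if m]
    exit_target = None
    for i, (addr, code, mnem) in enumerate(rows):
        nxt = addr + len(code)
        if i + 1 < len(rows) and rows[i + 1][0] != nxt:
            raise ValueError(f'gap after {addr:08X}: next instruction should be at {nxt:08X}')
        if code[0] in (0xE8, 0xEB):                      # CALL rel32 / JMP SHORT rel8
            disp = int.from_bytes(code[1:], 'little', signed=True)
            target = (nxt + disp) & 0xFFFFFFFF
            if target != int(TARGET_RE.search(mnem)[1], 16):
                raise ValueError(f'{addr:08X}: encoded target {target:08X} differs from listing')
            exit_target = target if code[0] == 0xEB else exit_target
    return rows[-1][0] + len(rows[-1][1]) - rows[0][0], exit_target
```

For the listing above this reports 0x14 bytes of restored code ending in a jump to 00407ADE, the same size check the post describes, plus confirmation that the CALL really reaches 0040149C.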
