Hi, as promised, here is a little tool that will help to reverse the CodeVirtualizer and the ThemIDA /WinLicense Virtual Machine
Must Remark , is a BETA, it suppors almost no opcodes, MultibranchSystem is not well implemented, but the handler deofuscation is, also there is a small engine that help to recognize the Iat position with the Handler ID
Information
- if you want a full diagnosis of a specific handler, chnage Diagnosis_Handler_Number on the ini file (read number as decimal)
- if Dump Virtual Machine doesn't fail it generates two txt files
. LogMatchIatData.txt conatins IAT with corresponding Handler ID
. LogVMData.txt contains decrypted data
- if GetVirtualOpcodes doesn't fail it generates two txt files
. LogVirtualOpcode.txt Contains the sequence of decrypted handlers id
. LogDumpedSyntax.txt contains the hnalderids in 'readable code'
- OreansSyntax.cfg contains the information to convert from ID to CVSyntax
GEtVirtualOpcode will fail if you didn't executed first DumpVirtualMachine(coz it reads LogMatchIatData.txt)
v0.2
Little Update, deofucation system improved, also now support some MultiBranch System, OreansSyntax improved, Virtual Opcode reader stops at handler end
Also added a help�r txt(CV_Syntax.txt) if you want to add more syntaxes (This is a referential file, is not readed by the application)
v0.3
- Virtual Opcode now detects labels and registers
- OreansSyntax.cfg Updated with common operations
- Now you can setup the number of handlers according to your VM
- VM Identify database is from 1.9.9.0(Themida) on newer version it can mismatch, but can be easily replaced with the corresponding handlers
发表于 2011-3-11 02:12
发表于 2011-3-11 20:59
