Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV)

Posted: March 10, 2012 in Oreans UnVirtualizer ODBG Plug-in

Author : Deathway (Lo*eXeTools*rd)

This tool helps convert VirtualOpcodes -> Assembly Instructions, restoring the original code of your virtualized application. The basic engine was from CodeUnvirtualizer, my other tool.

– Supports WinLicense/Themida/CodeVirtualizer CISC machines
– Supports almost all common opcodes
– Supports MultiBranch Tech

– Right-click on the jump leading to the Virtual Machine Area and press Unvirtualize (if the machine isn’t found, you have to click again after checking that the full machine was correctly deobfuscated)

– Fixed Unvirtualize with Jump on CISC machines
– Fixed some errors when handling signed constants on RISC
– Fixed an issue when processing the MOVS instruction on CISC machines
– Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI)
– Fixed a problem when handling AH CH DH BH registers on COMM2 instructions
– Added MOVSX – MOVZX – XCHG – IMUL – MUL – DIV – IDIV – PUSHFD – POPFD instructions on RISC
– Added CALL [ESP+IMMC] on CISC machines
– Added support of dump files on RISC machines
– OreansAssember_Risc.cfg updated
– DLL Support on CISC and RISC machines

There is a fix regarding RISC machines: if you unvirtualized the opcodes, there is a high chance that you obtained the inverted form of these opcodes, COMM REGX,REGX (like XOR EDI,ESI decoded as XOR ESI,EDI). This error is fixed in the latest version.

DLL support is now available; however, RISC machines must be initialized first (not a problem, since RISC machines are always encrypted).

On both machines, it’s recommended to devirtualize once the EIP reaches the OEP.

Thanks to Deathway for sharing his plugin.

Download here:

