Author : Deathway (Lo*eXeTools*rd)
This tool will help conversion VirtualOpcodes -> Assembly Instruction restoring the original code of your virtualized Application, the basic engine
was from CodeUnvirtualizer, my other tool
[Features]
– Supports WinLicense/Themida/CodeVirtualizer Cisc Machines
– Supports almost all common opcodes
– Supports CHECK_MACRO_PROTECTION
– Supppots MultiBranch Tech
[Use]
– Right-click on the jump leading to the Virtual Machine Area and press Unvirtualize (If machine isn’t found you have to click again, after checking that the full machine was correctly deofuscated)
[v1.5]
– Fixed Unvirtualize with Jump on CISC machines
– Fixed some errors when handling signed constants on RISC
– Fixed an issue when processing MOVS instrution on CISC machine
– Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI)
– Fixed a problem when handling AH CH DH BH registers on COMM2 instructions
– Added MOVSX – MOVZX – XCHG – IMUL – MUL – DIV – IDIV – PUSHFD – POPFD instructions on RISC
– Added CALL [ESP+IMMC] on Cisc Machine
– Added support of dump files on RISC machines
– OreansAssember_Risc.cfg updated
– DLL Support on CISC and RISC machines
There is a fix regarding Risc machines, if you unvirtualized the opcodes, there is a high chance that you obtain the inversed form of this opcodes COMM REGX,REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI). This errrors is fixed on the latest version
DLL support is now avaible, however Risc machines must be initialized first (not a problem, since risc machines are always encrypted).
On both machines, it’s recommended the devirtualization once the eip reach the oep.
Thanks Deathway for sharing his plugin.
Download here:
0day in {REA_TEAM} 