Oreans

~~xUrban~~ · 03-08-2010, 02:01 AM

Hello Guys ...

some piece of code in a game has been protected using Oreans's Code Virtualizer or a similar tool, maybe themida's codereplace macro or a similar one .
i would like to know how i can restore virtualized code back to x86 asm instructions.

Thanks To All UC-Forum for Any Help

**Jesus.** · 03-08-2010, 02:11 AM

Follow the mutated headers and rebuild.

~~xUrban~~ · 03-08-2010, 02:22 AM

Thanks But I did not understand ...

You might be a little more clear Thanks alot ^ ^

~~xUrban~~ · 03-14-2010, 05:34 PM

unkonw thanks alot now understand how thanks for helping

**Alkatraz** · 03-14-2010, 07:39 PM

Do a live dump. You'll have enough info to go on

~~xUrban~~ · 03-14-2010, 08:26 PM

yeah thanks alot Alkatraz i understand now how code work after replaced

**Strife** · 03-14-2010, 09:55 PM

Here's a pretty good article that breaks down Code Virtualizer by Oreans.

NOTE: Not sure how up to date it is.

http://tuts4you.com/download.php?view.2640

~~wav~~ · 03-22-2010, 07:55 AM

Dump the vm instructions and match them up to a handler then work through what each handler does to match to x86 opcode.

assuming they aren't encrypted or obstuficated w/e

~~xUrban~~ · 03-26-2010, 04:19 AM

now xD I will rebuild code like UnknowHacker Said

E.T. · 03-31-2010, 10:52 PM

If it's the same one I was dealt with, a trick you can do is break right before the jump that takes you into the virtual machine. After you break there, set a hardware breakpoint on a part of the memory that you know is going to be accessed or modified by the virtualized code and run into the virtual machine. You should break at the raw devirtualized code, which of course you can dump.

However, you must unpack to memory and do this. You can't use a dumped version as the virtual machine will be broken.