Hi, as promised, here is a little tool that will help to reverse the CodeVirtualizer and the Themida/WinLicense Virtual Machine.
I must remark that it is a BETA: it supports almost no opcodes and MultiBranchSystem is not well implemented, but the handler deobfuscation is. There is also a small engine that helps to recognize the IAT position with the Handler ID.
Information
- if you want a full diagnosis of a specific handler, change Diagnosis_Handler_Number in the ini file (the number is read as decimal)
- if Dump Virtual Machine doesn't fail it generates two txt files
. LogMatchIatData.txt contains the IAT with the corresponding Handler ID
. LogVMData.txt contains decrypted data
- if GetVirtualOpcodes doesn't fail it generates two txt files
. LogVirtualOpcode.txt contains the sequence of decrypted handler IDs
. LogDumpedSyntax.txt contains the handler IDs in 'readable code'
- OreansSyntax.cfg contains the information to convert from ID to CVSyntax
Limitations (for now)
- MultiBranchSystem engine may fail
- Some sequences may be wrongly deobfuscated
- OreansSyntax.cfg is poorly developed
- Stops at any unknown opcode
- FakeOpcodes is not implemented yet
GetVirtualOpcode will fail if you didn't execute DumpVirtualMachine first (coz it reads LogMatchIatData.txt)
Bug reports and suggestions are welcome
have fun :P
Little update: deobfuscation system improved, also now supports some MultiBranch System, OreansSyntax improved, Virtual Opcode reader stops at handler end
http://www.sendspace.com/file/86684o
Don't know why I can't update.
Also added a helper txt (CV_Syntax.txt) if you want to add more syntaxes (this is a reference file, it is not read by the application)