The Oreans (Themida/Winlicense) VM antidumps.
quosego
October 6, 2009
Intro;
The virtual machine of any Oreans-protected application usually tries to prevent itself from running
inside a dumped application. It does so with antidumps: small pieces of code that try to detect
whether you are running a protected application or an unprotected one. This code always resides in
the VM, which makes it very hard to analyze. Usually, however, the code checks for values somewhere
in memory that get wiped when you dump an application, and these checks then end up in the
familiar access violations. When a value is available, when the application is unprotected, the
antidump code compares it against a stored value, and if the two differ it tries to disrupt the
program (quite often successfully). Another, more recent method is the checking of API locations in
memory: an API's address or data is compared against stored values.
In this tutorial I will attempt to explain all known antidumps fully. Using new techniques I can now
present all antidumps fully devirtualised. I will, however, not tell you easy methods to defeat
them; that is something you can now do yourself. Consider that the antidumps were first defeated
without knowing the actual ASM code; doing it with the information in this tutorial should be easy.
General idea of antidumps;
Antidumps attempt to detect whether a program was dumped or is being run on a different computer.
Many things differ between a dumped application and a protected one: the stack is no longer the
same, the heap has been wiped, and perhaps you have changed the PE header. Each of these variables
is semi-randomly checked by the Themida VM to see whether it is still the same as defined by the
protection. You will notice these antidumps immediately after you dump an application.
Some, however, do not show and are only revealed when your dump runs on a different OS. This is
due to the checking of APIs: API locations can differ between operating systems, and the VM checks
for such differences once dumped. The API locations stored by the VM are updated every time you
run the protected application, so they are no problem for protected apps.
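To make the two kinds of check described above concrete, here is an added example that is not code from the original tutorial or from Oreans: a small C model of an antidump check that compares a live in-memory PE header and an API address against values the protection stored earlier. The PE32 field offsets (e_lfanew at 0x3C, ImageBase and SizeOfImage at 52 and 80 bytes past the "PE\0\0" signature) are the real layout; the header image, the stored values, the addresses and the function names are constructed for this example. A NULL image models a region the dump no longer has mapped, which the real VM turns into an access violation, and `record_api_location` models the VM refreshing its stored API address on every protected run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result bits returned by antidump_check(). */
#define AD_OK      0x0
#define AD_MISSING 0x1  /* checked region not mapped: a real VM hits an AV here */
#define AD_HEADER  0x2  /* a PE header field differs from the stored copy */
#define AD_API     0x4  /* API location differs from the value stored on the last run */

/* Values the protection recorded at protect time / on the last protected run.
   Constructed for this example; the real VM keeps its own encoded copies. */
struct stored_values {
    uint32_t  e_lfanew;
    uint32_t  image_base;
    uint32_t  size_of_image;
    uintptr_t api_location;
};

/* Real PE32 offsets: e_lfanew in the DOS header, ImageBase and SizeOfImage
   relative to the "PE\0\0" signature (24-byte COFF part + optional header). */
#define OFF_E_LFANEW      0x3C
#define OFF_IMAGE_BASE    52
#define OFF_SIZE_OF_IMAGE 80

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Compare the live header and API address against the stored values.
   image == NULL models a region that a dump no longer has mapped. */
unsigned antidump_check(const uint8_t *image, size_t len, uintptr_t live_api,
                        const struct stored_values *s)
{
    unsigned r = AD_OK;
    if (image == NULL || len < OFF_E_LFANEW + 4)
        return AD_MISSING;
    uint32_t e_lfanew = rd32(image + OFF_E_LFANEW);
    if ((size_t)e_lfanew + OFF_SIZE_OF_IMAGE + 4 > len)
        return AD_MISSING;
    const uint8_t *pe = image + e_lfanew;
    if (e_lfanew != s->e_lfanew
        || memcmp(pe, "PE\0\0", 4) != 0
        || rd32(pe + OFF_IMAGE_BASE) != s->image_base
        || rd32(pe + OFF_SIZE_OF_IMAGE) != s->size_of_image)
        r |= AD_HEADER;
    if (live_api != s->api_location)
        r |= AD_API;
    return r;
}

/* Build a constructed minimal PE32 header image (only the fields checked). */
void build_header(uint8_t *buf, size_t len, uint32_t size_of_image)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + OFF_E_LFANEW, 0x80);
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x80 + 24] = 0x0B; buf[0x80 + 25] = 0x01;  /* optional header magic 0x10B (PE32) */
    wr32(buf + 0x80 + OFF_IMAGE_BASE, 0x00400000);
    wr32(buf + 0x80 + OFF_SIZE_OF_IMAGE, size_of_image);
}

/* On a protected run the VM refreshes the stored API location. */
void record_api_location(struct stored_values *s, uintptr_t live_api) {
    s->api_location = live_api;
}

/* Scenario: the protected image passes; a dump whose header was rebuilt by
   the dumper (different SizeOfImage) fails the header check; the same dump
   on an OS where the API lives elsewhere also fails the API check. */
unsigned scenario(int dumped, int other_os)
{
    uint8_t img[256];
    struct stored_values s = { 0x80, 0x00400000, 0x1A000, 0 };
    uintptr_t api_here = 0x7C80A000;                   /* constructed address */
    record_api_location(&s, api_here);                 /* last protected run */
    build_header(img, sizeof img, dumped ? 0x1C000 : 0x1A000);
    uintptr_t live = other_os ? 0x77E40000 : api_here; /* constructed address */
    return antidump_check(img, sizeof img, live, &s);
}

int main(void)
{
    printf("protected:            0x%x\n", scenario(0, 0));
    printf("dumped:               0x%x\n", scenario(1, 0));
    printf("dumped on another OS: 0x%x\n", scenario(1, 1));
    printf("region wiped:         0x%x\n", antidump_check(NULL, 0, 0, NULL));
    return 0;
}
```

The model makes the two failure modes on the page visible: a missing region is reported before any value is read (the real VM simply faults there), while a present-but-different value is reported as a mismatch, which is the case the VM answers by disrupting the program.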