<Matti> for obfuscation or anti-debugging there's no difference
<Matti> tbh for most companies I know, that really isn't much
<TomieKawakami> @Matti https://disk.yandex.com/d/Dqk1qhxj6YV6cQ 🙂 the crack me sample xD that i made .. pass: test
<Matti> ok
<Matti> for scyllahide, could you make an issue please?
<TomieKawakami> v3 and v2 ... vmprotect version is there.. maybe u can compare why it dint work
<TomieKawakami> on v2
<TomieKawakami> sure sure
<Matti> otherwise I will lose track
<Matti> there's also an open one for v3 I think
<Matti> so that'll be interesting
<TomieKawakami> done
<Matti> thanks, but I just looked at the VMP 3 issue and I doubt it'll be needed
<Matti> it's made by a guy who sometimes makes uh, rather... quirky bug reports/issues
<Matti> I don't know how else to describe it
<Matti> and insists on using ollydbg, which is fine I guess but I'm personally not super interested in maintaining support for it
<Matti> I try to fix bugs if they're reported but that's basically it
<Matti> in this case it's almost certainly something ollydbg is doing that x64dbg users don't have problems with
<Matti> yeah heh
<Matti> I wonder what he does when he needs to debug a 64 bit program?
<Matti> maybe he just runs a 32 bit OS
<Matti> that would solve that issue
<TomieKawakami> I tried all vmp3 leaked on the internet for educational purposes..xD all of them beaten by Scylla. Kinda strange when vmprotect says u can do user mode or kernel mode or both when doing anti dbg.. how do they do kernel mode? Do they need their own sys for that? To happen. I don't know if usermode can detect kernel. Or maybe i miss understand what it means.
<Matti> which is true, and you can choose which (if any) you want to enable detection for
<Matti> but it's not really very useful because (A) most people don't debug programs with a kernel debugger, and (B) if you have a kernel debugger attached you control the entire system, so 'defeating' VMProtect at that point isn't really an achievement, just a bit tedious
<Matti> what they also do though, and as far as I know they are the only commercial protector to do this, is protect kernel mode drivers
<Matti> meaning a .sys and not .dll/.exe
<Matti> there is also an anti debug for that mode, and it's a bit harder to defeat because VMP is now also running in kernel mode
<Matti> forgot to answer this
<Matti> > To happen. I don't know if usermode can detect kernel.
<Matti> you can detect a kernel debugger from user mode via a few ways
<Matti> but the most commonly used by far is
NtQuerySystemInformation(SystemKernelDebuggerInformation)
<Matti> which basically just tells you if a kernel debugger is attached
<Matti> but - if you're attached with a kernel debugger, you can just edit that function to return a value that says there's no debugger
<Matti> so you can see how it's sort of pointless to try this from user mode
<Matti> plus of course the normal extra privileges you get in kernel mode compared to user
<Matti> but it doesn't really do a lot of interesting stuff with that anti-debug wise
<Matti> hypervisor detection though... that's different
<TomieKawakami> 🙏 for the knowledge. That was awesome