x64dbgbot
@x64dbgbot
<Matti> whether you need ultimate depends on whether you need to support license keys basically I think
<Matti> for obfuscation or anti-debugging there's no difference
<Matti> tbh for most companies I know, that really isn't much
<TomieKawakami> @Matti https://disk.yandex.com/d/Dqk1qhxj6YV6cQ 🙂 the crackme sample xD that I made.. pass: test
<Matti> ok
<Matti> for scyllahide, could you make an issue please?
<TomieKawakami> v3 and v2... the VMProtect version is there.. maybe you can compare why it didn't work
<TomieKawakami> on v2
<TomieKawakami> sure sure
<Matti> otherwise I will lose track
<Matti> there's also an open one for v3 I think
<Matti> so that'll be interesting
<TomieKawakami> done
<Matti> thanks!
<the_janitor> @Matti if it helps troubleshooting: SharpOD works fine with any vmp 3+ that i had to deal with
<Matti> oh
<Matti> thanks, but I just looked at the VMP 3 issue and I doubt it'll be needed
<Matti> it's made by a guy who sometimes makes uh, rather... quirky bug reports/issues
<Matti> I don't know how else to describe it
<Matti> and insists on using ollydbg, which is fine I guess but I'm personally not super interested in maintaining support for it
<Matti> I try to fix bugs if they're reported but that's basically it
<Matti> in this case it's almost certainly something ollydbg is doing that x64dbg users don't have problems with
<the_janitor> I see... wow, OllyDbg, guess 32-bit is still alive and kicking
<Matti> yeah heh
<Matti> I wonder what he does when he needs to debug a 64 bit program?
<Matti> maybe he just runs a 32 bit OS
<Matti> that would solve that issue
<TomieKawakami> I tried all the VMP3 leaks on the internet for educational purposes.. xD all of them beaten by Scylla. Kinda strange when VMProtect says you can do user mode or kernel mode or both when doing anti-debug.. how do they do kernel mode? Do they need their own .sys for that to happen? I don't know if usermode can detect kernel. Or maybe I misunderstand what it means.
<Matti> what they mean by that is that they provide detection of both usermode and kernelmode debuggers
<Matti> which is true, and you can choose which (if any) you want to enable detection for
<Matti> but it's not really very useful because (A) most people don't debug programs with a kernel debugger, and (B) if you have a kernel debugger attached you control the entire system, so 'defeating' VMProtect at that point isn't really an achievement, just a bit tedious
<Matti> what they also do though, and as far as I know they are the only commercial protector to do this, is protect kernel mode drivers
<Matti> meaning a .sys and not .dll/.exe
<Matti> there is also an anti debug for that mode, and it's a bit harder to defeat because VMP is now also running in kernel mode
<Matti> but overall it is still pretty easy to bypass
<TomieKawakami> That's interesting
<Matti> oh yea
<Matti> forgot to answer this
<Matti> > To happen. I don't know if usermode can detect kernel.
<Matti> you can detect a kernel debugger from user mode via a few ways
<Matti> but the most commonly used by far is NtQuerySystemInformation(SystemKernelDebuggerInformation)
<Matti> which basically just tells you if a kernel debugger is attached
<Matti> but - if you're attached with a kernel debugger, you can just edit that function to return a value that says there's no debugger
<Matti> so you can see how it's sort of pointless to try this from user mode
<Matti> when VMP is running in kernel mode too, it has access to a lot more of the information the kernel exports that it can use to do debugger detection
<Matti> plus of course the normal extra privileges you get in kernel mode compared to user
<Matti> but it doesn't really do a lot of interesting stuff with that anti-debug wise
<Matti> hypervisor detection though... that's different
<TomieKawakami> 🙏 for the knowledge. That was awesome