x64dbgbot
@x64dbgbot
<Matti> ok
<Matti> for scyllahide, could you make an issue please?
<TomieKawakami> v3 and v2 ... vmprotect version is there.. maybe you can compare why it didn't work
<TomieKawakami> on v2
<TomieKawakami> sure sure
<Matti> otherwise I will lose track
<Matti> there's also an open one for v3 I think
<Matti> so that'll be interesting
<TomieKawakami> done
<Matti> thanks!
<the_janitor> @Matti if it helps troubleshooting: SharpOD works fine with any vmp 3+ that I had to deal with
<Matti> oh
<Matti> thanks, but I just looked at the VMP 3 issue and I doubt it'll be needed
<Matti> it's made by a guy who sometimes makes uh, rather... quirky bug reports/issues
<Matti> I don't know how else to describe it
<Matti> and insists on using ollydbg, which is fine I guess but I'm personally not super interested in maintaining support for it
<Matti> I try to fix bugs if they're reported but that's basically it
<Matti> in this case it's almost certainly something ollydbg is doing that x64dbg users don't have problems with
<the_janitor> I see... wow ollydbg, guess 32b is still alive and kicking
<Matti> yeah heh
<Matti> I wonder what he does when he needs to debug a 64 bit program?
<Matti> maybe he just runs a 32 bit OS
<Matti> that would solve that issue
<TomieKawakami> I tried all vmp3 leaked on the internet for educational purposes..xD all of them beaten by Scylla. Kinda strange when vmprotect says you can do user mode or kernel mode or both when doing anti dbg.. how do they do kernel mode? Do they need their own sys for that to happen? I don't know if usermode can detect kernel. Or maybe I misunderstand what it means.
<Matti> what they mean by that is that they provide detection of both usermode and kernelmode debuggers
<Matti> which is true, and you can choose which (if any) you want to enable detection for
<Matti> but it's not really very useful because (A) most people don't debug programs with a kernel debugger, and (B) if you have a kernel debugger attached you control the entire system, so 'defeating' VMProtect at that point isn't really an achievement, just a bit tedious
<Matti> what they also do though, and as far as I know they are the only commercial protector to do this, is protect kernel mode drivers
<Matti> meaning a .sys and not .dll/.exe
<Matti> there is also an anti debug for that mode, and it's a bit harder to defeat because VMP is now also running in kernel mode
<Matti> but overall it is still pretty easy to bypass
<TomieKawakami> That's interesting
<Matti> oh yea
<Matti> forgot to answer this
<Matti> > To happen. I don't know if usermode can detect kernel.
<Matti> you can detect a kernel debugger from user mode via a few ways
<Matti> but the most commonly used by far is NtQuerySystemInformation(SystemKernelDebuggerInformation)
<Matti> which basically just tells you if a kernel debugger is attached
<Matti> but - if you're attached with a kernel debugger, you can just edit that function to return a value that says there's no debugger
<Matti> so you can see how it's sort of pointless to try this from user mode
<Matti> when VMP is running in kernel mode too, it has access to a lot more of the information the kernel exports that it can use to do debugger detection
<Matti> plus of course the normal extra privileges you get in kernel mode compared to user
<Matti> but it doesn't really do a lot of interesting stuff with that anti-debug wise
<Matti> hypervisor detection though... that's different
<TomieKawakami> 🙏 for the knowledge. That was awesome
<mrfearless> x64dbg/x64dbg#2764
<mrfearless> lol nice
<Matti> haha