
[v83] UPX packing guide?

Initiate Mage
Joined
Apr 6, 2020
Messages
1
Reaction score
0
Hi guys,
I am pretty new. I managed to set up a basic v83 server using HeavenMS within my own network. :) yay - it was pretty straightforward and I appreciate the time people put into these projects.

I want to distribute my exe to my computer savvy friends but it looks like localhost.exe is being flagged as a trojan by Windows Defender (false positive) and gets quarantined.

I used UPX to get around this issue and Windows Defender is now fine with the exe as long as it is packed.
However, now the exe won't launch. I tried with different packers but same results.

I understand using UPX would probably increase the detection in other virus programs - however, I just want to get around Windows Defender; detection by other virus programs is not as important for me.

Is there something unique about the v83 localhost that makes UPX not work on it?
 
Custom Title Activated
Loyal Member
Joined
Jan 18, 2010
Messages
3,109
Reaction score
1,139
I explained the reasoning behind this stuff in some other thread quite some time ago because of the concerns people were having. Basically, clients like v55/v62/v75/v83/v90 that we call "localhosts" are applications that were unpacked and tampered with in order to run. Since these clients were originally packed, they still contain their Themida segments and have some adjustments in order to reconstruct the IAT. Furthermore, it is still detected as a "packed PE" even though it isn't, and some of the imports (the IAT) are missing. As a result, the application gets flagged as a false positive by your anti-virus; you could say they aren't big fans of unpacked and altered software.

Now it should be noted that the localhosts we have here are done by various people. The first localhosts like v62 were reversed by kiki, followed by Spudgy for v83, and then Hendi for v90. While localhosts like v62 may have been packed by Themida, I forget whether it even contained a VM at the time. However, clients like v83 and v90 both contain heavier and heavier virtualization. The difference between v83 and v90, however, is that in v90 Hendi had completely devirtualized the client and cleaned up all of the Themida protection. If you look at v83 more closely, you'll notice that the code still remains virtualized, and that it was altered/bypassed within the VM itself.

So why won't re-packing your client with UPX work? Your client contains functions that were virtualized with Themida that need to jump out to a code VM segment. When you pack the client again, you're basically obfuscating code that is already protected by Themida, and therefore it's unable to execute. This is an issue specifically with v83 because v90 was fully devirtualized and the v62/v75 clients were too. As for old clients like v55 and below, they weren't protected with Themida so re-packing them wouldn't be a problem (assuming they were at least unpacked properly to begin with).

Your best bet is to simply filter the localhost on Windows Defender because it really is just a false positive. You can make it ignore the localhost and allow it rather than continue to delete it each time. That, or try a version like v62/v75/v90 which have clients that were properly unpacked and devirtualized.
 
Upvote 0
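To make the "packed PE" heuristics in the post above concrete, here is a small added Python check (not code from the thread or from any client project). It parses a PE header with the standard library, reports an empty import directory and near-random (high-entropy) sections, and includes a constructed minimal PE32 builder purely as test input; the section names and threshold of 7.0 bits/byte are assumptions for the illustration.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means compressed/encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(blob: bytes):
    """Return (import_rva, import_size, [(section name, entropy), ...]) for a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]                 # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", blob, pe + 6)[0]             # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]         # COFF SizeOfOptionalHeader
    opt = pe + 24                                                 # optional header start
    dd = opt + (96 if struct.unpack_from("<H", blob, opt)[0] == 0x10B else 112)  # PE32 vs PE32+
    import_rva, import_size = struct.unpack_from("<II", blob, dd + 8)  # data directory entry 1
    sections = []
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), entropy(blob[raw_ptr:raw_ptr + raw_size])))
    return import_rva, import_size, sections

def packer_indicators(blob: bytes) -> list:
    """Two 'packed PE' heuristics: no import directory, and sections of near-random bytes."""
    import_rva, import_size, sections = parse_pe(blob)
    hits = []
    if import_rva == 0 or import_size == 0:
        hits.append("no import directory (IAT missing or stripped)")
    hits += [f"high-entropy section {n} ({e:.2f} bits/byte)" for n, e in sections if e > 7.0]
    return hits

def build_sample_pe(sections, import_dir=(0, 0)) -> bytes:
    """Constructed minimal PE32 test image (not a client, not loadable): name/bytes pairs."""
    hdr_end = 0x40 + 24 + 224 + 40 * len(sections)
    raw_base = (hdr_end + 0x1FF) & ~0x1FF                        # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", *import_dir) + b"\0" * 112
    table, body, ptr, rva = b"", b"", raw_base, 0x1000
    for name, data in sections:
        size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, size, ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(size, b"\0")
        ptr, rva = ptr + size, rva + ((len(data) + 0xFFF) & ~0xFFF)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + body
```

Run `packer_indicators(open("localhost.exe", "rb").read())` on a real file to see which of the two heuristics fire; an unpacked-but-not-cleaned client typically trips both, which is why it looks "packed" to a scanner even though it isn't.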
Newbie Spellweaver
Joined
Nov 15, 2022
Messages
25
Reaction score
10
Any guide here on how to devirtualize the exe? Is it done through an OllyDbg plugin or some other hacking tool?
You can try searching for them, but AFAIK currently there aren't any publicly available resources for devirtualizing Themida.
You can try fiddling with generic devirtualizers (like VMAttack) but I doubt you'll get much out of them.

There is NoVmp for VMProtect devirtualization, which looks great.
It is based on the VTIL library, which you can probably use to write a devirtualizer.
 
Upvote 0