Can't find marker in golang Binary

Issues related to VMProtect
Post Reply
andyco
Posts: 16
Joined: Mon Jan 03, 2022 10:20 am

Can't find marker in golang Binary

Post by andyco »

Since there is no official SDK example for golang, I studied it and found that it was feasible.

HWID and serial information can be successfully detected through CGO, but Marker cannot be detected by VMP.

After adding C.VMProtectBeginUltra(C.CString("protect") to my other project, Marker can be detected, but Marker's name cannot be recognized, and the content that needs to be protected cannot be detected.

Code: Select all

package main

// #include <stdbool.h>
// #include <stdlib.h>
// #include "VMProtectSDK.h"
// #cgo LDFLAGS: -L . -lVMProtectSDK
import "C"

import (
	"fmt"
	"unsafe"
)

func main() {
	Cprotect := C.CString("protect")
	defer C.free(unsafe.Pointer(Cprotect))
	//it's not work
	C.VMProtectBeginUltra(Cprotect)
	serial := "CMQz+nTnrgqB4OUBXAwCT9k40JM5qqVCQFSD4IAqega6C3KPidYeqE3iuVNelEbYYykEl2eTrzbjU424kGAsCz+Y478jMVfco6gVWoWDd+FwZrRU06dWdhkBzvzsVxnHmtdpN9An7pKEvH4RCEyqcc19WjBgas4TlSjOBUjXNMtx9txsGVev06nmgOUhx9gELi6R/e9xDMqhnK5Ys58jh52xTjuWUtw58qtRlJyMAnE4YSC8YRH4awnnkOAOFsRqpwMJB2uRIgHjfdkhd5JFUDU1UHFFH8ASZ0w1ti464OSybPB9AmlP+2L/1+ZonvkID3bjHIHPG2Tr55BGE0nxDQ=="
	nSize := C.VMProtectGetCurrentHWID(nil, 0)
	hw := new(C.char)
	C.VMProtectGetCurrentHWID(hw, nSize)
	hwid := C.GoString(hw)
	Cserial := C.CString(serial)
	defer C.free(unsafe.Pointer(Cserial))
	kstate := C.VMProtectSetSerialNumber(Cserial)
	var sd C.VMProtectSerialNumberData
	C.VMProtectGetSerialNumberData(&sd, C.sizeof_VMProtectSerialNumberData)
	var user string
	for _, v := range sd.wUserName {
		if v != 0 {
			user += string(v)
		}
	}
	//it's work
	fmt.Println("HWID: ", hwid)
	//it's work
	fmt.Println("Is Protected: ", C.VMProtectIsProtected())
	//it's work
	fmt.Println(kstate)
	//it's work
	fmt.Println(user)
	C.VMProtectEnd()
	return
}
1.png
1.png (625.72 KiB) Viewed 3941 times
1.png
1.png (625.72 KiB) Viewed 3941 times
Attachments
2.png
2.png (123.19 KiB) Viewed 3941 times
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: Can't find marker in golang Binary

Post by Admin »

Unfortunately VMProtect doesn't support binaries compiled with trash compilers like Golang, etc.
andyco
Posts: 16
Joined: Mon Jan 03, 2022 10:20 am

Re: Can't find marker in golang Binary

Post by andyco »

Admin wrote:Unfortunately VMProtect doesn't support binaries compiled with trash compilers like Golang, etc.
Hello, admin, I just buy VMProtect Ultimate v3.6.0.1410 today.
After a few days of research, I solved the compatibility of some VMProtect with Golang.
Now VMProtect can recognize the addresses of VMProtectBegin and VMProtectEnd.
However, MarkerName are not recognized, and VMProtectDecryptStringA is doesn't work .
Can solve the problem of protecting Golang?
Other functions seem to be feasible, but I'm not sure. please help me check the Virtualization and Mutation ,Has it played a protect role?
Below are unprotected programs, Mach-o and PE.
NoVMP.zip
(2.95 MiB) Downloaded 176 times
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: Can't find marker in golang Binary

Post by Admin »

I have already wrote that VMProtect doesn't support Golang. Look at this:

Code: Select all

000000014008E7E9	lea rax, [00000001400C53DF] → string "marker"
000000014008E7F0	mov ebx, 00000007
000000014008E7F5	call 000000014008E100 → VMProtect.CString
000000014008E7FA	call 000000014008F278 → VMProtectBeginUltra
000000014008E7FF	lea rax, [00000001400C66BE] → string "DecryptString"
000000014008E806	mov ebx, 0000000E
000000014008E80B	call 000000014008E100 → VMProtect.CString
000000014008E810	call 000000014008F2A0 → VMProtectDecryptStringA
VMProtect doesn't know what happens here:

Code: Select all

000000014008E7F0	mov ebx, 00000007
000000014008E7F5	call 000000014008E100 → VMProtect.CString
So it doesn't see strings "marker" and "DecryptString"
andyco
Posts: 16
Joined: Mon Jan 03, 2022 10:20 am

Re: Can't find marker in golang Binary

Post by andyco »

Okay, I see. Golang call C and needs to be converted many times, but it doesn't matter. Can code virtualization work?
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: Can't find marker in golang Binary

Post by Admin »

Can code virtualization work?
I don't know because Golang is very strange compiler.
andyco
Posts: 16
Joined: Mon Jan 03, 2022 10:20 am

Re: Can't find marker in golang Binary

Post by andyco »

Thank you for your answer. If possible, I hope it will be compatible in the future.
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: Can't find marker in golang Binary

Post by Admin »

We have no such plans.
andyco
Posts: 16
Joined: Mon Jan 03, 2022 10:20 am

Re: Can't find marker in golang Binary

Post by andyco »

update

After some code modify,use some alternative methods of golang,
Now golang is basically compatible with VMP.
MarkerName and string for VMProtectDecryptString can be detected.
After tested,VMProtectDecryptString is work,string is encrypted.
The PE compiled by w64-mingw32 is work,
but mach-o compiled by apple clang 13 also can't detect the MarkerName and string for VMProtectDecryptString.
I will try the GCC for test.
1.png
1.png (1.43 MiB) Viewed 3225 times
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: Can't find marker in golang Binary

Post by Admin »

Please attach the mach-o binary.
andyco
Posts: 16
Joined: Mon Jan 03, 2022 10:20 am

Re: Can't find marker in golang Binary

Post by andyco »

Admin wrote:Please attach the mach-o binary.
golang.zip
(1.2 MiB) Downloaded 210 times
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: Can't find marker in golang Binary

Post by Admin »

The calling convention is wrong for mach-o:

Code: Select all

000000000408E2C0	lea rcx, [00000000040A89D7] → string "DecryptString"
000000000408E2C7	mov [rax], rcx
000000000408E2CA	call 000000000408ED8C → _VMProtectDecryptStringA
The first parameter for API must be RDI instead of RCX.
Post Reply