FreePascal map file bug

Issues related to VMProtect
Coldzer0
Posts: 7
Joined: Tue Dec 27, 2022 9:19 pm

FreePascal map file bug

Post by Coldzer0 »

Hello,

I just got my license yesterday, and I was testing the map file feature but noticed something weird.

VMProtect reads only 1 instruction from some functions.
All these functions are "assembler" functions with "nostackframe".

As you can see in this screenshot, the function size is 0x40 in the map file, and I confirm it in the debugger.
But VMProtect reads only 1 instruction (2 bytes) and not the full 0x40.

Image
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: FreePascal map file bug

Post by Admin »

Please notice that VMProtect gets only addresses and symbol names from the MAP file and doesn't use other information like unit name, function size, etc.
Coldzer0
Posts: 7
Joined: Tue Dec 27, 2022 9:19 pm

Re: FreePascal map file bug

Post by Coldzer0 »

Admin wrote: Please notice that VMProtect gets only addresses and symbol names from the MAP file and doesn't use other information like unit name, function size, etc.

But the function has more instructions, and VMP identifies only 1 instruction.

If I add anything before the first jmp it will detect it, but anything after the jmp will not get detected.

Here's a test function

Code:

function ASMTestFunc() : DWORD; stdcall; assembler; nostackframe;
asm
  jmp @_push_rcx_
@_push_rdx_:
  push rdx
  jmp @_push_r8_
@_push_rcx_:
  push rcx
  jmp @_push_rdx_
@_push_r9_:
  push r9
  jmp @_push_end_
@_push_r8_:
  push r8
  jmp @_push_r9_
@_push_end_:
  mov rcx, 0xDEADBEEF
  jmp @_pop_r9_
@_pop_rdx_:
  pop rdx
  jmp @_pop_rcx_
@_pop_r8_:
  pop r8
  jmp @_pop_rdx_
@_pop_r9_:
  pop r9
  jmp @_pop_r8_
@_pop_rcx_:
  pop rcx
  jmp @_pop_end_
@_pop_end_:
  mov rax, 0xDEADC0DE
end;

Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg
Contact:

Re: FreePascal map file bug

Post by Admin »

You have to remove all forward JUMPs because they look like optimized calls to other functions, so VMProtect didn't process them.

Something like this:

Code:

asm
  push rcx
  push rdx
  push r8
  push r9
  mov rcx, 0xDEADBEEF
  pop r9
  pop r8
  pop rdx
  pop rcx
  mov rax, 0xDEADC0DE
end;

Anyway, all instructions except "mov rax, 0xDEADC0DE" are useless.
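
An added illustration of the function-boundary problem discussed in this thread; it is not part of any post and is not VMProtect's code. The bytes are a constructed, hand-assembled imitation of the test function, and both function names are hypothetical: `stop_at_jump` models the tail-call assumption described in the reply above, while `follow_in_bounds` shows what a trusted function size would allow.

```python
# Constructed sample: hand-assembled x86-64 bytes imitating the thread's
# jmp-chained push/pop test function. Not taken from a real binary.
CODE = bytes.fromhex(
    "eb03" "52" "eb03"   # 0: jmp 5     2: push rdx   3: jmp 8
    "51" "ebfa"          # 5: push rcx  6: jmp 2
    "5a" "59"            # 8: pop rdx   9: pop rcx
    "b8dec0adde" "c3"    # 10: mov eax, 0xDEADC0DE    15: ret
)

def decode(code, off):
    # Decode one instruction of the small opcode subset used in CODE.
    # Returns (length, mnemonic, jump target or None).
    op = code[off]
    if op == 0xEB:                                    # jmp rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return 2, "jmp", off + 2 + rel
    if 0x50 <= op <= 0x57: return 1, "push", None
    if 0x58 <= op <= 0x5F: return 1, "pop", None
    if 0xB8 <= op <= 0xBF: return 5, "mov", None      # mov r32, imm32
    if op == 0xC3: return 1, "ret", None
    raise ValueError(f"opcode {op:#x} at offset {off} is outside the demo subset")

def stop_at_jump(code, start):
    # Assumed heuristic: only the start address is known, so the first
    # unconditional jmp is treated as a tail call that ends the function.
    found, off = [], start
    while off < len(code):
        length, mnem, _ = decode(code, off)
        found.append(off)
        if mnem in ("jmp", "ret"):
            break
        off += length
    return found

def follow_in_bounds(code, start, size):
    # With a trusted size, follow jmps whose target stays inside
    # [start, start + size); targets outside that range are not explored.
    seen, work = set(), [start]
    while work:
        off = work.pop()
        if off in seen or not start <= off < start + size:
            continue
        seen.add(off)
        length, mnem, target = decode(code, off)
        if mnem == "jmp":
            work.append(target)
        elif mnem != "ret":
            work.append(off + length)
    return sorted(seen)
```

On the constructed bytes, `stop_at_jump(CODE, 0)` finds a single 2-byte instruction, matching what the first post reports, while `follow_in_bounds(CODE, 0, len(CODE))` reaches all nine instructions.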
Coldzer0
Posts: 7
Joined: Tue Dec 27, 2022 9:19 pm

Re: FreePascal map file bug

Post by Coldzer0 »

Admin wrote: You have to remove all forward JUMPs because they look like optimized calls to other functions, so VMProtect didn't process them.

Something like this:

Code:

asm
  push rcx
  push rdx
  push r8
  push r9
  mov rcx, 0xDEADBEEF
  pop r9
  pop r8
  pop rdx
  pop rcx
  mov rax, 0xDEADC0DE
end;

Anyway, all instructions except "mov rax, 0xDEADC0DE" are useless.

I know that, but I want the JMPs in the code.
But thanks for the info, I will use the clear version then.