Skip to content

Latest commit

 

History

History
96 lines (55 loc) · 3.57 KB

README.md

File metadata and controls

96 lines (55 loc) · 3.57 KB

exploringVMP

temp location for sharing cool discoveries made while researching VMP [VMProtect 3.6 Ultimate DEMO]

02/12/2024 - at this rate I won't be sharing stuff so i'm just braindumping it... files are messes

uses pefile and iced_x86

  • there are patterns you can make to find instructions that correspond to push someEncryptedAddr, call vmenter.

    • you can check if they're valid by confirming you can use the offset to calculate the address that corresponds to the push someEncryptedAddr portion (see image below in the section "Statically obtaining valid addresses for 'VM enter' and decrypting them.")
  • also applicable to the decryption routine used to calculate location of the next starting point of the bytecode and location of table containing handlers

same_binary_recompiled.zip - each binary is the same: provide 2 numbers and youll get output of secret1: secret2: (dont remember but i think secret2 is addition LOL)

MUST READ

VMProtect

VMs

stuff

made use of my tool

Statically obtaining valid addresses for 'VM enter' and decrypting them.

image

image

no obvious relationships...

  • no effect on read direction of bytecode
  • doesn't affect if push/ret or jmp qword ptr
  • only the DWORD portion of the addresses are used

image

'scan' for 20 byte patterns that fit the requirement of:

push <encrypted_addr>
call vm_enter_fn

image

Bytecode addresses scattered all around

image

image

image

image

image

Anti-disassembly tricks

this was one of the coolest things i saw (each binary seems to have a couple of these grouped together near the end)

image

after manually re-analyzing

image