Jump to content
Tuts 4 You

VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture

BlackHat

By BlackHat
in Reverse Engineering Articles

 Share

Recommended Posts

  • 3 weeks later...
deepzero

deepzero

Posted
Posted

So has anyone gotten this (vmemu) to work with real vmp2 files? Always crashes for me trying to create a trace.

I'll compile it myself and look into the crash later.

 

_xeroxz

_xeroxz

Posted
Posted (edited)
  On 6/10/2021 at 2:55 PM, deepzero said:

So has anyone gotten this (vmemu) to work with real vmp2 files? Always crashes for me trying to create a trace.

I'll compile it myself and look into the crash later.

 

Expand  

fixed in v1.7 https://githacks.org/vmp2/vmemu/-/releases/v1.7 (make sure your commandline arguments are also correct)... Also be aware that vmemu currently does NOT support dumped modules as it uses LoadLibraryExA - DONT_RESOLVE_DLL_REFERENCES to load the module... 

Support for dumped modules will come very shortly, as well as an auto unpacking/drag & drop project.

Edited by _xeroxz
  • Like 7
BlackHat

BlackHat

Posted
  • Author
Posted
  On 6/13/2021 at 5:41 AM, _xeroxz said:

fixed in v1.7 https://githacks.org/vmp2/vmemu/-/releases/v1.7 (make sure your commandline arguments are also correct)... Also be aware that vmemu currently does NOT support dumped modules as it uses LoadLibraryExA - DONT_RESOLVE_DLL_REFERENCES to load the module... 

Support for dumped modules will come very shortly, as well as an auto unpacking/drag & drop project.

Expand  

Loved Your work. ❤️ You are Marvelous.

  • Thanks 1
  • 2 weeks later...
  • 1 month later...
_xeroxz

_xeroxz

Posted
Posted (edited)

auto unpacker (really just a dumper that uses unicorn-engine and automates the process, this has been done a thousand times) for usermode vmp2 bins as of this commit: https://githacks.org/vmp2/vmemu/-/commit/3c08edac2c4c452f0c50080eb0d801331f7ce4f6

The unpacker does not recover the original entry point, its simply just a way for me to statically decrypt/unpack all sections in a standardized way so that you can run VMEmu upon the module. I fix sections (set raw ptr/size equal to virtual rva/virtual size) and append relocation blocks and relocation entries for relocations not declared in the relocation directory. A "dump" is pretty subjective term so the need for this auto unpacker/dumper was clear.

I also recoded VMEmu entirely (https://githacks.org/vmp2/vmemu/-/blob/3c08edac2c4c452f0c50080eb0d801331f7ce4f6/src/vmemu_t.cpp) as the older code was very incorrect. Such things as the virtual JMP instruction can change virtual machine handler tables if the binary has more than a single virtual machine. This caused crashing. This is fixed now. Here is an example of what im talking about though: 

======================== [JMP #12] ========================
> 0x00007FF70775ECA5 mov esi, [rbp]
> 0x00007FF70775ECAE add rbp, 0x08
> 0x00007FF7077659EF lea r12, [0x00007FF7077AB900] <-- vm handler table
> 0x00007FF7077659F9 mov rax, 0x100000000
> 0x00007FF707765A08 add rsi, rax
> 0x00007FF707765A0F mov rbx, rsi
> 0x00007FF707765A1B add rsi, [rbp]

======================== [JMP #26] ========================
> 0x00007FF70774EF41 mov esi, [rbp]
> 0x00007FF70775CE38 add rbp, 0x08
> 0x00007FF707737355 lea r12, [0x00007FF707740E7D] <-- vm handler table
> 0x00007FF70773735E mov rax, 0x100000000
> 0x00007FF70773736D add rsi, rax
> 0x00007FF707737376 mov rbx, rsi
> 0x00007FF70773737F add rsi, [rbp]

Im now preparing to lift to llvm-ir and I have removed VTIL as I dont see a clear path forward using VTIL to get back to native x86_64. I am making steps to do entire module devirtualization and not just a single virtual routine. Ive written the code/algos to locate all virtual machine handler tables and all vm enters. You can find them here:

https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmlocate.cpp#L5

https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmlocate.cpp#L130

I have added a new flag "--locateconst" which will first locate every single vm enter and then run vmemu upon it to statically decrypt all virtual instructions. It will then loop over the virtual instruction code blocks for each virtual instruction and try and find any virtual instructions with an operand that matches the constant value you specified. This is really useful for locating math primes/relative virtual addresses and such... great for attacking.

 

Lastly, I rewrote the deadstore removal algo so that it produces much cleaner output. This algo will only work on vm arch related code such as vm handlers/vm_entry/calc_jmp as these are all linear and dont have any real JCC's.

https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmutils.cpp#L161

Edited by _xeroxz
  • Like 5
  • 2 weeks later...
  • 4 weeks later...
_xeroxz

_xeroxz

Posted
Posted (edited)

https://githacks.org/vmp2/vmdevirt

vmdevirt lifts vmp IL generated by vmemu to llvm ir which can then be optimized and compiled back to native instructions. I have released a pretty rough/early version of EasyAntiCheat devirtualized here: https://www.unknowncheats.me/forum/anti-cheat-bypass/468099-easyanticheat-sys-devirtualized-version-1-optimizations.html

 

The goal  has been to generate semantically correct native so that you can execute the binary... here is hello world devirtualized: https://githacks.org/-/snippets/45

 

If you have any input/suggestions for llvm you can reply or email me at _xeroxz@back.engineer

P.S vmdevirt will also be used for vmp3 as the lifters/profiles are pretty much the same. All I need to do to support vmp3 is to recode some of vmemu...

Edited by _xeroxz
  • Like 4
  • Thanks 3
BlackHat

BlackHat

Posted
  • Author
Posted
  On 9/5/2021 at 8:59 PM, _xeroxz said:

https://githacks.org/vmp2/vmdevirt

vmdevirt lifts vmp IL generated by vmemu to llvm ir which can then be optimized and compiled back to native instructions. I have released a pretty rough/early version of EasyAntiCheat devirtualized here: https://www.unknowncheats.me/forum/anti-cheat-bypass/468099-easyanticheat-sys-devirtualized-version-1-optimizations.html

 

The goal  has been to generate semantically correct native so that you can execute the binary... here is hello world devirtualized: https://githacks.org/-/snippets/45

 

If you have any input/suggestions for llvm you can reply or email me at _xeroxz@back.engineer

P.S vmdevirt will also be used for vmp3 as the lifters/profiles are pretty much the same. All I need to do to support vmp3 is to recode some of vmemu...

Expand  

Your work is super impressive. Kudos to You. 

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...