Featured Replies

  • 3 weeks later...

So has anyone gotten this (vmemu) to work with real vmp2 files? Always crashes for me trying to create a trace.

I'll compile it myself and look into the crash later.

 

On 6/10/2021 at 7:55 AM, deepzero said:

So has anyone gotten this (vmemu) to work with real vmp2 files? Always crashes for me trying to create a trace.

I'll compile it myself and look into the crash later.

 

Fixed in v1.7 https://githacks.org/vmp2/vmemu/-/releases/v1.7 (make sure your command-line arguments are also correct)... Also be aware that vmemu currently does NOT support dumped modules, as it uses LoadLibraryExA with DONT_RESOLVE_DLL_REFERENCES to load the module...

Support for dumped modules will come very shortly, as well as an auto unpacking/drag & drop project.

Edited by _xeroxz

  • Author
On 6/13/2021 at 11:11 AM, _xeroxz said:

Fixed in v1.7 https://githacks.org/vmp2/vmemu/-/releases/v1.7 (make sure your command-line arguments are also correct)... Also be aware that vmemu currently does NOT support dumped modules, as it uses LoadLibraryExA with DONT_RESOLVE_DLL_REFERENCES to load the module...

Support for dumped modules will come very shortly, as well as an auto unpacking/drag & drop project.

Loved your work. ❤️ You are marvelous.

  • 2 weeks later...

VMProtect 2 - Part Two, Complete Static Analysis

https://back.engineering/21/06/2021/

Edited by deepzero

  • 1 month later...

Auto unpacker (really just a dumper that uses unicorn-engine and automates the process; this has been done a thousand times) for usermode vmp2 bins as of this commit: https://githacks.org/vmp2/vmemu/-/commit/3c08edac2c4c452f0c50080eb0d801331f7ce4f6

The unpacker does not recover the original entry point; it's simply a way for me to statically decrypt/unpack all sections in a standardized way so that you can run VMEmu upon the module. I fix sections (set raw ptr/size equal to virtual RVA/virtual size) and append relocation blocks and relocation entries for relocations not declared in the relocation directory. A "dump" is a pretty subjective term, so the need for this auto unpacker/dumper was clear.

I also recoded VMEmu entirely (https://githacks.org/vmp2/vmemu/-/blob/3c08edac2c4c452f0c50080eb0d801331f7ce4f6/src/vmemu_t.cpp) as the older code was very incorrect. Such things as the virtual JMP instruction can change virtual machine handler tables if the binary has more than a single virtual machine. This caused crashing. This is fixed now. Here is an example of what I'm talking about though:

======================== [JMP #12] ========================
> 0x00007FF70775ECA5 mov esi, [rbp]
> 0x00007FF70775ECAE add rbp, 0x08
> 0x00007FF7077659EF lea r12, [0x00007FF7077AB900] <-- vm handler table
> 0x00007FF7077659F9 mov rax, 0x100000000
> 0x00007FF707765A08 add rsi, rax
> 0x00007FF707765A0F mov rbx, rsi
> 0x00007FF707765A1B add rsi, [rbp]

======================== [JMP #26] ========================
> 0x00007FF70774EF41 mov esi, [rbp]
> 0x00007FF70775CE38 add rbp, 0x08
> 0x00007FF707737355 lea r12, [0x00007FF707740E7D] <-- vm handler table
> 0x00007FF70773735E mov rax, 0x100000000
> 0x00007FF70773736D add rsi, rax
> 0x00007FF707737376 mov rbx, rsi
> 0x00007FF70773737F add rsi, [rbp]

I'm now preparing to lift to llvm-ir and I have removed VTIL as I don't see a clear path forward using VTIL to get back to native x86_64. I am making steps to do entire module devirtualization and not just a single virtual routine. I've written the code/algos to locate all virtual machine handler tables and all vm enters. You can find them here:

https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmlocate.cpp#L5

https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmlocate.cpp#L130

I have added a new flag "--locateconst" which will first locate every single vm enter and then run vmemu upon it to statically decrypt all virtual instructions. It will then loop over the virtual instruction code blocks for each virtual instruction and try to find any virtual instructions with an operand that matches the constant value you specified. This is really useful for locating math primes/relative virtual addresses and such... great for attacking.

 

Lastly, I rewrote the dead-store removal algo so that it produces much cleaner output. This algo will only work on vm arch related code such as vm handlers/vm_entry/calc_jmp as these are all linear and don't have any real JCCs.

https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmutils.cpp#L161

Edited by _xeroxz
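The section fix and relocation repair described in this post, as an added example (not vmemu's own code): a minimal PE32+ memory dump is constructed inline, fix_sections() sets each section's raw pointer/size to its RVA/virtual size, and append_relocs() encodes fixups that are not yet declared in the relocation directory as IMAGE_BASE_RELOCATION blocks placed directly after it. The sample image, its layout and the list of "found" fixup RVAs are constructed assumptions.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute fixup
RELOC_DIR = 5                  # IMAGE_DIRECTORY_ENTRY_BASERELOC


def pe_layout(data):
    """(optional header offset, section table offset, section count)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    return opt, opt + opt_size, nsec


def section_headers(data):
    """[(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]"""
    _, sec, nsec = pe_layout(data)
    return [struct.unpack_from("<8sIIII", data, sec + 40 * i) for i in range(nsec)]


def fix_sections(data):
    """Make each section's raw pointer/size equal its RVA/virtual size, so a
    memory-layout dump parses as a file whose offsets are its RVAs."""
    buf = bytearray(data)
    _, sec, nsec = pe_layout(buf)
    for i in range(nsec):
        h = sec + 40 * i
        vsize, va = struct.unpack_from("<II", buf, h + 8)   # VirtualSize, VirtualAddress
        struct.pack_into("<II", buf, h + 16, vsize, va)     # SizeOfRawData, PointerToRawData
    return bytes(buf)


def reloc_dir(data):
    opt, _, _ = pe_layout(data)
    return struct.unpack_from("<II", data, opt + 112 + 8 * RELOC_DIR)  # PE32+ data directory


def declared_relocs(data):
    """RVAs the relocation directory already declares (DIR64 entries only).
    Assumes a fixed image (RVA == file offset), i.e. after fix_sections()."""
    dir_rva, dir_size = reloc_dir(data)
    rvas, pos = set(), dir_rva
    while pos < dir_rva + dir_size:
        page, size = struct.unpack_from("<II", data, pos)
        for off in range(pos + 8, pos + size, 2):
            e = struct.unpack_from("<H", data, off)[0]
            if e >> 12 == IMAGE_REL_BASED_DIR64:
                rvas.add(page | (e & 0xFFF))
        pos += size
    return rvas


def build_reloc_blocks(rvas):
    """Encode RVAs as IMAGE_BASE_RELOCATION blocks, one per 4 KiB page."""
    pages = {}
    for rva in sorted(set(rvas)):
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = b""
    for page, offs in sorted(pages.items()):
        entries = [(IMAGE_REL_BASED_DIR64 << 12) | o for o in offs]
        if len(entries) % 2:                      # blocks must stay 4-byte aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack(f"<{len(entries)}H", *entries)
    return out


def append_relocs(data, found_rvas):
    """Append blocks for fixups found during unpacking but absent from the
    directory and grow the directory size; needs zeroed slack after it."""
    buf = bytearray(data)
    opt, _, _ = pe_layout(buf)
    dir_rva, dir_size = reloc_dir(buf)
    missing = set(found_rvas) - declared_relocs(buf)
    if not missing:
        return bytes(buf)
    blocks, pos = build_reloc_blocks(missing), dir_rva + dir_size
    if pos + len(blocks) > len(buf) or any(buf[pos:pos + len(blocks)]):
        raise ValueError("no free space after the relocation directory")
    buf[pos:pos + len(blocks)] = blocks
    struct.pack_into("<II", buf, opt + 112 + 8 * RELOC_DIR, dir_rva, dir_size + len(blocks))
    return bytes(buf)


def build_sample_image():
    """Constructed minimal PE32+ memory dump: headers at 0, .text at RVA 0x1000,
    .reloc at RVA 0x2000, raw pointers still describing the on-disk layout."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)         # Section/FileAlignment
    struct.pack_into("<I", img, opt + 56, 0x3000)                 # SizeOfImage
    struct.pack_into("<I", img, opt + 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * RELOC_DIR, 0x2000, 12)
    sec = opt + 240
    struct.pack_into("<8sIIII", img, sec, b".text", 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", img, sec + 40, b".reloc", 0x100, 0x2000, 0x200, 0x400)
    # one declared DIR64 fixup at RVA 0x1010, plus an alignment pad entry
    img[0x2000:0x200C] = struct.pack("<IIHH", 0x1000, 12, (IMAGE_REL_BASED_DIR64 << 12) | 0x10, 0)
    return bytes(img)
```

Running `append_relocs(fix_sections(build_sample_image()), [0x1010, 0x1020, 0x1030])` leaves the already-declared 0x1010 alone and appends one new 12-byte block for page 0x1000 carrying 0x1020 and 0x1030, growing the directory from 12 to 24 bytes. A real dumper would place the new blocks in a dedicated section rather than relying on zeroed slack; the check in append_relocs() is what keeps this version from silently overwriting data.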
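Added example, not code from vmemu or vmprofiler, over the two JMP handler traces quoted in this post: it parses both blocks, reports which handler table each one loads into r12 (the per-VM table change the crashes came from), searches operands for a constant in the spirit of --locateconst, and runs the backward-liveness dead-store removal that the post says is only valid on straight-line vm handler code. The instruction subset, the register-alias table and the live-out sets are assumptions made for the demonstration.

```python
import re
from collections import namedtuple

# Constructed input: the two JMP handler traces quoted in the post above.
TRACE = """\
======================== [JMP #12] ========================
> 0x00007FF70775ECA5 mov esi, [rbp]
> 0x00007FF70775ECAE add rbp, 0x08
> 0x00007FF7077659EF lea r12, [0x00007FF7077AB900] <-- vm handler table
> 0x00007FF7077659F9 mov rax, 0x100000000
> 0x00007FF707765A08 add rsi, rax
> 0x00007FF707765A0F mov rbx, rsi
> 0x00007FF707765A1B add rsi, [rbp]

======================== [JMP #26] ========================
> 0x00007FF70774EF41 mov esi, [rbp]
> 0x00007FF70775CE38 add rbp, 0x08
> 0x00007FF707737355 lea r12, [0x00007FF707740E7D] <-- vm handler table
> 0x00007FF70773735E mov rax, 0x100000000
> 0x00007FF70773736D add rsi, rax
> 0x00007FF707737376 mov rbx, rsi
> 0x00007FF70773737F add rsi, [rbp]
"""

Insn = namedtuple("Insn", "addr mnem ops")
HEADER = re.compile(r"=+ \[JMP #(\d+)\] =+")
LINE = re.compile(r"> (0x[0-9A-Fa-f]+) (\w+) (.*?)(?: <--.*)?$")
GPR = {"rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp"} | {f"r{i}" for i in range(8, 16)}
ALIAS = {"eax": "rax", "ebx": "rbx", "ecx": "rcx", "edx": "rdx",   # assumed 32-bit aliases
         "esi": "rsi", "edi": "rdi", "ebp": "rbp", "esp": "rsp"}


def parse_trace(text):
    """Return {jmp_number: [Insn, ...]} from the textual trace."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            cur = blocks.setdefault(int(m.group(1)), [])
            continue
        m = LINE.match(raw)
        if m and cur is not None:
            ops = [o.strip() for o in m.group(3).split(",")]
            cur.append(Insn(int(m.group(1), 16), m.group(2), ops))
    return blocks


def handler_tables(blocks):
    """Handler table each JMP block materialises via `lea r12, [imm]`.
    More than one distinct value means the binary contains several VMs."""
    out = {}
    for n, insns in blocks.items():
        for i in insns:
            if i.mnem == "lea" and i.ops[0] == "r12" and i.ops[1].startswith("[0x"):
                out[n] = int(i.ops[1][1:-1], 16)
    return out


def regs_in(operand):
    """Full-width GPRs referenced by a register or memory operand."""
    return {ALIAS.get(t, t) for t in re.findall(r"[a-z]+\d*", operand) if ALIAS.get(t, t) in GPR}


def defs_uses(insn):
    """(registers written, registers read) for the mov/lea/add/sub/xor subset seen
    in vm handlers; anything else is treated conservatively as read-only."""
    dst, src = insn.ops[0], insn.ops[1] if len(insn.ops) > 1 else ""
    mem_dst = dst.startswith("[")
    if insn.mnem in ("mov", "lea"):
        defs = set() if mem_dst else regs_in(dst)
        uses = regs_in(src) | (regs_in(dst) if mem_dst else set())
    elif insn.mnem in ("add", "sub", "xor", "and", "or"):
        defs = set() if mem_dst else regs_in(dst)
        uses = regs_in(dst) | regs_in(src)
    else:
        defs, uses = set(), regs_in(dst) | regs_in(src)
    return defs, uses


def dead_store_elim(insns, live_out):
    """Backward liveness over one straight-line block (no JCCs): drop a register
    write whose value is overwritten before anything reads it."""
    live, kept = set(live_out), []
    for i in reversed(insns):
        defs, uses = defs_uses(i)
        if defs and not (defs & live):
            continue  # dead store: memory writes never have defs, so are always kept
        live = (live - defs) | uses
        kept.append(i)
    return kept[::-1]


def find_constant(blocks, value):
    """(jmp_number, address) of every instruction with an immediate == value."""
    hits = []
    for n, insns in sorted(blocks.items()):
        for i in insns:
            if any(o.startswith("0x") and int(o, 16) == value for o in i.ops):
                hits.append((n, i.addr))
    return hits
```

With the live-out set {rsi, r12, rbp} the `mov rbx, rsi` in each block is dropped; with rbx also assumed live (state carried into the next handler) every instruction survives, which is why the liveness assumption at the block boundary decides what the pass may remove. handler_tables() returns two different addresses for JMP #12 and #26, the situation the rewritten emulator now handles.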

  • 2 weeks later...
  • 4 weeks later...

https://githacks.org/vmp2/vmdevirt

vmdevirt lifts vmp IL generated by vmemu to LLVM IR, which can then be optimized and compiled back to native instructions. I have released a pretty rough/early version of EasyAntiCheat devirtualized here: https://www.unknowncheats.me/forum/anti-cheat-bypass/468099-easyanticheat-sys-devirtualized-version-1-optimizations.html

 

The goal has been to generate semantically correct native so that you can execute the binary... here is hello world devirtualized: https://githacks.org/-/snippets/45

 

If you have any input/suggestions for LLVM, you can reply or email me at _xeroxz@back.engineer

P.S. vmdevirt will also be used for vmp3 as the lifters/profiles are pretty much the same. All I need to do to support vmp3 is to recode some of vmemu...

Edited by _xeroxz

  • Author
6 hours ago, _xeroxz said:

https://githacks.org/vmp2/vmdevirt

vmdevirt lifts vmp IL generated by vmemu to LLVM IR, which can then be optimized and compiled back to native instructions. I have released a pretty rough/early version of EasyAntiCheat devirtualized here: https://www.unknowncheats.me/forum/anti-cheat-bypass/468099-easyanticheat-sys-devirtualized-version-1-optimizations.html

 

The goal has been to generate semantically correct native so that you can execute the binary... here is hello world devirtualized: https://githacks.org/-/snippets/45

 

If you have any input/suggestions for LLVM, you can reply or email me at _xeroxz@back.engineer

P.S. vmdevirt will also be used for vmp3 as the lifters/profiles are pretty much the same. All I need to do to support vmp3 is to recode some of vmemu...

Your work is super impressive. Kudos to you.
