kao Posted May 12, 2023 (edited)
Looks like the rumors of leaked VMProtect sources were true. Now they are available for everyone. It was leaked on certain Chinese sites, so use your brain and caution and don't run random files outside of VM...
EDIT1: Please note that "intel.cc" and "processor.cc" are missing, so the native code virtualization part is most likely non-working. Thanks to @boot and @lawl3ss and Twitter wisdom for the info!
EDIT2: Link changed to anonfiles.
https://anonfiles.com/d1D7M7q9z4/vmpsrc_zip
Edited May 12, 2023 by kao

X0rby Posted May 12, 2023 (edited)
That's crazy. Maybe vmp days will end now... However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks... But it is worth noting that this leak does not necessarily guarantee the swift development of a comprehensive devirtualization tool, so don't expect a "one-click" solution for unpacking and devirtualizing VMProtect.
Edited May 12, 2023 by X0rby

Kurapica Posted May 12, 2023
Even with the sources leaked, it is still a challenge to restore original code from VM code. Time will tell.

boot Posted May 12, 2023
It is NOT considered a TRUE LEAK because of the lack of core code. 🤔

kao (Author) Posted May 12, 2023
> 1 minute ago, boot said: NOT considered a TRUE LEAK because of the lack of core code.
I didn't try to build it. But from the first glance, I didn't see anything missing. If you know more, can you please let us know the details? What exactly is missing?

Kurapica Posted May 12, 2023 (edited)
The virtualization code seems to be missing, just my guess from a quick look. The "VmExecutor.cs" is still nice to check for .NET fans.
Edited May 12, 2023 by Kurapica

lawl3ss Posted May 12, 2023 (edited)
The leak looks to be legit. It built fine in my VM aside from the Qt project.
EDIT: Just noticed intel.cc is missing, never mind. Now we just wait until someone drops it for clout.
Edited May 12, 2023 by lawl3ss

ra1n Posted May 12, 2023
> 1 hour ago, Kurapica said: Even with the sources leaked, it is still a challenge to restore original code from VM code. Time will tell.
Depends, my write-up details how to lift the VM completely, the only difficulty (time consuming) is gathering all the virtual patterns. If the leak did contain the "main" VM code (i.e. probably just a huge switch statement of direct translations from x86 to their custom bytecode), then the virtual patterns would be in plain sight and can easily be added to your tool; taking you at most ~20 minutes.

Salin Posted May 12, 2023
afaik, basic principles of vmprotect and approaches for deobfuscation have been explained by researchers such as Rolf Rolles since at least the late 2000s. Besides, there were discussions on this topic here in the 2010s and there are some detailed write-ups from the past few years. But still people are looking for unpacking and devirtualizing vmprotect....😅

X0rby Posted May 12, 2023 (edited)
> Just now, Salin said: afaik, basic principles of vmprotect and approaches for deobfuscation have been explained by researchers such as Rolf Rolles since at least the late 2000s. Besides, there were discussions on this topic here in the 2010s and there are some detailed write-ups from the past few years. But still people are looking for unpacking and devirtualizing vmprotect....😅
There's a challenge in this forum about vmp 3.8.1 and it's still unsolved. If it's so easy like this, try to unpack and devirtualize it!
Edited May 12, 2023 by X0rby

deepzero Posted May 12, 2023
> However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks
oh lord

X0rby Posted May 12, 2023 (edited)
> Just now, deepzero said:
> > However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks
> oh lord
any problem? @deepzero I meant that if the code is compiled, there might be copies under new protection names. I put "confuser" as an example because it's open source and everyone is making his own version of it...
Edited May 12, 2023 by X0rby

deepzero Posted May 12, 2023
no problem. you are right and i dread the wave of vmp re-skins.

0x29A Posted May 12, 2023
> 4 hours ago, Kurapica said: The virtualization code seems to be missing, Just my guess from a quick look. The "VmExecutor.cs" is still nice to check for .NET fans.
this isn't EazVM?

X0rby Posted May 12, 2023 (edited)
> 1 hour ago, deepzero said: no problem. you are right and i dread the wave of vmp re-skins.
It will be a huge mess 😅
https://github.com/Alukym/VMProtect-Source
Edited May 12, 2023 by X0rby

X0rby Posted May 12, 2023 (edited)
The archive was repacked and the missing files were removed by the person who uploaded it. "vmprotect.ddk" + "intel.cc" + "processor.cc" + "arm.cc" are missing.
Edited May 12, 2023 by X0rby

H1TC43R Posted May 12, 2023 (edited)
Vmprotect.DDK is missing as well, so with the other files mentioned I doubt this will work, as I expect more critical files are missing. It's a shame, but I did have a look at the export key pair and licensing files.
I recently started looking at this protection with a good 3-part paper on the breakdown of a couple of their main features, Code Mutation and Virtualization. The paper was released in May 2021 by someone called r0da. It's worth a read and he used VMProtect 3.5 so it's recent, and definitely worth a look at earlier versions to get a handle on how it works.
I know VMProtect 3.6 has been cracked (not public). It was used by a company to license their software which is heavily protected; the cracker decided to crack the licensing software as well to make license files.
Edited May 12, 2023 by H1TC43R attaching pic

X0rby Posted May 13, 2023 (edited)
I found it in Chinese and I translated it: Quote +
Edited May 13, 2023 by X0rby politics

softprog Posted May 30, 2023
Hello, I tried to unzip with megadumper but the exe file is unreadable. Can you help me remove enigma 3.9? Thank you very much 😉

H1TC43R Posted May 30, 2023
> 2 hours ago, softprog said: Hello, I tried to unzip with megadumper but the exe file is unreadable. Can you help me remove enigma 3.9? Thank you very much 😉
It's supposed to just be a winzip file, but you can use Winrar as well. Think this is the wrong section for your post.

kao (Author) Posted December 7, 2023
And now we have a repo with the missing files. At least "intel.cc" + "processor.cc" are present.
https://github.com/jmpoep/vmprotect-3.5.1

ra1n Posted December 7, 2023
You can use pattern(s) found inside "intel.cc" & this write-up to build a tool

RADIOX Posted December 7, 2023
> 1 hour ago, kao said: And now we have a repo with the missing files. At least "intel.cc" + "processor.cc" are present.
is it the same files here: https://bbs.kanxue.com/thread-279796.htm ?

kao (Author) Posted December 7, 2023
@RADIOX: I don't have access to Baidu, so I can't check that. Based on the timing, I guess it might be the same.