Posted May 12, 2023
Looks like the rumors of leaked VMProtect sources were true. Now they are available for everyone. It was leaked on certain Chinese sites, so use your brain and caution and don't run random files outside of VM...
EDIT1: Please note that "intel.cc" and "processor.cc" are missing, so the native code virtualization part is most likely non-working. Thanks to @boot and @lawl3ss and Twitter wisdom for the info!
EDIT2: Link changed to anonfiles.
https://anonfiles.com/d1D7M7q9z4/vmpsrc_zip
Edited May 12, 2023 by kao

May 12, 2023
That's crazy
Maybe vmp days will end now... However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks... But, it is worth noting that this leak does not necessarily guarantee the swift development of a comprehensive devirtualization tool, so don't expect a "one-click" solution for unpacking and devirtualizing VMProtect.
Edited May 12, 2023 by X0rby

May 12, 2023
Even with the sources leaked, it is still a challenge to restore original code from VM code. Time will tell.

May 12, 2023, Author
1 minute ago, boot said: NOT considered a TRUE LEAK because of the lack of core code.
I didn't try to build it. But from the first glance, I didn't see anything missing. If you know more, can you please let us know the details? What exactly is missing?

May 12, 2023
The virtualization code seems to be missing, Just my guess from a quick look. The "VmExecutor.cs" is still nice to check for .NET fans.
Edited May 12, 2023 by Kurapica

May 12, 2023
The leak looks to be legit. It built fine in my VM aside from the Qt project.
EDIT: Just noticed intel.cc is missing, never mind. Now we just wait until someone drops it for clout.
Edited May 12, 2023 by lawl3ss

May 12, 2023
1 hour ago, Kurapica said: Even with the sources leaked, it is still a challenge to restore original code from VM code. Time will tell.
Depends, my write-up details how to lift the VM completely, the only difficulty (time-consuming) is gathering all the virtual patterns. If the leak did contain the "main" VM code (i.e. probably just a huge switch statement of direct translations from x86 to their custom bytecode), then the virtual patterns would be in plain sight and can easily be added to your tool; taking you at most ~20 minutes.

May 12, 2023
afaik basic principles of vmprotect and approaches for deobfuscation have been explained by researchers such as Rolf Rolles since at least the late 2000s. besides, there were discussions on this topic here in 2010s and there are some detailed writeup past few years. but still people looking for unpacking and devirtualize vmprotect....😅

May 12, 2023
Just now, Salin said: afaik basic principles of vmprotect and approaches for deobfuscation have been explained by researchers such as Rolf Rolles since at least the late 2000s. besides, there were discussions on this topic here in 2010s and there are some detailed writeup past few years. but still people looking for unpacking and devirtualize vmprotect....😅
There's a challenge in this forum about vmp 3.8.1 and still unsolved. If it's so easy like this, try to unpack and devirtualize it!
Edited May 12, 2023 by X0rby

May 12, 2023
> However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks
oh lord

May 12, 2023
Just now, deepzero said: > However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks oh lord
any problem? @deepzero I meant if the code is compiled they might be copies as new protections names, I put the "confuser" as example because it's open source and everyone is making his own version of it...
Edited May 12, 2023 by X0rby

May 12, 2023
4 hours ago, Kurapica said: The virtualization code seems to be missing, Just my guess from a quick look. The "VmExecutor.cs" is still nice to check for .NET fans.
this isn't EazVM?

May 12, 2023
1 hour ago, deepzero said: no problem. you are right and i dread the wave of vmp re-skins. It will be a huge mess 😅
-------------------------------------------------------
https://github.com/Alukym/VMProtect-Source
Edited May 12, 2023 by X0rby

May 12, 2023
the archive was repacked and the missing files were removed by the person who uploaded it
"vmprotect.ddk" + "intel.cc" + "processor.cc" + "arm.cc" are missing
Edited May 12, 2023 by X0rby

May 12, 2023
Vmprotect.DDK is missing as well, so with other files mentioned I doubt this will work, as I expect more critical files are missing.
It's a shame, but I did have a look at the export key pair and licensing files.
I recently started looking at this protection with a good 3 part paper on breakdown of a couple of their main features, Code Mutation and Virtualization. The paper was released in May 2021 by someone called r0da.
It's worth a read and he used VMProtect 3.5 so it's recent, and definitely worth a look at earlier versions to get a handle on how it works.
I know VMProtect 3.6 has been cracked (not public). It was used by a company to license their software which is heavily protected; cracker decided to crack the licensing software as well to make license files.
Edited May 12, 2023 by H1TC43R attaching pic

May 13, 2023
I found it in Chinese and I translate it :
Edited May 13, 2023 by X0rby politics

May 30, 2023
Hello I tried to unzip with megadumper but the exe file is unreadable. can you help me remove enigma 3.9? thank you very much 😉

May 30, 2023
2 hours ago, softprog said: Hello I tried to unzip with megadumper but the exe file is unreadable. can you help me remove enigma 3.9? thank you very much 😉
it's supposed to just be a winzip file, but can use Winrar as well
Think this is the wrong section for your post

December 7, 2023, Author
And now we have a repo with the missing files. At least "intel.cc" + "processor.cc" are present.
https://github.com/jmpoep/vmprotect-3.5.1

December 7, 2023
1 hour ago, kao said: And now we have a repo with the missing files. At least "intel.cc" + "processor.cc" are present.
is it the same files here : https://bbs.kanxue.com/thread-279796.htm ?

December 7, 2023, Author
@RADIOX: I don't have access to Baidu, so I can't check that. Based on the timing, I guess it might be the same.