Tuts 4 You

Leaked VMProtect sources


kao


Looks like the rumors of leaked VMProtect sources were true. Now they are available for everyone. :)
It was leaked on certain Chinese sites, so use your brain and caution and don't run random files outside of VM...

 

EDIT1: Please note that "intel.cc" and "processor.cc" are missing, so the native code virtualization part is most likely non-working. Thanks to @boot and @lawl3ss and Twitter wisdom for the info!

EDIT2: Link changed to anonfiles.

 

 

Edited by kao

That's crazy :o

Maybe vmp days will end now... However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp, like the confuser forks... But it is worth noting that this leak does not necessarily guarantee the swift development of a comprehensive devirtualization tool, so don't expect a "one-click" solution for unpacking and devirtualizing VMProtect.

Edited by X0rby

Even with the sources leaked, it is still a challenge to restore original code from VM code.

Time will tell.

1 minute ago, boot said:

NOT considered a TRUE LEAK because of the lack of core code.

I didn't try to build it. But from the first glance, I didn't see anything missing.
If you know more, can you please let us know the details? What exactly is missing?


The virtualization code seems to be missing. Just my guess from a quick look.

The "VmExecutor.cs" is still nice to check for .NET fans.

Edited by Kurapica

The leak looks to be legit. It built fine in my VM aside from the Qt project.

 

EDIT: Just noticed intel.cc is missing, nevermind. Now we just wait until someone drops it for clout.

Edited by lawl3ss
1 hour ago, Kurapica said:

Even with the sources leaked, it is still a challenge to restore original code from VM code.

Time will tell.

Depends, my write-up details how to lift the VM completely, the only difficulty (time consuming) is gathering all the virtual patterns. If the leak did contain the "main" VM code (i.e. probably just a huge switch statement of direct translations from x86 to their custom bytecode), then the virtual patterns would be in plain sight and can easily be added to your tool; taking you at most ~20 minutes.


afaik the basic principles of vmprotect and approaches for deobfuscation have been explained by researchers such as Rolf Rolles since at least the late 2000s. Besides, there were discussions on this topic here in the 2010s and there are some detailed writeups from the past few years. But still people are looking for unpacking and devirtualizing vmprotect....😅

Just now, Salin said:

afaik the basic principles of vmprotect and approaches for deobfuscation have been explained by researchers such as Rolf Rolles since at least the late 2000s. Besides, there were discussions on this topic here in the 2010s and there are some detailed writeups from the past few years. But still people are looking for unpacking and devirtualizing vmprotect....😅

There's a challenge in this forum about vmp 3.8.1 and it is still unsolved.

If it's as easy as this, try to unpack and devirtualize it!

 

Edited by X0rby

> However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks

oh lord :rolleyes:

Just now, deepzero said:

> However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks

oh lord :rolleyes:

Any problem? @deepzero

I meant that if the code is compiled, it might be copied under new protection names. I used "confuser" as an example because it's open source and everyone is making their own version of it...

Edited by X0rby
4 hours ago, Kurapica said:

The virtualization code seems to be missing. Just my guess from a quick look.

The "VmExecutor.cs" is still nice to check for .NET fans.

This isn't EazVM? :D


The archive was repacked and the missing files were removed by the person who uploaded it.

"vmprotect.ddk" + "intel.cc" + "processor.cc" + "arm.cc" are missing.

Edited by X0rby

Vmprotect.DDK is missing as well, so with the other files mentioned I doubt this will work, as I expect more critical files are missing. It's a shame, but I did have a look at the export key pair and licensing files.

 

I recently started looking at this protection with a good 3-part paper on the breakdown of a couple of their main features, Code Mutation and Virtualization. The paper was released in May 2021 by someone called r0da.

It's worth a read, and he used VMProtect 3.5 so it's recent; it's also definitely worth a look at earlier versions to get a handle on how it works.

I know VMProtect 3.6 has been cracked (not public). It was used by a company to license their software, which is heavily protected; the cracker decided to crack the licensing software as well to make license files.

 

 

photo_2023-05-12_15-37-01.jpg

Edited by H1TC43R
attaching pic
  • 3 weeks later...

Hello, I tried to unzip with megadumper but the exe file is unreadable. Can you help me remove Enigma 3.9? Thank you very much 😉

2 hours ago, softprog said:

Hello, I tried to unzip with megadumper but the exe file is unreadable. Can you help me remove Enigma 3.9? Thank you very much 😉

It's supposed to just be a WinZip file, but you can use WinRAR as well.

 

I think this is the wrong section for your post.
