kao Posted May 12 (edited)
Looks like the rumors of leaked VMProtect sources were true. Now they are available for everyone. It was leaked on certain Chinese sites, so use your brain and caution and don't run random files outside of a VM...
EDIT1: Please note that "intel.cc" and "processor.cc" are missing, so the native code virtualization part is most likely non-working. Thanks to @boot and @lawl3ss and Twitter wisdom for the info!
EDIT2: Link changed to anonfiles.
https://anonfiles.com/d1D7M7q9z4/vmpsrc_zip
X0rby Posted May 12 (edited)
That's crazy. Maybe VMP's days will end now... However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to VMP, like the ConfuserEx forks... But it is worth noting that this leak does not necessarily guarantee the swift development of a comprehensive devirtualization tool, so don't expect a "one-click" solution for unpacking and devirtualizing VMProtect.
Kurapica Posted May 12
Even with the sources leaked, it is still a challenge to restore original code from VM code. Time will tell.
boot Posted May 12
It is NOT considered a TRUE LEAK because of the lack of core code. 🤔
kao (author) Posted May 12
1 minute ago, boot said: NOT considered a TRUE LEAK because of the lack of core code.
I didn't try to build it, but at first glance I didn't see anything missing. If you know more, can you please let us know the details? What exactly is missing?
Kurapica Posted May 12 (edited)
The virtualization code seems to be missing; just my guess from a quick look. The "VmExecutor.cs" is still nice to check for .NET fans.
lawl3ss Posted May 12 (edited)
The leak looks to be legit. It built fine in my VM aside from the Qt project.
EDIT: Just noticed intel.cc is missing, nevermind. Now we just wait until someone drops it for clout.
ra1n Posted May 12
1 hour ago, Kurapica said: Even with the sources leaked, it is still a challenge to restore original code from VM code. Time will tell.
Depends. My write-up details how to lift the VM completely; the only difficulty (time consuming) is gathering all the virtual patterns. If the leak did contain the "main" VM code (i.e. probably just a huge switch statement of direct translations from x86 to their custom bytecode), then the virtual patterns would be in plain sight and could easily be added to your tool, taking you at most ~20 minutes.
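As an added illustration of the "gathering virtual patterns" step ra1n describes (this is not code from the thread and not VMProtect's own code): a made-up stack VM with a few handlers whose bytes disguise what they compute, plus a lifter that identifies each handler by black-box input/output testing against candidate semantics instead of by pattern-matching its instructions. The handler table, handler ids, the bytecode stream and the candidate semantics are all assumptions invented for the example.

```python
import random

MASK = 0xFFFFFFFF  # toy VM works on 32-bit values

# --- Toy VM handlers (invented). Each pops two operands, pushes one result. --
def h_add(stack):
    b, a = stack.pop(), stack.pop()
    stack.append((a + b) & MASK)

def h_nand(stack):
    b, a = stack.pop(), stack.pop()
    stack.append(~(a & b) & MASK)

def h_sub_obf(stack):
    # subtraction written as a + two's-complement(b): the code looks nothing like SUB
    b, a = stack.pop(), stack.pop()
    stack.append((a + ((~b + 1) & MASK)) & MASK)

def h_xor_obf(stack):
    # xor synthesised from NAND only: nand(nand(a, t), nand(b, t)) with t = nand(a, b)
    b, a = stack.pop(), stack.pop()
    nand = lambda x, y: ~(x & y) & MASK
    t = nand(a, b)
    stack.append(nand(nand(a, t), nand(b, t)))

# handler ids are arbitrary, as in a real VM's dispatch table (assumed layout)
HANDLER_TABLE = {0x11: h_add, 0x3A: h_nand, 0x7C: h_sub_obf, 0xE5: h_xor_obf}

# --- Reference semantics the lifter tries to recover -------------------------
SEMANTICS = {
    "ADD":  lambda a, b: (a + b) & MASK,
    "SUB":  lambda a, b: (a - b) & MASK,
    "XOR":  lambda a, b: a ^ b,
    "AND":  lambda a, b: a & b,
    "OR":   lambda a, b: a | b,
    "NAND": lambda a, b: ~(a & b) & MASK,
}

def run_handler(handler, a, b):
    """Execute one handler on a fresh two-element stack and return its result."""
    stack = [a, b]
    handler(stack)
    assert len(stack) == 1, "expected a binary handler (2 in, 1 out)"
    return stack[0]

def classify(handler, trials=64, seed=1):
    """Black-box semantic identification: feed fixed edge cases plus random
    inputs and keep only the candidate semantics that agree on every trial.
    Returns the set of surviving names (empty if nothing matched)."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    candidates = set(SEMANTICS)
    inputs = [(0, 0), (MASK, MASK), (0x80000000, 1), (1, 0x80000000)]
    inputs += [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(trials)]
    for a, b in inputs:
        out = run_handler(handler, a, b)
        candidates = {n for n in candidates if SEMANTICS[n](a, b) == out}
        if not candidates:
            break
    return candidates

def lift(bytecode):
    """Translate a stream of handler ids into recovered operation names."""
    ops = []
    for hid in bytecode:
        handler = HANDLER_TABLE.get(hid)
        names = classify(handler) if handler else set()
        if len(names) == 1:
            ops.append(names.pop())
        elif names:
            ops.append("AMBIGUOUS(" + "|".join(sorted(names)) + ")")
        else:
            ops.append(f"UNKNOWN_{hid:02X}")
    return ops

if __name__ == "__main__":
    # constructed bytecode stream: four handler ids from the table above
    print(lift([0x11, 0x7C, 0xE5, 0x3A]))
```

The edge-case inputs matter: on random 32-bit pairs ADD and OR almost never collide, but (0, 0) and (MASK, MASK) are what separate SUB from XOR quickly. A real lifter would also have to recover each handler's stack effect and the VM's own operand decoding; this toy assumes every handler is a clean two-in, one-out operation.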
Salin Posted May 12
AFAIK the basic principles of VMProtect and approaches for deobfuscation have been explained by researchers such as Rolf Rolles since at least the late 2000s. Besides, there were discussions on this topic here in the 2010s and there are some detailed write-ups from the past few years. But still people are looking for unpacking and devirtualizing VMProtect... 😅
X0rby Posted May 12 (edited)
Just now, Salin said: AFAIK the basic principles of VMProtect and approaches for deobfuscation have been explained by researchers such as Rolf Rolles since at least the late 2000s. Besides, there were discussions on this topic here in the 2010s and there are some detailed write-ups from the past few years. But still people are looking for unpacking and devirtualizing VMProtect... 😅
There's a challenge in this forum about VMP 3.8.1 and it's still unsolved. If it's as easy as this, try to unpack and devirtualize it!
deepzero Posted May 12
> However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks
oh lord
X0rby Posted May 12 (edited)
Just now, deepzero said:
> However, this leak could present an intriguing opportunity to create a custom virtualization tool similar to vmp like the confuser forks
oh lord
Any problem, @deepzero? I meant that if the code is compiled, there might be copies under new protection names. I used "Confuser" as an example because it's open source and everyone is making their own version of it...
deepzero Posted May 12
No problem. You are right, and I dread the wave of VMP re-skins.
0x29A Posted May 12
4 hours ago, Kurapica said: The virtualization code seems to be missing; just my guess from a quick look. The "VmExecutor.cs" is still nice to check for .NET fans.
Isn't this EazVM?
X0rby Posted May 12 (edited)
1 hour ago, deepzero said: No problem. You are right, and I dread the wave of VMP re-skins.
It will be a huge mess 😅
GitHub: https://github.com/Alukym/VMProtect-Source
X0rby Posted May 12 (edited)
The archive was repacked and the missing files were removed by the person who uploaded it. "vmprotect.ddk", "intel.cc", "processor.cc" and "arm.cc" are missing.
H1TC43R Posted May 12 (edited: attaching pic)
VMProtect.DDK is missing as well, so with the other files mentioned I doubt this will work, as I expect more critical files are missing. It's a shame, but I did have a look at the export key pair and licensing files. I recently started looking at this protection with a good 3-part paper on the breakdown of a couple of their main features, Code Mutation and Virtualization; the paper was released in May 2021 by someone called r0da. It's worth a read, and he used VMProtect 3.5, so it's recent, and it's definitely worth a look at earlier versions to get a handle on how it works. I know VMProtect 3.6 has been cracked (not public); it was used by a company to license their software, which is heavily protected, and the cracker decided to crack the licensing software as well to make license files.
X0rby Posted May 13 (edited: politics)
I found it in Chinese and I translated it:
softprog Posted May 30
Hello, I tried to unzip with MegaDumper but the exe file is unreadable. Can you help me remove Enigma 3.9? Thank you very much 😉
H1TC43R Posted May 30
2 hours ago, softprog said: Hello, I tried to unzip with MegaDumper but the exe file is unreadable. Can you help me remove Enigma 3.9? Thank you very much 😉
It's supposed to just be a WinZip file, but you can use WinRAR as well. I think this is the wrong section for your post.