Quote

I'm releasing my VMProtect devirtualizer for others to research, learn, and improve. This project started in 2018 as a hobby project and was rewritten at least 4 times. During my research, I've met with awesome people, made friends, and learned a lot. The tool is for educational purposes only, it works for vmprotect < 3.8 but produces less than ideal output.

How does it work?

The tool uses Triton for emulation, symbolic execution, and lifting. The easiest way to match VM handlers is to match them on the Triton AST level. The tool symbolizes vip and vsp registers and propagates memory loads and stores. Almost every handler ends with the store (to the stack, vm register or memory). We take Triton AST of the value that is being stored and match against known patterns:

https://github.com/archercreat/titan

Anyone cloned titan repo? It's currently down, please share!

13 hours ago, hank said:

Anyone cloned titan repo? It's currently down, please share!

Here you go:

https://mega.nz/file/y4ZGVIiQ#M8OgBUWMwMqzwYH0z0WFA6ihNuYvCDaOtHTN6gT5MNo

 

16 hours ago, hank said:

Anyone cloned titan repo? It's currently down, please share!

https://github.com/gmh5225/titan-1