temp location for sharing cool discoveries made while researching VMP [VMProtect 3.6 Ultimate DEMO]
02/12/2024 - at this rate I won't be sharing stuff so i'm just braindumping it... files are messes
-
there are patterns you can make to find instructions that correspond to push someEncryptedAddr, call vmenter.
- you can check if they're valid by confirming you can use the offset to calculate the address that corresponds to the push someEncryptedAddr portion (see image below in the section "Statically obtaining valid addresses for 'VM enter' and decrypting them.")
-
also applicable to the decryption routine used to calculate location of the next starting point of the bytecode and location of table containing handlers
same_binary_recompiled.zip - each binary is the same: provide 2 numbers and youll get output of
secret1: secret2:
(dont remember but i think secret2 is addition LOL)
- https://0xnobody.github.io/devirtualization-intro/
- https://www.msreverseengineering.com/blog/2014/6/23/vmprotect-part-0-basics
- https://blog.back.engineering/17/05/2021/
- https://www.mitchellzakocs.com/blog/vmprotect3
- https://whereisr0da.github.io/blog/posts/2021-01-05-vmp-1/
- https://secret.club/2021/09/08/vmprotect-llvm-lifting-1.html
- https://synthesis.to/2021/10/21/vm_based_obfuscation.html
- https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization
- https://cis.temple.edu/~qzeng/papers/deobfuscation-icics2017.pdf
- https://blog.esetafrica.com/wp-content/uploads/2018/01/ESET%E2%80%99s-guide-to-deobfuscating-and-devirtualizing-FinFisher.pdf
- https://github.com/st4ckh0und/AntiOreans-CodeDevirtualizer
made use of my tool
no obvious relationships...
- no effect on read direction of bytecode
- doesn't affect if push/ret or jmp qword ptr
- only the DWORD portion of the addresses are used
'scan' for 20 byte patterns that fit the requirement of:
push <encrypted_addr>
call vm_enter_fn
this was one of the coolest things i saw (each binary seems to have a couple of these grouped together near the end)
after manually re-analyzing