exploringVMP

temp location for sharing cool discoveries made while researching VMP [VMProtect 3.6 Ultimate DEMO]

02/12/2024 - at this rate I won't be sharing stuff so i'm just braindumping it... files are messes

uses pefile and iced_x86

• there are patterns you can make to find instructions that correspond to push someEncryptedAddr, call vmenter.

  • you can check if they're valid by confirming you can use the offset to calculate the address that corresponds to the push someEncryptedAddr portion (see image below in the section "Statically obtaining valid addresses for 'VM enter' and decrypting them.")

• also applicable to the decryption routine used to calculate location of the next starting point of the bytecode and location of table containing handlers

same_binary_recompiled.zip - each binary is the same: provide 2 numbers and youll get output of secret1: secret2: (dont remember but i think secret2 is addition LOL)

MUST READ

VMProtect

• https://0xnobody.github.io/devirtualization-intro/
• https://www.msreverseengineering.com/blog/2014/6/23/vmprotect-part-0-basics
• https://blog.back.engineering/17/05/2021/
• https://www.mitchellzakocs.com/blog/vmprotect3
• https://whereisr0da.github.io/blog/posts/2021-01-05-vmp-1/
• https://secret.club/2021/09/08/vmprotect-llvm-lifting-1.html

VMs

• https://synthesis.to/2021/10/21/vm_based_obfuscation.html
• https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization
• https://cis.temple.edu/~qzeng/papers/deobfuscation-icics2017.pdf
• https://blog.esetafrica.com/wp-content/uploads/2018/01/ESET%E2%80%99s-guide-to-deobfuscating-and-devirtualizing-FinFisher.pdf
• https://github.com/st4ckh0und/AntiOreans-CodeDevirtualizer

stuff

made use of my tool

Statically obtaining valid addresses for 'VM enter' and decrypting them.

no obvious relationships...

• no effect on read direction of bytecode
• doesn't affect if push/ret or jmp qword ptr
• only the DWORD portion of the addresses are used

'scan' for 20 byte patterns that fit the requirement of:

push <encrypted_addr>
call vm_enter_fn

Bytecode addresses scattered all around

Anti-disassembly tricks

this was one of the coolest things i saw (each binary seems to have a couple of these grouped together near the end)

after manually re-analyzing