diff --git a/README.md b/README.md index e1bbc9f..8f8c60d 100644 --- a/README.md +++ b/README.md @@ -17,4 +17,96 @@ Options: --vmentry, --entry rva to push prior to a vm_entry (Required) --showhandlers show all vm handlers... -h, --help Shows this page +``` + +# output - information + +``` +vmprofiler-cli.exe --vmpbin vmptest.vmp.exe --vmentry 0x1000 +> vm entry start = 0x00007FF61C8B1000 +> flattened vm entry... +> deobfuscated vm entry... +================================================================================== +> 0x00007FF61C8B822C push 0xFFFFFFFF890001FA +> 0x00007FF61C8B7FC9 push 0x45D3BF1F +> 0x00007FF61C8B48E4 push r13 +> 0x00007FF61C8B4690 push rsi +> 0x00007FF61C8B4E53 push r14 +> 0x00007FF61C8B74FB push rcx +> 0x00007FF61C8B607C push rsp +> 0x00007FF61C8B4926 pushfq +> 0x00007FF61C8B4DC2 push rbp +> 0x00007FF61C8B5C8C push r12 +> 0x00007FF61C8B52AC push r10 +> 0x00007FF61C8B51A5 push r9 +> 0x00007FF61C8B5189 push rdx +> 0x00007FF61C8B7D5F push r8 +> 0x00007FF61C8B4505 push rdi +> 0x00007FF61C8B4745 push r11 +> 0x00007FF61C8B478B push rax +> 0x00007FF61C8B7A53 push rbx +> 0x00007FF61C8B500D push r15 +> 0x00007FF61C8B6030 push [0x00007FF61C8B7912] +> 0x00007FF61C8B593A mov rax, 0x7FF4DC8B0000 +> 0x00007FF61C8B5955 mov r13, rax +> 0x00007FF61C8B595F test dl, al +> 0x00007FF61C8B5965 push rax +> 0x00007FF61C8B5969 btr si, bx +> 0x00007FF61C8B596F mov esi, [rsp+0xA0] +> 0x00007FF61C8B5979 not esi +> 0x00007FF61C8B5985 neg esi +> 0x00007FF61C8B598D ror esi, 0x1A +> 0x00007FF61C8B599E mov rbp, rsp +> 0x00007FF61C8B59A8 sub rsp, 0x140 +> 0x00007FF61C8B59B5 and rsp, 0xFFFFFFFFFFFFFFF0 +> 0x00007FF61C8B59BE inc ax +> 0x00007FF61C8B59C1 mov rdi, rsp +> 0x00007FF61C8B59C7 bsr r12, rax +> 0x00007FF61C8B59CB lea r12, [0x00007FF61C8B6473] +> 0x00007FF61C8B59DF mov rax, 0x100000000 +> 0x00007FF61C8B59EC add rsi, rax +> 0x00007FF61C8B59F3 mov rbx, rsi +> 0x00007FF61C8B59FA add rsi, [rbp] +> 0x00007FF61C8B5A03 rcr dl, cl +> 0x00007FF61C8B5A05 mov al, [rsi] +> 0x00007FF61C8B5A0A xor al, bl +> 0x00007FF61C8B5A11 neg al +> 0x00007FF61C8B5A19 rol al, 0x05 +> 0x00007FF61C8B5A26 inc al +> 0x00007FF61C8B5A2F xor bl, al +> 0x00007FF61C8B5A34 movzx rax, al +> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8] +> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149 +> 0x00007FF61C8B5507 inc rsi +> 0x00007FF61C8B7951 add rdx, r13 +> 0x00007FF61C8B7954 jmp rdx +> calc_jmp extracted from vm_entry... calc_jmp: +================================================================================== +> 0x00007FF61C8B5A05 mov al, [rsi] +> 0x00007FF61C8B5A0A xor al, bl +> 0x00007FF61C8B5A11 neg al +> 0x00007FF61C8B5A19 rol al, 0x05 +> 0x00007FF61C8B5A26 inc al +> 0x00007FF61C8B5A2F xor bl, al +> 0x00007FF61C8B5A34 movzx rax, al +> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8] +> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149 +> 0x00007FF61C8B5507 inc rsi +> 0x00007FF61C8B7951 add rdx, r13 +> 0x00007FF61C8B7954 jmp rdx +================================================================================== +> virtual instruction pointer advancement: forward +> located vm handler table... at = 0x00007FF61C8B6473, rva = 0x0000000140006473 +> vm handler table entries decrypted with = xor rdx, 0x7F3D2149 +> vm handler table entries encrypted with = xor rdx, 0x7F3D2149 +================================================================================== +> virtual instruction rva decryption instructions: + not esi + neg esi + ror esi, 0x1A +> virtual instruction rva encryption instructions: + rol esi, 0x1A + neg esi + not esi +================================================================================== ``` \ No newline at end of file