_xeroxz, commit 18837c36ea, 4 years ago

Repository contents (all last changed 4 years ago):
- dependencies/
- src/
- .clang-format
- .gitignore
- .gitmodules
- CMakeLists.txt
- LICENSE
- README.md
- cmake.toml
- cmkr.cmake
README.md
VMProfiler CLI - VMProtect 2 Virtual Machine Information Displayer
vmprofiler-cli is a CLI program which displays the details of a specified VMProtect 2 virtual machine. This information includes the virtual instruction pointer advancement direction, all vm handlers, the virtual instruction rva decryption instructions, the vm handler table entry decryption instruction, and much more.
Build Instructions
Clone the repository and all submodules using `git clone --recursive https://githacks.org/vmp2/vmprofiler-cli.git`. Then execute the following commands:

```
cd vmprofiler-cli
cmake -G "Visual Studio 16 2019"
```

Now open vmprofiler-cli.sln, select "Release" and "x64" at the top of the Visual Studio window, and build. Building should take a few minutes.
Usage

```
Usage: vmprofiler-cli [options...]
Options:
    --bin, --vmpbin        unpacked binary protected with VMProtect 2
    --vmentry, --entry     rva to push prior to a vm_entry
    --showhandlers         show all vm handlers...
    --showhandler          show a specific vm handler given its index...
    --vmp2file             path to .vmp2 file...
    --showblockinstrs      show the virtual instructions of a specific code block...
    --showallblocks        shows all information for all code blocks...
    --devirt               lift to VTIL IR and apply optimizations, then display the output...
    -h, --help             Shows this page
```
output - information example
```
vmprofiler-cli.exe --vmpbin vmptest.vmp.exe --vmentry 0x1000
> vm entry start = 0x00007FF61C8B1000
> flattened vm entry...
> deobfuscated vm entry...
==================================================================================
> 0x00007FF61C8B822C push 0xFFFFFFFF890001FA
> 0x00007FF61C8B7FC9 push 0x45D3BF1F
> 0x00007FF61C8B48E4 push r13
> 0x00007FF61C8B4690 push rsi
> 0x00007FF61C8B4E53 push r14
> 0x00007FF61C8B74FB push rcx
> 0x00007FF61C8B607C push rsp
> 0x00007FF61C8B4926 pushfq
> 0x00007FF61C8B4DC2 push rbp
> 0x00007FF61C8B5C8C push r12
> 0x00007FF61C8B52AC push r10
> 0x00007FF61C8B51A5 push r9
> 0x00007FF61C8B5189 push rdx
> 0x00007FF61C8B7D5F push r8
> 0x00007FF61C8B4505 push rdi
> 0x00007FF61C8B4745 push r11
> 0x00007FF61C8B478B push rax
> 0x00007FF61C8B7A53 push rbx
> 0x00007FF61C8B500D push r15
> 0x00007FF61C8B6030 push [0x00007FF61C8B7912]
> 0x00007FF61C8B593A mov rax, 0x7FF4DC8B0000
> 0x00007FF61C8B5955 mov r13, rax
> 0x00007FF61C8B595F test dl, al
> 0x00007FF61C8B5965 push rax
> 0x00007FF61C8B5969 btr si, bx
> 0x00007FF61C8B596F mov esi, [rsp+0xA0]
> 0x00007FF61C8B5979 not esi
> 0x00007FF61C8B5985 neg esi
> 0x00007FF61C8B598D ror esi, 0x1A
> 0x00007FF61C8B599E mov rbp, rsp
> 0x00007FF61C8B59A8 sub rsp, 0x140
> 0x00007FF61C8B59B5 and rsp, 0xFFFFFFFFFFFFFFF0
> 0x00007FF61C8B59BE inc ax
> 0x00007FF61C8B59C1 mov rdi, rsp
> 0x00007FF61C8B59C7 bsr r12, rax
> 0x00007FF61C8B59CB lea r12, [0x00007FF61C8B6473]
> 0x00007FF61C8B59DF mov rax, 0x100000000
> 0x00007FF61C8B59EC add rsi, rax
> 0x00007FF61C8B59F3 mov rbx, rsi
> 0x00007FF61C8B59FA add rsi, [rbp]
> 0x00007FF61C8B5A03 rcr dl, cl
> 0x00007FF61C8B5A05 mov al, [rsi]
> 0x00007FF61C8B5A0A xor al, bl
> 0x00007FF61C8B5A11 neg al
> 0x00007FF61C8B5A19 rol al, 0x05
> 0x00007FF61C8B5A26 inc al
> 0x00007FF61C8B5A2F xor bl, al
> 0x00007FF61C8B5A34 movzx rax, al
> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8]
> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149
> 0x00007FF61C8B5507 inc rsi
> 0x00007FF61C8B7951 add rdx, r13
> 0x00007FF61C8B7954 jmp rdx
> calc_jmp extracted from vm_entry... calc_jmp:
==================================================================================
> 0x00007FF61C8B5A05 mov al, [rsi]
> 0x00007FF61C8B5A0A xor al, bl
> 0x00007FF61C8B5A11 neg al
> 0x00007FF61C8B5A19 rol al, 0x05
> 0x00007FF61C8B5A26 inc al
> 0x00007FF61C8B5A2F xor bl, al
> 0x00007FF61C8B5A34 movzx rax, al
> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8]
> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149
> 0x00007FF61C8B5507 inc rsi
> 0x00007FF61C8B7951 add rdx, r13
> 0x00007FF61C8B7954 jmp rdx
==================================================================================
> virtual instruction pointer advancement: forward
> located vm handler table... at = 0x00007FF61C8B6473, rva = 0x0000000140006473
> vm handler table entries decrypted with = xor rdx, 0x7F3D2149
> vm handler table entries encrypted with = xor rdx, 0x7F3D2149
==================================================================================
> virtual instruction rva decryption instructions:
not esi
neg esi
ror esi, 0x1A
> virtual instruction rva encryption instructions:
rol esi, 0x1A
neg esi
not esi
==================================================================================
```
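The three transforms the tool reports above, re-implemented as an added Python example. This is not code from vmprofiler-cli (the project itself is C++); it takes the constants printed in the listing (the `xor rdx, 0x7F3D2149` handler-table key, the `not esi; neg esi; ror esi, 0x1A` rva sequence, and the `calc_jmp` byte decoder), feeds the dword that vm_entry loads from `[rsp+0xA0]` (the low 32 bits of the first push, `0xFFFFFFFF890001FA`) through the decryption sequence, and checks that each "encryption" sequence the tool lists is the exact inverse of its decryption sequence. The r13 value comes from the `mov rax, 0x7FF4DC8B0000` in the listing; that it equals the load address `0x7FF61C8B0000` minus the `0x140000000` preferred base (a relocation delta) is an observation from the addresses shown, not something the page states. The decoded rva and the opcode bytes fed to the calc_jmp decoder are computed or constructed here, not taken from the page.

```python
# Added example, not part of vmprofiler-cli. Re-implements the transforms the
# tool reports for the vm_entry above and checks that each inverse really
# inverts. Constants come from the listing; sample opcode bytes are constructed.

MASK8 = 0xFF
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

HANDLER_XOR_KEY = 0x7F3D2149            # "xor rdx, 0x7F3D2149"
RVA_ROR_COUNT = 0x1A                    # "ror esi, 0x1A"
# r13, from "mov rax, 0x7FF4DC8B0000": loaded base 0x7FF61C8B0000 minus the
# 0x140000000 preferred base (observation from the addresses in the listing).
RELOC_DELTA = 0x7FF4DC8B0000
ENCRYPTED_VIP_PUSH = 0xFFFFFFFF890001FA  # first push in the flattened vm_entry


def rol(value, count, bits):
    """Rotate left on a `bits`-wide register, as the x86 rol instruction does."""
    count %= bits
    mask = (1 << bits) - 1
    return ((value << count) | (value >> (bits - count))) & mask


def ror(value, count, bits):
    return rol(value, bits - (count % bits), bits)


def decrypt_vinstr_rva(enc):
    """'not esi; neg esi; ror esi, 0x1A' on the dword vm_entry loads from [rsp+0xA0]."""
    v = (~enc) & MASK32
    v = (-v) & MASK32
    return ror(v, RVA_ROR_COUNT, 32)


def encrypt_vinstr_rva(rva):
    """'rol esi, 0x1A; neg esi; not esi': the decrypt steps undone in reverse order."""
    v = rol(rva & MASK32, RVA_ROR_COUNT, 32)
    v = (-v) & MASK32
    return (~v) & MASK32


def vm_entry_initial_state(encrypted_push, reloc_delta):
    """Replay the tail of vm_entry: rsi = decrypt(low dword) + 0x100000000;
    rbx = rsi (the rolling key); rsi += [rbp], where [rbp] is the pushed r13.
    Returns (vip, rolling_key)."""
    rsi = decrypt_vinstr_rva(encrypted_push & MASK32) + 0x100000000
    rbx = rsi
    rsi = (rsi + reloc_delta) & MASK64
    return rsi, rbx


def decrypt_handler_entry(enc, reloc_delta):
    """'xor rdx, 0x7F3D2149; add rdx, r13' on a qword fetched from [r12+rax*8]."""
    return ((enc ^ HANDLER_XOR_KEY) + reloc_delta) & MASK64


def encrypt_handler_entry(handler_va, reloc_delta):
    """Inverse of decrypt_handler_entry: what the table would hold for handler_va."""
    return ((handler_va - reloc_delta) & MASK64) ^ HANDLER_XOR_KEY


def calc_jmp_decode(vip_bytes, rolling_key):
    """calc_jmp's fetch, per byte: al=[rsi]; xor al,bl; neg al; rol al,5; inc al;
    xor bl,al. rsi moves forward one byte per fetch ('inc rsi' in the listing).
    Returns (handler indices, final bl)."""
    bl = rolling_key & MASK8
    indices = []
    for b in vip_bytes:
        al = b ^ bl
        al = (-al) & MASK8
        al = rol(al, 5, 8)
        al = (al + 1) & MASK8
        bl ^= al                       # the key rolls with every decoded index
        indices.append(al)
    return indices, bl


def calc_jmp_encode(indices, rolling_key):
    """Inverse of calc_jmp_decode: the byte stream that decodes to `indices`."""
    bl = rolling_key & MASK8
    out = bytearray()
    for idx in indices:
        al = (idx - 1) & MASK8
        al = ror(al, 5, 8)
        al = (-al) & MASK8
        out.append(al ^ bl)
        bl ^= idx & MASK8
    return bytes(out), bl


if __name__ == "__main__":
    vip, key = vm_entry_initial_state(ENCRYPTED_VIP_PUSH, RELOC_DELTA)
    print(f"vip = {vip:#x}, rolling key = {key:#x}")
    sample = bytes([0x00, 0x41, 0xFE])  # constructed opcode bytes, not from the page
    idx, _ = calc_jmp_decode(sample, key)
    print("handler indices:", [hex(i) for i in idx])
```

Running the decrypt sequence on `0x890001FA` yields `0x40007EE2`, so after the `add rsi, 0x100000000` and `add rsi, [rbp]` steps the first virtual instruction sits at `0x7FF61C8B7EE2`, inside the image whose vm_entry is at `0x7FF61C8B1000`; the rolling key rbx starts as `0x140007EE2`, of which only bl is consumed by calc_jmp. The encode functions exist to make the inversion claim checkable: if a handler-index stream round-trips through encode and decode with the same initial key, the tool's "encryption instructions" listing is the true inverse of the "decryption instructions" listing.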