VMProtect 2 CLI Virtual Machine Information Displayer
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
Go to file
_xeroxz 625efc4c8e
updated vmprofiler dep...
3 years ago
dependencies updated vmprofiler dep... 3 years ago
src updated to the newest vmprofiler... 3 years ago
.clang-format added clang format, updated main.cpp and removed vmctx deps 4 years ago
.gitignore Port to cmkr 4 years ago
.gitmodules updated to the newest vmprofiler, removed vtil, remove vmlocate because 3 years ago
CMakeLists.txt updated to the newest vmprofiler, removed vtil, remove vmlocate because 3 years ago
LICENSE Add LICENSE 4 years ago
README.md Update README.md 4 years ago
cmake.toml added v4 .vmp2 file format parsing code... still stuff to do... 3 years ago
cmkr.cmake Port to cmkr 4 years ago

README.md

VMProfiler CLI - VMProtect 2 Virtual Machine Information Displayer

vmprofiler-cli is a CLI program which displays all details of a specified VMProtect 2 virtual machine. This information includes virtual instruction pointer advancment direction, all vm handlers, virtual instruction rva decrypt instructions, vm handler table entry decrypt instruction, and much more.

Build Instructions

Clone the repository and all submodules using git clone --recursive https://githacks.org/vmp2/vmprofiler-cli.git. Then execute the following commands:

cd vmprofiler-cli
cmake -G "Visual Studio 16 2019"

Now you can open vmprofiler-cli.sln, select "Release" and "x64" on the top of the visual studios window. Building should take a few minutes.

usage

Usage: vmprofiler-cli [options...]
Options:
    --bin, --vmpbin        unpacked binary protected with VMProtect 2
    --vmentry, --entry     rva to push prior to a vm_entry
    --showhandlers         show all vm handlers...
    --showhandler          show a specific vm handler given its index...
    --vmp2file             path to .vmp2 file...
    --showblockinstrs      show the virtual instructions of a specific code block...
    --showallblocks        shows all information for all code blocks...
    --devirt               lift to VTIL IR and apply optimizations, then display the output...
    -h, --help             Shows this page

output - information example

vmprofiler-cli.exe --vmpbin vmptest.vmp.exe --vmentry 0x1000
> vm entry start = 0x00007FF61C8B1000
> flattened vm entry...
> deobfuscated vm entry...
==================================================================================
> 0x00007FF61C8B822C push 0xFFFFFFFF890001FA
> 0x00007FF61C8B7FC9 push 0x45D3BF1F
> 0x00007FF61C8B48E4 push r13
> 0x00007FF61C8B4690 push rsi
> 0x00007FF61C8B4E53 push r14
> 0x00007FF61C8B74FB push rcx
> 0x00007FF61C8B607C push rsp
> 0x00007FF61C8B4926 pushfq
> 0x00007FF61C8B4DC2 push rbp
> 0x00007FF61C8B5C8C push r12
> 0x00007FF61C8B52AC push r10
> 0x00007FF61C8B51A5 push r9
> 0x00007FF61C8B5189 push rdx
> 0x00007FF61C8B7D5F push r8
> 0x00007FF61C8B4505 push rdi
> 0x00007FF61C8B4745 push r11
> 0x00007FF61C8B478B push rax
> 0x00007FF61C8B7A53 push rbx
> 0x00007FF61C8B500D push r15
> 0x00007FF61C8B6030 push [0x00007FF61C8B7912]
> 0x00007FF61C8B593A mov rax, 0x7FF4DC8B0000
> 0x00007FF61C8B5955 mov r13, rax
> 0x00007FF61C8B595F test dl, al
> 0x00007FF61C8B5965 push rax
> 0x00007FF61C8B5969 btr si, bx
> 0x00007FF61C8B596F mov esi, [rsp+0xA0]
> 0x00007FF61C8B5979 not esi
> 0x00007FF61C8B5985 neg esi
> 0x00007FF61C8B598D ror esi, 0x1A
> 0x00007FF61C8B599E mov rbp, rsp
> 0x00007FF61C8B59A8 sub rsp, 0x140
> 0x00007FF61C8B59B5 and rsp, 0xFFFFFFFFFFFFFFF0
> 0x00007FF61C8B59BE inc ax
> 0x00007FF61C8B59C1 mov rdi, rsp
> 0x00007FF61C8B59C7 bsr r12, rax
> 0x00007FF61C8B59CB lea r12, [0x00007FF61C8B6473]
> 0x00007FF61C8B59DF mov rax, 0x100000000
> 0x00007FF61C8B59EC add rsi, rax
> 0x00007FF61C8B59F3 mov rbx, rsi
> 0x00007FF61C8B59FA add rsi, [rbp]
> 0x00007FF61C8B5A03 rcr dl, cl
> 0x00007FF61C8B5A05 mov al, [rsi]
> 0x00007FF61C8B5A0A xor al, bl
> 0x00007FF61C8B5A11 neg al
> 0x00007FF61C8B5A19 rol al, 0x05
> 0x00007FF61C8B5A26 inc al
> 0x00007FF61C8B5A2F xor bl, al
> 0x00007FF61C8B5A34 movzx rax, al
> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8]
> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149
> 0x00007FF61C8B5507 inc rsi
> 0x00007FF61C8B7951 add rdx, r13
> 0x00007FF61C8B7954 jmp rdx
> calc_jmp extracted from vm_entry... calc_jmp:
==================================================================================
> 0x00007FF61C8B5A05 mov al, [rsi]
> 0x00007FF61C8B5A0A xor al, bl
> 0x00007FF61C8B5A11 neg al
> 0x00007FF61C8B5A19 rol al, 0x05
> 0x00007FF61C8B5A26 inc al
> 0x00007FF61C8B5A2F xor bl, al
> 0x00007FF61C8B5A34 movzx rax, al
> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8]
> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149
> 0x00007FF61C8B5507 inc rsi
> 0x00007FF61C8B7951 add rdx, r13
> 0x00007FF61C8B7954 jmp rdx
==================================================================================
> virtual instruction pointer advancement: forward
> located vm handler table... at = 0x00007FF61C8B6473, rva = 0x0000000140006473
> vm handler table entries decrypted with = xor rdx, 0x7F3D2149
> vm handler table entries encrypted with = xor rdx, 0x7F3D2149
==================================================================================
> virtual instruction rva decryption instructions:
        not esi
        neg esi
        ror esi, 0x1A
> virtual instruction rva encryption instructions:
        rol esi, 0x1A
        neg esi
        not esi
==================================================================================