You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
134 lines
4.7 KiB
134 lines
4.7 KiB
<div align="center">
|
|
<div>
|
|
<img src="https://githacks.org/uploads/-/system/project/avatar/374/icon-5.png"/>
|
|
</div>
|
|
</div>
|
|
|
|
# VMProfiler CLI - VMProtect 2 Virtual Machine Information Displayer
|
|
|
|
vmprofiler-cli is a CLI program which displays all details of a specified VMProtect 2 virtual machine. This information includes virtual instruction pointer advancment direction, all vm handlers, virtual instruction rva decrypt instructions, vm handler table entry decrypt instruction, and much more.
|
|
|
|
# Build Instructions
|
|
|
|
### Requirements
|
|
|
|
* Visual Studios 2019 *Fully Updated*
|
|
* CMake
|
|
* A good attitude
|
|
|
|
Clone the repository and all submodules using `git clone --recursive https://githacks.org/vmp2/vmprofiler-cli.git`. Then execute the following commands:
|
|
|
|
```
|
|
cd vmprofiler-cli
|
|
cmake -B build
|
|
```
|
|
|
|
Now you can open `vmprofiler-cli.sln`, select "Release" and "x64" on the top of the visual studios window. Building should take a few minutes.
|
|
|
|
# usage
|
|
|
|
```
|
|
Usage: vmprofiler-cli [options...]
|
|
Options:
|
|
--bin, --vmpbin unpacked binary protected with VMProtect 2
|
|
--vmentry, --entry rva to push prior to a vm_entry
|
|
--showhandlers show all vm handlers...
|
|
--showhandler show a specific vm handler given its index...
|
|
--vmp2file path to .vmp2 file...
|
|
--showblockinstrs show the virtual instructions of a specific code block...
|
|
--showallblocks shows all information for all code blocks...
|
|
-h, --help Shows this page
|
|
```
|
|
|
|
# output - information example
|
|
|
|
```
|
|
vmprofiler-cli.exe --vmpbin vmptest.vmp.exe --vmentry 0x1000
|
|
> vm entry start = 0x00007FF61C8B1000
|
|
> flattened vm entry...
|
|
> deobfuscated vm entry...
|
|
==================================================================================
|
|
> 0x00007FF61C8B822C push 0xFFFFFFFF890001FA
|
|
> 0x00007FF61C8B7FC9 push 0x45D3BF1F
|
|
> 0x00007FF61C8B48E4 push r13
|
|
> 0x00007FF61C8B4690 push rsi
|
|
> 0x00007FF61C8B4E53 push r14
|
|
> 0x00007FF61C8B74FB push rcx
|
|
> 0x00007FF61C8B607C push rsp
|
|
> 0x00007FF61C8B4926 pushfq
|
|
> 0x00007FF61C8B4DC2 push rbp
|
|
> 0x00007FF61C8B5C8C push r12
|
|
> 0x00007FF61C8B52AC push r10
|
|
> 0x00007FF61C8B51A5 push r9
|
|
> 0x00007FF61C8B5189 push rdx
|
|
> 0x00007FF61C8B7D5F push r8
|
|
> 0x00007FF61C8B4505 push rdi
|
|
> 0x00007FF61C8B4745 push r11
|
|
> 0x00007FF61C8B478B push rax
|
|
> 0x00007FF61C8B7A53 push rbx
|
|
> 0x00007FF61C8B500D push r15
|
|
> 0x00007FF61C8B6030 push [0x00007FF61C8B7912]
|
|
> 0x00007FF61C8B593A mov rax, 0x7FF4DC8B0000
|
|
> 0x00007FF61C8B5955 mov r13, rax
|
|
> 0x00007FF61C8B595F test dl, al
|
|
> 0x00007FF61C8B5965 push rax
|
|
> 0x00007FF61C8B5969 btr si, bx
|
|
> 0x00007FF61C8B596F mov esi, [rsp+0xA0]
|
|
> 0x00007FF61C8B5979 not esi
|
|
> 0x00007FF61C8B5985 neg esi
|
|
> 0x00007FF61C8B598D ror esi, 0x1A
|
|
> 0x00007FF61C8B599E mov rbp, rsp
|
|
> 0x00007FF61C8B59A8 sub rsp, 0x140
|
|
> 0x00007FF61C8B59B5 and rsp, 0xFFFFFFFFFFFFFFF0
|
|
> 0x00007FF61C8B59BE inc ax
|
|
> 0x00007FF61C8B59C1 mov rdi, rsp
|
|
> 0x00007FF61C8B59C7 bsr r12, rax
|
|
> 0x00007FF61C8B59CB lea r12, [0x00007FF61C8B6473]
|
|
> 0x00007FF61C8B59DF mov rax, 0x100000000
|
|
> 0x00007FF61C8B59EC add rsi, rax
|
|
> 0x00007FF61C8B59F3 mov rbx, rsi
|
|
> 0x00007FF61C8B59FA add rsi, [rbp]
|
|
> 0x00007FF61C8B5A03 rcr dl, cl
|
|
> 0x00007FF61C8B5A05 mov al, [rsi]
|
|
> 0x00007FF61C8B5A0A xor al, bl
|
|
> 0x00007FF61C8B5A11 neg al
|
|
> 0x00007FF61C8B5A19 rol al, 0x05
|
|
> 0x00007FF61C8B5A26 inc al
|
|
> 0x00007FF61C8B5A2F xor bl, al
|
|
> 0x00007FF61C8B5A34 movzx rax, al
|
|
> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8]
|
|
> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149
|
|
> 0x00007FF61C8B5507 inc rsi
|
|
> 0x00007FF61C8B7951 add rdx, r13
|
|
> 0x00007FF61C8B7954 jmp rdx
|
|
> calc_jmp extracted from vm_entry... calc_jmp:
|
|
==================================================================================
|
|
> 0x00007FF61C8B5A05 mov al, [rsi]
|
|
> 0x00007FF61C8B5A0A xor al, bl
|
|
> 0x00007FF61C8B5A11 neg al
|
|
> 0x00007FF61C8B5A19 rol al, 0x05
|
|
> 0x00007FF61C8B5A26 inc al
|
|
> 0x00007FF61C8B5A2F xor bl, al
|
|
> 0x00007FF61C8B5A34 movzx rax, al
|
|
> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8]
|
|
> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149
|
|
> 0x00007FF61C8B5507 inc rsi
|
|
> 0x00007FF61C8B7951 add rdx, r13
|
|
> 0x00007FF61C8B7954 jmp rdx
|
|
==================================================================================
|
|
> virtual instruction pointer advancement: forward
|
|
> located vm handler table... at = 0x00007FF61C8B6473, rva = 0x0000000140006473
|
|
> vm handler table entries decrypted with = xor rdx, 0x7F3D2149
|
|
> vm handler table entries encrypted with = xor rdx, 0x7F3D2149
|
|
==================================================================================
|
|
> virtual instruction rva decryption instructions:
|
|
not esi
|
|
neg esi
|
|
ror esi, 0x1A
|
|
> virtual instruction rva encryption instructions:
|
|
rol esi, 0x1A
|
|
neg esi
|
|
not esi
|
|
==================================================================================
|
|
```
|