vmprofiler-qt is a GUI program designed to view trace files generated by vmtracer programs. Currently um-tracer is the only program that will generate a trace file, however in the near future another repo will be added using unicorn to generate traces.
A trace is simply a file that contains all native register values, virtual stack values, virtual register values, for every single executed virtual instruction. This allows for very indepth analysis of the executed virtual instructions. Without this level of information it is very difficult to make sense of virtual instructions and the effects on the virtual stack.
# Usage Requirements
In order to use vmprofiler-qt a few requirements must be met. When using the GUI make sure to have the following information ready:
* `vm_entry rva` - the relative virtual address, from the base of the module, of `vm_entry`.
* `image base rva` - the `ImageBase` value located inside of the optional PE header.
* `.vmp2 file` - a trace file generated by vmtracer project such as `um-tracer`.
* an unpacked VMProtect'ed binary which you know all of the above about (use vmprofiler-cli to locate the values you dont know).
# Usage
Click file -> open, navigate to the location of the VMProtect'ed file. Select it. After, enter the RVA to the vm_entry routine as well as the `ImageBase` value described in the above section. You can grab a trace file from [um-tracer v1.0 release](https://githacks.org/vmp2/um-tracer/-/releases/v1.0).
A trace is simply a file that contains all native register values, virtual stack values, virtual register values, for every single executed virtual instruction. This allows for very indepth analysis of the executed virtual instructions. Without this level of information it is very difficult to make sense of virtual instructions and the effects on the virtual stack.
_xeroxz
3 years ago