VMProtect 2 Virtual Machines Profiler Library
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
Go to file
_xeroxz 64f7eec391
Update README.md
3 years ago
dependencies fixed a spelling mistake... 4 years ago
include i messed with transforms and vminstrs encrypt_operand, check to make 4 years ago
src Merge branch 'master' of https://githacks.org/vmp2/vmprofiler into HEAD 4 years ago
.clang-format added clang format, its 90% ok 4 years ago
.gitignore added gitignore, testing it 4 years ago
.gitmodules fixed a spelling mistake... 4 years ago
LICENSE Add LICENSE 4 years ago
README.md Update README.md 3 years ago
vmprofiler.sln removed useless options in sln 4 years ago
vmprofiler.vcxproj added vm::ctx_t which can be passed around >:) 4 years ago
vmprofiler.vcxproj.filters added vm::ctx_t which can be passed around >:) 4 years ago

README.md

VMProfiler - Library To Profile VMProtect 2 Virtual Machines

vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu. This is the base project for all other VMProtect 2 projects inside of this group on githacks.

Credit & Contributors

  • VTIL - Virtual-machine Translation Intermediate Language
  • Zydis - Fast and lightweight x86/x86-64 disassembler library
  • irql0 - helped with the first version of vm handler pattern matching

Basic Usage - Creating a vm::ctx_t Object

The vm::ctx_t class is a small container-like class which is simply used to contain all information for a given vm entry. This class contains the following useful information:

  • all vm handlers for a given vm entry
  • the linear virtual address of the module base in memory
  • the image base address
  • the image size in virtual memory
  • which way VIP advances (exec_type)
  • vm entry relative virtual address
  • vm entry deobfuscated and flattened
  • calc jmp deobfuscated and flattened

All of the above information is generated by executing the vm::ctx_t::init member function. Below is a C++ example of how to create a vm::ctx_t object.

const auto module_base = reinterpret_cast< std::uintptr_t >(
    LoadLibraryExA( parser.get< std::string >( "bin" ).c_str(),
        NULL, DONT_RESOLVE_DLL_REFERENCES ) );

const auto vm_entry_rva = std::strtoull( parser.get< std::string >( "vmentry" ).c_str(), nullptr, 16 );
const auto image_base = umtils->image_base( parser.get< std::string >( "bin" ).c_str() );
const auto image_size = NT_HEADER( module_base )->OptionalHeader.SizeOfImage;
vm::ctx_t vmctx( module_base, image_base, image_size, vm_entry_rva );

if ( !vmctx.init() )
{
    std::printf( "[!] failed to init vm::ctx_t... make sure all cli arguments are correct!\n" );
    return -1;
}

Copyright (c) 2021 _xeroxz, Independent Researcher @back.engineering

Licensed under the MIT License