VMProtect 3.x IAT Fix
# VMProtect 3.x IAT Fix
This program is a dynamic x86/x64 VMProtect 3.x import fixer (tested on VMP 3.3). The main goal of this project was to build a correct and reliable tool to fix imports in x86/x64 applications.
Note: **this tool can dump the process and rebuild the import directory**.
**To fix a 32-bit program, use the 32-bit build of the tool, and vice versa for 64-bit**.
## Before
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220716105829428.png)
## After
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220716105855534.png)
new IAT:
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220716110043838.png)
## Compile
VS2019
## Usage
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220723214955839.png)
**-p**: target process PID
**-s**: the tool first searches the sections for calls to IAT stubs; the -s option specifies sections to ignore, default [`.vmp0,.vmp1,.vmp2`]
**-i**: specify the section used to store the new IAT in memory; if you don't specify this option, the tool uses **VirtualAlloc** to allocate the memory that stores the IAT content
**-d**: dump the file and rebuild the import table
Tips: **VMProtect unpacking must be complete before running this tool**.
Example:
when the target program has reached its OEP
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220716111549696.png)
execute this tool
`.\vmp3-import-fix.exe -p 31652`
if you want dump and rebuild import table
`.\vmp3-import-fix.exe -p 31652 -d`
if you want to dump, rebuild the import table and place the new IAT in the `.vmp0` section
`.\vmp3-import-fix.exe -p 31652 -d -i ".vmp0"`
below is the dump-and-fix import table result for **ida.vmp.exe**
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220723215541893.png)
the new IAT section is appended as the last section
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220723215557934.png)
you can find the log file at `log/logger.txt`
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220716111801572.png)
![](https://github.com/woxihuannisja/vmp3-import-fix/raw/main/README.assets/image-20220716111829226.png)
## VMProtect Encrypt IAT detail
VMProtect encrypts IAT references in 3 modes:
1. call ret, call int3 or call 0xXX
2. push call
3. pop call
### Call Ret mode
original code:
```asm
.text:0040D87E 50                push eax                    ; hFile
.text:0040D87F FF 15 1C C1 45 00 call ds:FlushFileBuffers
.text:0040D885 85 C0             test eax, eax
```
encrypted IAT:
```asm
0040D87E | 50 | push eax |
0040D87F | E8 47890B00 | call test1_vmp.4C61CB |
0040D884 | C3 | ret |
0040D885 | 85C0 | test eax,eax |
```
at address 0x0040D87F the code **`call ds:FlushFileBuffers`** has been changed to `call test1_vmp.4C61CB ; ret`. The stub therefore has two jobs: compute the real API address, and patch its own return address so that execution resumes at 0x0040D885 (the `test eax,eax`) rather than on the decoy `ret` byte at 0x0040D884.
Following the encrypted IAT call, the listing below shows the process by which VMProtect decrypts the API address (memory operands are decoded from the instruction bytes; the addresses jump because the stub is split across several code fragments):
```asm
004C61CC | 55            | push ebp                            | save ebp
004C61CD | 0FCD          | bswap ebp                           |
004C61CF | 66:8BE9       | mov bp,cx                           |
004C61D2 | 66:BD F53D    | mov bp,3DF5                         |
004C61D6 | 8B6C24 04     | mov ebp,dword ptr ss:[esp+4]        | ebp = call return address
0048718D | 8D6D 01       | lea ebp,dword ptr ss:[ebp+1]        | ebp = call return address + 1
0056A3E4 | 896C24 04     | mov dword ptr ss:[esp+4],ebp        | [esp+4] = call return address + 1
0056A3E8 | 66:0F47EB     | cmova bp,bx                         |
0056A3EC | 0FBFED        | movsx ebp,bp                        |
0056A3EF | BD E6224000   | mov ebp,test1_vmp.4022E6            |
004B2DCA | 8BAD 432F0800 | mov ebp,dword ptr ss:[ebp+82F43]    |
004BF11F | 8DAD C713DE73 | lea ebp,dword ptr ss:[ebp+73DE13C7] |
004F561B | 872C24        | xchg dword ptr ss:[esp],ebp         | restore ebp, [esp] = API address
         |               | ret                                 | ret jumps to the API
```
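The trace above can be reduced to a small model. In the listing, `bswap ebp`, `mov bp,cx`, `mov bp,3DF5`, `cmova bp,bx` and `movsx ebp,bp` are dead: ebp is overwritten (by `mov ebp,[esp+4]` and by `mov ebp,4022E6`) before it is read again, so only eight instructions matter. The following Python is an added example, not code from vmp3-import-fix; it scans a constructed copy of the call site for the `call rel32 ; ret` shape, then executes the reduced stub against a tiny memory model to recover the API address and the patched return address. The constants 0x4022E6, 0x82F43 and 0x73DE13C7 are those in the trace; the API address 0x7C80A8F0, the saved ebp value and the memory contents are constructed sample data.

```python
# Added example (not code from vmp3-import-fix): a model of the VMProtect 3.x
# "call ret" import stub traced above. Constants 0x4022E6, 0x82F43 and
# 0x73DE13C7 come from the trace; the API address, the call-site bytes and
# the memory contents are constructed sample data.
import struct

MASK32 = 0xFFFFFFFF


def scan_call_ret(code: bytes, base: int):
    """Return (call_va, stub_va, resume_va) for every `call rel32 ; ret`
    (E8 xx xx xx xx C3) found in `code` mapped at `base`.

    The trailing C3 is a decoy: the stub rewrites its return address to
    skip it, so execution resumes at call_va + 6. A compiler can emit the
    same bytes (a call followed by a real ret), so a hit should be confirmed
    by checking that the target lies inside a VMProtect section.
    """
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xE8 and code[i + 5] == 0xC3:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            call_va = base + i
            stub_va = (call_va + 5 + rel) & MASK32
            hits.append((call_va, stub_va, call_va + 6))
            i += 6
        else:
            i += 1
    return hits


def read32(mem: dict, addr: int) -> int:
    return int.from_bytes(bytes(mem.get(addr + k, 0) for k in range(4)), "little")


def write32(mem: dict, addr: int, value: int) -> None:
    for k, b in enumerate((value & MASK32).to_bytes(4, "little")):
        mem[addr + k] = b


# The stub at 004C61CB reduced to the instructions that affect the result.
STUB_004C61CB = [
    ("push_ebp",),           # push ebp
    ("load_ret",),           # mov ebp,[esp+4]        ebp = return address
    ("lea", 1),              # lea ebp,[ebp+1]        skip the decoy ret byte
    ("store_ret",),          # mov [esp+4],ebp        patched return address
    ("mov_imm", 0x4022E6),   # mov ebp,4022E6
    ("load", 0x82F43),       # mov ebp,[ebp+82F43]    read the encrypted IAT slot
    ("lea", 0x73DE13C7),     # lea ebp,[ebp+73DE13C7] decrypt: slot + constant
    ("xchg_ret",),           # xchg [esp],ebp         restore ebp, API address on stack
]


def run_stub(ops, mem: dict, ret_addr: int, ebp: int = 0):
    """Execute the reduced stub; returns (api, resume_addr, ebp_after).
    `ret_addr` is the value pushed by the call site's `call`."""
    stack = [ret_addr]
    for op, *args in ops:
        if op == "push_ebp":
            stack.append(ebp)
        elif op == "load_ret":
            ebp = stack[-2]
        elif op == "store_ret":
            stack[-2] = ebp
        elif op == "lea":
            ebp = (ebp + args[0]) & MASK32
        elif op == "mov_imm":
            ebp = args[0]
        elif op == "load":
            ebp = read32(mem, (ebp + args[0]) & MASK32)
        elif op == "xchg_ret":
            stack[-1], ebp = ebp, stack[-1]
        else:
            raise ValueError(op)
    api = stack.pop()        # the stub's final `ret` pops this and jumps there
    resume = stack.pop()     # the API's own `ret` will return here
    return api, resume, ebp


def slot_address(ops):
    """Static view: where the encrypted IAT entry for this stub lives."""
    base = next(a for op, *a in ops if op == "mov_imm")[0]
    disp = next(a for op, *a in ops if op == "load")[0]
    return (base + disp) & MASK32


def demo():
    # Constructed call site from the listing: push eax / call 4C61CB / ret / test eax,eax
    code = bytes.fromhex("50 E8 47 89 0B 00 C3 85 C0")
    hits = scan_call_ret(code, 0x0040D87E)

    api_flushfilebuffers = 0x7C80A8F0      # constructed, hypothetical export address
    mem = {}
    write32(mem, slot_address(STUB_004C61CB), api_flushfilebuffers - 0x73DE13C7)

    call_va, stub_va, resume_va = hits[0]
    api, resume, ebp = run_stub(STUB_004C61CB, mem, ret_addr=call_va + 5, ebp=0xDEADBEEF)
    return hits, api, resume, ebp


if __name__ == "__main__":
    hits, api, resume, ebp = demo()
    for call_va, stub_va, resume_va in hits:
        print(f"call site {call_va:08X} -> stub {stub_va:08X}, resume {resume_va:08X}")
    print(f"decrypted API {api:08X}, stub returns to {resume:08X}, ebp {ebp:08X}")
```

The point of `slot_address` is that the stub reads a fixed slot (0x4022E6 + 0x82F43 = 0x485229) rather than anything derived from the return address, which is why a fixer can resolve each call site statically once it knows the stub's two constants; the return-address arithmetic only exists to hop over the decoy `ret` byte.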
## Push Call mode
original code:
```asm
.text:004099DF 56                push esi
.text:004099E0 8B 35 0C C0 45 00 mov esi, ds:InitializeCriticalSection
.text:004099E6 FF 35 A4 41 41 00 push lpCriticalSection      ; lpCriticalSection
```
encrypted IAT call:
```asm
004099DF | 56            | push esi                     |
004099E0 | 53            | push ebx                     |
004099E1 | E8 299B1600   | call test1_vmp.57350F        |
004099E6 | FF35 A4414100 | push dword ptr ds:[4141A4]   | 004141A4:"@kA"
```
the code `mov esi,ds:InitializeCriticalSection` has been changed to `push ebx ; call test1_vmp.57350F`
## Thanks
- https://github.com/unicorn-engine/unicorn
- https://github.com/DarthTon/Blackbone.git
- https://github.com/archercreat/vmpfix
- https://github.com/NtQuery/Scylla
- https://github.com/zyantific/zydis.git
- https://github.com/gabime/spdlog.git
## Download
https://github.com/woxihuannisja/vmp3-import-fix

So helpless! Even to read a post on a Chinese forum I have to right-click and choose "Translate to Chinese (Simplified)"!

qwert0312 posted on 2022-7-27 09:07

Although I can't really read English either, I don't support what you are saying.

Sorry! I should have replied in English.

so helpless! To read the posts in the Chinese forum, you also need to right-click and select Translate to Chinese (Simplified)!

Learning to use it!

Thanks for sharing!

Thank you very much, I have to learn English!!!

Why do you write articles in English?
Are you a foreigner?

Awesome!

Thanks for sharing; are all the experts this good at English?

Thanks, I learned something.