EternalBlue posted on 2024-1-9 12:13

VMP-Import-Deobfuscator

This post was last edited by EternalBlue on 2024-1-9 12:15

https://github.com/colby57/VMP-Imports-Deobfuscator

# VMP-Import-Deobfuscator

VMP-Import-Deobfuscator is a program that lets you deobfuscate imports: it rebuilds the IAT and then patches all obfuscated calls; all you have to do is dump the program itself (supports x64 only).

This project is based on this repository, thanks to the author: https://github.com/woxihuannisja/vmp3-import-fix

Tested on versions: 3.1, 3.5, 3.6, 3.7, 3.8.3, 3.8.4, 3.8.5, 3.8.6.



## Before


## After


## Usage
```bash
-p: required.
Usage: VMP-Imports-Deobfuscator

Optional arguments:
-h --help       shows help message and exits
-v --version    prints version information and exits
-p --pid      Target process name
-m --module   Target module name
-i --iat      Section that is used to storage new IAT, it maybe destroy vmp code
```

Example usage:
```
VMP-Imports-Deobfuscator.exe -p 3135
VMP-Imports-Deobfuscator.exe -p 3135 -m "sample.dll"
VMP-Imports-Deobfuscator.exe -p 3135 -m "sample.dll" -i ".sec0"
```

The user no longer needs to enter the names of all VMProtect sections; the program determines the sections by their computed entropy. Sections of VMProtect-secured applications always have an entropy greater than 7.



## What about new VMProtect versions?

VMProtect versions higher than 3.7 started using several stubs. In the past, programs that fix VMProtect calls tried to fix calls by only getting as far as the first RET instruction. In the new versions, the number of stubs has increased. As a result, almost all programs became inoperable on new versions of VMProtect.

Example:
```asm
mov r15,qword ptr ss:; First stub
push qword ptr ss:
popfq
mov rbp,qword ptr ss:
lea rsp,qword ptr ss:
ret ; There will be no import call, it will go to the next stub.

call 7FF79EBAA8D6; Second stub
call 7FF79EB8D041
lea rsp,qword ptr ss:
ret ; Call import
```

## Credits
- github.com/woxihuannisja
- github.com/unicorn-engine/unicorn
- github.com/DarthTon/Blackbone
- github.com/archercreat/vmpfix
- github.com/zyantific/zydis


## TODO
- 32-bit support
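The entropy-based section detection described in the README above, as an added example that is not part of the original post or of the VMP-Imports-Deobfuscator project: a minimal, self-contained PE section-table parser (pure Python, no `pefile`) that computes the Shannon entropy of each section's raw data and flags sections above the 7.0 bits-per-byte threshold the README quotes. The sample image is constructed in memory with made-up section names (`.text`, `.vmp0`, `.data`) and sizes, so it runs offline; real dumps will of course carry whatever names the packer used, which is exactly why a name-independent entropy score is useful.

```python
import math
import random
import struct

# Threshold quoted in the README: VMProtect sections have entropy > 7 (bits per byte).
VMP_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Parse the section table of a PE image held in memory.

    Returns a list of (name, virtual_address, raw_size, entropy) tuples.
    Only the header fields needed for entropy scoring are decoded.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_of_optional                  # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40                              # each header is 40 bytes
        name_raw, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append((name, va, raw_size, shannon_entropy(data)))
    return sections


def likely_vmp_sections(image: bytes, threshold: float = VMP_ENTROPY_THRESHOLD):
    """Names of sections whose raw-data entropy exceeds the threshold."""
    return [name for name, _va, _size, ent in parse_sections(image) if ent > threshold]


def build_sample_image() -> bytes:
    """Construct a minimal PE32+ image with three sections (sample data, not a real binary).

    .text : repeating 16-byte pattern   -> entropy exactly 4.0
    .vmp0 : deterministic pseudo-random -> entropy close to 8.0 (stands in for VMP code)
    .data : all zero bytes              -> entropy 0.0
    """
    sec_size = 0x1000
    text = bytes(range(16)) * (sec_size // 16)
    rng = random.Random(20240109)
    vmp0 = bytes(rng.getrandbits(8) for _ in range(sec_size))
    data = bytes(sec_size)
    payloads = [(b".text", text), (b".vmp0", vmp0), (b".data", data)]

    e_lfanew = 0x80
    size_of_optional = 240          # size of the PE32+ optional header
    headers_size = 0x200            # 0x80 + 4 + 20 + 240 + 3 * 40 == 0x200 exactly

    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += bytes(e_lfanew - len(dos))
    # Machine=AMD64, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, size_of_optional, 0x22)
    optional = struct.pack("<H", 0x20B) + bytes(size_of_optional - 2)   # PE32+ magic only

    table = b""
    body = b""
    raw_ptr = headers_size
    for idx, (name, payload) in enumerate(payloads):
        va = 0x1000 * (idx + 1)
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), va, len(payload),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        raw_ptr += len(payload)

    image = dos + b"PE\0\0" + coff + optional + table
    assert len(image) == headers_size
    return image + body


if __name__ == "__main__":
    img = build_sample_image()
    for name, va, size, ent in parse_sections(img):
        print(f"{name:<8} va=0x{va:06x} size=0x{size:x} entropy={ent:.3f}")
    print("likely VMProtect sections:", likely_vmp_sections(img))
```

Run it against a dumped image by replacing `build_sample_image()` with the bytes of the dump; for a memory dump the raw pointers usually equal the RVAs, and a damaged section table (which packers sometimes leave behind) shows up as an out-of-range slice, so a real tool should bounds-check `raw_ptr + raw_size` against the image length before trusting the score.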

mycc posted on 2024-1-9 18:36

Without reading the description, my guess is that it actively searches for VMP's API calls and fixes them.
Even though VMP obfuscates calls to system functions, it still has to jump to them indirectly; this tool emulates that and runs through it once to learn the destination,
then patches the E8 (CALL) into a direct call through the IAT. I haven't touched this in more than 10 years, but that's roughly the principle; back in the day I also wrote a dedicated script to do this.

无夜滴滴 posted on 2024-1-9 12:48

Could an expert translate this for us?

不知道改成啥 posted on 2024-1-9 13:47

无夜滴滴 posted on 2024-1-9 12:48
Could an expert translate this for us?

Sounds impressive, but I don't understand it, haha.

sabirjan2023 posted on 2024-1-9 13:53

Is there an IDA Pro plugin that uses ChatGPT to automatically convert code, automatically analyze, automatically identify things, and so on...?

sunweiju posted on 2024-1-9 15:28

Is there a usage tutorial?

sdieedu posted on 2024-1-9 16:21

I can't follow this; a tutorial please.

toqto posted on 2024-1-9 16:33

This is arcane stuff; beginners had better just walk away.

a13389809 posted on 2024-1-9 16:46

sabirjan2023 posted on 2024-1-9 13:53
Is there an IDA Pro plugin that uses ChatGPT to automatically convert code, automatically analyze, automatically identify things, and so on...?

It's mentioned in teacher 正己's article 《有的IDA PRo还要什么女朋友》 ("With IDA Pro, who needs a girlfriend?"). You can go take a look.

来自星星的我 posted on 2024-1-10 08:53

a13389809 posted on 2024-1-9 16:46
It's mentioned in teacher 正己's article 《有的IDA PRo还要什么女朋友》 ("With IDA Pro, who needs a girlfriend?"). You can go take a look.

Could you post a link to the article? I'd like to read it.