吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 10769|回复: 47
收起左侧

[Unpackers] VMProtect 去虚拟化工具 titan

  [复制链接]
nj001 发表于 2023-11-6 08:41
发现一个新的脱VMP壳的工具,利用triton ast匹配和符号执行来工作,记录一下
https://github.com/archercreat/titan

免费评分

参与人数 8吾爱币 +8 热心值 +7 收起 理由
Some + 1 又是一个paper work
captain123 + 1 + 1 热心回复!
netspirit + 1 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!
fanganer + 1 + 1 我很赞同!
fangchang819 + 1 + 1 谢谢@Thanks!
kingwl + 1 + 1 热心回复!
yp17792351859 + 1 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!
ck6102 + 1 + 1 我很赞同!

查看全部评分

本帖被以下淘专辑推荐:

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

Hmily 发表于 2023-11-6 17:10

titan - VMProtect devirtualizer

I'm releasing my VMProtect devirtualizer for others to research, learn, and improve. This project started in 2018 as a hobby project and was rewritten at least 4 times. During my research, I've met with awesome
people, made friends, and learned a lot.

How does it work?

The tool uses Triton for emulation, symbolic execution, and lifting. The easiest way to match VM handlers is to match them on the Triton AST level. The tool symbolizes vip and vsp registers and propagates memory loads and stores. Almost every handler ends with the store (to the stack, vm register or memory). We take Triton AST of the value that is being stored and match against known patterns:

// Match [vsp] + [vsp].
//
static bool match_add(const triton::ast::SharedAbstractNode& ast)
{
    if (ast->getType() == triton::ast::EXTRACT_NODE)
    {
        return match_add(ast->getChildren()[2]->getChildren()[1]);
    }
    return ast->getType() == triton::ast::BVADD_NODE
        && is_variable(ast->getChildren()[1], variable::vsp_fetch);
}

No matter how obfuscated handlers are, it is possible to match them with a single x86 instruction! Once the handler is identified, it is lifted into a basic block. Once the basic block is terminated, the partial control-flow graph is computed and the RIP register is sliced, giving the address of the next basic block. The process repeats until no new basic blocks are found.
Every basic block is lifted into separate LLVM function. The process of building control-flow graph comes down chaining calls to basic block functions in the right order.
The tool has few custom LLVM passes like no-alias and memory coalescing passes. The only pass that is left to implement is flag synthesis pass which will give the cleanest LLVM bitcode.

Usage

The tool requires 3 arguments:

  • Path to vmprotect intrinsics file
  • Path to virtualized binary
  • Virtual address of vm entry point
    ./build/titan
    titan: for the -i option: must be specified at least once!
    titan: for the -b option: must be specified at least once!
    titan: for the -e option: must be specified at least once!
    ./build/titan -i intrinsics/vmprotect64.ll -b samples/loop_hash.0x140103FF4.exe -e 0x140103FF4

Acknowledgements

Matteo Favaro and Vlad Malagar for answering my sometimes dumb questions, helping to find bugs in llvm bitcode, giving motivation and new ideas.

haiyanuser 发表于 2023-11-6 09:55
xiaoxino 发表于 2023-11-6 10:35
fangchang819 发表于 2023-11-6 10:47
试试怎么用.
olexs 发表于 2023-11-6 11:29
能把安装过的虚拟机全部清除吗?我有个硬盘被那所谓的虚拟机锁了,导致无法写入擦除,只能读取。
fanganer 发表于 2023-11-6 12:49
好东西 收藏了
luodaoyi 发表于 2023-11-6 13:01
最新的3.8.4能搞么
狂派威震天 发表于 2023-11-6 13:07
怎么用,可以出下教程吗?
微笑掩盖忧伤 发表于 2023-11-6 13:28
请问怎么使用啊
qqpoly 发表于 2023-11-6 13:58
如何使用啊,好好的学习一下,这么样不会用
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-17 10:39

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表