吾爱破解 - 52pojie.cn

[Unpackers] VMP-Import-Deobfuscator

EternalBlue posted on 2024-1-9 12:13
This post was last edited by EternalBlue on 2024-1-9 12:15
https://github.com/colby57/VMP-Imports-Deobfuscator

VMP-Import-Deobfuscator

VMP-Import-Deobfuscator is a program that allows you to deobfuscate imports. It rebuilds the IAT and then patches all obfuscated calls; all you have to do is dump the program itself (supports only x64).

This project is based on this repository, thanks to the author: https://github.com/woxihuannisja/vmp3-import-fix

Tested on versions: 3.1, 3.5, 3.6, 3.7, 3.8.3, 3.8.4, 3.8.5, 3.8.6.

result.png

Before

before.png

After

after.png

Usage

-p: required.
Usage: VMP-Imports-Deobfuscator [options]

Optional arguments:
-h --help       shows help message and exits
-v --version    prints version information and exits
-p --pid        Target process name [required]
-m --module     Target module name [default: ""]
-i --iat        Section that is used to storage new IAT, it maybe destroy vmp code [default: ".rdata"]

Example usage:

VMP-Imports-Deobfuscator.exe -p 3135
VMP-Imports-Deobfuscator.exe -p 3135 -m "sample.dll"
VMP-Imports-Deobfuscator.exe -p 3135 -m "sample.dll" -i ".sec0"

The user no longer needs to enter the names of all VMProtect sections; the program determines the partitions by the computed entropy. Secure VMProtect applications always have a partition entropy greater than 7.

entropy.png

What about new VMProtect versions?

VMProtect versions higher than 3.7 started using several stubs. In the past, programs that fix VMProtect calls tried to fix calls by only getting as far as the first RET instruction. In the new versions, the number of stubs has increased. As a result, almost all programs became inoperable on new versions of VMProtect.

Example:

mov r15,qword ptr ss:[rsp+10]; First stub
push qword ptr ss:[rsp+48]
popfq 
mov rbp,qword ptr ss:[rsp+20]
lea rsp,qword ptr ss:[rsp+58]
ret ; There will be no import call, it will go to the next stub.

call 7FF79EBAA8D6; Second stub
call 7FF79EB8D041
lea rsp,qword ptr ss:[rsp+10]
ret ; Call import

Credits

  • github.com/woxihuannisja
  • github.com/unicorn-engine/unicorn
  • github.com/DarthTon/Blackbone
  • github.com/archercreat/vmpfix
  • github.com/zyantific/zydis

TODO

  • 32-bit support
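
The entropy heuristic described in the post, written out as an added example (this is not code from VMP-Imports-Deobfuscator or its author). It computes the Shannon entropy of each PE section's raw data and lists the sections above the 7.0 threshold the post mentions. It assumes an on-disk PE layout rather than a process dump, and the sample image, its section names and its contents are constructed for illustration.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_entropies(image: bytes) -> dict:
    """Walk the PE section table and return {section name: entropy of raw data}."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe, = struct.unpack_from("<I", image, 0x3C)           # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", image, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size                            # first section header
    result = {}
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        result[name.rstrip(b"\0").decode("latin-1")] = shannon_entropy(raw)
    return result

def high_entropy_sections(image: bytes, threshold: float = 7.0) -> list:
    """Sections above the threshold; compressed data also scores high, so treat as a hint."""
    return [n for n, e in section_entropies(image).items() if e > threshold]

def build_sample() -> bytes:
    """Constructed PE-like image: repetitive '.text' and uniformly distributed '.vmp0'."""
    bodies = [(b".text", bytes.fromhex("48895c2408c3cccc") * 512),
              (b".vmp0", bytes(range(256)) * 16)]  # stand-in for packed/encrypted code
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, len(bodies), 0, 0, 0, 0, 0)
    offset = len(hdr) + 40 * len(bodies)
    table, data = b"", b""
    for name, body in bodies:
        table += struct.pack("<8sIIII16x", name, len(body), 0x1000, len(body), offset + len(data))
        data += body
    return hdr + table + data

if __name__ == "__main__":
    for name, ent in section_entropies(build_sample()).items():
        print(f"{name:8s} {ent:.2f}")
```
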


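mycc posted on 2024-1-9 18:36
Without reading the description, I'd guess it actively searches for VMP's API calls and fixes them.
Even if VMP obfuscates the calls to system functions, it still has to jump there indirectly; here the tool emulates the code once to learn the destination,
then patches the E8 (CALL) into a direct call to the IAT. I haven't touched this in more than 10 years, but the principle is roughly this; years ago I also wrote a dedicated script to implement this feature.
无夜滴滴 posted on 2024-1-9 12:48
不知道改成啥 posted on 2024-1-9 13:47
sabirjan2023 posted on 2024-1-9 13:53
Is there an IDA Pro plugin that uses ChatGPT to automatically convert code, automatically analyze, automatically identify things, and so on...
sunweiju posted on 2024-1-9 15:28
Is there a usage tutorial?
sdieedu posted on 2024-1-9 16:21
I don't understand it. Please give a tutorial.
toqto posted on 2024-1-9 16:33
This is like an unreadable heavenly script; newbies had better just walk away when they see it.
a13389809 posted on 2024-1-9 16:46
sabirjan2023 posted on 2024-1-9 13:53
Is there an IDA Pro plugin that uses ChatGPT to automatically convert code, automatically analyze, automatically identify things, and so on...

It's mentioned in teacher 正己's article 《有的IDA PRo还要什么女朋友》 ("With IDA Pro, who needs a girlfriend"). You can go take a look.
来自星星的我 posted on 2024-1-10 08:53
a13389809 posted on 2024-1-9 16:46
It's mentioned in teacher 正己's article 《有的IDA PRo还要什么女朋友》 ("With IDA Pro, who needs a girlfriend"). You can go take a look.

Could you share a link to the article? I'd like to read it.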