{"id":19179350,"url":"https://github.com/archercreat/vmpfix","last_synced_at":"2025-09-02T17:24:09.619Z","repository":{"id":276446035,"uuid":"441944803","full_name":"archercreat/vmpfix","owner":"archercreat","description":"Universal x86/x64 VMProtect 2.0-3.X Import fixer","archived":false,"fork":false,"pushed_at":"2021-12-29T08:52:54.000Z","size":436,"stargazers_count":3,"open_issues_count":4,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-08T09:44:06.056Z","etag":null,"topics":["cmkr","cpp","reverse-engineering","vmprotect"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/archercreat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-26T17:16:10.000Z","updated_at":"2025-01-25T00:31:19.000Z","dependencies_parsed_at":"2025-02-08T09:44:07.668Z","dependency_job_id":"8963bac4-ab26-4412-89b1-716767b8c173","html_url":"https://github.com/archercreat/vmpfix","commit_stats":null,"previous_names":["archercreat/vmpfix"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archercreat%2Fvmpfix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archercreat%2Fvmpfix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archercreat%2Fvmpfix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archercreat%2Fvmpfix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/owners/archercreat","download_url":"https://codeload.github.com/archercreat/vmpfix/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239550271,"owners_count":19657541,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cmkr","cpp","reverse-engineering","vmprotect"],"created_at":"2024-11-09T10:42:54.949Z","updated_at":"2025-02-18T21:05:35.294Z","avatar_url":"https://github.com/archercreat.png","language":"C++","readme":"# vmpfix\n*VMPfix* is a dynamic x86/x64 VMProtect 2.0-3.x import fixer.\nThe main goal of this project was to build a correct and reliable tool to fix imports in x86/x64 applications.\n\nNote: this tool does not dump and rebuild the import directory. 
You can do this from your favorite debugger.\n\n## Before\n![](media/before.png) \n\n## After\n![](media/after.png)\n\n## Usage\n```bash\nvmpfix.exe\n-p: required.\nUsage: Universal VMProtect Import fixer [options]\n\nOptional arguments:\n-h --help       shows help message and exits [default: false]\n-v --version    prints version information and exits [default: false]\n-p --pid        Target process id [required]\n-s --sections   VMProtect sections in target module [default: {\".vmp0\" \".vmp1\" \".be1\" \".be0\"}]\n-i --iat        New IAT section name [default: \".vmp0\"]\n-m --module     VMProtected module name (default: main executable) [default: \"\"]\n```\n\nExample commands:\n```\nvmpfix.exe -p 3336 -m beservice_x64.exe -s .be0 -s .be1 -i .be0\nvmpfix.exe -p 11250\n```\n\nVMProtect unpacking must be complete before running *VMPfix*.\n\n## Details\nThere are 3 types of IAT accesses that VMProtect patches: `call`, `jmp` and `mov`.\nEvery stub resolves the protected import with only 3 instructions:\n```\nlea reg, [imm]\nmov reg, [reg + imm]\nlea reg, [reg + imm]\n```\nAlthough the stubs are obfuscated, only a handful of instructions matter:\n```\npush\npop\nlea\nmov\nxchg\nret\n```\n\n### Call stubs\nEvery `call` stub ends with an `xchg` instruction:\n\n`call [IAT]` -\u003e `call .vmp1; int3`:\n```\n[!] push        rax\n[!] mov         rax,qword ptr [rsp+8]\n[!] lea         rax,[rax+1]\n[!] mov         qword ptr [rsp+8],rax\n[!] lea         rax,[1401269B2h]\n[!] mov         rax,qword ptr [rax+0FE1D0h]\n[!] lea         rax,[rax+445A4C4Eh]\n[!] xchg        rax,qword ptr [rsp]\n[!] ret\n```\n\n`call [IAT]` -\u003e `push rcx; call .vmp1`:\n```\n[!] pop         rsi\n[!] xchg        rsi,qword ptr [rsp]\n[!] push        rsi\n[!] lea         rsi,[1401832EDh]\n[!] mov         rsi,qword ptr [rsi+0A7558h]\n[!] lea         rsi,[rsi+49C80AACh]\n[!] xchg        rsi,qword ptr [rsp]\n[!] 
ret\n```\n### Jmp stubs\nEvery `jmp` stub ends with a `ret 4/8` instruction:\n\n`jmp [IAT]` -\u003e `push rcx; call .vmp1`:\n```\n[!] pop         rcx\n[!] xchg        rcx,qword ptr [rsp]\n[!] push        rcx\n[!] lea         rcx,[1400EE9C4h]\n[!] mov         rcx,qword ptr [rcx+14F6B2h]\n[!] lea         rcx,[rcx+36F801BAh]\n[!] xchg        rcx,qword ptr [rsp]\n[!] ret         8\n```\n### Mov stubs\nEvery other stub can be considered a `mov` stub. There are some patterns here as well, e.g. there is no `ret 8` or `xchg` at the end.\n\n`mov rsi, [IAT]` -\u003e `push rsi; call .vmp1`:\n```\n[!] pop         rsi\n[!] xchg        rsi,qword ptr [rsp]\n[!] pop         rsi\n[!] lea         rsi,[rsi+1]\n[!] push        rsi\n[!] lea         rsi,[14015634Fh]\n[!] mov         rsi,qword ptr [rsi+0EF63Ch]\n[!] lea         rsi,[rsi+0C2B009Ah]\n[!] ret\n```\n\n## Build\n```\ngit clone --recurse-submodules https://github.com/archercreat/vmpfix.git\ncd vmpfix\ncmake -B build\ncmake --build build\n```\n\n## Tests\nSuccessfully unpacked, dumped and ran:\n\n`steam.exe x86 752ac6ab6ec58c14bcbae0409ac732e4846a37838919806d1cf1b4cd19095f82`\n\n`vncviewer.exe x64 4158a5e55cbd6a5a8f4ed38befe2a8c9fa0c7a7fbc91709a31592dda95110517`\n\n## Credits\nhttps://github.com/build-cpp/cmkr\n\nhttps://github.com/can1357/linux-pe\n\nhttps://github.com/DarthTon/Blackbone\n\n## TODO\n- kernel support\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farchercreat%2Fvmpfix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farchercreat%2Fvmpfix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farchercreat%2Fvmpfix/lists"}