{"id":24289080,"url":"https://github.com/keowu/birosca","last_synced_at":"2025-06-14T11:04:17.506Z","repository":{"id":174319751,"uuid":"651742989","full_name":"keowu/birosca","owner":"keowu","description":"A Dynamic Study Vmprotect 1.x-1.9X Unpacking Toolkit, Recovery OEP, FIX PE, IAT and bypass protection with custom Loader and interceptor vmexit(aka context exchange) from packer stub.","archived":false,"fork":false,"pushed_at":"2023-07-14T01:27:28.000Z","size":1679,"stargazers_count":32,"open_issues_count":0,"forks_count":7,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-06-14T11:02:27.546Z","etag":null,"topics":["reverse-engineering","study","study-project","tool","unpacking","vmprotect","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/keowu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-10T01:05:31.000Z","updated_at":"2025-04-27T18:54:52.000Z","dependencies_parsed_at":null,"dependency_job_id":"ab108e85-6d5b-4e37-858a-cd576abce2fa","html_url":"https://github.com/keowu/birosca","commit_stats":null,"previous_names":["keowu/birosca"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/keowu/birosca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keowu%2Fbirosca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keowu%2Fbirosca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keowu%2Fbirosca/releases","manifests_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keowu%2Fbirosca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/keowu","download_url":"https://codeload.github.com/keowu/birosca/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keowu%2Fbirosca/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259804834,"owners_count":22913900,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["reverse-engineering","study","study-project","tool","unpacking","vmprotect","windows"],"created_at":"2025-01-16T10:51:17.697Z","updated_at":"2025-06-14T11:04:17.500Z","avatar_url":"https://github.com/keowu.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Birosca VMP\n\nA dynamic study VMProtect 1.x-1.9x unpacking toolkit: it recovers the OEP, fixes the PE and IAT, and bypasses the protection with a custom loader and an interceptor for the vmexit (aka context exchange) routines of the packer stub.\n\n![#1](imgs/imga.png)\n\n### How it works\n\nDiagram of the operation of the Birosca framework:\n\n![#2](imgs/diagram.jpg)\n\n\n##### Birosca:\n- Debugs the VMProtect-packed process\n- Finds the OEP (based on the VM type)\n- Inserts the Keo stub to load Lain\n- Finds the standard vmexit (aka context exchange) routine present in versions below 2.x\n- Makes raw dumps\n- Fixes the PE and IAT and makes a dump\n\n##### Lain:\n- Hooks anti-debugging checks (user mode, kernel mode, anti-VM)\n- Gives Birosca process-memory-level access without VMProtect detecting it.\n\nBirosca (a Brazilian term that accurately describes how the project works: a 
simple project that fulfills its purpose without offering anything more, without presenting itself as an expert, and focused on its own growth over time. The tool was not developed for anything other than study.) Birosca is capable of obtaining the entry point of all versions below 2.x of the commercial packer VMProtect through routines nicknamed \"vmexit\" (aka context exchange). During the development of the tool, the packer was studied across different protected files and versions to find the pattern present in these virtualized-code exit routines. Signatures (which work in a generic way) were created for both. The \"vmexit\" (aka context exchange) routines are used for context switching, API loading, and jumps to addresses once they have already been processed by VMProtect's virtualized code (which is unique to each protected file); the \"vmexit\" (aka context exchange) routines themselves, however, are standardized. Here is an example of such a routine:\n\n```\n.vmp2:0006AFED\t\t\t _vmexit_        proc near\n.vmp2:0006AFED                   var_2C          = byte ptr -2Ch\n.vmp2:0006AFED                   arg_10          = dword ptr  14h\n.vmp2:0006AFED                   arg_14          = dword ptr  18h\n.vmp2:0006AFED\n.vmp2:0006AFED FC                                  cld\n.vmp2:0006AFEE FC                                  cld\n.vmp2:0006AFEF 9C                                  pushf\n.vmp2:0006AFF0 FF 74 24 18                         push    [esp+4+arg_10]\n.vmp2:0006AFF4 9D                                  popf\n.vmp2:0006AFF5 60                                  pusha\n.vmp2:0006AFF6 68 62 0F AC 2D                      push    2DAC0F62h\n.vmp2:0006AFFB 54                                  push    esp\n.vmp2:0006AFFC 88 04 24                            mov     [esp+2Ch+var_2C], al\n.vmp2:0006AFFF FF 74 24 44                         push    [esp+2Ch+arg_14]\n.vmp2:0006B003 C2 48 00                            retn    48h ; 'H'       ; jumps to the address taken from the stack (some hooks do the same, passing information via the stack)\n.vmp2:0006B003                               _vmexit_        endp\n```\nThe routine loads the flags from a fixed stack slot, saves the general-purpose registers with `pusha`, pushes a constant and the stack pointer, and finally fetches its destination from another fixed stack slot and `retn`s to it while discarding 48h bytes of the frame. Because the layout is fixed, the destination can be read from the stack at a known offset when execution is stopped inside the routine.\n\nExample of the vmexit routine in action (for user-mode anti-debug checks):\n\n\n![#3](imgs/imgb.png)\n\n![#4](imgs/imgc.png)\n\nIn the screenshots above, VMProtect uses the routine to check for user-mode debuggers. It is also capable of checking for kernel-mode debuggers, and it uses syscalls for these checks; after that, it starts initializing the original PE.\n\nIn total, versions below 2.x perform the following calls for verification:\n\n| Module   | API                        |\n|----------|----------------------------|\n| kernel32 | IsDebuggerPresent          |\n| kernel32 | CheckRemoteDebuggerPresent |\n| kernel32 | GetThreadContext           |\n| ntdll    | ZwQueryInformationProcess  |\n| ntdll    | ZwSetInformationThread     |\n| kernel32 | CreateFileA                |\n\n[ ! ] CreateFileA is used to check for debuggers by opening the following device names:\n- \\\\\\\\.\\\\SICE\n- \\\\\\\\.\\\\SIWVID\n- \\\\\\\\.\\\\NTICE\n- \\\\\\\\.\\\\ICEEXT\n- \\\\\\\\.\\\\SYSERBOOT\n\nAll these calls can be bypassed simply by inserting the Keo stub so that Birosca can load the \"KELAIN\" module into the process's memory space and handle the calls to these APIs. This allows the Birosca VMP debugger to function smoothly.\n\n##### Kelain and KeoStub in action:\n\n![#5](imgs/workinglain.gif)\n\n### Running Birosca\n\n![#6](imgs/working.gif)\n\nBirosca output log:\n\n```\n\n   ______ ___________ _____ _____ _____   ___    _   ____  _________ \n   | ___ \\_   _| ___ \\  _  /  ___/  __ \\ / _ \\  | | | |  \\/  || ___ \\\n   | |_/ / | | | |_/ / | | \\ `--.| /  \\// /_\\ \\ | | | | .  . || |_/ /\n   | ___ \\ | | |    /| | | |`--. 
\\ |    |  _  | | | | | |\\/| ||  __/ \n   | |_/ /_| |_| |\\ \\\\ \\_/ /\\__/ / \\__/\\| | | | \\ \\_/ / |  | || |    \n   \\____/ \\___/\\_| \\_|\\___/\\____/ \\____/\\_| |_/  \\___/\\_|  |_/\\_|     \n   A DYNAMIC STUDY VMPROTECT 1.X-1.9X Unpacking toolkit                                                   \n    \nHello World!\n\n[X] Image Base catch from PEB: 0x400000\n[X] Virtual Machine Section -\u003e .vmp0\n[X] Virtual Machine Section -\u003e .vmp1\n[!] Let's Disasm VMP PACKER Entry. please remember that if you have injected KeoStub into the protected file\nthis will be KeoStubVm ASM.\nBEGIN VM PROTECT PACKER ENTRY DISAM\n_______\n1 (05) e953130100               JMP 0x11359\n6 (05) e9f24c0000               JMP 0x4cfd\nb (05) e95e260000               JMP 0x266e\n10 (05) e9792a0000               JMP 0x2a8e\n15 (05) e9a4350000               JMP 0x35be\n1a (05) e9ef340000               JMP 0x350e\n1f (05) e9fd4c0000               JMP 0x4d21\n24 (05) e9d5130000               JMP 0x13fe\n29 (05) e950130000               JMP 0x137e\n2e (05) e98b270000               JMP 0x27be\n33 (05) e9d6150000               JMP 0x160e\n38 (05) e971350000               JMP 0x35ae\n3d (01) e9                       DB 0xe9\n3e (01) 9c                       PUSHF\n3f (02) 3c00                     CMP AL, 0x0\n_______\nEND VM PROTECT PACKER ENTRY DISAM\n[?] 
Searching on .vmp0\n________REG'S________\nRAX: 7fffa23711dd\nRBX: b36000\nRCX: 7fffa233c574\nRDX: 0\nRSI: 7fffa23cd4c0\nRDI: 10\nRIP: 7fffa23711dd\nRSP: 8fedb0\nRBP: 0\nEFLAGS: 246\n_____________________\n________REG'S________\nRAX: 7fffa23711dd\nRBX: b36000\nRCX: 7fffa233c574\nRDX: 0\nRSI: 7fffa23cd4c0\nRDI: 10\nRIP: 7fffa23711dd\nRSP: 8fedb0\nRBP: 0\nEFLAGS: 246\n_____________________\n________REG'S________\nRAX: 77c3e9d3\nRBX: b37000\nRCX: 595a39d07ac20000\nRDX: 0\nRSI: d81e28\nRDI: 77b9688c\nRIP: 77c3e9d3\nRSP: 9ff370\nRBP: 9ff39c\nEFLAGS: 246\n_____________________\n________REG'S________\nRAX: 422276\nRBX: b37000\nRCX: 411023\nRDX: 411023\nRSI: 411023\nRDI: 411023\nRIP: 422276\nRSP: 9ff8bc\nRBP: 9ff8d0\nEFLAGS: 246\n_____________________\nEntrypoint recovery from vmexit into third position of stack: 0x412df0\nBEGIN ENTRY POINT ROUTINE ASM RECOVERED FROM VMEXIT\n_______\n1 (01) 55                       PUSH EBP\n2 (02) 8bec                     MOV EBP, ESP\n4 (05) e858fcffff               CALL 0xfffffc61\n9 (01) 5d                       POP EBP\na (01) c3                       RET\nb (01) cc                       INT 3\nc (01) cc                       INT 3\nd (01) cc                       INT 3\ne (01) cc                       INT 3\nf (01) cc                       INT 3\n10 (01) cc                       INT 3\n11 (01) 55                       PUSH EBP\n12 (02) 8bec                     MOV EBP, ESP\n14 (01) 83                       DB 0x83\n_______\nEND ENTRY POINT ROUTINE ASM RECOVERED FROM VMEXIT\nif you are trying to unpack a VB 6.0 binary protected with VM Protect. remember that the entrypoint is not the entrypoint routine, but the entrypoint of the VB 6.0 opcode that Vmprotect has already resolved the symbol of the DLL(MSVBVM60.DLL) that interprets the opcodes and only makes the call, the stubs are the same, you can solve it manually only with the address I gave you.\n```\n\nFeel free to collaborate on improvements. 
This was developed for my own study (this technique obviously won't work for newer versions, since vmexit presents itself differently).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeowu%2Fbirosca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeowu%2Fbirosca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeowu%2Fbirosca/lists"}
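The vmexit (aka context exchange) stub listed in the README above is what a signature scan has to find before the entry point can be read off the stack. As an added example, not Birosca's own code, the following C++ scans a byte buffer for that stub with a wildcard signature, decodes the variable fields of every hit, and walks the stub's stack effect to report from which entry-ESP-relative slot the dispatch target is taken and where ESP ends up after the `retn`. The fixed opcodes are the ones in the listing; treating the two `push [esp+disp8]` displacements, the `push imm32` immediate and the `retn imm16` operand as wildcards is my assumption about what varies between protected files, and the sample buffer is constructed here, not a real dump.

```cpp
// Added example, not Birosca's code: wildcard signature scan for the
// VMProtect 1.x "vmexit" (context exchange) stub from the README listing,
// plus decoding of each hit. Which bytes are wildcards is an assumption.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct VmExitHit {
    size_t   offset;         // offset of the first 'cld' in the scanned buffer
    uint8_t  flags_disp;     // disp8 of 'push [esp+disp8]' that feeds popf
    uint32_t pushed_imm;     // imm32 of 'push imm32' (2DAC0F62h in the listing)
    uint8_t  target_disp;    // disp8 of the final 'push [esp+disp8]'
    uint16_t retn_pop;       // operand of 'retn imm16' (48h in the listing)
    int32_t  target_slot;    // entry-ESP-relative offset the target is read from
    int32_t  esp_after_retn; // entry-ESP-relative ESP once retn has executed
};

// Signature for the stub; -1 marks a wildcard byte.
static const int kVmExitSig[] = {
    0xFC, 0xFC,                 // cld ; cld
    0x9C,                       // pushf
    0xFF, 0x74, 0x24, -1,       // push [esp+disp8]
    0x9D,                       // popf
    0x60,                       // pusha
    0x68, -1, -1, -1, -1,       // push imm32
    0x54,                       // push esp
    0x88, 0x04, 0x24,           // mov [esp], al
    0xFF, 0x74, 0x24, -1,       // push [esp+disp8]   (dispatch target)
    0xC2, -1, -1,               // retn imm16
};
static const size_t kSigLen = sizeof(kVmExitSig) / sizeof(kVmExitSig[0]);

static bool MatchesAt(const uint8_t* p) {
    for (size_t i = 0; i < kSigLen; ++i)
        if (kVmExitSig[i] != -1 && p[i] != static_cast<uint8_t>(kVmExitSig[i]))
            return false;
    return true;
}

// Walk the stub's stack effect. ESP is tracked relative to its value on entry
// to the stub (0), so the result does not depend on where the stub lives.
static void WalkStack(uint8_t target_disp, uint16_t retn_pop,
                      int32_t* target_slot, int32_t* esp_after_retn) {
    int32_t esp = 0;
    esp -= 4;                         // pushf
    esp -= 4;                         // push [esp+disp8]
    esp += 4;                         // popf
    esp -= 8 * 4;                     // pusha (8 dwords)
    esp -= 4;                         // push imm32
    esp -= 4;                         // push esp
    *target_slot = esp + target_disp; // operand is read before this push
    esp -= 4;                         // push [esp+disp8]
    esp += 4;                         // retn pops the pushed target into EIP
    esp += retn_pop;                  // ...then discards imm16 bytes of frame
    *esp_after_retn = esp;
}

// Scan a buffer (for example a dumped .vmp section) for every occurrence of the stub.
std::vector<VmExitHit> ScanVmExit(const std::vector<uint8_t>& buf) {
    std::vector<VmExitHit> hits;
    for (size_t off = 0; off + kSigLen <= buf.size(); ++off) {
        const uint8_t* p = buf.data() + off;
        if (!MatchesAt(p)) continue;
        VmExitHit h{};
        h.offset      = off;
        h.flags_disp  = p[6];
        std::memcpy(&h.pushed_imm, p + 10, 4);  // little-endian imm32 (x86 host assumed)
        h.target_disp = p[21];
        h.retn_pop    = static_cast<uint16_t>(p[23] | (p[24] << 8));
        WalkStack(h.target_disp, h.retn_pop, &h.target_slot, &h.esp_after_retn);
        hits.push_back(h);
    }
    return hits;
}

// Constructed sample: a near-miss prefix (cld cld pushf, then garbage), the
// exact bytes from the README listing, and some int3 padding. Not a real dump.
std::vector<uint8_t> SampleSection() {
    std::vector<uint8_t> buf = {0xFC, 0xFC, 0x9C, 0x00};
    buf.insert(buf.end(), 12, 0x90);
    const uint8_t stub[] = {
        0xFC, 0xFC, 0x9C, 0xFF, 0x74, 0x24, 0x18, 0x9D, 0x60,
        0x68, 0x62, 0x0F, 0xAC, 0x2D, 0x54, 0x88, 0x04, 0x24,
        0xFF, 0x74, 0x24, 0x44, 0xC2, 0x48, 0x00,
    };
    buf.insert(buf.end(), stub, stub + sizeof(stub));
    buf.insert(buf.end(), 8, 0xCC);
    return buf;
}

int main() {
    for (const VmExitHit& h : ScanVmExit(SampleSection()))
        std::printf("vmexit stub at +0x%zx: push imm32 %08X, retn %Xh, "
                    "target read from [entry_esp+0x%X], esp after retn = entry_esp+0x%X\n",
                    h.offset, h.pushed_imm, static_cast<unsigned>(h.retn_pop),
                    static_cast<unsigned>(h.target_slot),
                    static_cast<unsigned>(h.esp_after_retn));
    return 0;
}
```

Against a real target you would feed the bytes of the `.vmp0`/`.vmp1` sections instead of `SampleSection()`. The displacements are reported rather than hard-coded because the signature tolerates different frame layouts, and `target_slot` is the offset to add to the ESP saved on entry to the stub to read the destination it will `retn` to, which is the value a debugger stopped inside the routine wants when the context exchange leads to the original entry point.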