{"id":13607412,"url":"https://github.com/void-stack/VMUnprotect","last_synced_at":"2025-04-12T11:32:31.700Z","repository":{"id":38826821,"uuid":"429216832","full_name":"void-stack/VMUnprotect","owner":"void-stack","description":"VMUnprotect can dynamically log and manipulate calls from virtualized methods by VMProtect.","archived":false,"fork":false,"pushed_at":"2023-04-16T18:44:51.000Z","size":3642,"stargazers_count":434,"open_issues_count":6,"forks_count":113,"subscribers_count":21,"default_branch":"main","last_synced_at":"2024-11-07T12:44:46.412Z","etag":null,"topics":["callhijacker","dotnet","harmony","vmp","vmprotect","vmunprotect"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/void-stack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"github":["void-stack"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2021-11-17T22:13:37.000Z","updated_at":"2024-11-03T03:09:19.000Z","dependencies_parsed_at":"2024-01-14T06:54:20.885Z","dependency_job_id":null,"html_url":"https://github.com/void-stack/VMUnprotect","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/void-stack%2FVMUnprotect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/void-stack%2FVMUnprotect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/void-stack%2FVMUnprotect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/void-stack%2FVMUnprotect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/void-stack","download_url":"https://codeload.github.com/void-stack/VMUnprotect/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248560250,"owners_count":21124616,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["callhijacker","dotnet","harmony","vmp","vmprotect","vmunprotect"],"created_at":"2024-08-01T19:01:18.429Z","updated_at":"2025-04-12T11:32:26.691Z","avatar_url":"https://github.com/void-stack.png","language":"C#","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg width=\"256\" heigth=\"256\" src=\"docs/vmup.png\"\u003e\n\u003ch1 align=\"center\"\u003eVMUnprotect.NET\u003c/h1\u003e\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eVMUnprotect\u003c/strong\u003e is a project engaged in hunting virtualized \u003ca href=\"https://vmpsoft.com\"\u003eVMProtect\u003c/a\u003e methods. It makes use of \u003ca href=\"https://github.com/pardeike/Harmony\"\u003eHarmony\u003c/a\u003e to dynamically read \u003cstrong\u003eVMP\u003c/strong\u003e behavior. Currently only supports method administration. Works on \u003ca href=\"https://vmpsoft.com/20210919/vmprotect-3-5-1/\"\u003eVMProtect 3.6.0\u003c/a\u003e (Latest) and few versions back.\n\u003c/p\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://forthebadge.com/images/badges/built-with-love.svg\" alt=\"appveyor-ci\" /\u003e\n  \u003cimg src=\"https://forthebadge.com/images/badges/made-with-c-sharp.svg\" alt=\"appveyor-ci\" /\u003e\n\u003c/p\u003e\n\u003c/p\u003e\n\n## Showcase\n\u003cimg src=\"docs/show.gif\"\u003e\n\n# Usage\n```sh\nVMUnprotect.exe \n  -f, --file             Required. Path to file.\n  --enableharmonylogs    (Default: false) Disable or Enable logs from Harmony.\n  --bypassantidebug      (Default: false) Bypass VMProtect Anti Debug.\n  --help                 Display this help screen.\n  --version              Display version information.\n```\n\n### Doesn't work? Make sure you dump the file before with:\n* [VMUnprotect.Dumper](https://github.com/void-stack/VMUnprotect.Dumper)\n\n# Supported Protections\nNote: ***All Supported Protections are working combined***\n\nProtection Name         | Is supported \n------------------------|-------------- \nMemory Protection       | ✓  \nImport Protection       | ✓  \nResource Protection     | ✓  \nDebugger Detection      | ✓  \nVirtualization Tools    | ✓ \nStrip Debug Information | ✓  \nPack the Output File    | ✓ \n\n## Current Features\n- Tracing invokes in virtualized methods.\n- Manipulating parameters and return values.\n- Bypass NtQueryInformationProcess, IsLogging, get_IsAttached\n\n## Usage can be found in VMUnprotect.Runtime.MiddleMan\n```csharp\n/// \u003csummary\u003e\n/// A prefix is a method that is executed before the original method\n/// \u003c/summary\u003e\npublic bool Prefix(ref object __result, ref object __instance, ref object obj, ref object[] parameters, ref object[] arguments) {\n    var virtualizedMethodName = new StackTrace().GetFrame(7).GetMethod();\n    var method = (MethodBase) __instance;\n    Logger.Print(\"VMP MethodName: {0} (MDToken 0x{1:X4})\", virtualizedMethodName.FullDescription(),\n                 virtualizedMethodName.MetadataToken.ToString());\n    Logger.Print(\"MethodName: {0}\", method.Name);\n    Logger.Print(\"FullDescription: {0}\", method.FullDescription());\n    Logger.Print(\"MethodType: {0}\", method.GetType());\n    // ReSharper disable once ConditionIsAlwaysTrueOrFalse\n    if (obj is not null)\n        Logger.Print(\"Obj: {0}\", Formatter.FormatObject(obj));\n    // Loop through parameters and log them\n    for (var i = 0; i \u003c parameters.Length; i++) {\n        var parameter = parameters[i];\n        Logger.Print(\"Parameter ({1}) [{0}]: ({2})\", i, parameter.GetType(), Formatter.FormatObject(parameter));\n    }\n    var returnType = method is MethodInfo info ? info.ReturnType.FullName : \"System.Object\";\n    Logger.Print(\"MDToken: 0x{0:X4}\", method.MetadataToken);\n    Logger.Print(\"Return Type: {0}\", returnType ?? \"null\");\n    return true;\n}\n\n/// \u003csummary\u003e\n///  A postfix is a method that is executed after the original method\n/// \u003c/summary\u003e\npublic void Postfix(ref object __instance, ref object __result, ref object obj, ref object[] parameters, ref object[] arguments) {\n    Logger.Print(\"Returns: {0}\", __result);\n}\n```\n\n# FAQ\n### What is code virtualization? \nAs VMProtect describes it on their's website. Code virtualization is the next step in software protection. Most protection systems encrypt the code and then decrypt it at the application’s startup. VMProtect doesn’t decrypt the code at all! Instead, the encrypted code runs on a virtual CPU that is markedly different from generic x86 and x64 CPUs as the command set is different for each protected file.\n\n### Can it devirtualize VMP?\nNo, isn't even meant for devirtualization.\n\nTodo                             | Done\n---------------------------------|---------\nChange this to support more VM's | X\nVMP Stack tracing                | X \nBypass VMP Debugger Detection    | ✓  \nBypass VMP CRC Check             | X  \nWPF GUI                          | X \n\n\n# Credits, checkout my blog about [VMUnprotect](https://void-stack.github.io)\n* [Washi](https://github.com/Washi1337) Overall credits for the project and inspiration with UnsafeInvokeInternal, thanks \u003c3\n\nThis tool uses the following (open source) software:\n* [dnlib](https://github.com/0xd4d/dnlib) by [0xd4d](https://github.com/0xd4d), licensed under the MIT license, for reading/writing assemblies.\n* [Harmony](https://github.com/pardeike/Harmony) by [Andreas Pardeike](https://github.com/pardeike), licensed under the MIT license\n* [Serilog](https://github.com/serilog/serilog) provides diagnostic logging to files, the console, and elsewhere. It is easy to set up, has a clean API.\n* [commandline](https://github.com/commandlineparser/commandline) offers CLR applications a clean and concise API for manipulating command line arguments and related tasks\n* [Autofac](https://github.com/autofac/Autofac) Autofac is an IoC container for Microsoft .NET. It manages the dependencies between classes so that applications stay easy to change as they grow in size and complexity. This is achieved by treating regular .NET classes as components.\n\n## 💵 Want to buy me a Coffee?\n     - Donate BTC at `bc1q048wrqztka5x2syt9mtj68uuf73vqry60s38vf`\n     - Donate ETH at `0x86b2C17C94A1E6f35d498d17a37dc1f8A715139b`\n","funding_links":["https://github.com/sponsors/void-stack"],"categories":["C# #"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoid-stack%2FVMUnprotect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoid-stack%2FVMUnprotect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoid-stack%2FVMUnprotect/lists"}