https://github.com/atrexus/vulkan

A PE dumper for processes protected by user mode anti-tamper solutions (hyperion, theia, etc.)
https://github.com/atrexus/vulkan

dumper roblox thefinals windows x64

Last synced: 3 months ago
JSON representation

A PE dumper for processes protected by user mode anti-tamper solutions (hyperion, theia, etc.)

• Host: GitHub
• URL: https://github.com/atrexus/vulkan
• Owner: atrexus
• License: mit
• Created: 2024-09-01T04:11:11.000Z (11 months ago)
• Default Branch: main
• Last Pushed: 2024-09-08T20:09:50.000Z (10 months ago)
• Last Synced: 2024-09-09T03:12:06.672Z (10 months ago)
• Topics: dumper, roblox, thefinals, windows, x64
• Language: C
• Homepage:
• Size: 54.7 KB
• Stars: 26
• Watchers: 1
• Forks: 2
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# Vulkan

Vulkan restores PE images by dumping them from memory. It was specifically designed for processes protected by dynamic code encryption, implemented by the [hyperion](https://roblox.fandom.com/wiki/Hyperion) and [theia](https://reversingthread.info/index.php/2024/01/10/the-finals-defeating-theia-packer/) anti-tamper solutions. Vulkan can also dump regular images from memory as well as modules loaded by a process.

Vulkan has been tested on [Roblox](https://roblox.com) and [The Finals](https://www.reachthefinals.com/).

## How to use

After downloading the latest version from the [releases](https://github.com/atrexus/vulkan/releases) tab, you can run it from the command line like so:

```

vulkan.exe -p  -o  --resolve-imports

```

If no output file is specified, the file will be saved to the current working directory.

To view the help message use the `-h` or `--help` option.

### Decryption

As mentioned, Vulkan will continue to query pages of code in the target module untill all `NOACCESS` pages are resolved. Depending on the application, there might always be `NOACCESS` pages so decryption could end in an infinite loop. To terminate the decryption task, you can use the `Ctrl+C` keyboard shortcut (for best results wait until 50% of the module is decrypted).

If you would like to automate termination, you can use the `-d` or `--decryption-factor` option, and provide it with a threshold ranging from `0.0` to `1.0` (again, for best results provide a value of `0.5` or above):

```

vulkan.exe -p  --decryption-factor 0.5

```

### Imports

To resolve imports for the main module, you can use the `i` or `--resolve-imports` flag. This will locate the custom IAT and restore the import directory in a new section. This may take a while, depending on how many pages were decrypted. This will have no effect on any modules other than the main one:

```

vulkan.exe -p  --resolve-imports

```

## Contributing

If you have anything to contribute to this project, please send a pull request, and I will review it. If you want to contribute but are unsure what to do, check out the [issues](https://github.com/atrexus/vulkan/issues) tab for the latest stuff I need help with.