Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/can1357/NoVmp
A static devirtualizer for VMProtect x64 3.x. powered by VTIL.
https://github.com/can1357/NoVmp
devirtualization vmprotect vtil
Last synced: about 1 month ago
JSON representation
A static devirtualizer for VMProtect x64 3.x. powered by VTIL.
- Host: GitHub
- URL: https://github.com/can1357/NoVmp
- Owner: can1357
- License: gpl-3.0
- Created: 2020-08-16T15:54:26.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-08-08T16:34:04.000Z (over 3 years ago)
- Last Synced: 2024-04-09T10:33:56.133Z (8 months ago)
- Topics: devirtualization, vmprotect, vtil
- Language: C++
- Homepage:
- Size: 338 KB
- Stars: 1,836
- Watchers: 82
- Forks: 336
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - can1357/NoVmp - A static devirtualizer for VMProtect x64 3.x. powered by VTIL. (C++)
README
NoVmp
A static devirtualizer for VMProtect x64 3.x powered by VTIL.
### VMProtect? Nope.
NoVmp is a project devirtualizing VMProtect x64 3.0 - 3.5 (latest) into optimized VTIL and optionally recompiling back to x64 using the [Virtual-machine Translation Intermediate Language](https://github.com/vtil-project/VTIL-Core) library. It is rather experimental and is mostly a PoC I wanted to release. Most things can be improved especially with the new NativeLifters repo, but it did not exist back in the time this was written.# Usage
NoVmp accepts **unpacked binaries**, so if your binary is packed you'll have to dump it first, additionally if you did dump it using a tool like Scylla, you'll have to provide the original image base using the `-base` parameter like so:`-base 0x14000000`
By default NoVmp will parse every single jump into a VM, if you are only interested in a number of **specific** virtualized routines you can use the `-vms` parameter like so with relative virtual addresses:
`-vms 0x729B81 0x72521`
These addresses should be pointing at the VMEnter, as shown below:
![VMEnter](https://raw.githubusercontent.com/can1357/NoVmp/master/assets/vmenter.png)
By default section discovery is automatic, but in case your calls are not being chained you should try adding the VMProtect section name into the section list using `-sections` as shown below:
`-sections .xxx0 .yyy0`
Note that the `.1` section is the merged VMProtect DLL which should not be inputted.
Additionally you can use any of the following switches:
- `-noopt`: Disables optimization.
- `-opt:constant`: Optimizes the VMProtect Ultra constant obfuscation out.
- `-experimental:recompile`: Enables the experimental x64 compiler.# Known bugs
- Known issues from VTIL-Core, mainly the lack of jump table support and propagation passes taking too long/not being great which are being worked on.
- Binaries compiled with relocations stripped are not fully supported yet.
- Experimental compiler is a borderline broken demo, issues related to it should not be submitted as it'll be reworked and will be in VTIL-Core.# License
NoVmp is licensed under the GNU General Public License v3.