Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/can1357/NoVmp
A static devirtualizer for VMProtect x64 3.x. powered by VTIL.
devirtualization vmprotect vtil
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/can1357/NoVmp
- Owner: can1357
- License: gpl-3.0
- Created: 2020-08-16T15:54:26.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2021-08-08T16:34:04.000Z (about 3 years ago)
- Last Synced: 2024-04-09T10:33:56.133Z (7 months ago)
- Topics: devirtualization, vmprotect, vtil
- Language: C++
- Homepage:
- Size: 338 KB
- Stars: 1,836
- Watchers: 82
- Forks: 336
- Open Issues: 8
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - can1357/NoVmp - A static devirtualizer for VMProtect x64 3.x. powered by VTIL. (C++)
README
NoVmp
A static devirtualizer for VMProtect x64 3.x powered by VTIL.
### VMProtect? Nope.
NoVmp is a project devirtualizing VMProtect x64 3.0 - 3.5 (latest) into optimized VTIL and optionally recompiling back to x64 using the [Virtual-machine Translation Intermediate Language](https://github.com/vtil-project/VTIL-Core) library. It is rather experimental and is mostly a PoC I wanted to release. Most things can be improved, especially with the new NativeLifters repo, but it did not exist at the time this was written.
# Usage
NoVmp accepts **unpacked binaries**, so if your binary is packed you'll have to dump it first. Additionally, if you dumped it using a tool like Scylla, you'll have to provide the original image base using the `-base` parameter, like so: `-base 0x14000000`
By default NoVmp will parse every single jump into a VM. If you are only interested in a number of **specific** virtualized routines, you can use the `-vms` parameter with relative virtual addresses, like so:
`-vms 0x729B81 0x72521`
These addresses should be pointing at the VMEnter, as shown below:
![VMEnter](https://raw.githubusercontent.com/can1357/NoVmp/master/assets/vmenter.png)
By default section discovery is automatic, but if your calls are not being chained you should try adding the VMProtect section names to the section list using `-sections`, as shown below:
`-sections .xxx0 .yyy0`
Note that the `.1` section is the merged VMProtect DLL and should not be passed in.
Additionally you can use any of the following switches:
- `-noopt`: Disables optimization.
- `-opt:constant`: Optimizes the VMProtect Ultra constant obfuscation out.
- `-experimental:recompile`: Enables the experimental x64 compiler.
# Known bugs
- Known issues inherited from VTIL-Core, mainly the lack of jump table support and propagation passes that take too long or produce poor results; these are being worked on.
- Binaries compiled with relocations stripped are not fully supported yet.
- The experimental compiler is a borderline broken demo; issues related to it should not be submitted, as it will be reworked and moved into VTIL-Core.
# License
NoVmp is licensed under the GNU General Public License v3.