Exetools
#1
08-28-2022, 12:25
atom0s
VMProtect Source Code Potentially Leaked

Posted on Twitter by gmhzxy:
https://twitter.com/gmhzxy/status/1563608617169096708

Someone has shared screenshots of the source code to VMP opened within Visual Studio. Possible public leak incoming, but wouldn't be surprised if whoever has it tries to profit via Bitcoin first.
__________________
Personal Projects Site: https://atom0s.com

#2
08-28-2022, 16:09
WhoCares
wait and see
__________________
AKA Solomon/blowfish.

#3
08-28-2022, 19:01
Vosiyons
https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get in the hands of public, its gonna be the doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?
Attached image: x64Unpack.gif

#4
08-29-2022, 00:32
JMP-JECXZ
I expect nothing, and I'm still let down.

#5
08-29-2022, 03:02
Stingered
Quote:
Originally Posted by Vosiyons View Post
https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get in the hands of public, its gonna be the doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?
Never gonna happen. At least not this tool.

#6
08-29-2022, 04:12
chants
Quote:
Originally Posted by Vosiyons View Post
https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get in the hands of public, its gonna be the doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?
Their tool claims to use hybrid execution using a mix of native code and emulation. There are potential practical issues here that academic tools probably aren't designed to scale to. Some, like code coverage, are just general problems of dynamic analysis, since it's not easy to execute every code path, leaving some parts unpacked.

But there is also the question of how this hybrid mode works. I didn't see the details, but I imagine the first execution is emulated and later executions are run natively. But different code paths leading to that point could change the unpacked result, making certain targets likely impossibly slow if you require too much emulation. Further, some targets are connected to a server with things like latency monitored, e.g. games. Emulation would cause disconnects and make it very difficult in any time-sensitive environment.

Such a tool is not so difficult to code a prototype of either. So I suspect it won't be easy to go from an academic prototype sufficient for research to state-of-the-art targets.

#7
08-29-2022, 18:27
schrodyn
For what it's worth, I haven't found it uploaded to VT either. I presumed someone would upload it to VT to make sure it's not "backdoored".

#8
08-30-2022, 21:45
MrScotc
The news was spread on Wednesday, but there is no evidence.

#9
08-31-2022, 17:31
Jupiter
VMProtect != DeVMProtect

A potential VMProtect code leak could offer the possibility to easily build something like "MyVMProtect", but not the possibility to quickly develop something like "DeVMProtect".

The reason is very simple: VMProtect contains code to virtualise, but it contains no code to devirtualise.

One could check existing research about virtual machines and VMProtect to explore the existing possibilities to devirtualise VMProtect'ed code. Some tools (those based on VTIL, for example) provide enough details about the structure of the VM internals, so VMProtect source code will just prove some assumptions and reveal additional details about these VMProtect internals, but the basic information is already available in VMProtect research papers and articles, accompanied by source code (see the VTIL project and its tools).

This means that researchers already have enough information to devirtualise at least some blocks of virtualised code.

The only missing thing is a 'one click solution for dummies' to quickly unpack and devirtualise VMProtect.

But a leak of the actual VMProtect sources will, with greater probability, lead to the appearance of VMProtect clones rather than the appearance of a DeVMProtect (VMProtect devirtualiser) for dummies.
__________________
EnJoy!
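An added example to make Jupiter's asymmetry concrete (my own code; it is not from the post, from VMProtect, or from VTIL). The virtualizer half is the kind of thing a leaked source would let you clone: a toy stack VM where each "protected build" draws random opcode bytes for its handlers and stores constants XOR-ed with a per-build key. The devirtualizer half is not derivable from that source: it never sees the opcode table or key and instead fingerprints each handler by feeding it random VM state and matching the effect against known handler classes, then uses the PUSH handler as an oracle to recover the key and lifts the bytecode back to an expression. The handler set, the class and function names (ProtectedVM, fingerprint_handlers, lift) and the encoding scheme are assumptions of the toy; real VMs add mutated handlers per build, rolling keys, a full register context and junk, which is what makes the same approach hard in practice.

```python
import operator
import random

MASK = 0xFFFFFFFF
BINOPS = {"ADD": (operator.add, "+"), "SUB": (operator.sub, "-"),
          "MUL": (operator.mul, "*"), "XOR": (operator.xor, "^")}

class ProtectedVM:
    """One protected build: random opcode byte per handler, constants XOR-ed with a per-build key (toy assumption)."""

    def __init__(self, seed):
        rng = random.Random(seed)
        names = ["PUSH", "ARG"] + list(BINOPS)
        self.opcode_of = dict(zip(names, rng.sample(range(256), len(names))))
        self._name_of = {v: k for k, v in self.opcode_of.items()}  # build secret
        self._key = rng.randrange(1, 1 << 32)                        # build secret

    def virtualize(self, postfix):
        # int -> constant, 'argN' -> N-th argument, 'ADD'/'SUB'/... -> operator
        code = []
        for tok in postfix:
            if isinstance(tok, int):
                code.append((self.opcode_of["PUSH"], (tok ^ self._key) & MASK))
            elif tok in BINOPS:
                code.append((self.opcode_of[tok], 0))
            else:
                code.append((self.opcode_of["ARG"], int(tok[3:])))
        return code

    def step(self, opcode, imm, stack, args):
        """Run one handler and return the new stack; the devirtualizer uses nothing else."""
        stack = list(stack)
        name = self._name_of[opcode]
        if name == "PUSH":
            stack.append((imm ^ self._key) & MASK)
        elif name == "ARG":
            stack.append(args[imm] & MASK)
        else:
            b, a = stack.pop(), stack.pop()
            stack.append(BINOPS[name][0](a, b) & MASK)
        return stack

    def run(self, code, args):
        stack = []
        for opcode, imm in code:
            stack = self.step(opcode, imm, stack, args)
        return stack[-1]

def _expected(cand, stack, imm, args, out):
    """Stack a handler with semantics `cand` would have produced."""
    if cand in BINOPS:
        return stack[:-2] + [BINOPS[cand][0](stack[-2], stack[-1]) & MASK]
    if cand == "ARG":
        return stack + [args[imm]]
    return stack + out[-1:] if len(out) == len(stack) + 1 else None  # PUSH: value unknown yet

def fingerprint_handlers(vm, opcodes, trials=8, seed=0):
    """Recover opcode -> semantics with no opcode table: feed each handler random
    state, match the effect against known handler classes, then use PUSH as a key oracle."""
    rng = random.Random(seed)
    names = {}
    for op in opcodes:
        for cand in list(BINOPS) + ["ARG", "PUSH"]:      # most specific first
            for _ in range(trials):
                args = [rng.randrange(1 << 32) for _ in range(4)]
                stack = [rng.randrange(1 << 32) for _ in range(3)]
                imm = rng.randrange(len(args))           # also a valid ARG index
                out = vm.step(op, imm, stack, args)
                if out != _expected(cand, stack, imm, args, out):
                    break
            else:
                names[op] = cand
                break
        else:
            names[op] = "UNKNOWN"
    push_op = next(op for op, n in names.items() if n == "PUSH")
    return names, vm.step(push_op, 0, [], [])[-1]        # PUSH 0 pushes 0 ^ key

def lift(code, names, key):
    """Rebuild the source expression from bytecode using recovered semantics."""
    stack = []
    for opcode, imm in code:
        name = names[opcode]
        if name == "PUSH":
            stack.append(str((imm ^ key) & MASK))
        elif name == "ARG":
            stack.append(f"arg{imm}")
        else:
            b, a = stack.pop(), stack.pop()
            stack.append(f"({a} {BINOPS[name][1]} {b})")
    return stack[-1]

def demo(seed=7):
    """Protect (arg0 + arg1) * 7, run it, then devirtualize it blind."""
    vm = ProtectedVM(seed)
    code = vm.virtualize(["arg0", "arg1", "ADD", 7, "MUL"])
    names, key = fingerprint_handlers(vm, {op for op, _ in code})
    return vm.run(code, [3, 4]), lift(code, names, key), key == vm._key  # -> (49, '((arg0 + arg1) * 7)', True)
```

The point is that nothing in `fingerprint_handlers` or `lift` comes from `ProtectedVM`: having the virtualizer tells you the handler classes to look for and how constants are encoded, which is exactly the "prove some assumptions" value Jupiter describes, but the lifter still has to be written and still has to identify handlers in each build on its own. Swapping in a different opcode permutation or key (any other seed) changes nothing for the devirtualizer, while adding handler mutation or a rolling key would break this simple black-box matching and is where the real work lives.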
#10
08-31-2022, 18:09
user1
Can someone upload it please? The link is not working for me.

#11
08-31-2022, 20:04
nulli
Quote:
Originally Posted by user1 View Post
can upload please link not working for me.
There is no known link to the source code at this time afaik.

#12
09-01-2022, 17:11
deepzero
It's true that the VMP VM is well documented and won't give much insight; I would actually be more interested in obtaining a full list of their normal obfuscation actions ... but it would be spectacular in any case.

x64unpack can switch between emulation and native execution, and their results are excellent, including fairly real-world examples. Of course there will always be cases where it doesn't work, plus countermeasures.
But I have used standard DBI in the past for tracing and unpacking, and if done correctly and with some tuning they yield excellent results.

#13
11-23-2022, 04:21
tofu-sensei
https://twitter.com/ESETresearch/status/1594937054303236096

huh

All times are GMT +8.