VMProtect Source Code Potentially Leaked

atom0s · #1 08-28-2022, 12:25

Posted on Twitter by gmhzxy:
https://twitter.com/gmhzxy/status/1563608617169096708

Someone has shared screenshots of the source code to VMP opened within Visual Studio. Possible public leak incoming, but wouldn't be surprised if whoever has it tries to profit via Bitcoin first.

WhoCares · #2 08-28-2022, 16:09

wait and see

Vosiyons · #3 08-28-2022, 19:01

https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get in the hands of public, its gonna be the doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?

JMP-JECXZ · #4 08-29-2022, 00:32

I expect nothing, and i'm still let down.

Stingered · #5 08-29-2022, 03:02

Quote:

Originally Posted by Vosiyons

https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get in the hands of public, its gonna be the doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?

Never gonna happen. At least not this tool.

chants · #6 08-29-2022, 04:12

Quote:

Originally Posted by Vosiyons

https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get in the hands of public, its gonna be the doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?

Their tool claims to use hybrid execution using a mix of native code and emulation. There are potential practical issues here that academic tools probably aren't designed to scale to. Some like code coverage is just a general problem of dynamic analysis, since it's not easy to execute every code path leaving some parts unpacked.

But also how this hybrid mode works. I didn't see the details but I imagine the first execution is emulated and later execution are natively run. But different codepaths leasing to that point could change the unpacked result. Making certain targets likely impossibly slow if you require too much emulation. Further some targets are connected to a server with things like latency monitored e.g. games. Emulation would cause disconnects and make it very difficult in any time sensitive environment.

Such a tool is not so difficult to code a prototype of either. So I suspect it won't be easy to go from the academic prototype sufficient for research to state of the art targets.

schrodyn · #7 08-29-2022, 18:27

For what it's worth, I haven't found it uploaded to VT either. Presumed someone would upload to VT to make sure it's not "backdoored".

MrScotc · #8 08-30-2022, 21:45

The news was spread on Wednesday, but there is no evidence.

Jupiter · #9 08-31-2022, 17:31

Potential VMProtect code leak could offer a possibility to easily build something like "MyVMProtect", but not a possibility to quickly develop something like "DeVMProtect".

The reason is very simple: VMProtect contains a code to virtualise, but it contains no code to devirtualise.

One could check existing researches about virtual machines and VMProtect to explore existing possibilities to devirtualise VMProtect'ed code. Some tools (like based on VTIL, for example) provide enough details about structure of VM internals, so VMProtect source code will just prove some assumptions and reveal additional details about these VMProtect internals, but basic information is already available in VMProtect research papers and articles, accomplished by source code (see VTIL project and its tools).

This means that researchers already have enough information to devirtualise at least some blocks of virtualised code.

The only missing thing is a 'one click solution for dummies' to quickly unpack and devirtualise VMProtect.

But leakage of actual VMProtect sources, with greater probability, it will lead to the appearance of VMProtect clones rather than appearance of DeVMProtect (VMProtect devirtualiser) for dummies.

user1 · #10 08-31-2022, 18:09

can upload please link not working for me.

nulli · #11 08-31-2022, 20:04

Quote:

Originally Posted by user1

can upload please link not working for me.

There is no known link to the source code at this time afaik.

deepzero · #12 09-01-2022, 17:11

It's true that the VMP VM is well documented and wont give much insight, i would actually be more interested in obtaining a full list of their normal obfuscation actions ... but would be spectacular in any case.

x64unpack can switch between emulation and native execution, and their results are excellent, including fairly real-world examples. Of course there will always be cases where it doesnt work, + countermeasures.
But I have used standard DBI the past for tracing and unpacking, and if done correctly and with some tuning they yield excellent results.

tofu-sensei · #13 11-23-2022, 04:21

https://twitter.com/ESETresearch/status/1594937054303236096

huh

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

The Following 2 Users Say Thank You to atom0s For This Useful Post:
tonyweb (08-28-2022)

The Following 3 Users Say Thank You to chants For This Useful Post:
nulli (08-31-2022), sh3dow (11-06-2022)

The Following 2 Users Gave Reputation+1 to Jupiter For This Useful Post:
papi (09-01-2022), user1 (08-31-2022)

The Following 9 Users Say Thank You to Jupiter For This Useful Post:
Artic (09-02-2022), bolo2002 (08-31-2022), Kurapica (08-31-2022), Mendax47 (08-31-2022), niculaita (09-01-2022), nulli (08-31-2022), tonyweb (09-02-2022), user1 (08-31-2022), Vosiyons (09-01-2022)

The Following User Says Thank You to nulli For This Useful Post:
tonyweb (09-02-2022)

The Following 4 Users Say Thank You to deepzero For This Useful Post:
p4r4d0x (11-23-2022), sh3dow (09-03-2022), tonyweb (09-02-2022), Vosiyons (09-02-2022)