Exetools  

  #1  
Old 06-12-2021, 22:02
sh3dow
VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture

Today I found this fantastic analysis of the VMProtect 2 virtual machine architecture:

_https://back.engineering/17/05/2021/

The code can be found here

_https://githacks.org/vmp2


Table Of Contents

Credit - Links to Existing Work
Preamble - Intentions and Purpose
  Purpose
  Intentions
Terminology
Introduction
Obfuscation - Deadstore, Opaque Branching
  Opaque Branching Obfuscation Example
  Deadstore Obfuscation Example
Overview - VMProtect 2 Virtual Machine
  Rolling Decryption
  Native Register Usage
    Non-Volatile Registers - Registers With Specific Usage
    Volatile Registers - Temp Registers
  vm_entry - Entering The Virtual Machine
  calc_jmp - Decryption Of Vm Handler Index
  vm_exit - Leaving The Virtual Machine
  check_vsp - relocate scratch registers
  Virtual Instructions - Opcodes, Operands, Specifications
    Operand Decryption - Transformations
  VM Handlers - Specifications
    LCONST - Load Constant Value Onto Stack
      LCONSTQ - Load Constant QWORD
      LCONSTCDQE - Load Constant DWORD Sign Extended to a QWORD
      LCONSTCBW - Load Constant Byte Convert To Word
      LCONSTCWDE - Load Constant Word Convert To DWORD
      LCONSTDW - Load Constant DWORD
    LREG - Load Scratch Register Value Onto Stack
      LREGQ - Load Scratch Register QWORD
      LREGDW - Load Scratch Register DWORD
    SREG - Set Scratch Register Value
      SREGQ - Set Scratch Register Value QWORD
      SREGDW - Set Scratch Register Value DWORD
      SREGW - Set Scratch Register Value WORD
      SREGB - Set Scratch Register Value Byte
    ADD - Add Two Values
      ADDQ - Add Two QWORD Values
      ADDW - Add Two WORDS Values
      ADDB - Add Two Bytes Values
    MUL - Unsigned Multiplication
      MULQ - Unsigned Multiplication of QWORD’s
    DIV - Unsigned Division
      DIVQ - Unsigned Division Of QWORD’s
    READ - Read Memory
      READQ - Read QWORD
      READDW - Read DWORD
      READW - Read Word
    WRITE - Write Memory
      WRITEQ - Write Memory QWORD
      WRITEDW - Write DWORD
      WRITEW - Write WORD
      WRITEB - Write Byte
    SHL - Shift Left
      SHLCBW - Shift Left Convert Result To WORD
      SHLW - Shift Left WORD
      SHLDW - Shift Left DWORD
      SHLQ - Shift Left QWORD
    SHLD - Shift Left Double Precision
      SHLDQ - Shift Left Double Precision QWORD
      SHLDDW - Shift Left Double Precision DWORD
    SHR - Shift Right
      SHRQ - Shift Right QWORD
    SHRD - Double Precision Shift Right
      SHRDQ - Double Precision Shift Right QWORD
      SHRDDW - Double Precision Shift Right DWORD
    NAND - Not Then And
      NANDW - Not Then And WORD’s
    READCR3 - Read Control Register Three
    WRITECR3 - Write Control Register Three
    PUSHVSP - Push Virtual Stack Pointer
      PUSHVSPQ - Push Virtual Stack Pointer QWORD
      PUSHVSPDW - Push Virtual Stack Pointer DWORD
      PUSVSPW - Push Virtual Stack Pointer WORD
    LVSP - Load Virtual Stack Pointer
      LVSPW - Load Virtual Stack Pointer Word
      LVSPDW - Load Virtual Stack Pointer DWORD
    LRFLAGS - Load RFLAGS
    JMP - Virtual Jump Instruction
    CALL - Virtual Call Instruction
Significant Virtual Machine Signatures - Static Analysis
  Locating VM Handler Table
  Locating VM Handler Table Entry Decryption
  Handling Transformations - Templated Lambdas and Maps
    Extracting Transformations - Static Analysis Continued
  Static Analysis Dilemma - Static Analysis Conclusion
vmtracer - Tracing Virtual Instructions
vmprofile-cli - Static Analysis Using Runtime Traces
Displaying Trace Information - vmprofiler-qt
Virtual Machine Behavior
Demo - Creating and Inspecting A Virtual Trace
Altering Virtual Instruction Results
Encoding Virtual Instructions - Inverse Transformations
Conclusion - Static Analysis, Dynamic Analysis
  #2  
Old 06-23-2021, 18:39
deepzero
VMProtect 2 - Part Two, Complete Static Analysis

https://back.engineering/21/06/2021/
All times are GMT +8. The time now is 02:30.