Today I found this fantastic Analysis of VMProtect 2 Virtual Machine Architecture:
https://back.engineering/17/05/2021/
The code can be found here:
https://githacks.org/vmp2
Table Of Contents
- Credit - Links to Existing Work
- Preamble - Intentions and Purpose
  - Purpose
  - Intentions
- Terminology
- Introduction
- Obfuscation - Deadstore, Opaque Branching
  - Opaque Branching Obfuscation Example
  - Deadstore Obfuscation Example
- Overview - VMProtect 2 Virtual Machine
  - Rolling Decryption
  - Native Register Usage
    - Non-Volatile Registers - Registers With Specific Usage
    - Volatile Registers - Temp Registers
  - vm_entry - Entering The Virtual Machine
  - calc_jmp - Decryption Of Vm Handler Index
  - vm_exit - Leaving The Virtual Machine
  - check_vsp - relocate scratch registers
- Virtual Instructions - Opcodes, Operands, Specifications
  - Operand Decryption - Transformations
  - VM Handlers - Specifications
    - LCONST - Load Constant Value Onto Stack
      - LCONSTQ - Load Constant QWORD
      - LCONSTCDQE - Load Constant DWORD Sign Extended to a QWORD
      - LCONSTCBW - Load Constant Byte Convert To Word
      - LCONSTCWDE - Load Constant Word Convert To DWORD
      - LCONSTDW - Load Constant DWORD
    - LREG - Load Scratch Register Value Onto Stack
      - LREGQ - Load Scratch Register QWORD
      - LREGDW - Load Scratch Register DWORD
    - SREG - Set Scratch Register Value
      - SREGQ - Set Scratch Register Value QWORD
      - SREGDW - Set Scratch Register Value DWORD
      - SREGW - Set Scratch Register Value WORD
      - SREGB - Set Scratch Register Value Byte
    - ADD - Add Two Values
      - ADDQ - Add Two QWORD Values
      - ADDW - Add Two WORD Values
      - ADDB - Add Two Byte Values
    - MUL - Unsigned Multiplication
      - MULQ - Unsigned Multiplication of QWORDs
    - DIV - Unsigned Division
      - DIVQ - Unsigned Division Of QWORDs
    - READ - Read Memory
      - READQ - Read QWORD
      - READDW - Read DWORD
      - READW - Read Word
    - WRITE - Write Memory
      - WRITEQ - Write Memory QWORD
      - WRITEDW - Write DWORD
      - WRITEW - Write WORD
      - WRITEB - Write Byte
    - SHL - Shift Left
      - SHLCBW - Shift Left Convert Result To WORD
      - SHLW - Shift Left WORD
      - SHLDW - Shift Left DWORD
      - SHLQ - Shift Left QWORD
    - SHLD - Shift Left Double Precision
      - SHLDQ - Shift Left Double Precision QWORD
      - SHLDDW - Shift Left Double Precision DWORD
    - SHR - Shift Right
      - SHRQ - Shift Right QWORD
    - SHRD - Double Precision Shift Right
      - SHRDQ - Double Precision Shift Right QWORD
      - SHRDDW - Double Precision Shift Right DWORD
    - NAND - Not Then And
      - NANDW - Not Then And WORDs
    - READCR3 - Read Control Register Three
    - WRITECR3 - Write Control Register Three
    - PUSHVSP - Push Virtual Stack Pointer
      - PUSHVSPQ - Push Virtual Stack Pointer QWORD
      - PUSHVSPDW - Push Virtual Stack Pointer DWORD
      - PUSVSPW - Push Virtual Stack Pointer WORD
    - LVSP - Load Virtual Stack Pointer
      - LVSPW - Load Virtual Stack Pointer Word
      - LVSPDW - Load Virtual Stack Pointer DWORD
    - LRFLAGS - Load RFLAGS
    - JMP - Virtual Jump Instruction
    - CALL - Virtual Call Instruction
- Significant Virtual Machine Signatures - Static Analysis
  - Locating VM Handler Table
  - Locating VM Handler Table Entry Decryption
  - Handling Transformations - Templated Lambdas and Maps
  - Extracting Transformations - Static Analysis Continued
  - Static Analysis Dilemma - Static Analysis Conclusion
- vmtracer - Tracing Virtual Instructions
- vmprofile-cli - Static Analysis Using Runtime Traces
- Displaying Trace Information - vmprofiler-qt
  - Virtual Machine Behavior
- Demo - Creating and Inspecting A Virtual Trace
- Altering Virtual Instruction Results
- Encoding Virtual Instructions - Inverse Transformations
- Conclusion - Static Analysis, Dynamic Analysis