Exetools  

#1
Old 08-28-2022, 12:25
atom0s
VMProtect Source Code Potentially Leaked

Posted on Twitter by gmhzxy:
https://twitter.com/gmhzxy/status/1563608617169096708

Someone has shared screenshots of the source code to VMP opened within Visual Studio. Possible public leak incoming, but wouldn't be surprised if whoever has it tries to profit via Bitcoin first.
__________________
Personal Projects Site: https://atom0s.com
#2
Old 08-28-2022, 16:09
WhoCares
wait and see
__________________
AKA Solomon/blowfish.
#3
Old 08-28-2022, 19:01
Vosiyons
https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get into the hands of the public; it's gonna be doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?
Attached image: x64Unpack.gif
#4
Old 08-29-2022, 00:32
JMP-JECXZ
I expect nothing, and I'm still let down.
#5
Old 08-29-2022, 03:02
Stingered
Quote:
Originally Posted by Vosiyons View Post
https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get into the hands of the public; it's gonna be doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?
Never gonna happen. At least not this tool.
#6
Old 08-29-2022, 04:12
chants
Quote:
Originally Posted by Vosiyons View Post
https://ieeexplore.ieee.org/document/9139515

I seriously wonder when this tool will get into the hands of the public; it's gonna be doomsday for vmpsoft.

Can we say that the VMProtect era is coming to an end?
Their tool claims to use hybrid execution using a mix of native code and emulation. There are potential practical issues here that academic tools probably aren't designed to scale to. Some, like code coverage, are just general problems of dynamic analysis, since it's not easy to execute every code path, leaving some parts unpacked.

There is also the question of how this hybrid mode works. I didn't see the details, but I imagine the first execution is emulated and later executions are natively run. But different code paths leading to that point could change the unpacked result, making certain targets likely impossibly slow if you require too much emulation. Further, some targets are connected to a server with things like latency monitored, e.g. games. Emulation would cause disconnects and make it very difficult in any time-sensitive environment.

Such a tool is not so difficult to code a prototype of either. So I suspect it won't be easy to go from the academic prototype sufficient for research to state-of-the-art targets.
#7
Old 08-29-2022, 18:27
schrodyn
For what it's worth, I haven't found it uploaded to VT either. I presumed someone would upload it to VT to make sure it's not "backdoored".
#8
Old 08-30-2022, 21:45
MrScotc
The news was spread on Wednesday, but there is no evidence.
#9
Old 08-31-2022, 17:31
Jupiter
VMProtect != DeVMProtect

Potential VMProtect code leak could offer a possibility to easily build something like "MyVMProtect", but not a possibility to quickly develop something like "DeVMProtect".

The reason is very simple: VMProtect contains code to virtualise, but it contains no code to devirtualise.

One could check existing research about virtual machines and VMProtect to explore existing possibilities to devirtualise VMProtect'ed code. Some tools (like those based on VTIL, for example) provide enough details about the structure of VM internals, so VMProtect source code will just prove some assumptions and reveal additional details about these VMProtect internals, but the basic information is already available in VMProtect research papers and articles, accompanied by source code (see the VTIL project and its tools).

This means that researchers already have enough information to devirtualise at least some blocks of virtualised code.

The only missing thing is a 'one click solution for dummies' to quickly unpack and devirtualise VMProtect.

But leakage of actual VMProtect sources will, with greater probability, lead to the appearance of VMProtect clones rather than the appearance of DeVMProtect (a VMProtect devirtualiser) for dummies.
__________________
EnJoy!
#10
Old 08-31-2022, 18:09
user1
Can you upload it please? The link is not working for me.
#11
Old 08-31-2022, 20:04
nulli
Quote:
Originally Posted by user1 View Post
Can you upload it please? The link is not working for me.
There is no known link to the source code at this time afaik.
#12
Old 09-01-2022, 17:11
deepzero
It's true that the VMP VM is well documented and won't give much insight; I would actually be more interested in obtaining a full list of their normal obfuscation actions ... but it would be spectacular in any case.

x64unpack can switch between emulation and native execution, and their results are excellent, including fairly real-world examples. Of course there will always be cases where it doesn't work, plus countermeasures.
But I have used standard DBI in the past for tracing and unpacking, and if done correctly and with some tuning they yield excellent results.
All times are GMT +8. The time now is 06:28.