VMUnprotect is a project engaged in hunting virtualized VMProtect methods. It makes use of Harmony to dynamically read VMP behavior. It currently supports only method administration. It works on VMProtect 3.5.1 (Latest) and a few versions back.
```
VMUnprotect.exe <path to assembly> [args to assembly]
```

Note: All supported protections work when combined.

Protection Name | Is supported |
---|---|
Memory Protection | Yes |
Import Protection | Yes |
Resource Protection | Yes |
Debugger Detection | Yes |
Virtualization Tools | Yes |
Strip Debug Information | Yes |
Pack the Output File | No |
```csharp
using System.Diagnostics;
using System.Globalization;
using System.Reflection;
using HarmonyLib; // provides the FullDescription() extension method

namespace VMUnprotect
{
    /// <summary>
    ///     Works as Middle Man to make life easier
    /// </summary>
    internal static class MiddleMan
    {
        /// <summary>
        ///     This function can manipulate and log actual invokes from virtualized VMP functions.
        /// </summary>
        public static object VmpMethodLogger(object obj, BindingFlags? bindingFlags, Binder binder, ref object[] parameters, CultureInfo culture, MethodBase methodBase)
        {
            // Invoke the method and get return value.
            var returnValue = methodBase.Invoke(obj, parameters);

            // TODO: Add option to disable this because can cause bugs and can be broken easily
            var trace = new StackTrace();
            var frame = trace.GetFrame(5); // <--
            var method = frame?.GetMethod(); // null when the stack is shallower than expected

            // ConsoleLogger is the project's own logging wrapper.
            if (method != null)
            {
                if (method.IsConstructor)
                    ConsoleLogger.Warn($"VMP Method (Constructor) {method.FullDescription()}");

                ConsoleLogger.Warn($"VMP Method: {method.FullDescription()}");
            }

            ConsoleLogger.Warn("MethodName: {0}", methodBase.Name);
            ConsoleLogger.Warn("FullDescription: {0}", methodBase.FullDescription());
            ConsoleLogger.Warn("MethodType: {0}", methodBase.GetType());
            if (obj != null) ConsoleLogger.Warn("obj: {0}", obj.GetType());

            // Loop through parameters and log them (the array or an entry may be null)
            for (var i = 0; parameters != null && i < parameters.Length; i++)
            {
                var parameter = parameters[i];
                ConsoleLogger.Warn("Parameter ({1}) [{0}]: ({2})", i, parameter?.GetType(), parameter);
            }

            ConsoleLogger.Warn("MDToken: {0}", methodBase.MetadataToken);
            ConsoleLogger.Warn("Returns: {0}", returnValue);

            if (returnValue != null)
                ConsoleLogger.Warn("Return type: {0}\n", returnValue.GetType());

            return returnValue;
        }
    }
}
```

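The `GetFrame(5)` call in the logger above depends on the exact number of frames between the virtualized method and the logger, which is what its TODO warns about. The following is an added example, not VMUnprotect's own code: it resolves the caller by skipping frames by declaring type instead of by index. `CallerResolver`, `Logger`, `Interpreter` and `Target` are hypothetical stand-ins, and treating the interpreter as one known type is an assumption rather than something the page states about VMProtect.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.CompilerServices;

internal static class CallerResolver
{
    // Hypothetical helper: first frame declared outside corelib and the skipped types, else null.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static MethodBase FindCaller(params Type[] skippedTypes)
    {
        var trace = new StackTrace(1, false); // 1 = leave FindCaller itself out
        for (var i = 0; i < trace.FrameCount; i++)
        {
            var method = trace.GetFrame(i)?.GetMethod();
            var type = method?.DeclaringType;
            if (type == null || type.Assembly == typeof(object).Assembly) continue; // reflection plumbing
            if (Array.IndexOf(skippedTypes, type) >= 0) continue;                   // logger / interpreter
            return method;
        }
        return null;
    }
}

// Constructed stand-ins: Interpreter plays the VM, Target.Protected the virtualized method.
internal static class Logger
{
    public static MethodBase Seen;
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static object Invoke(MethodBase m, object obj, object[] args)
    {
        Seen = CallerResolver.FindCaller(typeof(Logger), typeof(Interpreter));
        return m.Invoke(obj, args);
    }
}
internal static class Interpreter
{
    private static readonly MethodBase Abs = typeof(Math).GetMethod("Abs", new[] { typeof(int) });
    // The recursion varies how many interpreter frames sit between target and logger.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static int Run(int depth) =>
        depth > 0 ? Run(depth - 1) : (int)Logger.Invoke(Abs, null, new object[] { -7 });
}
internal static class Target
{
    // Boxing the result keeps the call out of tail position, so this frame stays on the stack.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static object Protected(int depth) => Interpreter.Run(depth);
    private static void Main() => Console.WriteLine(
        $"{Protected(0)} from {Logger.Seen.Name}; {Protected(3)} from {Logger.Seen.Name}");
}
```

Both calls resolve to `Protected` even though the second one adds three interpreter frames, a change that would shift the result of a fixed frame index.
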
- Tracing invokes in virtualized methods.
- Manipulating parameters and return values.
As VMProtect describes it on their website: Code virtualization is the next step in software protection. Most protection systems encrypt the code and then decrypt it at the application’s startup. VMProtect doesn’t decrypt the code at all! Instead, the encrypted code runs on a virtual CPU that is markedly different from generic x86 and x64 CPUs as the command set is different for each protected file.
No, it isn't even meant for devirtualization.
This tool uses the following (open source) software:
- dnlib by 0xd4d, licensed under the MIT license, for reading/writing assemblies.
- Harmony by Andreas Pardeike, licensed under the MIT license, for patching the stacktrace which allows for reflection invocation to be used.
- Serilog provides diagnostic logging to files, the console, and elsewhere. It is easy to set up and has a clean API.