Rasetsuu/vmprotect-research

VMP Devirtualizer - Production Release

Generalized VMProtect devirtualizer supporting versions 1.x, 2.x, and 3.x. Standalone CLI tool + Ghidra plugin.

Status: ✅ Production Ready | Validation: 22/22 samples (100%) | Scope: VMP ≤3.6 (3.7+ requires reverse engineering)


Features

  • Multi-Version Support: VMP 1.x, 2.x, 3.x (1.1 → 3.10.5; the merged-handler format introduced in 3.7 is not yet supported, see Known Limitations)
  • Version Detection: Automatic identification via heuristics
  • Dispatch Table Extraction: Unicorn XOR key capture for encrypted tables
  • Handler Classification: 256 handler types across all versions
  • Bytecode Decoding: VM ops → x86-64 instruction reconstruction
  • Platform Support: Windows PE + Linux ELF binaries
  • Decompiler Integration: VM bytecode → pseudocode
  • Ghidra Plugin: Interactive handler analysis + annotation

Quick Start

Build

cd <repo_root>
cargo build --release

Binary: target/release/vmp_devirt

Usage

# Analyze binary
./target/release/vmp_devirt <binary_path>

# Export handlers
./target/release/vmp_devirt <binary_path> --export-handlers handlers.json

# Export bytecode
./target/release/vmp_devirt <binary_path> --export-bytecode bytecode.json

Validation Results

Summary

  • Total Samples: 22
  • Success Rate: 22/22 (100%)
  • Avg Processing Time: 229ms
  • Total Time: 5.0 seconds

By Version

Version   Samples   Success   Avg Time
VMP 1.x   4         4/4       38ms
VMP 2.x   6         6/6       734ms
VMP 3.x   12        12/12     39ms

Tested Samples:

  • VMP 1.x: HiVmp.vmp.1.1.exe, HiVmp.vmp.1.4.exe, HiVmp.vmp.1.54.exe, HiVmp.vmp.1.70.4.exe
  • VMP 2.x: Branch0.vmp.exe, HiVmp.exe, mfc_algo_demo.vmp.exe, Project1.vmp.exe, Project2.vmp.exe, Project4.vmp.exe
  • VMP 3.x: add_control_flow.vmp.exe, adder.vmp.exe, bitwise.vmp.exe, control_flow_test.vmp.exe, cpuid_test.vmp.exe, fac_fib.vmp.exe, globals.vmp.exe, hello_world.vmp.exe, multiadder.vmp.exe, nested_virt_funccall.vmp.exe, ptr_drf.vmp.exe, switch.vmp.exe

See VALIDATION_REPORT.md for detailed results.


Architecture

Input Binary
    ↓
PE/ELF Loader (src/pe_loader.rs)
    ↓
Version Detector (src/version.rs)
    ↓
Dispatch Table Extractor (src/dispatch_table.rs)
    ├─ Unicorn XOR Key Capture (src/unicorn_emulator.rs)
    └─ Pattern Matching Fallback
    ↓
Handler Classifier (src/handler_classifier.rs)
    ↓
Bytecode Decoder (src/bytecode.rs)
    ├─ Operand Decryption (src/decrypt.rs)
    └─ ALU Reconstruction (src/alu.rs)
    ↓
Output (JSON/Pseudo-asm)

Core Modules

Module                      Purpose                          Lines
src/lib.rs                  Main library interface           150
src/version.rs              VMP version detection            200
src/pe_loader.rs            PE/ELF binary loading            350
src/dispatch_table.rs       Dispatch table extraction        400
src/unicorn_emulator.rs     XOR key capture                  308
src/handler_classifier.rs   Handler type identification      280
src/bytecode.rs             Bytecode reading/decoding        320
src/decrypt.rs              ValueCryptor chains              250
src/alu.rs                  ALU operation reconstruction     200
src/opcode_table.rs         Opcode management                180
src/bin/cli.rs              CLI tool                         400

Total: ~3,000 lines of production Rust code (the per-module figures above sum to 3,038)


Implementation Details

Version Detection

Heuristics based on:

  • Handler entry patterns (POP/PUSH opcodes)
  • Dispatch mechanism (jumptable vs. encrypted chain vs. handler chain)
  • PE section layout (.vmp0, .vmp1, .text)
  • Entry stub pattern (PUSH encrypted + CALL/JMP)

Dispatch Table Extraction

VMP 1.x/2.x: encrypted dispatch table. The XOR key is captured by emulating the dispatcher under Unicorn (src/unicorn_emulator.rs); pattern matching over the .text section is the fallback:

  • Scans for XOR instruction patterns
  • Derives candidate keys from the surrounding opcode sequences
  • Validates each candidate against the image base range (decrypted entries must point inside the image)

VMP 3.x: Handler chain dispatch

  • Locates dispatch points (DP0-DP5)
  • Traces handler chains
  • Extracts 256 dispatch entries

Handler Classification

Pattern matching on:

  • Entry pattern (bytes 49 8b 2a, which decode to mov rbp, [r10]; the classifier treats this load as the POP entry for VMP 3.x)
  • Core operation (SUB, ADD, XOR, etc.)
  • Operand types (slot, offset, immediate)
  • Dispatch mechanism (push/ret, direct jmp)
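The entry-stub heuristic under Version Detection, the image-range validation under Dispatch Table Extraction and the handler classification above all reduce to matching byte patterns against a loaded section. The following is an added example, not code from this repository: a small wildcard pattern matcher in Rust (standard library only) used first to locate `push imm32; call/jmp rel32` entry stubs and discard those whose target falls outside the image, then to classify a handler body by its `49 8b 2a` entry bytes, its first 64-bit ALU opcode and its dispatch tail. The sample bytes, the image layout (`text_rva`, `image_size`) and the classifier's opcode rules are constructed or assumed for the example and are not the project's real tables.

```rust
// Added example, not project code. Wildcard byte-pattern matching used two ways:
// (1) find entry stubs `68 imm32` + `E8/E9 rel32` and keep only those whose
//     branch target lies inside [0, image_size),
// (2) classify a handler body from entry bytes, first ALU opcode and dispatch tail.
// All byte strings below are constructed for the example.

/// `Some(b)` must match exactly, `None` is a `??` wildcard.
fn parse_pattern(s: &str) -> Vec<Option<u8>> {
    s.split_whitespace()
        .map(|tok| if tok == "??" { None } else { Some(u8::from_str_radix(tok, 16).expect("hex byte")) })
        .collect()
}

/// Every offset in `hay` at which `pat` matches.
fn find_all(hay: &[u8], pat: &[Option<u8>]) -> Vec<usize> {
    if pat.is_empty() || hay.len() < pat.len() {
        return Vec::new();
    }
    (0..=hay.len() - pat.len())
        .filter(|&i| pat.iter().enumerate().all(|(j, p)| p.map_or(true, |b| hay[i + j] == b)))
        .collect()
}

#[derive(Debug, PartialEq)]
struct EntryStub { rva: u32, pushed: u32, target: u32, is_call: bool }

/// Scan a copy of `.text` loaded at `text_rva`. rel32 is relative to the end of
/// the 10-byte stub; a target outside the image is treated as a false positive
/// (the same image-range sanity check the README applies to XOR-key candidates).
fn find_entry_stubs(text: &[u8], text_rva: u32, image_size: u32) -> Vec<EntryStub> {
    let mut out = Vec::new();
    let patterns = [("68 ?? ?? ?? ?? E8 ?? ?? ?? ??", true), ("68 ?? ?? ?? ?? E9 ?? ?? ?? ??", false)];
    for &(pat, is_call) in patterns.iter() {
        for off in find_all(text, &parse_pattern(pat)) {
            let b = &text[off..off + 10];
            let pushed = u32::from_le_bytes([b[1], b[2], b[3], b[4]]);
            let rel = i32::from_le_bytes([b[6], b[7], b[8], b[9]]);
            let rva = text_rva + off as u32;
            let target = rva as i64 + 10 + rel as i64;
            if target < 0 || target >= image_size as i64 {
                continue; // lands outside the image: not a real VM entry
            }
            out.push(EntryStub { rva, pushed, target: target as u32, is_call });
        }
    }
    out.sort_by_key(|s| s.rva);
    out
}

#[derive(Debug, PartialEq)]
enum Dispatch { PushRet, JmpReg, Unknown }

#[derive(Debug, PartialEq)]
struct HandlerClass { core: &'static str, dispatch: Dispatch }

/// Classify a VMP 3.x-style handler: entry must be `49 8b 2a` (mov rbp,[r10]);
/// the core op is the earliest `48 xx /r` 64-bit ALU opcode after the entry;
/// the tail distinguishes push/ret dispatch from a direct register jmp.
fn classify_handler(body: &[u8]) -> Option<HandlerClass> {
    if !body.starts_with(&[0x49, 0x8B, 0x2A]) {
        return None;
    }
    // Assumed rule set: add/sub/xor/and/or r/m64, r64 (REX.W + 01/29/31/21/09 /r).
    let ops: [(&'static str, &'static str); 5] =
        [("ADD", "48 01 ??"), ("SUB", "48 29 ??"), ("XOR", "48 31 ??"), ("AND", "48 21 ??"), ("OR", "48 09 ??")];
    let (mut core, mut best) = ("NONE", usize::MAX);
    for &(name, pat) in ops.iter() {
        if let Some(&off) = find_all(&body[3..], &parse_pattern(pat)).first() {
            if off < best { best = off; core = name; }
        }
    }
    let dispatch = if body.ends_with(&[0x50, 0xC3]) { Dispatch::PushRet }   // push rax; ret
        else if body.ends_with(&[0xFF, 0xE0]) { Dispatch::JmpReg }          // jmp rax
        else { Dispatch::Unknown };
    Some(HandlerClass { core, dispatch })
}

/// Constructed sample `.text` (not from any real binary): a valid call stub,
/// a jmp stub whose target lies outside the image, and a valid jmp stub.
fn sample_text() -> Vec<u8> {
    let mut t = vec![0x90u8; 0x10];
    t.extend_from_slice(&[0x68, 0x78, 0x56, 0x34, 0x12, 0xE8, 0xE6, 0x1F, 0x00, 0x00]); // push 0x12345678; call +0x1fe6
    t.extend_from_slice(&[0xCC; 6]);
    t.extend_from_slice(&[0x68, 0xEF, 0xBE, 0xAD, 0xDE, 0xE9, 0x00, 0x00, 0x00, 0x7F]); // push 0xdeadbeef; jmp +0x7f000000
    t.extend_from_slice(&[0x68, 0x01, 0x00, 0x00, 0x00, 0xE9, 0xCC, 0x0F, 0x00, 0x00]); // push 1; jmp +0xfcc
    t
}

fn main() {
    for s in find_entry_stubs(&sample_text(), 0x1000, 0x10000) {
        println!("stub @ {:#x}: push {:#x}; {} -> {:#x}", s.rva, s.pushed, if s.is_call { "call" } else { "jmp" }, s.target);
    }
    println!("{:?}", classify_handler(&[0x49, 0x8B, 0x2A, 0x48, 0x29, 0xC8, 0x50, 0xC3]));
}
```

With the constructed section loaded at RVA 0x1000 in a 0x10000-byte image, the scanner reports the call stub at 0x1010 (target 0x3000) and the jmp stub at 0x102a (target 0x2000) and drops the middle one, whose rel32 points far past the image; the sample handler classifies as SUB with push/ret dispatch. Real handlers carry junk and relocated register allocations between the entry load and the ALU op, which is why the classifier takes the earliest ALU opcode rather than a fixed offset.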

Bytecode Decoding

  1. Read opcode from bytecode section
  2. Lookup handler semantics
  3. Extract operands (slot, offset)
  4. Decrypt operands via ValueCryptor chains
  5. Reconstruct x86-64 instruction
  6. Handle VM context (register file, flags, stack)
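The six steps as one runnable loop, added here as an example rather than taken from the project. The bytecode format (a plaintext 1-byte opcode followed by an optional 8-byte little-endian operand encrypted under a rolling key through a chain of invertible transforms), the transform chain, the six-entry handler table and the `vregN` slot naming are assumptions made for this example; the ValueCryptor chains in src/decrypt.rs and the project's 256-handler table are not reproduced, and flags are not modelled.

```rust
// Added example, not project code: a toy decoder that walks steps 1-6 above.
// Format, transform chain and handler table are assumptions for the example,
// not VMProtect's real format or the project's tables. Standard library only.

#[derive(Clone, Copy, Debug)]
enum Transform { Xor(u64), Add(u64), Ror(u32), Not, Bswap }

impl Transform {
    fn apply(self, v: u64) -> u64 {
        match self {
            Transform::Xor(c) => v ^ c,
            Transform::Add(c) => v.wrapping_add(c),
            Transform::Ror(n) => v.rotate_right(n),
            Transform::Not => !v,
            Transform::Bswap => v.swap_bytes(),
        }
    }
    fn invert(self, v: u64) -> u64 {
        match self {
            Transform::Add(c) => v.wrapping_sub(c),
            Transform::Ror(n) => v.rotate_left(n),
            other => other.apply(v), // xor, not and bswap are their own inverse
        }
    }
}

#[derive(Clone, Copy, Debug)]
enum Operand { None, Slot, Imm }

struct HandlerSem { name: &'static str, operand: Operand }

/// Step 2: handler semantics by opcode (assumed toy table).
fn semantics(opcode: u8) -> Option<HandlerSem> {
    let (name, operand) = match opcode {
        0x10 => ("PUSH_IMM", Operand::Imm),
        0x11 => ("PUSH_SLOT", Operand::Slot),
        0x12 => ("POP_SLOT", Operand::Slot),
        0x20 => ("ADD", Operand::None),
        0x21 => ("XOR", Operand::None),
        0xFF => ("VM_EXIT", Operand::None),
        _ => return None,
    };
    Some(HandlerSem { name, operand })
}

/// Assumed ValueCryptor-style chain and initial rolling key.
const CHAIN: [Transform; 5] =
    [Transform::Xor(0x5A5A_5A5A_5A5A_5A5A), Transform::Ror(13), Transform::Add(0x1234), Transform::Not, Transform::Bswap];
const KEY0: u64 = 0x00C0_FFEE;

/// Step 4: decrypt one operand. The key is folded with the plaintext afterwards,
/// so one mis-sized handler desynchronises every later operand.
fn decrypt(key: &mut u64, chain: &[Transform], enc: u64) -> u64 {
    let mut v = enc ^ *key;
    for t in chain { v = t.apply(v); }
    *key ^= v;
    v
}

/// Exact inverse of `decrypt`; used only to build the constructed sample.
fn encrypt(key: &mut u64, chain: &[Transform], plain: u64) -> u64 {
    let mut v = plain;
    for t in chain.iter().rev() { v = t.invert(v); }
    let enc = v ^ *key;
    *key ^= plain;
    enc
}

/// Steps 1-6: decode until VM_EXIT. The VM stack is kept symbolically so an
/// ALU handler folds into one pseudo-asm line at the next POP_SLOT.
fn decode(bytecode: &[u8], key0: u64) -> Result<Vec<String>, String> {
    let (mut key, mut vip, mut stack, mut out) = (key0, 0usize, Vec::<String>::new(), Vec::new());
    loop {
        let op = *bytecode.get(vip).ok_or("ran off the end of the bytecode")?;             // step 1
        let sem = semantics(op).ok_or(format!("unknown opcode {:#04x} at vip {}", op, vip))?; // step 2
        vip += 1;
        let operand = match sem.operand {                                                    // steps 3-4
            Operand::None => None,
            Operand::Slot | Operand::Imm => {
                let raw = bytecode.get(vip..vip + 8).ok_or("truncated operand")?;
                let mut b = [0u8; 8];
                b.copy_from_slice(raw);
                vip += 8;
                Some(decrypt(&mut key, &CHAIN, u64::from_le_bytes(b)))
            }
        };
        match (sem.name, operand) {                                                          // steps 5-6
            ("PUSH_IMM", Some(v)) => stack.push(format!("{:#x}", v)),
            ("PUSH_SLOT", Some(v)) => stack.push(format!("vreg{}", v & 0xF)),
            ("POP_SLOT", Some(v)) => {
                let val = stack.pop().ok_or("VM stack underflow")?;
                out.push(format!("mov vreg{}, {}", v & 0xF, val));
            }
            ("ADD", None) | ("XOR", None) => {
                let b = stack.pop().ok_or("VM stack underflow")?;
                let a = stack.pop().ok_or("VM stack underflow")?;
                stack.push(format!("({} {} {})", a, if sem.name == "ADD" { "+" } else { "^" }, b));
            }
            ("VM_EXIT", None) => return Ok(out),
            _ => return Err(format!("handler {} has an unexpected operand shape", sem.name)),
        }
    }
}

fn emit(bc: &mut Vec<u8>, key: &mut u64, op: u8, operand: Option<u64>) {
    bc.push(op);
    if let Some(p) = operand { bc.extend_from_slice(&encrypt(key, &CHAIN, p).to_le_bytes()); }
}

/// Constructed sample: vreg2 = vreg1 + 0x10; vreg3 = vreg2 ^ 0xff; exit.
fn sample_bytecode() -> Vec<u8> {
    let (mut bc, mut key) = (Vec::new(), KEY0);
    let program = [(0x11, Some(1)), (0x10, Some(0x10)), (0x20, None), (0x12, Some(2)),
                   (0x11, Some(2)), (0x10, Some(0xFF)), (0x21, None), (0x12, Some(3)), (0xFF, None)];
    for &(op, operand) in program.iter() { emit(&mut bc, &mut key, op, operand); }
    bc
}

fn main() { println!("{:?}", decode(&sample_bytecode(), KEY0)); }
```

Decoding the constructed sample with the right initial key yields `mov vreg2, (vreg1 + 0x10)` and `mov vreg3, (vreg2 ^ 0xff)`. Because the key is folded with every decrypted operand, starting from a wrong key, or misjudging one handler's operand width, corrupts every later operand rather than just one; that is why handler classification has to be correct before decoding starts, and why a decoder should fail loudly on an unknown opcode instead of skipping it.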

Known Limitations

  1. VMP 3.7+ (Merged Handlers) - Not supported. VMP 3.7+ merges several VM operations into one handler entry, which the current one-operation-per-handler classifier cannot split. Supporting it requires reverse engineering against an actual 3.7+ sample. See FUTURE_WORK.md for details.
  2. XOR Key Validation Warnings - Expected for VMP 1.x/2.x (non-critical)
  3. VMP 3.x Dispatch Detection - Uses fallback strategy for newer obfuscation
  4. Linux Samples - Not included in current test set (ELF support implemented)

Performance

  • Throughput: ~4.4 samples/second
  • Memory: <50MB per sample
  • Latency: 5ms-3.25s depending on binary size

Documentation

  • VALIDATION_REPORT.md - Comprehensive test results
  • IMPLEMENTATION_COMPLETE.md - Implementation status
  • UNICORN_IMPLEMENTATION_REPORT.md - XOR key capture details

Source References

Architecture based on VMP 3.5.1 source leak analysis:

  • Handler structure and dispatch mechanism
  • ValueCryptor chain implementation
  • ALU operation patterns
  • VM context management

License

Research/Educational Use


Contact

For issues or questions, refer to validation reports or implementation documentation.

Last Updated: 2026-06-01 Status: Production Ready
