VMP Unpacking
Methodology used to achieve the File posted Here.
1. I have chosen the Target which comes with Anti-Debug Check. So Activating Anti-Debug or Virtualization while Protecting the Assembly generates its signature. They trigger the WinAPi function which can be seen easily like
[DllImport("kernel32", EntryPoint = "FlushViewOfFile", SetLastError = true)]
2. Anti-Tamper is not present in our Target.
3. Find .Invoke Method with (method, parameters). This can be found in Module.cctor. You need to go to IL and put breakpoint on first num or Invoke itself to clean the Mutations. (If You execute after this, You will see arguments or methods in local variable) only numbers which need to be cleaned.
4. Go to dnSpy Debugger Settings and Enable these (IsAttached, IsLogging, IsDebuggerPresent, CheckRemoteDebuggerPresent) So the Target can not detect Debugger. The Only NtQueryInformationProcess can not be bypassed by dnSpy.
5. CRC Checking of VMPotect (.NET) upto 3.5 as well is easy and not so hard. It use WinApi to CreateFile and map it So You can change the First Argument to our Hollow File named as same to target to bypass it.
* If our Target is packed, then nothing of this will work. So make Sure our Target is not Packed and by using all these, We can not actually de-virtualize VM of VMProtect. We can do rest of the stuff but VM will be still there. You can edit file in decompiler and patch or crack it.
Cleaning Mutations of VMProtect -->
- When You Open Target with dnSpy, You can find that there are many loops, these loops are generated by the VMProtect.
- We can see that the confusion is relatively single, the variable num can be called Context (Context), execute an instruction, the context will update itself once. The target chosen is with a switch statement to pack, because we need to know whether the context is the same when entering a different basic block and then moving to the same basic block. You can debug it directly to understand it better. Each case block in the sample corresponds to the different basic block just mentioned, and will eventually be transferred to the same basic block, which is the basic block starting with "Console.WriteLine("input completed")". So we breakpoint on this basic block.
- We input different numbers, let the switch statement jump to different case blocks, and see if the final execution reaches "Console.WriteLine("input completed")", the value of num is the same.
- Now We understand the macro structure of Mutation and we can proceed to the next analysis. We need to formulate the solution to clean up Mutation, so switch dnSpy decompilation mode back to IL and observe what the num update statement looks like. The entry point of this method is a br jump, so look directly at the basic block to which br jumps.
- Since this basic block is the entry point of the entire method, this basic block must also be the place where Mutation is initialized, and it will also be the entry point for our simulation using the simulator.
The first arrow points
ldc.i4 1149763845 stloc.0
It is the initialization of the context num, and the following code will be used to update num later
ldc.i4 1099382934 ldloc.0 sub stloc.0
If there are constants in the code, the decryption of the constants is similar to this.
ldloc
Such code is directly replaced with
ldc.i4
This can be applied to all situations.
VMP.NET's mutation will encrypt constants and add obfuscated branch code, so we have to restore them all after the simulation ends.
- So Now We have cleaned Mutations & Now need to Fix CRC.
- Open File in CFF Explorer and untick IL only in .NET Directory and use de4dot Original to clean the File.
- Fix any Broken method which do not actually use Mutations but you may have cleaned thinking of Mutations. Once It all Done,
- Now fix Invoke and make sure to have original VMP protected file in the same folder.
- After this Crack or Patch the File and Save it. It will run.
* Keep in mind We haven't touched the VM of VMProtect. We just cleared rest of the stuff.
Special Thanks to - https://forum.tuts4you.com/profile/97708-wwh1004/ for explaining in-depth details of VMP Mutations, Russian & Chinese Forums, Dark Bull & Other
This whole process explained above is not my work originally. It is based on the work of other Users who shared their info in RCE community and made this possible.
I hope soon there will be something out by which We can actually devirtualize the VMProtect completely.
P.S. - If I forget to someone to mention, Kindly Let Me Know, I will edit My Comment.
P.P.S. - I am not a good Explainer may be Very Bad still I try to write. Pardon me for all this.
