VMPDump – A Dynamic VMP Dumper And Import Fixer

A dynamic VMP dumper and import fixer, powered by VTIL. Works for VMProtect 3.X x64.


Before vs After


Usage

VMPDump.exe "" [-ep=<Entry Point RVA>] [-disable-reloc]

Arguments:

  • : The ID of the target process, in decimal or hex form.
  • : The name of the module to be dumped and fixed. This can be an empty string ("") if the process image module itself is desired.
  • [-ep=<Entry Point RVA>]: An optionally provided entry-point RVA, in hex form. VMPDump simply overwrites the Entry Point in the optional header with this value.
  • [-disable-reloc]: An optional switch instructing VMPDump to mark relocations as stripped in the output image, forcing the image to load at the dumped ImageBase. This is useful if runnable dumps are desired.

VMProtect initialization and unpacking must be complete in the target process before running VMPDump. This means the process must be at or past the OEP (Original Entry Point). The dumped and fixed image will appear in the module directory, under the name .VMPDump..

How It Works

VMProtect injects a stub for each import call or jmp. These stubs resolve the 'obfuscated' thunk in the .vmpX section and add a fixed constant to 'deobfuscate' it. The calls or jumps themselves are then dispatched with a ret instruction.

VMPDump scans all executable sections for these stubs and lifts them to VTIL using the VTIL x64 lifter. Analysis is then performed on the lifted stubs to determine what kind of call must be replaced and which bytes must be overwritten.

Once all calls have been retrieved, VMPDump creates a new import table and appends thunks to the existing IAT. The calls to the VMP import stubs are replaced with direct calls to these thunks.

Note that in mutated routines there are cases where there are not enough bytes to replace the VMP import stub call with a direct thunk call, as the latter is 1 byte larger. In these cases the section is extended and a stub that jumps to the import thunk is injected. The VMP import stub call is then replaced with a 5-byte relative call or jmp to that injected stub.
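As an added example (not VMPDump's own code, and not part of the original page), the Python model below reproduces the size arithmetic from the last two paragraphs: a direct thunk reference is the 6-byte `call/jmp qword ptr [rip+disp32]`, the VMP stub call it replaces is the 5-byte `call/jmp rel32`, and when only 5 bytes are available a `jmp [thunk]` trampoline is appended at the end of the section and the site is pointed at it with a 5-byte relative call or jmp. All RVAs, thunk slots and byte counts are constructed sample values, and the function names are the example's own.

```python
# Added example (not VMPDump's own code): a model of the import-call rewriting
# step for x64 PE images. rel32/disp32 operands are relative to the end of the
# instruction, which is why instruction length feeds into every encoding.
import struct

# x64 opcodes. rel32 forms are 5 bytes; [rip+disp32] forms are 6 bytes.
CALL_REL32 = b"\xE8"
JMP_REL32 = b"\xE9"
CALL_RIP_MEM = b"\xFF\x15"
JMP_RIP_MEM = b"\xFF\x25"
NOP = b"\x90"


def rel32(site_rva: int, insn_len: int, target_rva: int) -> bytes:
    """Signed 32-bit displacement from the end of the instruction at site_rva."""
    delta = target_rva - (site_rva + insn_len)
    if not -0x8000_0000 <= delta <= 0x7FFF_FFFF:
        raise ValueError(f"target {target_rva:#x} not reachable from {site_rva:#x}")
    return struct.pack("<i", delta)


def encode_thunk_ref(site_rva: int, thunk_rva: int, is_jmp: bool) -> bytes:
    """call/jmp qword ptr [rip+disp32] through an IAT thunk slot (6 bytes)."""
    opcode = JMP_RIP_MEM if is_jmp else CALL_RIP_MEM
    return opcode + rel32(site_rva, 6, thunk_rva)


def encode_rel(site_rva: int, target_rva: int, is_jmp: bool) -> bytes:
    """call/jmp rel32 to a code address (5 bytes)."""
    opcode = JMP_REL32 if is_jmp else CALL_REL32
    return opcode + rel32(site_rva, 5, target_rva)


def plan_patch(site_rva: int, avail: int, thunk_rva: int, is_jmp: bool,
               next_free_rva: int):
    """
    Decide how to rewrite one VMP import-stub call/jmp.

    avail is the number of bytes the original site occupies: 5 for the stub
    call itself plus any padding byte the stub's ret adjustment skips over.
    Returns (patch_bytes, injected_stub, new_next_free_rva), where
    injected_stub is None or (stub_rva, stub_bytes).
    """
    if avail >= 6:
        # Enough room: reference the IAT thunk directly, NOP any remainder.
        patch = encode_thunk_ref(site_rva, thunk_rva, is_jmp)
        return patch + NOP * (avail - 6), None, next_free_rva
    if avail < 5:
        raise ValueError(f"site {site_rva:#x} smaller than a 5-byte relative call")
    # Only 5 bytes (mutated code, padding stripped): append a `jmp [thunk]`
    # trampoline in the extended section and point a 5-byte rel32 at it.
    # A call site still pushes its return address before the trampoline
    # jumps on, so the import returns to the original caller.
    stub = encode_thunk_ref(next_free_rva, thunk_rva, is_jmp=True)
    patch = encode_rel(site_rva, next_free_rva, is_jmp)
    return patch, (next_free_rva, stub), next_free_rva + len(stub)


def rewrite_sites(sites, section_end_rva: int):
    """
    Plan patches for a list of (site_rva, avail, thunk_rva, is_jmp) tuples.
    Returns (patches, stubs): dicts of bytes keyed by the RVA they go to.
    """
    patches, stubs = {}, {}
    next_free = section_end_rva
    for site_rva, avail, thunk_rva, is_jmp in sites:
        patch, stub, next_free = plan_patch(site_rva, avail, thunk_rva,
                                            is_jmp, next_free)
        patches[site_rva] = patch
        if stub is not None:
            stubs[stub[0]] = stub[1]
    return patches, stubs


# Constructed sample (not from a real binary): appended IAT thunks at 0x3000,
# free space for injected stubs starting at the section end, 0x5000.
SAMPLE_SITES = [
    (0x1000, 6, 0x3000, False),  # call with padding byte: direct form fits
    (0x2000, 5, 0x3008, False),  # mutated call, no padding: needs trampoline
    (0x2100, 5, 0x3010, True),   # tail jmp to an import, no padding
]

if __name__ == "__main__":
    patches, stubs = rewrite_sites(SAMPLE_SITES, 0x5000)
    for rva, b in patches.items():
        print(f"site {rva:#06x}: {b.hex(' ')}")
    for rva, b in stubs.items():
        print(f"stub {rva:#06x}: {b.hex(' ')}")
```

The first site keeps its padding byte, so the 6-byte `ff 15 disp32` lands in place; the other two sites only have 5 bytes, so each gets a 6-byte `ff 25` trampoline appended after 0x5000 and a 5-byte `e8`/`e9` pointing at it, which is exactly the section-extension case the text describes.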

Building

Building in VS is as simple as changing the include/library directories to VTIL-NativeLifers/VTIL-Main/Keystone/Capstone in the vcxproj.

The project requires C++20.

Issues and Limitations

Because code sections are scanned linearly, some import stub calls can be skipped and therefore not resolved, particularly in heavily mutated and obfuscated code. However, VMPDump includes workarounds for most VMProtect mutation inconsistencies, so it should produce decent results even in heavily mutated code.

If you encounter this, please create an issue with the relevant details and I'll take a look at it.
