Vmpfix - Universal x86/x64 VMProtect 2.0-3.X Import fixer

Overview


VMPfix is a dynamic x86/x64 VMProtect 2.0-3.x import fixer. The main goal of this project was to build a correct and reliable tool for fixing imports in x86/x64 applications.

Note: this tool does not dump the process or rebuild the import directory. You can do both from your favorite debugger.

Before and after screenshots (not reproduced here)

Usage

vmpfix.exe
-p: required.
Usage: Universal VMProtect Import fixer [options]

Optional arguments:
-h --help       shows help message and exits [default: false]
-v --version    prints version information and exits [default: false]
-p --pid        Target process id [required]
-s --sections   VMProtect sections in target module [default: {".vmp0" ".vmp1" ".be1" ".be0"}]
-i --iat        New IAT section name [default: ".vmp0"]
-m --module     VMProtected module name (default: main executable) [default: ""]

Example commands:

vmpfix.exe -p 3336 -m beservice_x64.exe -s .be0 -s .be1 -i .be0
vmpfix.exe -p 11250

VMProtect unpacking must be complete before running VMPfix.

Details

There are 3 types of IAT accesses that VMProtect patches: call, jmp and mov. Every stub resolves the protected import with only 3 instructions:

lea reg, [imm]
mov reg, [reg + imm]
lea reg, [reg + imm]

Although the stubs are obfuscated, only a handful of instructions matter:

push
pop
lea
mov
xchg
ret

Call stubs

Every call stub ends with an xchg instruction (followed by the ret):

call [IAT] -> call .vmp1; int3:

[!] push        rax
[!] mov         rax,qword ptr [rsp+8]
[!] lea         rax,[rax+1]
[!] mov         qword ptr [rsp+8],rax
[!] lea         rax,[1401269B2h]
[!] mov         rax,qword ptr [rax+0FE1D0h]
[!] lea         rax,[rax+445A4C4Eh]
[!] xchg        rax,qword ptr [rsp]
[!] ret

call [IAT] -> push rcx; call .vmp1:

[!] pop         rsi
[!] xchg        rsi,qword ptr [rsp]
[!] push        rsi
[!] lea         rsi,[1401832EDh]
[!] mov         rsi,qword ptr [rsi+0A7558h]
[!] lea         rsi,[rsi+49C80AACh]
[!] xchg        rsi,qword ptr [rsp]
[!] ret

Jmp stubs

Every jmp stub ends with a ret 4/8 instruction:

jmp [IAT] -> push rcx; call .vmp1:

[!] pop         rcx
[!] xchg        rcx,qword ptr [rsp]
[!] push        rcx
[!] lea         rcx,[1400EE9C4h]
[!] mov         rcx,qword ptr [rcx+14F6B2h]
[!] lea         rcx,[rcx+36F801BAh]
[!] xchg        rcx,qword ptr [rsp]
[!] ret         8

Mov stubs

Every other stub can be considered a mov stub. There are recognisable patterns here as well, e.g. there is no ret 8 or xchg at the end.

mov rsi, [IAT] -> push rsi; call .vmp1:

[!] pop         rsi
[!] xchg        rsi,qword ptr [rsp]
[!] pop         rsi
[!] lea         rsi,[rsi+1]
[!] push        rsi
[!] lea         rsi,[14015634Fh]
[!] mov         rsi,qword ptr [rsi+0EF63Ch]
[!] lea         rsi,[rsi+0C2B009Ah]
[!] ret
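The following script is an added example for this README (it is not part of vmpfix): it parses the stub listings shown above, classifies each stub by its tail instructions as the Details section describes (xchg then ret is a call stub, ret 4/8 is a jmp stub, anything else a mov stub), and recovers the IAT slot address and the fix-up constant from the lea/mov/lea chain. It also accepts the x86 "mov reg, imm32" form and the "[*] address mnemonic" line format that appear in the issue report later on this page; treating that mov as equivalent to "lea reg,[imm]" is an assumption. The slot contents used by resolve() are constructed, so the resolved address is illustrative only.

```python
"""Recover the IAT slot read by a VMProtect import stub from its text disassembly.
Added example, not vmpfix code: listings are copied from the README, memory is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Immediates as they appear in the listings: "1401269B2h", "0FE1D0h", "0x13FD6B", "8".
HEX = r'(0[xX][0-9A-Fa-f]+|[0-9][0-9A-Fa-f]*[hH]?)'
# "[!] mnemonic operands" (README) or "[*] 0xaddr mnemonic operands" (issue log format).
LINE_RE = re.compile(r'^\s*\[[!*]\]\s*(?:0x[0-9a-fA-F]+\s+)?([a-z]+)\s*(.*?)\s*$')
ABS_RE = re.compile(r'^(\w+),\s*\[\s*' + HEX + r'\s*\]$')       # lea reg,[imm]
IMM_RE = re.compile(r'^(\w+),\s*' + HEX + r'$')                 # mov reg, imm (x86 form; assumption)
MEM_RE = re.compile(r'^(\w+),\s*(?:[qd]word ptr\s*)?\[\s*(\w+)\s*([+-])\s*' + HEX + r'\s*\]$')


def parse_hex(tok: str) -> int:
    tok = tok.lower()
    return int(tok, 16) if tok.startswith('0x') else int(tok.rstrip('h'), 16)


@dataclass
class Stub:
    kind: str             # 'call', 'jmp', 'mov' or 'unresolved'
    reg: str              # register that carries the pointer through the chain
    bits: int             # 32 or 64, derived from the register name
    slot: int             # address of the IAT slot the stub reads
    fixup: Optional[int]  # constant the final lea adds to the slot contents


def parse_listing(text: str):
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable line: {line!r}')
        insns.append((m.group(1), m.group(2)))
    return insns


def classify(insns) -> str:
    """Tail-based classification exactly as the Details section describes it."""
    mn, ops = insns[-1]
    if mn == 'ret' and ops in ('4', '8'):
        return 'jmp'
    if mn == 'ret' and len(insns) > 1 and insns[-2][0] == 'xchg':
        return 'call'
    return 'mov'


def analyse(text: str) -> Stub:
    insns = parse_listing(text)
    reg = base = slot = fixup = None
    for mn, ops in insns:
        # Start of the chain: lea reg,[imm]  (or x86 mov reg, imm).
        m = ABS_RE.match(ops) if mn == 'lea' else (IMM_RE.match(ops) if mn == 'mov' else None)
        if m:
            reg, base = m.group(1), parse_hex(m.group(2))
            slot = fixup = None
            continue
        m = MEM_RE.match(ops) if mn in ('mov', 'lea') else None
        if not m or base is None or m.group(1) != reg or m.group(2) != reg:
            continue  # unrelated stack traffic such as mov rax,[rsp+8] or lea rax,[rax+1]
        disp = parse_hex(m.group(4)) * (-1 if m.group(3) == '-' else 1)
        bits = 64 if reg.startswith('r') else 32
        if mn == 'mov' and slot is None:        # mov reg,[reg+disp]: reads the IAT slot
            slot = (base + disp) & ((1 << bits) - 1)
        elif mn == 'lea' and slot is not None:  # lea reg,[reg+disp]: fixes up the value
            fixup = disp
    if slot is None:
        raise ValueError('no IAT read found in stub')
    bits = 64 if reg.startswith('r') else 32
    kind = classify(insns) if fixup is not None else 'unresolved'
    return Stub(kind, reg, bits, slot, fixup)


def resolve(stub: Stub, memory: dict) -> int:
    """Apply the final lea to what the slot holds: slot contents + fixup = real API address."""
    if stub.fixup is None:
        raise ValueError('incomplete chain, cannot resolve')
    return (memory[stub.slot] + stub.fixup) & ((1 << stub.bits) - 1)


# Listings copied from the README (x64) and from the issue log (x86, partial chain).
CALL_STUB = """
[!] push        rax
[!] mov         rax,qword ptr [rsp+8]
[!] lea         rax,[rax+1]
[!] mov         qword ptr [rsp+8],rax
[!] lea         rax,[1401269B2h]
[!] mov         rax,qword ptr [rax+0FE1D0h]
[!] lea         rax,[rax+445A4C4Eh]
[!] xchg        rax,qword ptr [rsp]
[!] ret
"""
JMP_STUB = """
[!] pop         rcx
[!] xchg        rcx,qword ptr [rsp]
[!] push        rcx
[!] lea         rcx,[1400EE9C4h]
[!] mov         rcx,qword ptr [rcx+14F6B2h]
[!] lea         rcx,[rcx+36F801BAh]
[!] xchg        rcx,qword ptr [rsp]
[!] ret         8
"""
MOV_STUB = """
[!] pop         rsi
[!] xchg        rsi,qword ptr [rsp]
[!] pop         rsi
[!] lea         rsi,[rsi+1]
[!] push        rsi
[!] lea         rsi,[14015634Fh]
[!] mov         rsi,qword ptr [rsi+0EF63Ch]
[!] lea         rsi,[rsi+0C2B009Ah]
[!] ret
"""
PARTIAL_X86 = """
[*] 0x2a65296 mov edx, [esp+0x24]
[*] 0x2a6529a push 0x5F254182
[*] 0x2a6529f xchg [esp+0x2C], edx
[*] 0x2a72562 xchg [esp+0x28], edx
[*] 0x2a7256d mov edx, 0x28DAF27
[*] 0x2a72574 mov edx, [edx+0x13FD6B]
"""


def demo_resolve() -> int:
    """Constructed memory: the slot holds (API address - fixup), so resolve() yields the API address."""
    stub = analyse(CALL_STUB)
    constructed_api = 0x7FF812345670  # placeholder value, not a real address
    memory = {stub.slot: (constructed_api - stub.fixup) & 0xFFFFFFFFFFFFFFFF}
    return resolve(stub, memory)


if __name__ == '__main__':
    for name, text in [('call', CALL_STUB), ('jmp', JMP_STUB), ('mov', MOV_STUB), ('x86', PARTIAL_X86)]:
        print(name, analyse(text))
    print(hex(demo_resolve()))
```

The slot address is simply the lea immediate plus the mov displacement, which is why VMProtect can scatter the constants across the stub without hiding the slot from a pass that tracks one register; the partial x86 listing from the issue yields a slot but no fix-up constant, which is the situation the tool reports as "Failed to resolve api".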

Build

git clone --recurse-submodules https://github.com/archercreat/vmpfix.git
cd vmpfix
cmake -B build
cmake --build build

Tests

Successfully unpacked, dumped and ran:

steam.exe x86 752ac6ab6ec58c14bcbae0409ac732e4846a37838919806d1cf1b4cd19095f82

vncviewer.exe x64 4158a5e55cbd6a5a8f4ed38befe2a8c9fa0c7a7fbc91709a31592dda95110517

Credits

https://github.com/build-cpp/cmkr

https://github.com/can1357/linux-pe

https://github.com/DarthTon/Blackbone

TODO

  • kernel support

Comments
  • updated some minor things, good code though overall

    good clean code, some small changes I made, there are some other changes that can also be done like:

    • making a global ZydisDecoder so you only have 1, same with a ZydisFormatter
    • either use git submodules or cmkr submodules

    I also fixed a small thing in the readme where the cmkr link is broken/not complete.

    opened by invlpg 1
  • Refactor cmake.toml and include bootstrapper

    Also feel free to add the cmkr topic to your repository to be included in this list: https://github.com/topics/cmkr

    This makes it so people who want to compile your library don't need cmkr installed, see: https://github.com/build-cpp/cmkr#getting-started for more information.

    opened by mrexodia 1
  • Some difficulty with a protected 32-bit DLL

    Can you help me understand how to use the vmpfix application with a protected 32-bit DLL?

    Here is the link to download it. 32-bit protected DLL, written in Delphi. The section names are standard.

    Found OEP: 001413FC

    Used x32dbg to load the target. HW break at OEP, then tried to use vmpfix with the following parameters:

    vmpfix.exe -p 14964 (PID of DLLLoader32 process) -m interweb.dll

    Then I got the following result:

    Collecting stubs on interweb.dll
    Failed to resolve api at 0x28a2425
    [*] 0x2a65296 mov edx, [esp+0x24]
    [*] 0x2a6529a push 0x5F254182
    [*] 0x2a6529f xchg [esp+0x2C], edx
    [*] 0x2a72562 xchg [esp+0x28], edx
    [*] 0x2a7256d mov edx, 0x28DAF27
    [*] 0x2a72574 mov edx, [edx+0x13FD6B]

    Is this an unsupported VM version, or am I doing something wrong? I read the following remark:

    VMProtect unpacking must be complete before running VMPfix.

    Am I right that it's enough to break at the correct OEP and then use vmpfix, or am I wrong?

    Thanks in advance.

    labels: bug, enhancement
    opened by MrPavlik 5
Releases: v1.0
Owner: Pavel