A general solution to simulate execution of virtualized instructions (vmprotect/themida, etc.).

Overview

vmp_runner

A general solution to simulate execution of virtualized instructions (vmprotect/themida, etc.) based on Unicorn.

一个基于Unicorn模拟执行虚拟化指令(vmprotect/themida 等)的通用解决方案。

Information

有些时候,我们拿到一个二进制文件,需要其中的某个算法,我们不关心算法实现,只关心输入和输出,但是二进制文件被加了某些强壳(vmp/tmd etc.)。

众所周知,vm代码还原是一个艰巨的工程,需要大量的时间和精力,由于我们只关心得到算法结果,所以如果有某种方式能跳过算法还原过程而直接模拟执行整个的虚拟代码将是一个很好的解决方案,QEMU 与基于其上的Unicorn使这个想法变的可行。

这里提供一个上面想法的成功演示:

“mfc_algo_demo” 是用于测试vmp_runner的工程,其内部包含一个算法(接收一个输入字符串,产生一个输出字符串)。

“mfc_algo_demo\bin “内有编译好的文件,包括vmp配置文件以及被加壳后的文件。

在过去的2年中,我成功使用vmp_runner搞定过几个商业算法,为了让人知道我做了什么所以开了这个repo,所以如果你有这方面的需求或者对vmp_runner感兴趣且愿意付费,可以联系我。

最后附上针对mfc_algo_demo工程的vmp_runner效果图:

result_1

result_2

Issues
  • I can help you

    I can help you

    Hello, I can offer some advice or help for this project because last month, I developed a base for emulating windows PE files through unicorn. I can give you my discord tag if you use discord.

    I want to let you know that unicorn emulation is extremely slow, it could take up to 5 minutes just to finish emulating the VMP'ed entry point. There some other methods of creating a sandbox type environment that I'd like to share with you, such as using HyperV's API to isolate an exe in a guest address space.

    opened by MellowNight 2
Owner
kakasasa
Like C++/Asm/Java/E/Python...Reverse Engineering.
kakasasa
Is this hardware solution the ultimate in switch bounce elimination? Simple PCB, cheap components = final solution!

#230 Ultimate Switch Bounce Eliminator Direct link to video: https://youtu.be/b2uUYiGrS5Y It's time to try a final, alternative approach to the ubiqui

Ralph Bacon 5 Mar 25, 2022
Sharpmake is an open-source C#-based solution for generating project definition files, such as Visual Studio projects and solutions, GNU makefiles, Xcode projects, etc.

Sharpmake Introduction Sharpmake is a generator for Visual Studio projects and solutions. It is similar to CMake and Premake, but it is designed for s

Ubisoft 745 Jun 27, 2022
General repository for all code (games, BIOS, etc) that runs within the Vircon32 console itself

Vircon32: Console software This is a general repository containing all Vircon32 sources for any software running on the console itself. This includes:

Vircon32 12 Jun 14, 2022
General repository for all software (emulators, dev tools, etc) related to Vircon32 but not running on console itself

Vircon32: Computer software This is a general repository containing source code related to Vircon32 implementation, this is, software that does NOT ru

Vircon32 5 Jun 14, 2022
multi-sdr-gps-sim generates a IQ data stream on-the-fly to simulate a GPS L1 baseband signal using a SDR platform like HackRF or ADLAM-Pluto.

multi-sdr-gps-sim generates a GPS L1 baseband signal IQ data stream, which is then transmitted by a software-defined radio (SDR) platform. Supported at the moment are HackRF, ADLAM-Pluto and binary IQ file output. The software interacts with the user through a curses based text user interface (TUI) in terminal.

null 57 Jun 20, 2022
Simulate Linux Completely Fair Scheduler (CFS) using POSIX Threads

Linux CFS Simulator Simulate Linux Completely Fair Scheduler (CFS) using POSIX Threads. Build and Run $ make $ ./cfs-sim Note: The process status tabl

null 19 May 4, 2022
Harsh Badwaik 1 Dec 19, 2021
Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.

SysmonSimulator SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the att

Scarred Monk 599 Jun 26, 2022
Learn how to connect your Flexispot (LoctekMotion) desk to the internet. This repository contains a collection of scripts to get your started, combined with research and instructions.

(image source: Windows Central) Turn your LoctekMotion/FlexiSpot desk into a smart desk Recently I acquired a new standing desk from FlexiSpot. During

Mick Vleeshouwer 151 Jun 30, 2022
Automatic adds AFIX instructions for hydrogen atoms to SHELX input file based on geometry and residual desity

autoHFIX Adds AFIX instructions for hydrogen atoms to SHELX input files based on geometry and residual desity automatically Usage: autoHFIX.exe [-opti

Christian Hübschle 2 Oct 7, 2021
A program for converting instructions from Ben Eater's 8 Bit computer design to binary.

8Bit-Assembler A program for converting instructions from Ben Eater's 8 Bit computer design to binary. We used C because is used for it's mid-level-ne

Marek Borik 2 Nov 21, 2021
Mystikos is a set of tools for running applications in a hardware trusted execution environment (TEE)

Mystikos is a set of tools for running applications in a hardware trusted execution environment (TEE). The current release supports Intel ® SGX while other TEEs may be supported in future releases. Linux is also a supported target, though only suitable for testing purposes as it provides no additional protection.

null 98 Jun 27, 2022
PoC for CVE-2021-28476 a guest-to-host "Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.

CVE-2021-28476: a guest-to-host "Microsoft Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys. This is a proof of concept for CVE-2021-28476

Axel Souchet 204 Jun 15, 2022
A refactored Proof-of-concept originally developed in 2017 to print all function calls with their arguments data types and values using Ptrace during program execution.

print-function-args-debugger A refactored Proof-of-concept originally developed in 2017 to print all function calls with their arguments data types an

*finixbit 15 Jun 17, 2022
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 134 Jun 17, 2022
anthemtotheego 330 Jul 1, 2022
New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.

BOF - Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking ServiceMove is a POC code for an interestin

Chris Au 170 Jun 20, 2022
Elven relativism -- relocation and execution of aarch64 ELF relocatable objects (REL)

elvenrel Elven Relativism -- relocation and execution of aarch64 ELF relocatable objects (REL) on Linux and macOS. Program loads a multitude of ELF RE

Martin Krastev 13 Nov 28, 2021
🎻 Automatic Exploit Generation using symbolic execution

S2E Library This repository contains all the necessary components to build libs2e.so. This shared library is preloaded in QEMU to enable symbolic exec

ᴀᴇꜱᴏᴘʜᴏʀ 29 Jan 10, 2022