Showing posts from August, 2018

Playing with VMProtect - Sample devirtualizeme32_vmp_3.0.9_v2

Update: this blog post has an error, I have mistakenly labeled NOR instruction as NAND, fornication with broken condom ...

Proof courtesy of wolframalpha:
They are the representing the same thing, stay tuned for an update.

In this blog post, I'm going to show you the manual approach I used to generate a text based representation of the executed instructions of VMProtect (I've only studied devirtualizeme32_vmp_3.0.9_v2) for a specific function (or code portion?).
The first step was to manually create a file containing all yara rules for all handlers, this will allow us to automatically detect a specific handler and classify it. The automatic handler detection step is essential because it will allow you to save some time when you are dealing with targets, but that approach is not guaranteed to work for every target, because of the (unique?) algorithm used to decrypt the bytecode (that …