Showing posts from August, 2018

Playing with VMProtect - Sample devirtualizeme32_vmp_3.0.9_v2

In this blog post, I'm going to show you the manual approach I used to generate a text-based representation of the handlers executed by the VMProtect virtual machine (I've only studied devirtualizeme32_vmp_3.0.9_v2) for a specific function (or code portion?).
The first step was to manually create a file containing YARA rules for all handlers; this lets us automatically detect and classify a specific handler. Automatic handler detection is essential because it saves time when you are dealing with targets, but the approach is not guaranteed to work for every target because of the (unique?) algorithm used to decrypt the bytecode. That bytecode is nothing more than encrypted relative addresses used to jump to the next handler, given the current handler's address. There are also other algorithms responsible, for instance, for decrypting 32-bit, 16-bit and 8-bit constants; every constant has a decryp…
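To make the workflow concrete, here is an added toy example (not code from the post, and not VMProtect's real layout or encryption): three hypothetical handlers at made-up addresses, a bytecode stream of records holding an optional operand plus an encrypted relative offset to the next handler, a made-up rolling-XOR scheme standing in for the real offset decryption, and YARA-like hex signatures with `??` wildcards to classify each handler. The walker follows the chain exactly as the post describes, decrypting each relative offset, adding it to the current handler address, classifying the handler found there, and emitting one text line per executed handler. Constants are left in plaintext here for simplicity.

```python
"""Toy handler-chain walker (constructed illustration, not VMProtect's real scheme)."""
import struct

# YARA-like hex patterns for each handler; '??' is a wildcard byte. (constructed)
RULES = {
    "vm_push_imm32": "8b 06 83 c6 ?? 50",  # mov eax,[esi] ; add esi,N ; push eax
    "vm_add":        "58 59 01 c8 50",     # pop eax ; pop ecx ; add eax,ecx ; push eax
    "vm_exit":       "c3",                 # ret
}

# Fake image: handler address -> handler bytes. Addresses are arbitrary. (constructed)
IMAGE = {
    0x401000: bytes.fromhex("8b0683c60450"),
    0x401010: bytes.fromhex("585901c850"),
    0x401020: bytes.fromhex("c3"),
}
HANDLER_ADDR = {"vm_push_imm32": 0x401000, "vm_add": 0x401010, "vm_exit": 0x401020}
OPERAND_SIZE = {"vm_push_imm32": 4}   # bytecode bytes a handler consumes as its operand
INITIAL_KEY = 0x12345678              # made-up rolling key seed (hypothetical)


def parse_pattern(pattern):
    """'8b 06 ?? 50' -> [0x8b, 0x06, None, 0x50]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def matches(pattern, data):
    pat = parse_pattern(pattern)
    if len(data) < len(pat):
        return False
    return all(p is None or p == b for p, b in zip(pat, data))


def classify(handler_bytes):
    """Return the first rule name whose signature matches the handler prologue."""
    for name, pattern in RULES.items():
        if matches(pattern, handler_bytes):
            return name
    return "unknown"


def to_signed32(x):
    return x - (1 << 32) if x & 0x80000000 else x


def decrypt_rel(enc, key):
    """Toy scheme: offset = enc XOR key, and the raw encrypted word becomes the next key."""
    return to_signed32(enc ^ key), enc


def encode_chain(steps, key=INITIAL_KEY):
    """Build toy bytecode for steps like [("vm_push_imm32", 7), ("vm_add",), ("vm_exit",)].

    Each record holds the handler's operand (if any) followed by the encrypted relative
    offset from this handler to the next one. The last handler has no successor.
    """
    out = bytearray()
    for i, (name, *operand) in enumerate(steps):
        if operand:
            out += struct.pack("<I", operand[0])
        if i + 1 < len(steps):
            rel = (HANDLER_ADDR[steps[i + 1][0]] - HANDLER_ADDR[name]) & 0xFFFFFFFF
            enc = rel ^ key
            key = enc
            out += struct.pack("<I", enc)
    return bytes(out)


def walk(bytecode, entry, key=INITIAL_KEY):
    """Follow the handler chain and emit one text line per executed handler."""
    lines, pc, cur = [], 0, entry
    while True:
        name = classify(IMAGE.get(cur, b""))
        size = OPERAND_SIZE.get(name, 0)
        operand = bytecode[pc:pc + size]
        pc += size
        line = f"{cur:#010x} {name}"
        if size:
            line += f" {int.from_bytes(operand, 'little'):#x}"
        lines.append(line)
        if name in ("vm_exit", "unknown"):   # stop at exit or at an unclassified handler
            break
        enc = int.from_bytes(bytecode[pc:pc + 4], "little")
        pc += 4
        rel, key = decrypt_rel(enc, key)
        cur = (cur + rel) & 0xFFFFFFFF
    return lines


def demo_trace():
    """Constructed program: push 1 ; push 2 ; add ; exit."""
    steps = [("vm_push_imm32", 1), ("vm_push_imm32", 2), ("vm_add",), ("vm_exit",)]
    return walk(encode_chain(steps), HANDLER_ADDR["vm_push_imm32"])


if __name__ == "__main__":
    print("\n".join(demo_trace()))
```

The walker stops on an `unknown` handler rather than guessing, which is the situation the post warns about: a target whose handlers or offset decryption differ from the rules you wrote will break the chain at the first unmatched handler, and that is the point where a new rule (or a new decryption routine) has to be added by hand.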