从俄文网页在线翻译的。
http://www.polytech.ural.ru/vmprotect.htm

VMProtect - the new tool for protection of the software

In given clause we shall consider the theory and practice of work with program VMProtect on an example of the elementary program on Delphi.

What is the protectors

The programs intended for protection of programs from breaking refer to as protectors. Now in the market the set of protectors is presented, but practically all have one essential lack - they do not modify an initial code (protection of programs represents usual packing all file, thus "is protected" itself raspakovshchik which as a result unpacks a file). After the termination of work raspakovshchika the program it is possible simply "sdampit" and as a result without special difficulties to receive an initial (unpacked) file. Hackers develop set of tools on automatic removal of the most popular protectors. Practically on all protectors many clauses on their removal are written, therefore before purchase of a commercial protector be not too lazy to esteem, that about it representatives angegraunda in clauses write.

It is a little theory

VMProtect represents absolutely new tool on protection of the software. Unlike the majority of existing protectors VMProtect modifies an initial code of the program. During work of VMProtect sites of a code of a protected file are translated in the program (further bajtkod), carried out on the virtual machine (further VM). VM also it is possible to name the virtual processor with system of commands very strongly differing from that which is presented in processors Intel 8086. For example: in VM there are no the commands which are responsible for comparison of two operands, there are no conditional and unconditional transitions, etc.
As you have already understood, to hackers will have to develop absolutely specific tools for the analysis and decompiling bajtkoda, that will borrow a lot of time. Unfortunately it is possible to ascertain, that not broken protection do not happen, therefore it is necessary to achieve such level of protection, that expenses for its breaking would be comparable (or even surpassed!!!) expenses for legal purchase of the protected program. In any case it is not necessary to forget, that VMProtect is only the tool, helping "to hide" mechanisms of protection of the program.

Preparation of the protected program

For the beginning we shall create in Delphi the elementary project consisting of the form (Form1), an element of input of the text (Edit1) and buttons (Button1):

Rice 1.

After pressing by the user button Button1 correctness of input of the password will be checked and to stand out the corresponding message (correctly or the password is incorrectly entered):

procedure TForm1. Button1Click (Sender: TObject);
begin
  if StrToIntDef (Edit1. Text, 0) mod 17=13 then
   MessageDlg (' the Password correct ', mtInformation, [mbOK], 0)
  else
   MessageDlg (' the Password wrong ', mtError, [mbOK], 0);
end;  

The algorithm of correctness of input of the password is very simple - the password is translated in number, further this number the password wrong shares on 17 and if the rest from äåëåíèÿ=13, the password correct, differently.
Before compilation of our project we shall come into options of the project and we shall include generation MAP of a file:

Rice 2.

MAP the file is necessary that in the further VMProtect named procedures has defined its address. Further we do " Build Project1 " and it is received otkompilirovannyj the test project and MAP a file.

Multiline appendices

Before compilation VMProtect checks presence of function GetCurrentProcessId in the list of imported functions from kernel32.dll (if the given function is found the protected appendix is multiline). For multiline appendices executor VM is calculated on simultaneous performance up to 256 streams. If your appendix is the driver or works with a lot of streams in the appendix it is necessary to realize procedure of allocation of memory for needs VM.
Function of allocation of memory should support 2 operating modes (allocation and vysvobodzhenie memories).
Mode of allocation of memory:
- Entrance parameters: register ECX - the size of the allocated block.
- Target parameters: register EAX - the index on the allocated block of memory.
Mode of liberation of memory:
- Entrance parameters: register ECX = 0; EDX - the index on earlier allocated block.

Work with VMProtect

We load our project through item of the menu "File" - "To open". We add in our project the procedure which is responsible for check of correctness of input of the password:

Rice 3.

After addition in our project of all necessary procedures we pass to a bookmark of "Option":
- Mode of debugging (definition of external addresses). As a rule it is applied at protection of programs on Visual Basic .
- To hide constants. At the included option in bajtkode it will be impossible to find addresses of variables or addresses of caused functions in an obvious kind.
- Dynamic creation online of commands. Executor VM can executes not all commands Intel 8086 - therefore such commands are carried out in that kind in which they have met in a code of a protected site. Dynamic creation online of commands also complicates breaking bajtkoda.
- Encoding bajtkoda. Bajtkod it will be written down in a file in the ciphered kind.
- The control of integrity of the executor. At performance of the program executor VM automatically considers the control sum of casual sites of the executor which is used at performance of commands. The control of integrity of the executor is protected by the executor from its change.
- The name sektsy VM. You can specify the name new sektsy in which will be written down executor VM and bajtkod for the executor.
- To delete adjusted elements. Compilers (in particular Delphi) create for EXE files spiok adjusted elements which are not used by operational system at loading EXE of files. At the included option the area borrowed under the list of adjusted elements, will be used under are necessary VM.

After installation of all necessary options we start compilation of the project. After compilation near to a protected file (for example TEST.EXE) the new file (for example TEST.VMP.EXE) in which the specified procedures will work by the virtual machine will be created.

(c) PolyTech

[课程]Android-CTF解题方法汇总！