首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 社区
  2. 资源下载
    3. 发新帖
[推荐] VMPImportFixer
发表于: 2021-8-13 05:12 5938

[推荐] VMPImportFixer

Alfik 活跃值
2021-8-13 05:12
5938

VMPImportFixer
https://github.com/mike1k/VMPImportFixer/releases/download/1.0/VMPImportFixer.exe
https://github.com/mike1k/VMPImportFixer/archive/refs/heads/master.zip
https://github.com/mike1k/VMPImportFixer

 

VMPImportFixer is a tool aimed to resolve import calls in a VMProtect'd (3.x) binary.
Information

 

VMPImportFixer attempts to resolve all obfuscated API calls in a VMProtect'd binary. A binary which has VMProtect's "Import Protection" option enabled will have all it's CALL NEAR instructions replaced with near relative call instructions (see ImportCallObfuscator for a similar method of obfuscating imports).

 

VMProtect usually has two different variations of import calls which seem to be chosen at random once the binary is protected. The first, being push reg; call func, and the other being call func; ret/int3.

 

call/int3 push/call

 

Following these calls lead into the VMProtect section, which, by default is named .vmp0. Each stub can vary in complexity and size, however the concept is generally the same. Through a series of arithmetic which is used to calculate the real import address, the final operation usually sets [rsp]/[esp] to the import address before the final RET instruction.

 

Based on the variant of the call (push reg; call func or call func; int3/ret), the stub may increment the return address. This use of the extra byte and return address incrementing is used to break various decompilers from properly analyzing a function due to the decompiler not recognizing that the byte will be skipped over in runtime.

 

With this information combined, I decided to write a tool over the day that solves these calls. I was not happy with public implementations due to various reasons. One was closed-source, and seemed to be limited to a debugger, and the other lifts these stubs into a IL which seems impractical. I decided to go the emulation route as this trivially tackles the problem and supports both X86 and X86-64 flawlessly.

 

VMPImportFixer is an all-in-one tool; it will support X86 processes regardless of being in a X64 context. This means that there is no need for architecture dependent versions of the binary.
Usage

 

Usage: VMPImportFixer
-p (required) process name/process id
-mod: (optional) name of module to dump.
-section: (optional) VMP section name to use if changed from default (VMP allows custom names)


[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法

收藏
免费 1
支持
分享
最新回复 (5)
chixiaojie
雪    币: 3202
活跃值: (1917)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
good tool
2021-8-13 10:01
0
pxhb
雪    币: 6366
活跃值: (4336)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
私信
3

测试了一下,对于类似

 mov eax,[address] 

 call eax这种修复不了


----

加壳前

    mov esi,dword ptr ds:[地址]
    call esi


加壳后变成了

    push    edx
    call    00F79BCA
    call    esi

修复的时候就错误了

最后于 2021-8-13 10:59 被pxhb编辑 ,原因:
2021-8-13 10:56
0
wuxiwudi
雪    币: 927
活跃值: (1750)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
4
之前写过一个ida脚本来识别,会更简单
2021-8-13 10:59
0
pxhb
雪    币: 6366
活跃值: (4336)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
私信
5
wuxiwudi 之前写过一个ida脚本来识别,会更简单
求分享
2021-8-13 11:00
0
wuxiwudi
雪    币: 927
活跃值: (1750)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
6
pxhb [em_13]求分享
不用求....你发的这个例子我也解不出来,间接调用无解,肯定过vhandle,剩下的和他说的一样,他用符号执行我用调试器,大概思路都一致
2021-8-13 11:21
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//