Part 1: Bytecode and IR
Author: RolfRolles

The approach I took with ReWolf's x86 Virtualizer is also applicable here, although a
more sophisticated compiler is required.  What follows is some preliminary notes on the
design and implementation of such a component.  These are not complete details on breaking
the protection; I confess to having only looked at a few samples, and I am not sure which
protection options were enabled.

As before, we begin by constructing a disassembler for the interpreter.  This is immediately
problematic, since the bytecode language is polymorphic.  I have created an IDA plugin that
automatically constructs OCaml source code for a bytecode disassembler.  In a
production-quality implementation, this should be implemented as a standalone component that
returns a closure.

The generated disassembler, then, looks like this:

let disassemble bytearray index =
  match (bytearray.(index) land 0xff) with
    0x0  -> (VM__Handler0__PopIntoRegister(0),[index+1])
  | 0x1  -> (VM__Handler1__PushDwordFromRegister(0),[index+1])
  | 0x2  -> (VM__Handler2__AddWords,[index+1])
  | 0x3  -> (VM__Handler3__StoreByteIntoRegister(bytearray.(index+1)),[index+2])
  | 0x4  -> (VM__Handler0__PopIntoRegister(4),[index+1])
  | 0x5  -> (VM__Handler1__PushDwordFromRegister(4),[index+1])
  | 0x6  -> (VM__Handler4__ShrDword,[index+1])
  | 0x7  -> (VM__Handler5__ReadDword__FromStackSegment,[index+1])
  | ...  -> ...
  
Were we to work with the instructions individually in their natural granularity, depicted
above, the bookkeeping on the semantics of each would likely prove tedious.  For illustration,
compare and contrast handlers #02 and #04.  Both have the same basic pattern:  pop two values
(words vs. dwords), perform a binary operation (add vs. shr), push the result, then push the
flags.  The current representation of instructions does not express these, or any, similarities.

Handler #02:                Handler #04:
mov   ax, [ebp+0]           mov   eax, [ebp+0]   
sub   ebp, 2                mov   cl, [ebp+4]      
add   [ebp+4], ax           sub   ebp, 2         
pushf                       shr   eax, cl         
pop   dword ptr [ebp+0]     mov   [ebp+4], eax   
                            pushf                  
                            pop   dword ptr [ebp+0]

Therefore, we pull a standard compiler-writer's trick and translate the VMProtect instructions
into a simpler, "intermediate" language (hereinafter "IR") which resembles the pseudocode
snippets atop the handlers in part zero.  Below is a fragment of that language's abstract
syntax.

type size = B | W | D | Q
type temp = int * size
type seg  = Scratch | SS | FS | Regular
type irbinop  = Add | And | Shl | Shr | MakeQword
type irunop  = Neg | MakeByte | TakeHighDword | Flags
type irexpr = Reg of register
            | Temp of int
            | Const of const
            | Deref of seg * irexpr * size
            | Binop of irexpr * irbinop * irexpr
            | Unop of irexpr * irunop
            
type ir =
  DeclareTemps of temp list
| Assign of irexpr * irexpr
| Push of irexpr
| Pop of irexpr
| Return
            
A portion of the VMProtect -> IR translator follows; compare the translation for handlers #02
and #04.

let make_microcode = function
  VM__Handler0__PopIntoRegister(b)       -> [Pop(Deref(Scratch, Const(Dword(zero_extend_byte_dword(b land 0x3C))), D))]
| VM__Handler2__AddWords                 -> [DeclareTemps([(0, W);(1, W);(2, W)]);
                                             Pop(Temp(0));
                                             Pop(Temp(1));
                                             Assign(Temp(2), Binop(Temp(0), Add, Temp(1)));
                                             Push(Temp(2));
                                             Push(Unop(Temp(2), Flags))]
| VM__Handler4__ShrDword                 -> [DeclareTemps([(0, D);(1, W);(2, D)]);
                                             Pop(Temp(0));
                                             Pop(Temp(1));
                                             Assign(Temp(2), Binop(Temp(0), Shr, Temp(1)));
                                             Push(Temp(2));
                                             Push(Unop(Temp(2), Flags))]
| VM__Handler7__PushESP                  -> [Push(Reg(Esp))]
| VM__Handler23__WriteDwordIntoFSSegment -> [DeclareTemps([(0, D);(1, D)]);
                                             Pop(Temp(0));
                                             Pop(Temp(1));
                                             Assign(Deref(FS, Temp(0), D), Temp(1))]
| ...                                    -> ...

To summarize the process, below is a listing of VMProtect instructions, followed by the assembly
code that is executed for each, and to the right is the IR translation.

VM__Handler1__PushDwordFromRegister 32

and   al, 3Ch ; al = 32
mov   edx, [edi+eax]
sub   ebp, 4
mov   [ebp+0], edx        Push (Deref (Scratch, Const (Dword 32l), D));

VM__Handler7__PushESP

mov   eax, ebp
sub   ebp, 4
mov   [ebp+0], eax        Push (Reg Esp);

VM__Handler0__PopIntoRegister 40

and   al, 3Ch
mov   edx, [ebp+0]
add   ebp, 4
mov   [edi+eax], edx      Pop (Deref (Scratch, Const (Dword 40l), D));

VM__Handler19__PushSignedByteAsDword (-1l)

movzx eax, byte ptr [esi] ; *esi = -1
sub   esi, 0FFFFFFFFh
cbw
cwde
sub   ebp, 4
mov   [ebp+0], eax        Push (Const (Dword (-1l)));

VM__Handler9__PushDword 4525664l

mov   eax, [esi] ; *esi = 4525664l
add   esi, 4
sub   ebp, 4
mov   [ebp+0], eax        Push (Const (Dword 4525664l));

VM__Handler9__PushDword 4362952l};

mov   eax, [esi] ; *esi = 4362952l
add   esi, 4
sub   ebp, 4
mov   [ebp+0], eax        Push (Const (Dword 4362952l));

VM__Handler19__PushSignedByteAsDword 0l};

movzx eax, byte ptr [esi] ; *esi = 0
sub   esi, 0FFFFFFFFh
cbw
cwde
sub   ebp, 4
mov   [ebp+0], eax        Push (Const (Dword (0l)));

VM__Handler42__ReadDwordFromFSSegment};

mov   eax, [ebp+0]        DeclareTemps([(0,D)]);  Pop (Temp 0);
mov   eax, fs:[eax]
mov   [ebp+0], eax        Push (Deref (FS, Temp 0, D));

Part 2: Introduction to Optimization
Author: RolfRolles

Basically, VMProtect bytecode and the IR differ from x86 assembly language in four ways:

1)  It's a stack machine;
2)  The IR contains "temporary variables";
3)  It contains what I've called a "scratch" area, upon which computations are performed
rather than in the registers;
4)  In the case of VMProtect Ultra, it's obfuscated (or rather, "de-optimized") in certain
ways.

It turns out that removing these four aspects from the IR is sufficient preparation for
compilation into sensible x86 code.  We accomplish this via standard compiler optimizations
applied locally to each basic block.  In general, there are a few main compiler optimizations
used in this process.  The first one is "constant propagation".  Consider the following C code.

int x = 1;
function(x);

Clearly x will always be 1 when function is invoked:  it is defined on the first line,
and is not re-defined before it is used in the following line (the definition in line one
"reaches" the use in line two; alternatively, the path between the two is "definition-clear"
with respect to x).  Thus, the code can be safely transformed into "function(1)".  
If the first line is the only definition of the variable x, then we can replace all uses of
x with the integer 1.  If the second line is the only use of the variable x, then we can
eliminate the variable.

The next is "constant folding".  Consider the following C code.

int x = 1024;
function(x*1024);

By the above remarks, we know we can transform the second line into "function(1024*1024);".  
It would be silly to generate code that actually performed this multiplication at
run-time:  the value is known at compile-time, and should be computed then.  
We can replace the second line with "function(1048576);", and in general we can replace any
binary operation performed upon constant values with the computed result of that operation.

Similar to constant propagation is "copy propagation", as in the below.

void f(int i)
{
  int j = i;
  g(j);
}

The variable j is merely a copy of the variable i, and so the variable i can be substituted
in for j until the point where either is redefined.  Lacking redefinitions,
j can be eliminated entirely.

The next optimization is "dead-store elimination".  Consider the following C code.

int y = 2;
y = 1;

The definition of the variable y on line one is immediately un-done by the one on line two.  
Therefore, there is no reason to actually assign the value 2 to the variable;
the first store to y is a "dead store", and can be eliminated by the standard liveness-based
compiler optimization known as "dead-store elimination", or more generally
"dead-code elimination".  Here's an example from the VMProtect IR.

ecx = DWORD Scratch:[Dword(44)]
ecx = DWORD Scratch:[Dword(20)]

After dead-store-eliminating the first instruction, it turns out no other instructions use
Scratch:[Dword(44)], and so its previous definition can be eliminated as well.

Part 3: Optimizing and Compiling
Author: RolfRolles

The reader should inspect this unoptimized IR listing before continuing.  In an attempt to
keep this entry from becoming unnecessarily long, the example snippets will be small, but
for completeness a more thorough running example is linked throughout the text.

We begin by removing the stack machine features of the IR.  Since VMProtect operates on
disassembled x86 code, and x86 itself is not a stack machine, this aspect of the protection
is unnatural and easily removed.  Here is a 15-line fragment of VMProtect IR.

push Dword(-88)
push esp
push Dword(4)
pop t3
pop t4
t5 = t3 + t4
push t5
push flags t5
pop DWORD Scratch:[Dword(52)]
pop t6
pop t7
t8 = t6 + t7
push t8
push flags t8
pop DWORD Scratch:[Dword(12)]
pop esp

All but two instructions are pushes or pops, and the pushes can be easily matched up with
the pops.  Tracking the stack pointer, we see that, for example, t3 = Dword(4).  
A simple analysis allows us to "optimize away" the push/pop pairs into assignment statements.  
Simply iterate through each instruction in a basic block and keep a stack describing the
source of each push.  For every pop, ensure that the sizes match and record the location
of the corresponding push.  We wish to replace the pop with an assignment to the popped
expression from the pushed expression, as in

t3 = Dword(4)
t4 = esp
t7 = Dword(-88)

With the stack aspects removed, we are left with a more conventional listing containing many
assignment statements.  This optimization substantially reduces the number of instructions
in a given basic block (~40% for the linked example) and opens the door for other optimizations.  
The newly optimized code is eight lines, roughly half of the original:

t3 = Dword(4)
t4 = esp
t5 = t3 + t4
DWORD Scratch:[Dword(52)] = flags t5
t6 = t5
t7 = Dword(-88)
t8 = t6 + t7
DWORD Scratch:[Dword(12)] = flags t8
esp = t8

A complete listing of the unoptimized IR versus the one with the stack machine features removed
is here, which should be perused before proceeding.

Now we turn our attention to the temporary variables and the scratch area.  Recall that the
former were not part of the pre-protected x86 code, nor the VMProtect bytecode -- they were
introduced in order to ease the IR translation.  The latter is part of the VMProtect bytecode,
but was not part of the original pre-protected x86 code.  Since these are not part of the
languages we are modelling, we shall eliminate them wholesale.  On a high level, we treat
each temporary variable, each byte of the scratch space, and each register as being a variable
defined within a basic block, and then eliminate the former two via the compiler optimizations
previously discussed.

Looking again at the last snippet of IR, we can see several areas for improvement.  First,
consider the variable t6.  It is clearly just a copy of t5, neither of which are redefined
before the next use in the assignment to t8.  Copy propagation will replace variable t6
with t5 and eliminate the former.  More generally, t3, t4, and t7 contain either constants
or values that are not modified between their uses.  Constant and copy propagation will
substitute the assignments to these variables in for their uses and eliminate them.

The newly optimized code is a slender three lines compared to the original 15; we have removed
80% of the IR for the running example.

DWORD Scratch:[Dword(52)] = flags Dword(4) + esp
esp = Dword(4) + esp + Dword(-88)
DWORD Scratch:[Dword(12)] = flags Dword(4) + esp + Dword(-88)

The side-by-side comparison can be found here.

The IR now looks closer to x86, with the exception that the results of computations are being
stored in the scratch area, not into registers.  As before, we apply dead-store elimination,
copy and constant propagation to the scratch area, removing dependence upon it entirely in the
process.  See here for a comparison with the last phase.

Here is a comparison of the final, optimized code against the original x86:

push ebp                               push    ebp                    
ebp = esp                              mov     ebp, esp              
push Dword(-1)                         push    0FFFFFFFFh            
push Dword(4525664)                    push    450E60h               
push Dword(4362952)                    push    offset sub_4292C8      
eax = DWORD FS:[Dword(0)]              mov     eax, large fs:0
push eax                               push    eax                    
DWORD FS:[Dword(0)] = esp              mov     large fs:0, esp        
eflags = flags esp + Dword(-88)                           
esp = esp + Dword(-88)                 add     esp, 0FFFFFFA8h        
push ebx                               push    ebx                    
push esi                               push    esi                    
push edi                               push    edi                    
DWORD SS:[Dword(-24) + ebp] = esp      mov     [ebp-18h], esp        
call DWORD [Dword(4590300)]            call    dword ptr ds:unk_460ADC
vmreturn Dword(0) + Dword(4638392)

Code generation is an afterthought.

vmp这次要蛋疼了

谢，收下，。。。。。。。。。。。。。。。。

比发哥的挫啊

佔楼将来再看。

广告位出租!

虽然很详细，但这也不是新东西了。
类似的工作我们已经做到了,opcode我们也已经全部解开了，块结构和RISC指令集也基本搞清楚。代码还原也手工做到了。
虽然我们之前的分析只是1.2x，但和1.5的demo也区别不大。这里好像是demo版，对release版如此分析不是这么容易了。
这还是白盒分析法，费体力和精力，除非有完美工具。以前用白盒分析，很辛苦，而vm多样，如何和机器对抗?
对vm,目前我觉得黑盒分析是最好的方法。
不知fg的工具是何样的。

我只是觉得RolfRolles的文章写的比之前出现的文章都更容易懂一点，这是我转帖的目的。
既然你对vmp分析得如此透彻，你也可以做出来，不必指望fg的工具

看样子再过个一年半载工具就会公开了。

文章不错，只是我期望过高，看后有点小失望。
工具一是没时间，每天能有2个小时让我搞crack就不错；二是没水平，如果有这水平，我会先考虑写个vm。
vm千变万化，如果写修复工具只能针对某一特定vm或某一特定版本，还未必完美，是个费力且收效小的活。
即使出了成品，随即该vmprotect过时(有了破解工具，就没人用了），vm立即升级，工具也会立即消亡，昙花一现。
对fg的工具，是有点好奇和怀疑，会有人写如此工具吗？会完美吗？会通用吗？
另如我是fg，即使有此工具，我也不会公布出来，那样该版本vmprotect随即死亡，该工具也立刻无用。

我一直认为如果vmprotect的作者应该来中国接某些业务，可能比他卖vmp还要赚钱

呵呵  深入人心！

占楼看看~~

VMP并不能有效的阻止软件破解。

广告位出租!

强大……19楼广告位招租……

高级逆向
虚拟打人
七夕膜拜七次

a basic introduction to stack machine

插入先,最近想搞VMP

研究研究~~上次没mark

没有什么能阻止强大的蛋蛋

看来VMP确实很利害了。