Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Plugin for integration with VTIL (Virtual-machine Translation Intermediate Language) #265

Open
XVilka opened this issue Jul 8, 2020 · 0 comments
Open

Plugin for integration with VTIL (Virtual-machine Translation Intermediate Language) #265

XVilka opened this issue Jul 8, 2020 · 0 comments
Labels
RAnal

Comments

@XVilka
Copy link
Contributor

XVilka commented Jul 8, 2020

VTIL

VTIL Project, standing for Virtual-machine Translation Intermediate Language, is a set of tools designed around an optimizing compiler to be used for binary de-obfuscation and de-virtualization.

The main difference between VTIL and other optimizing compilers such as LLVM is that it has an extremely versatile IL that makes it trivial to lift from any architecture including stack machines. Since it is built for translation, VTIL does not abstract away the native ISA and keeps the concept of the stack, physical registers, and the non-SSA architecture of a general-purpose CPU as is. Native instructions can be emitted in the middle of the IL stream and the physical registers can be addressed from VTIL instructions freely.

VTIL also makes it trivial to emit code back into the native format at any virtual address requested without being constrained to a specific file format.

Radare2/Cutter

VTIL shown to be successful for deobfuscating VMProtect and similar code protectors. It might be beneficial to provide the integration with radare2

There is existing plugin for Binary Ninja, might be useful to see it as an example: https://github.com/vtil-project/VTIL-BinaryNinja

Example

From the "Devirtualization Intro" article:

#include <vtil/vtil>

int main()
{
	// https://0xnobody.github.io/devirtualization-intro/

	constexpr auto block_vip = 0x1234;
	constexpr auto reg_size = 64;
	constexpr auto reg_offs = 0;

	// block_vip is just something to identify the block.
	// you can use the relative or absolute VIP of the block's first instruction.
	//
	auto block = vtil::basic_block::begin(block_vip);

	// the following instruction defines a register. In VTIL, we can define as many registers as we want.
	//
	// - vtil::register_virtual means that the register is virtual ie. it is only existent in the VM context
	// - we get the register id via reg_offs / 8, as in our example VM all registers are 8-byte aligned. This
	// won't always be the case.
	// - 64 specifies the register's size. For our example, the register is always 64 bits.
	// - next, we get the bit offst by getting the modulus of our register offset
	//
	vtil::register_desc reg(vtil::register_virtual, 64, reg_size, (reg_offs % 8) * 8);

	// quite self explanatory :^)
	// note that in VTIL, we can chain these calls for that super clean look!
	//
	block->push(reg);

	// And finally let's use dump our precious little routine:
	vtil::debug::dump(block->owner);
}

Articles
@XVilka XVilka added the RAnal label Jul 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
RAnal
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@XVilka