VMUnprotect is a project engaged in hunting virtualized VMProtect methods. It makes use of Harmony to dynamically read VMP behavior. Currently only supports method administration. Works on VMProtect 3.6.0 (Latest) and few versions back.
VMUnprotect.exe
-f, --file Required. Path to file.
--enableharmonylogs (Default: false) Disable or Enable logs from Harmony.
--bypassantidebug (Default: false) Bypass VMProtect Anti Debug.
--help Display this help screen.
--version Display version information.Note: All Supported Protections are working combined
| Protection Name | Is supported |
|---|---|
| Memory Protection | ✓ |
| Import Protection | ✓ |
| Resource Protection | ✓ |
| Debugger Detection | ✓ |
| Virtualization Tools | ✓ |
| Strip Debug Information | ✓ |
| Pack the Output File | ✓ |
- Tracing invokes in virtualized methods.
- Manipulating parameters and return values.
- Bypass NtQueryInformationProcess, IsLogging, get_IsAttached
/// <summary>
/// A prefix is a method that is executed before the original method
/// </summary>
public bool Prefix(ref object __result, ref object __instance, ref object obj, ref object[] parameters, ref object[] arguments) {
var virtualizedMethodName = new StackTrace().GetFrame(7).GetMethod();
var method = (MethodBase) __instance;
Logger.Print("VMP MethodName: {0} (MDToken 0x{1:X4})", virtualizedMethodName.FullDescription(),
virtualizedMethodName.MetadataToken.ToString());
Logger.Print("MethodName: {0}", method.Name);
Logger.Print("FullDescription: {0}", method.FullDescription());
Logger.Print("MethodType: {0}", method.GetType());
// ReSharper disable once ConditionIsAlwaysTrueOrFalse
if (obj is not null)
Logger.Print("Obj: {0}", Formatter.FormatObject(obj));
// Loop through parameters and log them
for (var i = 0; i < parameters.Length; i++) {
var parameter = parameters[i];
Logger.Print("Parameter ({1}) [{0}]: ({2})", i, parameter.GetType(), Formatter.FormatObject(parameter));
}
var returnType = method is MethodInfo info ? info.ReturnType.FullName : "System.Object";
Logger.Print("MDToken: 0x{0:X4}", method.MetadataToken);
Logger.Print("Return Type: {0}", returnType ?? "null");
return true;
}
/// <summary>
/// A postfix is a method that is executed after the original method
/// </summary>
public void Postfix(ref object __instance, ref object __result, ref object obj, ref object[] parameters, ref object[] arguments) {
Logger.Print("Returns: {0}", __result);
}As VMProtect describes it on their's website. Code virtualization is the next step in software protection. Most protection systems encrypt the code and then decrypt it at the application’s startup. VMProtect doesn’t decrypt the code at all! Instead, the encrypted code runs on a virtual CPU that is markedly different from generic x86 and x64 CPUs as the command set is different for each protected file.
No, isn't even meant for devirtualization.
| Todo | Done |
|---|---|
| Change this to support more VM's | X |
| VMP Stack tracing | X |
| Bypass VMP Debugger Detection | ✓ |
| Bypass VMP CRC Check | X |
| WPF GUI | X |
Credits, checkout my blog about VMUnprotect
- Washi Overall credits for the project and inspiration with UnsafeInvokeInternal, thanks <3
This tool uses the following (open source) software:
- dnlib by 0xd4d, licensed under the MIT license, for reading/writing assemblies.
- Harmony by Andreas Pardeike, licensed under the MIT license
- Serilog provides diagnostic logging to files, the console, and elsewhere. It is easy to set up, has a clean API.
- commandline offers CLR applications a clean and concise API for manipulating command line arguments and related tasks
- Autofac Autofac is an IoC container for Microsoft .NET. It manages the dependencies between classes so that applications stay easy to change as they grow in size and complexity. This is achieved by treating regular .NET classes as components.
- Donate BTC at `bc1q048wrqztka5x2syt9mtj68uuf73vqry60s38vf`
- Donate ETH at `0x86b2C17C94A1E6f35d498d17a37dc1f8A715139b`