can1357 / novmp Goto Github PK

The title pretty much says it all.

Great work on this project by the way! 👍

It's been like that for hours

Iam having an issue while cleaning vmprotect after scylla dump

anyone know how to fix this?

Hey can you guys compile the latest version of the NoVmp, cant compile myself, I got latest VTIL core etc

Hello,
Will this work for an x86 EXE.
I need to de-virtualize an x86 VMProtected one.

TIA.

The first like 4 functions are parsed as normal and then there's a huge lag spike on branch correction pass that renders the whole pc unresponsive for like 60 seconds and then if it was run from its exe icon it crashes and if it was run from CMD the command prompt goes completely unresponsive😐😐😐😐😐😐😐😐😐

I packed a 64-bit exe to test, but show message as below.

could you give me a target to test?thx

I tried 7.5, 8 and 9, I got a error called "Unrecognized command line option ‘-Wvolatile’ ".

title

I tried to unvirtualized the entry code of a protected binary. It seems the very first basic_block of entry code is classified into "switch case pattern", which is not supported in current version.
An example of "switch case pattern" is as following:
{(-0xe9d521f90e+qword[(0x4b62016+&&base)]#0x3dbddf3?)}
the meaning of this expression is read a qword from 0x4b62016+imagebase, add a imm -0xe9d521f90, and results in another imm, which is the finally branch destination.
In this very first basic_block, the number of destination is only one, which is not a real switch case.
I want to add support for this situation. Could give me some guidance for adding some code for this?

Can you create video demo?

So as i've opened a issue b4, here are the outputs that i get

C:\WINDOWS\system32>"C:\Users\Nemezis\Downloads\NOVM.exe" "C:\Users\Nemezis\Downloads\_dump.sys"
##############################################################################
# NoVmp  Copyright (C) 2020 Can Boluk                                        #
# This program comes with absolutely no warranty, and it is free software.   #
# You are welcome to redistribute it under certain conditions--for which you #
# can refer to the GNU General Public License v3.                            #
##############################################################################

Discovered vmenter at FFFFF80240C01AA2
Discovered vmenter at FFFFF80240C01ACA
Discovered vmenter at FFFFF80240C01AEC
Discovered vmenter at FFFFF80240C01C91
Discovered vmenter at FFFFF80240C0256F
Discovered vmenter at FFFFF80240C02C99
Discovered vmenter at FFFFF80240C03371
Discovered vmenter at FFFFF80240C037FA
Discovered vmenter at FFFFF80240C03B4D
Discovered vmenter at FFFFF80240C03DAE
Discovered vmenter at FFFFF80240C03EF8
Lifting virtual-machine at 00000000001A67B9...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A67DE...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A67FB...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A69CB...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A6E5D...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7323...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A76F4...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7997...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7B05...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7C49...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7D45...
Error: Invalid VIP.

Wonder if this will ever support kernel mode drivers

Hey i have a question i can now compile novmp without problems have also fixed a few small bugs but i can not figure out how to add the switch case support would be very grateful for help -opt:constant has unfortunately not fixed the error

.

Have infinity trace loop. prey(outdated)
Also, in my case JMP in same section; some changes in main.cpp of Novmp -

			// Skip if JMP target is in the same section / in a non-executable section
			//
			win::section_header_t* scn_jmp = desc->rva_to_section( jmp_rva );
			if ( !scn_jmp /*|| scn_jmp == scn*/ || !scn_jmp->characteristics.mem_execute ) continue;

Thanx for NoVMP, code style are very easy, for exploding VMP VM structure!

............

It seems like this tool can only lift x64 target? Can I use it on x86 target?

I installed lastest libc++-dev，switched compiler to clang 10, and fixed some issues in Pull Requests. But I still get a compilation error like follow:

/usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:1756: undefined reference to `std::__throw_length_error(char const*)'
clang: error: linker command failed with exit code 1 (use -v to see invocation)

anyone know how to fix this ?

https://prnt.sc/u2ymyw

Lifting/Optimizing getting stuck at optimizer::branch_correction_pass, I obviously don't have experience with VTIL to say anything of whats going on here, if I could I would lol. I can also upload the section that I'm trying to fix if that would help in the debugging process.

discord: Exceptis#0001

I am sorry for this not being an issue. I have a question regarding NoVmp, I dumped the vmprotected DLL with Scylla and tried to use it with NoVmp, This shows up when I input the DLL:

If I press any key the program closes. If anyone can help me that would be great, thank you.

Some functions could not be detected with the current analyzer. Here is a list of the combinations that weren't detected and what they should have supposedly been:

VPOPV*

[!] Warning: Failed to clasify the instruction:
000000000155CB48: mov rcx, qword ptr [r11]
FFFFFFFFFFFFFFFF: loadc dil, 104
000000000155CB9C: mov qword ptr [rsp + rdi], rcx
FFFFFFFFFFFFFFFF: loadc ebx, 19303
00000000014E4B32: movsxd rbx, ebx
00000000014E4B35: add rsi, rbx

[!] Warning: Failed to clasify the instruction:
000000000156F003: mov rdx, qword ptr [r11]
000000000156F011: mov rdi, qword ptr ss:[rdx]
000000000156F015: mov qword ptr [r11], rdi
FFFFFFFFFFFFFFFF: loadc ecx, 4294643413
00000000015982C9: movsxd rcx, ecx
00000000015982CC: add rsi, rcx

VADDU*

[!] Warning: Failed to clasify the instruction:
000000000154FBFF: mov r10, qword ptr [r11]
000000000154FC08: mov rbx, qword ptr [r11 + 8]
000000000154FC13: add r10, rbx
000000000154FC16: mov qword ptr [r11 + 8], r10
000000000154FC1D: pushfq
000000000154FC1E: pop qword ptr [r11]
FFFFFFFFFFFFFFFF: loadc edi, 4294336794
00000000014E1809: movsxd rdi, edi
00000000014E6011: add rsi, rdi

VSHRU*

[!] Warning: Failed to clasify the instruction:
00000000015616AF: mov rdx, qword ptr [r11]
00000000015616B5: mov cl, byte ptr [r11 + 8]
00000000015616B9: sub r11, 6
00000000015616C0: shr rdx, cl
00000000015616C6: mov qword ptr [r11 + 8], rdx
00000000015616CA: pushfq
00000000015616D3: pop qword ptr [r11]
FFFFFFFFFFFFFFFF: loadc ecx, 70933
00000000014B8461: movsxd rcx, ecx
00000000014B846B: add rsi, rcx

VPUSHC*

[!] Warning: Failed to clasify the instruction:
FFFFFFFFFFFFFFFF: loadc rcx, 18446744073709551615
00000000015A8770: sub r11, 8
00000000015A877F: mov qword ptr [r11], rcx
FFFFFFFFFFFFFFFF: loadc ebx, 4294358120
000000000151FA1B: movsxd rbx, ebx
000000000151FA27: add rsi, rbx

[!] Warning: Failed to clasify the instruction:
FFFFFFFFFFFFFFFF: loadc bl, 112
00000000015FA838: mov rax, qword ptr [rsp + rbx]
00000000015FA848: sub r11, 8
00000000015FA84F: mov qword ptr [r11], rax
FFFFFFFFFFFFFFFF: loadc r10d, 4294899004
000000000158A477: movsxd r10, r10d
000000000158A47A: add rsi, r10

[!] Warning: Failed to clasify the instruction:
00000000015EDFE9: mov rax, r11
00000000015EDFF3: sub r11, 8
00000000015EDFFA: mov qword ptr [r11], rax
FFFFFFFFFFFFFFFF: loadc edx, 4294447130
000000000150DE1D: movsxd rdx, edx
000000000150DE25: add rsi, rdx

VNORU*

[!] Warning: Failed to clasify the instruction:
00000000014DCCB4: mov rdi, qword ptr [r11]
00000000014DCCC2: mov r10, qword ptr [r11 + 8]
00000000014DCCC6: not rdi
00000000014DCCCE: not r10
00000000014DCCD5: and rdi, r10
00000000014DCCD8: mov qword ptr [r11 + 8], rdi
00000000014DCCE0: pushfq
00000000014DCCF0: pop qword ptr [r11]
FFFFFFFFFFFFFFFF: loadc r10d, 168336
0000000001563336: movsxd r10, r10d
0000000001563344: add rsi, r10

VNANDU*

[!] Warning: Failed to clasify the instruction:
00000000015E8959: mov rcx, qword ptr [r11]
00000000015E8962: mov rdi, qword ptr [r11 + 8]
00000000015E8970: not rcx
00000000015E8978: not rdi
00000000015E8981: or rcx, rdi
00000000015E8987: mov qword ptr [r11 + 8], rcx
0000000001581D90: pushfq
0000000001581D99: pop qword ptr [r11]
FFFFFFFFFFFFFFFF: loadc eax, 4294128860
00000000015F072C: movsxd rax, eax
00000000015F072F: add rsi, rax

Unknown

[!] Warning: Failed to clasify the instruction:
0000000001542312: movabs rbx, 0
0000000001542323: shrd esi, ebx, 0x4e
0000000001542327: or sil, cl
000000000154232A: lea rsi, [rip - 7]
FFFFFFFFFFFFFFFF: loadc edi, 24373215
00000000015EBA66: movsxd rdi, edi
00000000015EBA71: add rsi, rdi

[!] Warning: Failed to clasify the instruction:
00000000014BA360: add rbx, 8
0000000001542312: movabs rbx, 0
0000000001542323: shrd esi, ebx, 0x4e
0000000001542327: or sil, cl
000000000154232A: lea rsi, [rip - 7]
FFFFFFFFFFFFFFFF: loadc edi, 774888035
00000000015EBA66: movsxd rdi, edi
00000000015EBA71: add rsi, rdi

What's the issue? What does invalid VIP mean?

Discovered vmenter at 00007FF60245C2F0 Discovered vmenter at 00007FF60245CDB0 Lifting virtual-machine at 000000000008EBC1... Error: Invalid VIP. Lifting virtual-machine at 0000000000396A03... Error: Invalid VIP. Lifting virtual-machine at 000000000024A686... Error: Invalid VIP. Lifting virtual-machine at 00000000001ED7C2... Error: Invalid VIP. Lifting virtual-machine at 000000000038F7B1...

.

`
git submodule update --init --recursive

fatal: remote error: upload-pack: not our ref 98b44e3afa0a82e26f419b407d4c7a1c093f5e99
Fetched in submodule path 'VTIL-Core', but it did not contain 98b44e3afa0a82e26f419b407d4c7a1c093f5e99. Direct fetching of that commit failed.
`

README.md usage about -base parameter

-base 0x14000000

It looks like we're missing a 0.

I got compile error when compiling NoVMP. Tried to fix some, but some still error.
Maybe latest version VTIL-core cause this problem? Because the VTIL commit 98b44e3afa0a82e26f419b407d4c7a1c093f5e99 not exist. So I used latest version of VTIL and linux-pe.
I am using VS 2019 latest version and I made sure I am using latest /std:C++latest , but still get these error.
So can you solve these compile error, or tell something I need to do?
Thanks!

Error C2641 Unable to deduce the template parameter of "std::lock_guard" NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\main.cpp 249 Error C2440 "specialization": Cannot convert from "bool" to "vtil::optimizer::execution_order" NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\demo_compiler.hpp 279 Error C2893 Failed to specialize function template "std::lock_guard<_Mutex> std::lock_guard(_Mutex &)" NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\main.cpp 295 Error C2784 "std::lock_guard<_Mutex> std::lock_guard(std::lock_guard<_Mutex>)": Failed to derive template parameter NoVmp C:\Users\ from "void" to "std::lock_guard<_Mutex>" Username\Desktop\NoVMP\NoVmp\main.cpp 295 Error C2784 "std::lock_guard<_Mutex> std::lock_guard(std::lock_guard<_Mutex>)": Failed to derive template parameter NoVmp C:\Users\ from "void" to "std::lock_guard<_Mutex>" Username\Desktop\NoVMP\NoVmp\main.cpp 295 Error C2664 "char *strcpy(char *,const char *)": Cannot convert parameter 1 from "coff::scn_string_t" to "char *" NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\main.cpp 366 Error C2664 "int memcmp(const void *,const void *,size_t)": Cannot convert parameter 2 from "coff::scn_string_t" to "const void *" NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\ vmprotect\vtil_lifter.cpp 193 Error C2660 "vtil::optimizer::aux::analyze_branch": Function does not accept 4 parameters NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 500 Error C3536 "branch_info": Cannot use NoVmp before initialization C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 505 Error C2530 "branch": Must initialize reference NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 505 Error C3531 "branch": Symbols whose type contains "auto" must have initializer NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 505 Error C2143 Syntax error: Missing ";" (before ":") NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 505 Error C2143 Syntax error: missing ";" (before ")") NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 505 Error C2100 Illegal indirect addressing NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 513 Error C2672 "vtil::zip": No matching overload function was found NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 533 Error C2059 Syntax error: ":" NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 533 Error C2143 Syntax error: missing ";" (before "{") NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 534 Error C2065 "idx": Undeclared identifier NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 535 Error C2100 Illegal indirect addressing NoVmp C:\Users\Username\Desktop\NoVMP\NoVmp\vmprotect\vtil_lifter.cpp 536

cmake is incomplete and undefined.