VMP: Analyzing VMProtect with Triton (dynamic binary analysis (DBA) framework)

mak

Probable target - https://forum.tuts4you.com/topic/39481-devirtualizeme-vmprotect-309/

Separately, the 4 devirtme samples
Analyze vmprotect with Triton (dynamic binary analysis (DBA) framework)
Output:
https://github.com/Mahorori/VMProtectTest/blob/master/output
https://github.com/Mahorori/VMProtectTest/blob/master/output2

Triton - A DBA Framework
https://triton.quarkslab.com/

todo: make cfg of IR, IR optimization, IR->x86, mul handler

Archive - https://github.com/Mahorori/VMProtectTest/archive/master.zip
Link - https://github.com/Mahorori/VMProtectTest
 


Bronco

Analyze vmprotect with Triton (dynamic binary analysis (DBA) framework)
Output
No idea, I haven't looked at the source, but if that's the output, then even though the code on its own says nothing without a trace and context, it's still really not bad at all.
 

plutos

Dead code elimination with Triton is now available.

Introduction
We have recently added the concept of basic block (#1121) in Triton and we are now able to disassemble and process a block. How can this new feature improve Triton regarding binary deobfuscation? With the concept of block, we are now able to provide a dead store elimination simplification on a given block. Thus, the method simplify can now take a BasicBlock as input.

Example
Let's take as an example a VMProtect sample (thanks to @_xeroxz for giving us such a sample). How does it work? We will symbolically execute the block and thus create for each instruction its SSA symbolic expression. With the SSA form, and on a single block, it's then easy to remove expressions that have no more references. For example:

Code:
mov rdi, 1 ; <-- dead code
mov rdi, 2 ; previous rdi expression can be removed
Full example here.
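The SSA-based dead store elimination that the post above describes, as an added example that is neither part of the post nor Triton's own code: it models the idea on a tiny x86-64 subset (mov/add/sub/xor/and/or with register, immediate and [reg] operands) so it runs without Triton. Each instruction gets one SSA expression that references the current expression of every register it reads; everything not reachable from the block's exit state or from a memory store is dropped. The sample block, the `Expr` class and the instruction subset are constructed for illustration; Triton's real `simplify(BasicBlock)` does this on its AST with full flag and memory modelling.

```python
"""Dead store elimination on one basic block via SSA-style expressions.

Added illustration, not Triton's code: a toy model of "one SSA expression per
instruction, then drop expressions nobody references" on a small x86-64 subset.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

MEM = re.compile(r"\[(\w+)\]")                 # [reg] memory operand
IMM = re.compile(r"-?(0x[0-9a-fA-F]+|\d+)")    # immediate operand


@dataclass
class Expr:
    ident: int                  # SSA id of this expression
    text: str                   # instruction text (comment stripped)
    dst: str | None             # register defined, None for a memory store
    refs: set = field(default_factory=set)   # SSA ids this expression reads
    sink: bool = False          # side effect (store): always live
    is_input: bool = False      # placeholder for a register value on block entry


def operand_regs(op: str) -> list:
    """Registers read to evaluate one operand: a register, or the base of [reg]."""
    m = MEM.fullmatch(op)
    if m:
        return [m.group(1)]
    return [] if IMM.fullmatch(op) else [op]


def symbolic_block(lines: list) -> tuple:
    """Symbolically execute the block: one SSA expression per instruction."""
    exprs, state = [], {}       # state: register -> SSA id of its current definition

    def current(reg: str) -> int:
        # First read of a register inside the block refers to its entry value.
        if reg not in state:
            e = Expr(len(exprs), f"{reg}_in", reg, is_input=True)
            exprs.append(e)
            state[reg] = e.ident
        return state[reg]

    for line in lines:
        code = line.split(";")[0].strip()
        if not code:
            continue
        mnem, ops = code.split(None, 1)
        dst, src = [o.strip() for o in ops.split(",")]
        is_store = MEM.fullmatch(dst) is not None
        if is_store:
            reads = operand_regs(dst) + operand_regs(src)
        elif mnem == "mov":
            reads = operand_regs(src)
        elif mnem == "xor" and src == dst:
            reads = []          # zeroing idiom: result does not depend on the old value
        else:
            reads = operand_regs(src) + [dst]   # read-modify-write ALU op
        refs = {current(r) for r in reads}      # resolve reads before allocating the id
        e = Expr(len(exprs), code, None if is_store else dst, refs, sink=is_store)
        exprs.append(e)
        if e.dst:
            state[e.dst] = e.ident              # new SSA definition of dst
    return exprs, state


def eliminate_dead_stores(lines: list) -> tuple:
    """Return (kept, dead) instruction texts for a single block."""
    exprs, state = symbolic_block(lines)
    # Live at exit: the last definition of every register (successor blocks are unknown,
    # so this is the conservative choice) plus every memory store; then close over refs.
    live, work = set(), list(state.values()) + [e.ident for e in exprs if e.sink]
    while work:
        i = work.pop()
        if i not in live:
            live.add(i)
            work.extend(exprs[i].refs)
    kept = [e.text for e in exprs if not e.is_input and e.ident in live]
    dead = [e.text for e in exprs if not e.is_input and e.ident not in live]
    return kept, dead


# Constructed sample block (not from any real VMProtect handler).
SAMPLE = [
    "mov rdi, 1        ; dead: rdi is overwritten before anyone reads it",
    "mov rdi, 2",
    "mov rax, rdi",
    "add rax, 0x10",
    "mov rcx, rax      ; dead: rcx is zeroed by the xor idiom below",
    "xor rcx, rcx",
    "mov [rsp], rax    ; store: a side effect, always kept",
]

if __name__ == "__main__":
    kept, dead = eliminate_dead_stores(SAMPLE)
    print("removed:", dead)
    print("\n".join(kept))
```

Two caveats a practitioner would check before trusting such a pass on real code: this toy ignores flags (`add` writes rflags, which a later `jcc` in the same block may read) and partial registers (writing `eax` zero-extends into `rax`, writing `al` does not), both of which a symbolic engine like Triton's models and which a dead-store pass must respect.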
 