VMP VMProtect Windows API Address Decoder (IDA Pro - Python)

mak

VMProtect Windows API Address Decoder

IDA script for VMProtect Windows API address decoder



Usage
Load the vmpr.py file from IDA.
instance = vwaad()
When loaded, it automatically outputs decoding information.
Use the patchOllyScript() method to print the OllyScript that can be patched.
API Decoder analysis post: https://sfkino.tistory.com/74

Attached is a machine translation from Korean, in PDF format.

https://github.com/saweol/vwaad/archive/master.zip
 


mak

Continuing on the API topic:
FixVmpDump https://github.com/YanStar/FixVmpDump
Use a Python script to fix VMP dump APIs in IDA. Supports x86 and x64.
Details in my blog: https://blog.csdn.net/yan_star/article/details/112798262

Vm2Import - https://github.com/nblog/Vm2Import
Fixes VMProtect import functions using unicorn-engine.

It can repair functions such as call [module.function] or jmp [module.function] or reg(mov) [module.function] that are statically imported by the VM.

It is effective in vmp2 and vmp3.

Use
  1. Copy to x64dbg:
x64dbg\release\x32\plugins\unicorn.dll
x64dbg\release\x32\plugins\Vm2Import.dp32

x64dbg\release\x64\plugins\unicorn.dll
x64dbg\release\x64\plugins\Vm2Import.dp64
  2. Select "VM_Start" call vmp0.xxxxxxxx, right click menu "Vm2Import"->"Fix Import Call Address"
 