This repository is a collection of legacy tools for working with VMProtect 2-protected binaries.
These tools enable unpacking, analysis, and experimental devirtualization of software protected with VMProtect 2. At the core of this collection is vmprofiler, a utility library that provides the foundational logic used by all other tools. It is responsible for identifying key VMProtect 2 components such as VM handlers, the handler table, transforms, and more.
The lessons learned from this 4+ year old project should be passed on to those interested in devirtualization.
This project attempts to identify individual VM handlers. This approach is brittle, does not scale, and can be defeated by changes to the virtual machine architecture (interlinking multiple handlers, complex handlers, etc). Instead, i advocate for an incremental lifting and control‑flow recovery strategy with minimal VM‑specific deobfuscation logic. Tools such as Saturn, Triton, and Mergen have successfully deobfuscated VMProtect with little or no VM‑specific handler identification. This repository documents the architecture of VMProtect 2 and serves as a cautionary note: avoid building devirtualization tooling that heavily depend on identifying virtual‑machine‑specific handlers.
-
vmemu
A Unicorn Engine–based virtual machine exploration tool. It allows you to unpack protected programs and analyze control flow within a specifiedvmenter.
This tool generates a.vmp2file containing the control flow graph of the given VM entry.
The resulting.vmp2file can then be passed to vmdevirt to recompile the function back into native x86 and reintegrate it into the original binary. Please note that this is NOT just a simple tracer which will only discover a single path through a function, it actually identifies virtual jccs and will explore all virtualized control flow. -
vmdevirt
An experimental LLVM-based recompiler for.vmp2files.
While functional, it is considered highly experimental and unstable, and this approach is generally not recommended. -
vmassembler
An experimental assembler for encoding user-defined virtual machine operations.
This project demonstrates a deep technical understanding of the VMProtect 2 virtual machine architecture. -
vmhook
A tool designed to hook into the VMProtect 2 virtual machine at runtime, enabling detailed introspection of individual VM handlers. -
vmprofiler
The core utility library that powers all other tools.
It includes VM handler pattern matching, handler table extraction, dead code elimination (DCE), and other essential analysis routines. -
vmprofiler-cli
A command-line interface forvmprofiler, allowing users to display and inspect extracted information in a textual format. -
vmprofiler-qt
A Qt-based graphical disassembler for VMProtect 2 bytecode, providing an interactive and visual exploration of virtualized code.
Please follow the instructions on this page.
- CMake ≥ 3.11
- C++ compiler
- Visual Studios 2022 for
vmhook - At least 50GB free space for LLVM and other build artifacts
Configuration for vmassembler, vmemu, vmprofiler, and vmprofiler-cli:
cmake -B build
cmake --build buildWith vmdevirt (will download and build LLVM!):
cmake -B build -DBUILD_VMDEVIRT=ON -DLLVM_BUILD_TYPE=Release
cmake --build buildWith vmprofiler-qt:
cmake -B build -DBUILD_VMPROFILER_QT=ON
cmake --build buildBoth optional modules:
cmake -B build -DBUILD_VMDEVIRT=ON -DBUILD_VMPROFILER_QT=ON -DLLVM_BUILD_TYPE=Release
cmake --build buildThese tools are provided for educational and research purposes only. They are not to be used for any illegal activities, unauthorized access, or violations of the DMCA or other laws. The tools themselves do not violate any DMCA regulations. All work is my original creation, and any actions taken by users of these tools are solely the responsibility of those users and do not reflect the actions or intentions of the author.