Added support for vmp 3.7.0

void-stack · void-stack · commit 06aacf3f2c66 · 2022-08-29T17:51:00.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@ obj/
 /packages/
 riderModule.iml
 /_ReSharper.Caches/
+.vs/VMUnprotect/v17/.suo
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
   <img width="256" heigth="256" src="docs\vmup.png">
 <h1 align="center">VMUnprotect.Dumper</h1>
 <p align="center">
-  <strong>VMUnprotect.Dumper</strong> is a project engaged in hunting tampered <strong>VMProtect assemblies</strong>. It makes use of <a href="https://github.com/pardeike/Harmony">AsmResolver</a> to dynamically unpack <strong>VMP</strong> protected assembly. Works on <a href="https://vmpsoft.com/20210919/vmprotect-3-5-1/">VMProtect 3.5.1</a> (Latest) and few versions back.
+  <strong>VMUnprotect.Dumper</strong> is a project engaged in hunting tampered <strong>VMProtect assemblies</strong>. It makes use of <a href="https://github.com/pardeike/Harmony">AsmResolver</a> to dynamically unpack <strong>VMP</strong> protected assembly. Works on <a href="https://vmpsoft.com/20220827/vmprotect-3-7/">VMProtect 3.7.0</a> (Latest) and few versions back.
 </p>
 </p>
 <p align="center">
diff --git a/VMUnprotect.Dumper/Program.cs b/VMUnprotect.Dumper/Program.cs
@@ -1,11 +1,12 @@
 ﻿// See https://aka.ms/new-console-template for more information
-using AsmResolver.IO;
-using AsmResolver.PE.File;
-using System;
-using System.IO;
+
 using System.Reflection;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
+using AsmResolver.DotNet;
+using AsmResolver.IO;
+using AsmResolver.PE.File;
+using Sharprompt;
 
 const string asciiArt = @"
 _________                __                 
@@ -18,34 +19,68 @@ _________                __
           https://github.com/void-stack
             Credits: wwh1004, MrToms
 ";
-                
+
 Console.Title = "VMUnprotect.Dumper";
 Console.WriteLine(asciiArt);
 
-if (args.Length > 0 && File.Exists(args[0])) {
-    var target = args[0];
+string? target;
+
+if (args.Length > 0 && File.Exists(args[0]))
+    target = Prompt.Input<string>("Enter file path", args[0]);
+else
+    target = Prompt.Input<string>("Enter file path");
+
+if (File.Exists(target))
+{
     var output = $"{Path.GetFileNameWithoutExtension(target)}-decrypted.exe";
-    var assembly = Assembly.LoadFile(target);
-    var moduleHandle = assembly.ManifestModule.ModuleHandle;
+    Assembly? assembly = null;
+
+    try
+    {
+        assembly = Assembly.LoadFile(target);
+    }
+    catch (BadImageFormatException)
+    {
+        Console.WriteLine("Target app probably has a different framework.");
+    }
 
-    Console.WriteLine("[+] Decrypting methods");
-    RuntimeHelpers.RunModuleConstructor(moduleHandle);
-    var hInstanceFixed = Marshal.GetHINSTANCE(assembly.ManifestModule);
+    var manifestModule = assembly.ManifestModule;
 
-    Console.WriteLine("[+] Reading decrypted module");
-    var decryptedPeFile = PEFile.FromModuleBaseAddress(hInstanceFixed);
+    var module = ModuleDefinition.FromFile(target);
 
-    foreach (var section in decryptedPeFile.Sections)
-        Console.WriteLine("[+] Sections: " + section.Name);
+    var cctor =
+        assembly.ManifestModule.ResolveMethod(module.TopLevelTypes[0].GetStaticConstructor()!.MetadataToken.ToInt32());
 
-    Console.WriteLine("[+] Writing file");
-    using (var fs = File.Create(output)) {
-        decryptedPeFile.Write(new BinaryStreamWriter(fs));
-    }
+    var hInstance = Marshal.GetHINSTANCE(manifestModule);
+
+    if (cctor != null)
+    {
+        RuntimeHelpers.PrepareMethod(cctor.MethodHandle);
+
+        var diskImage = PEFile.FromFile(target);
+
+        var epFromDisk = diskImage.OptionalHeader.AddressOfEntrypoint;
+        var runtimeImage = PEFile.FromModuleBaseAddress(hInstance, PEMappingMode.Mapped);
+        var optionalHeader = runtimeImage.OptionalHeader;
 
-    Console.WriteLine("[+] Decrypted all methods!");
+        optionalHeader.Magic = diskImage.OptionalHeader.Magic;
+        optionalHeader.AddressOfEntrypoint = epFromDisk;
+
+        using (var fs = File.Create(output))
+        {
+            runtimeImage.Write(new BinaryStreamWriter(fs));
+        }
+
+        Console.WriteLine($"Saved as: {Path.GetFullPath(output)}");
+    }
+    else
+    {
+        Console.WriteLine("Failed to prepare .cctor");
+    }
 }
-else 
+else
+{
     Console.WriteLine("File either doesn't exist or you didn't provide it (VMProtect.Dumper File.exe)");
+}
 
 Console.ReadKey();
diff --git a/VMUnprotect.Dumper/VMUnprotect.Dumper.csproj b/VMUnprotect.Dumper/VMUnprotect.Dumper.csproj
@@ -12,6 +12,7 @@
       <PackageReference Include="AsmResolver" Version="4.8.0" />
       <PackageReference Include="AsmResolver.DotNet" Version="4.8.0" />
       <PackageReference Include="AsmResolver.PE" Version="4.8.0" />
+      <PackageReference Include="Sharprompt" Version="2.4.4" />
     </ItemGroup>
 
 </Project>
