VmProtectDumperUnsafeInvoke Update

Added VmProtectDumperUnsafeInvoke method, prepare for future updates.
Thanks, https://github.com/Washi1337

Author: void-stack

VMUP/media/desktop.ini Images/desktop.iniVMUP/media/desktop.ini renamed to Images/desktop.ini

@@ -1,5 +1,5 @@
 <p align="center">
-  <img width="256" heigth="256" src="VMUP/media/vmup.png">
+  <img width="256" heigth="256" src="Images/vmup.png">
 <h1 align="center">VMUnprotect.NET</h1>
 <p align="center">
   <strong>VMUnprotect</strong> is a project engaged in hunting virtualized <a href="https://vmpsoft.com">VMProtect</a> methods. It makes use of <a href="https://github.com/pardeike/Harmony">Harmony</a> to dynamically read <strong>VMP</strong> behavior. Currently only supports method administration. Works on <a href="https://vmpsoft.com/20210919/vmprotect-3-5-1/">VMProtect 3.5.1</a> (Latest) and few versions back.
@@ -12,11 +12,15 @@
 </p>
 
 ## Showcase
-<img src="VMUP/media/gif.gif">
+<img src="Images/showcase.gif">
 
 # Usage
 ```sh
-VMUnprotect.exe <path to assembly> [args to assembly]
+VMUnprotect.exe 
+  -f, --file         Required. Path to file.
+  --usetranspiler    (Default: false) Use an older method that makes use of Transpiler (not recommended).
+  --help             Display this help screen.
+  --version          Display version information.
 ```
 
 # Supported Protections
@@ -32,61 +36,51 @@ Virtualization Tools | Yes
 Strip Debug Information | Yes 
 Pack the Output File | No
 
-# Usage can be found in ```MiddleMan.cs```
+# Usage can be found in ```Methods\MiddleMan.cs```
 ```csharp
-namespace VMUnprotect
-{
-    /// <summary>
-    ///     Works as Middle Man to make life easier
-    /// </summary>
-    internal static class MiddleMan
+ internal static class MiddleMan
     {
-        /// <summary>
-        ///     This function manipulate can manipulate, log actual invokes from virtualized VMP functions.
-        /// </summary>
-        public static object VmpMethodLogger(object obj, BindingFlags? bindingFlags, Binder binder, ref object[] parameters, CultureInfo culture, MethodBase methodBase)
+        public static void Prefix(ref object __instance, ref object obj, ref object[] parameters, ref object[] arguments)
         {
-            // Invoke the method and get return value.
-            var returnValue = methodBase.Invoke(obj, parameters);
+            var virtualizedMethodName = new StackTrace().GetFrame(7).GetMethod();
+            var method = (MethodBase) __instance;
 
-            // TODO: Add option to disable this because can cause bugs and can be broken easily
-            var trace = new StackTrace();
-            var frame = trace.GetFrame(5); // <--
-            var method = frame.GetMethod();
-
-            if (method.IsConstructor)
-                ConsoleLogger.Warn($"VMP Method (Constructor) {method.FullDescription()}");
-
-            ConsoleLogger.Warn($"VMP Method: {method.FullDescription()}");
-
-            ConsoleLogger.Warn("MethodName: {0}", methodBase.Name);
-            ConsoleLogger.Warn("FullDescription: {0}", methodBase.FullDescription());
-            ConsoleLogger.Warn("MethodType: {0}", methodBase.GetType());
-            if (obj != null) ConsoleLogger.Warn("obj: {0}", obj.GetType());
+            ConsoleLogger.Warn("\tVMP MethodName: {0} (MDToken {1:X4})", virtualizedMethodName.FullDescription(), virtualizedMethodName.MetadataToken.ToString());
+            ConsoleLogger.Warn("\tMethodName: {0}", method.Name);
+            ConsoleLogger.Warn("\tFullDescription: {0}", method.FullDescription());
+            ConsoleLogger.Warn("\tMethodType: {0}", method.GetType());
+            if (obj != null) ConsoleLogger.Warn("\nObj: {0}", obj.GetType());
 
             // Loop through parameters and log them
             for (var i = 0; i < parameters.Length; i++)
             {
-                var parameter = parameters[i];
-                ConsoleLogger.Warn("Parameter ({1}) [{0}]: ({2})", i, parameter.GetType(), parameter);
+                var parameter = parameters[i] ?? "null";
+                ConsoleLogger.Warn("\tParameter ({1}) [{0}]: ({2})", i, parameter.GetType(), parameter);
             }
 
-            ConsoleLogger.Warn("MDToken: {0}", methodBase.MetadataToken);
-            ConsoleLogger.Warn("Returns: {0}", returnValue);
-
-            if (returnValue != null)
-                ConsoleLogger.Warn("Return type: {0}\n", returnValue.GetType());
+            var returnType = method is MethodInfo info ? info.ReturnType.FullName : "System.Object";
+            ConsoleLogger.Warn("\tMDToken: 0x{0:X4}", method.MetadataToken);
+            ConsoleLogger.Warn("\tReturn Type: {0}", returnType);
+        }
 
-            return returnValue;
+        public static void Postfix(ref object __instance, ref object __result, ref object obj, ref object[] parameters, ref object[] arguments)
+        {
+            ConsoleLogger.Warn("\tReturns: {0}", __result);
         }
     }
-}
 ```
 
 ## Current Features
 - Tracing invokes in virtualized methods.
 - Manipulating parameters and return values.
 
+## Todo
+- Change this to support more VM's
+- VMP Stack tracing
+- Bypass VMP Debugger Detection
+- Bypass VMP CRC Check
+- Nice WPF GUI
+
 # FAQ
 ### What is code virtualization? 
 As VMProtect describes it on their's website. Code virtualization is the next step in software protection. Most protection systems encrypt the code and then decrypt it at the application’s startup. VMProtect doesn’t decrypt the code at all! Instead, the encrypted code runs on a virtual CPU that is markedly different from generic x86 and x64 CPUs as the command set is different for each protected file.
@@ -95,7 +89,13 @@ As VMProtect describes it on their's website. Code virtualization is the next st
 No, isn't even meant for devirtualization.
 
 # Credits
+* [Washi](https://github.com/Washi1337) Overall credits for the project and inspiration with UnsafeInvokeInternal, thanks <3
+
 This tool uses the following (open source) software:
 * [dnlib](https://github.com/0xd4d/dnlib) by [0xd4d](https://github.com/0xd4d), licensed under the MIT license, for reading/writing assemblies.
-* [Harmony](https://github.com/pardeike/Harmony) by [Andreas Pardeike](https://github.com/pardeike), licensed under the MIT license, for patching the stacktrace which allows for reflection invocation to be used.
+* [Harmony](https://github.com/pardeike/Harmony) by [Andreas Pardeike](https://github.com/pardeike), licensed under the MIT license
 * [Serilog](https://github.com/serilog/serilog) provides diagnostic logging to files, the console, and elsewhere. It is easy to set up, has a clean API.
+
+
+## Want to support this project?
+BTC: bc1q048wrqztka5x2syt9mtj68uuf73vqry60s38vf

VMUP/media/gif.gif Images/gif.gifVMUP/media/gif.gif renamed to Images/gif.gif

@@ -0,0 +1,13 @@
+using CommandLine;
+
+namespace VMUnprotect
+{
+    public class CommandLineOptions
+    {
+        [Option('f', "file", HelpText = "Path to file.", Required = true)]
+        public string FilePath { get; set; }
+
+        [Option(Default = false, HelpText = "Use an older method that makes use of Transpiler (not recommended).", Required = false)]
+        public bool UseTranspiler { get; set; }
+    }
+}

VMUP/media/screen2.png Images/screen2.pngVMUP/media/screen2.png renamed to Images/screen2.png

@@ -1,7 +1,9 @@
-using HarmonyLib;
+using dnlib.DotNet;
+using HarmonyLib;
 using System;
 using System.Reflection;
 using VMUnprotect.Hooks.Methods;
+using VMUnprotect.Init;
 using VMUnprotect.Utils;
 
 namespace VMUnprotect.Hooks
@@ -14,31 +16,61 @@ public static class HooksManager
         // Harmony instance
         private static Harmony Harmony { get; set; }
 
+        public static MDToken FunctionHandlerToken
+        {
+            get;
+            private set;
+        }
+
         /// <summary>
         ///     Applies Harmony patches to VMP functions.
         /// </summary>
         /// <param name="runtimeStructure">Structure of VMP Runtime</param>
-        internal static void HooksApply(VmRuntimeStructure runtimeStructure)
+        /// <param name="options">Options</param>
+        internal static void HooksApply(VmRuntimeStructure runtimeStructure, CommandLineOptions options)
         {
             // Enable Harmony Debug file.
             Harmony.DEBUG = true;
 
             Harmony = new Harmony("com.hussaryyn.vmup");
-            Harmony.PatchAll(typeof(Loader).Assembly);
+            Harmony.PatchAll();
 
             // Check if functionHandler was found.
             if (runtimeStructure.FunctionHandler is null)
                 throw new ArgumentException("Could not locate Function Handler.");
 
+            // Save VMP Function Handler MDToken for check
+            FunctionHandlerToken = runtimeStructure.FunctionHandler.MDToken;
+
             // resolve method.
-            var mdToken = runtimeStructure.FunctionHandler.MDToken.ToInt32();
-            var resolvedVmpHandler = Loader.VmpAssembly.ManifestModule.ResolveMethod(mdToken);
+            ConsoleLogger.Debug("Found VMPFunctionHandler, MDToken 0x{0:X4}", FunctionHandlerToken.ToInt32());
+
+            if (options.UseTranspiler)
+            {
+                // Resolve VMP Method Handler
+                var resolvedVmpHandler = Loader.VmpAssembly.ManifestModule.ResolveMethod(FunctionHandlerToken.ToInt32());
+
+                // Prepare Transpiler
+                var transpiler = typeof(VmProtectDumperTranspiler).GetMethod(nameof(VmProtectDumperTranspiler.Transpiler));
+                ConsoleLogger.Debug("Applying Transpiler and replacing Invokes.");
+
+                // Apply transpiler to the function handler (This is old method not recommended)
+                Harmony.Patch(resolvedVmpHandler, transpiler: new HarmonyMethod(transpiler));
+            }
+            else
+            {
+                // Get method for patch
+                var invokeMethod = typeof(object).Assembly.GetType("System.Reflection.RuntimeMethodInfo")
+                    .GetMethod("UnsafeInvokeInternal", BindingFlags.NonPublic | BindingFlags.Instance);
 
-            ConsoleLogger.Debug("Found VMPFunctionHandler, MDToken {0}", mdToken);
-            ConsoleLogger.Debug("Applying Transpiler and replacing Invokes.");
+                // Prepare prefix and postfix
+                var prefix = typeof(VmProtectDumperUnsafeInvoke).GetMethod(nameof(VmProtectDumperUnsafeInvoke.InvokePrefix));
+                var postfix = typeof(VmProtectDumperUnsafeInvoke).GetMethod(nameof(VmProtectDumperUnsafeInvoke.InvokePostfix));
 
-            // Apply transpiler to the function handler.
-            Harmony.Patch(resolvedVmpHandler, transpiler: new HarmonyMethod(typeof(VmProtectDumper).GetMethod(nameof(VmProtectDumper.Transpiler), (BindingFlags) (-1))));
+                // Patch
+                Harmony.Patch(invokeMethod, new HarmonyMethod(prefix));
+                Harmony.Patch(invokeMethod, postfix: new HarmonyMethod(postfix));
+            }
         }
     }
 }

Images/showcase.gif

@@ -1,5 +1,6 @@
 using HarmonyLib;
 using System.Reflection;
+using VMUnprotect.Init;
 using VMUnprotect.Utils;
 
 namespace VMUnprotect.Hooks.Methods
@@ -8,7 +9,7 @@ namespace VMUnprotect.Hooks.Methods
     ///     Harmony Patch for GetCallingAssembly
     /// </summary>
     [HarmonyPatch(typeof(Assembly))]
-    [HarmonyPatch("GetCallingAssembly")]
+    [HarmonyPatch(nameof(Assembly.GetCallingAssembly))]
     public class GetCallingAssemblyPatch
     {
         public static void Postfix(ref Assembly __result)

VMUP/media/vmup.png Images/vmup.pngVMUP/media/vmup.png renamed to Images/vmup.png

@@ -1,5 +1,6 @@
 using HarmonyLib;
 using System.Reflection;
+using VMUnprotect.Init;
 using VMUnprotect.Utils;
 
 namespace VMUnprotect.Hooks.Methods
@@ -8,7 +9,7 @@ namespace VMUnprotect.Hooks.Methods
     ///     Harmony Patch for GetEntryAssembly
     /// </summary>
     [HarmonyPatch(typeof(Assembly))]
-    [HarmonyPatch("GetEntryAssembly")]
+    [HarmonyPatch(nameof(Assembly.GetEntryAssembly))]
     public class GetEntryAssemblyPatch
     {
         public static void Postfix(ref Assembly __result)