Skip to content

chramiq/de4vmp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
de4vmp.Core
de4vmp.Core
 
 
de4vmp
de4vmp
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
de4vmp.sln
de4vmp.sln
 
 
global.json
global.json
 
 

Repository files navigation

de4vmp

A fully static devirtualizer for VMProtect .NET (versions 3.4 and 3.5).

image

How to build

Clone and build it yourself:

dotnet build -c Release

How to use

  1. Dump target via KsDumper if anti-tamper is present.
  2. Demutate with DeMutation.
  3. In CFF Explorer, ensure that the ILOnly flag is not set.
  4. Clean it with de4dot so pattern detection actually works.
  5. Drag and drop the cleaned file into the devirtualizer.
  6. Clean the file with de4dot to remove junk.

How it works

It runs a 3-stage pipeline:

  1. Function resolution: Scans the .NET module for VM entry calls by matching specific CIL patterns.
  2. Handler resolution: Locates the VM's handler table and maps the virtual opcodes to known CIL templates.
  3. Transformation: Translates the virtual bytecode back into valid CIL and recompiles the method bodies.

Troubleshooting

  • Demutation fails: Anti-tamper is probably still active.
  • Devirtualization fails: You are either targeting an unsupported version of VMProtect or the target is corrupted.

Disclaimer

I made this a long time ago and left zero comments. Don't ask me how it works, because I honestly don't know either. Huge thanks to @Washi1337 for putting up with my never-ending stupid questions.

About

vmp .net devirtualizer

Topics

dotnet unpacker vmp recompiler vmprotect devirtualization vmpsoft

Resources

Readme

License

MIT license
Activity

Stars

64 stars

Watchers

8 watching

Forks

23 forks
Report repository

Contributors

Languages