I noticed that everyone was afraid of the VMProtect packer, so I got hold of a recent version and analyzed it. It inserts a lot of junk instructions and also uses virtual-machine protection; in addition, the VM bytecode does not appear to be the same from one packed program to the next. To build an automatic VMProtect unpacker you would first have to remove the junk instructions, then reassemble the remaining instructions, then automatically identify the meaning of each VM instruction, and finally rebuild the VM code into the EXE as it was before packing.
After reading through VMProtect's junk instructions, they turn out to be quite regular. The main trick is to insert several ineffective instructions ahead of a given instruction. For example, given the following instruction:
mov eax, ebx
VMProtect may insert ineffective instructions such as these in front of it:
mov al, cl
sete eax
The junk instructions ahead of a real instruction are therefore easy to identify by working from that last, real instruction.
After one afternoon I had written a program to remove the junk instructions (it is still a long way from automatic unpacking, but it should make debugging easier).
The basic principle is as follows:
1. Read a basic block starting from a specified address or from the current EIP (when an e8 call or e9 jmp is encountered, continue reading at the target address) and generate an instruction description table
2. First pass over the instruction description table: identify ineffective clc, stc and cmc instructions
3. Second pass over the instruction description table: identify ineffective test and cmp instructions
4. Third pass over the instruction description table: identify ineffective assignment and arithmetic/logic instructions
5. Scan the push and pop instructions
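As an added illustration of passes 2 to 4 (this is not the author's program), the following script folds the three passes into one backward liveness scan over a small instruction description table: an instruction is junk when every register or flag it writes is overwritten before anything reads it. It assumes 32-bit x86 with only the mnemonics named above modelled; push, pop, call, jmp, memory operands and anything else unmodelled are kept and treated as reading everything, and the partial-register model (al keeps the rest of eax alive) is my own simplification.

```python
# Added example, not the post's own tool: backward liveness scan over one basic block.
# An instruction is junk when every register or flag it writes is overwritten before use.
from collections import namedtuple

GPRS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
FLAGS = {"cf", "zf", "sf", "of", "pf", "af"}
ALIAS = {"al": "eax", "ax": "eax", "bl": "ebx", "cl": "ecx", "cx": "ecx", "dl": "edx"}
# defs/uses: registers and flags written/read; side_effect: stack, memory, branch, unknown
Insn = namedtuple("Insn", "text defs uses side_effect", defaults=(False,))

def parse_operand(a):
    """Return (canonical 32-bit register or None, True if only part of it is written)."""
    a = a.strip().lower()
    if a in ALIAS:
        return ALIAS[a], True
    return (a, False) if a in GPRS else (None, False)

def describe(text):
    """Description-table entry for the mnemonics the post names."""
    op, _, rest = text.lower().partition(" ")
    ops = [parse_operand(a) for a in rest.split(",") if a.strip()]
    regs = {r for r, _ in ops if r}
    if op in ("clc", "stc", "cmc"):
        return Insn(text, {"cf"}, {"cf"} if op == "cmc" else set())
    if op in ("test", "cmp"):
        return Insn(text, set(FLAGS), regs)
    alu = op in ("add", "sub", "xor", "or", "and")
    if ops and ops[0][0] and "[" not in rest and (op == "mov" or alu or op.startswith("set")):
        dst, partial = ops[0]
        if op.startswith("set"):      # setcc writes dst and reads flags (zf for sete)
            defs, uses = {dst}, ({"zf"} if op == "sete" else set(FLAGS))
        elif op == "mov":             # mov reads only its source
            defs, uses = {dst}, regs - {dst}
        else:                         # ALU ops read both operands and set flags
            defs, uses = {dst} | FLAGS, regs
        if partial:                   # "mov al, cl" leaves the rest of eax alive
            uses = uses | {dst}
        return Insn(text, defs, uses)
    # push/pop/call/jmp/memory writes/unmodelled ops: keep, assume they read everything
    return Insn(text, set(), GPRS | FLAGS, side_effect=True)

def strip_junk(lines, live_out=None):
    """Scan the block backwards; keep an instruction only if something later needs it."""
    live = set(live_out) if live_out is not None else GPRS | FLAGS
    keep = []
    for insn in reversed([describe(l) for l in lines]):
        if insn.side_effect or insn.defs & live:
            keep.append(insn.text)
            live = (live - insn.defs) | insn.uses
    return keep[::-1]
```

With the default of everything live at block exit, a flag-setting instruction at the very end of a block is kept, so run it on a whole basic block rather than on a fragment.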
Let's take a look at it running:
Code that fetches a VM instruction:
After restoration:
Another piece of VM instruction handling code:
After restoration: