VMProtect 35 Cracked Wide Open: A Revolutionary Static Devirtualizer Built on Remill and LLVM + Video

Listen to this Post

Featured Image

Introduction:

VMProtect is one of the most widely used commercial obfuscators, relying on virtualization to transform original x86 code into a custom, hard-to-analyze bytecode interpreted by a VM. Static devirtualization – reconstructing the original logic without executing the binary – has historically been complex and unscalable. Sven Rath’s newly released MogVMP changes this by lifting virtualized code to LLVM IR using Remill and then stripping the VM layer through optimization passes, offering a fresh, scalable approach that targets VMProtect 3.5.

Learning Objectives:

– Understand how VMProtect’s virtualization layer works and why static devirtualization is challenging.
– Learn to set up Remill, LLVM, and MogVMP to lift and optimize protected binaries.
– Apply optimization passes to strip the VM interpreter and recover high-level logic.

You Should Know

1. Understanding VMProtect’s Virtualization Obfuscation

VMProtect replaces original instructions with a bytecode that runs inside a software VM (a dispatcher, handlers, and a virtual CPU state). This makes reverse engineering extremely time‑consuming. Static devirtualization aims to translate the entire VM bytecode back to native instructions without executing the binary. MogVMP uses a lifting approach: it translates the x86 code of the whole VM (including handlers) into LLVM IR, then relies on LLVM’s dead code elimination and constant propagation to remove the dispatch loop, leaving only the original computation.

Step‑by‑step overview of the technique:

1. Identify the VM entry and the virtualized code block.
2. Lift the entire x86 implementation of the VM (handlers, dispatcher) to LLVM IR using Remill.
3. Run aggressive LLVM optimization passes (e.g., `-O3`, `-deadargelim`, `-simplifycfg`).
4. The VM’s dispatch logic becomes constant‑folded and eliminated, exposing the original semantics.

2. Setting Up the Environment (Linux / WSL)

MogVMP depends on Remill and LLVM. The following commands work on Ubuntu 22.04 or Windows WSL2.

 Install dependencies
sudo apt update && sudo apt install -y git cmake ninja-build g++ python3 llvm-14-dev libclang-14-dev

 Clone and build Remill (official fork)
git clone https://github.com/lifting-bits/remill.git
cd remill
mkdir build && cd build
cmake -G Ninja -DCMAKE_BUILD_TYPE=Release ..
ninja
sudo ninja install

 Verify Remill installation
remill-lift --help

For Windows (native), use WSL2 as the toolchain is Linux‑native. Ensure you have the binary you want to devirtualize accessible under `/mnt/c/`.

3. Cloning and Building MogVMP

MogVMP integrates Remill’s lifting capabilities specifically for VMProtect 3.5.

git clone https://github.com/eversinc33/MogVMP.git
cd MogVMP
mkdir build && cd build
cmake -G Ninja -DCMAKE_BUILD_TYPE=Release ..
ninja

The main executable is `mogvmp`. Run it without arguments to see usage.

4. Running the Devirtualizer on a Sample

Assume you have a VMProtect 3.5 protected binary (`target.exe` or `target.bin`). The devirtualizer requires the virtualized code address range (typically found via dynamic analysis or a VM entry scanner).

 Example: lift code from address 0x401000 to 0x401500 in target.exe
./mogvmp --bin target.exe --start 0x401000 --end 0x401500 --output lifted.ll

This produces an LLVM IR file (`lifted.ll`) containing the lifted VM code.
What happens internally: Remill decodes each x86 instruction inside the VM range, translates it to a set of LLVM IR instructions, and preserves control flow.

5. Stripping the VM Layer with LLVM Optimizations

The raw lifted IR still contains the dispatcher, handler calls, and state management. LLVM’s optimization passes simplify it dramatically.

 Run LLVM's optimizations on the lifted IR
opt -O3 -S lifted.ll -o optimized.ll

 Optionally run additional passes to remove unused VM structures
opt -deadargelim -simplifycfg -mem2reg -S optimized.ll -o final.ll

Use `llc` to compile the final IR back to native assembly or object code:

llc -filetype=obj final.ll -o recovered.o

6. Analysing the Output and Limitations

The recovered `final.ll` should show basic arithmetic, comparisons, and control flow that mirror the original program logic, without the VM dispatch loop. However, VMProtect 3.5 uses anti‑lifting tricks: opaque predicates, dynamically computed jump targets, and memory indirections. The current PoC may fail on heavily obfuscated handlers. To debug:

 Inspect the IR step by step
opt -print-after-all -O3 lifted.ll 2> opt.log

Step‑by‑step verification:

1. Compare `lifted.ll` (contains dispatcher) with `optimized.ll` (dispatcher partly removed).
2. Look for large switch‑case structures in the unoptimized IR – these are the VM handlers.
3. After optimization, these should reduce to straight‑line code if the VM entry was constant.

7. Extending MogVMP: Custom Optimization Passes

You can write your own LLVM pass to strip VM‑specific artifacts. Example skeleton:

// MyPass.cpp
include "llvm/Pass.h"
include "llvm/IR/Function.h"
using namespace llvm;

namespace {
struct StripVMHandlers : public FunctionPass {
static char ID;
StripVMHandlers() : FunctionPass(ID) {}
bool runOnFunction(Function &F) override {
// Detect and remove dispatcher functions by pattern matching
return false; // true if changed
}
};
char StripVMHandlers::ID = 0;
RegisterPass<StripVMHandlers> X("strip-vm", "Strip VMProtect handlers");
}

Compile with LLVM’s build system and load via `opt -load MyPass.so -strip-vm`.

What Undercode Say

Key Takeaway 1: Static devirtualization of VMProtect 3.5 is now feasible with a lift‑then‑optimize approach, avoiding the scalability pitfalls of previous symbolic execution or emulation‑based methods.
Key Takeaway 2: The reliance on Remill and LLVM means the same technique can potentially be adapted to other virtualization obfuscators (e.g., Themida, Enigma) by changing the lifting frontend.

Analysis (10 lines):

Sven Rath’s work demonstrates a paradigm shift: instead of emulating the VM to trace execution, he lifts the entire VM implementation into a higher‑level representation where classical compiler optimizations do the heavy lifting. This is powerful because LLVM’s passes (constant propagation, dead code elimination, inlining) were never designed to defeat obfuscation – yet they inadvertently collapse virtualized layers when the VM’s dispatch logic depends on easily propagated constants. The main limitation is that VMProtect 3.5’s anti‑analysis features (like garbage handlers or dynamically resolved jump tables) can prevent constant propagation, leaving some dispatcher remnants. Nonetheless, the PoC is a major milestone: it reduces many hours of manual reverse engineering to a few minutes of automated lifting. For defenders, this signals that pure virtualization is no longer a silver bullet; combining it with strong encryption of bytecode or runtime code generation will be necessary. For attackers (ethical researchers), MogVMP provides a foundation to build more robust deobfuscators.

Prediction

– -1 VMProtect developers will rush to patch versions 3.6+ with anti‑lifting measures, such as introducing dynamically generated handlers or using LLVM’s own obfuscation passes to break constant propagation, making the current MogVMP ineffective against future releases.
– +1 Open‑source security tooling gains a reusable LLVM‑based devirtualization framework; researchers can now fork MogVMP to target other protectors, accelerating malware analysis and vulnerability research on packed binaries.
– -1 Script kiddies may misuse the tool to bypass licensing checks in software protected by VMProtect 3.5, leading to a temporary increase in cracked releases and legal takedown requests against the GitHub repository.
– +1 Academic and industry interest in “lifting for deobfuscation” will grow, leading to new compiler‑based obfuscation‑resilience techniques and more robust verification of code integrity in high‑assurance systems.

▶️ Related Video (80% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: [Sven Rath](https://www.linkedin.com/posts/sven-rath-4212ba1b8_i-spent-the-last-2-weeks-working-on-a-devirtualizer-share-7467212276337491968-FqIk/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)

📢 Follow UndercodeTesting & Stay Tuned:

[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)