disauto 12-07-2023 17:14

【 Reproduction】VMProtect Leaked Source Code Full
 
h-t-t-ps://www.lanzoul.com/iyzIC1h3acxc

h-t-t-ps://pixeldrain.com/u/fKn1dZqK

ahmadmansoor 12-07-2023 18:06

1 Attachment(s)
Just in case the link is dead I upload it here.

blue_devil 12-07-2023 20:10

package includes missing intel.cc file!

WhoCares 12-07-2023 20:53

leak of the year?

blue_devil 12-07-2023 23:00

Quote:

Originally Posted by WhoCares (Post 129496)
leak of the year?

I think the shared zip archive is this repo:

Code:

https://github.com/jmpoep/vmprotect-3.5.1

Jupiter 12-07-2023 23:30

Git is missing files and folders
 
Quote:

Originally Posted by blue_devil (Post 129499)
I think the shared zip archive is this repo:

Code:

https://github.com/jmpoep/vmprotect-3.5.1

If you need original content, then download full archive and not from GitHub.

The person who uploaded the archive content to GitHub didn't check the `.gitignore` file, so the public git repo is missing some files from the original archive.

bolo2002 12-08-2023 00:05

Quote:

Originally Posted by blue_devil (Post 129495)
package includes missing intel.cc file!

core contain intel.cc not the right one?

FoxB 12-08-2023 02:14

Quote:

Originally Posted by bolo2002 (Post 129503)
core contain intel.cc not the right one?

included in git package, with 'processors.cc' and 'licensing_manager.cc', etc.

th3tuga 12-08-2023 06:36

Could anyone get this to compile?
Details from anyone who could get it to successfully compile?

It appears to be the source files from the VMP source code leak earlier in May this year with the missing processors.cc and others added in from other sources.
Can anyone confirm that this is the source for the actual VMP 3.5.1?

The dates of the files have been changed to show the year 1970, but check the html files in the "help" folder.
The copyright dates in the html files show that they are all actually from around 2015. No later.

blue_devil 12-08-2023 14:36

According to sh3dow's post, the very first leak already has some missing parts:

Quote:

intel.cc
arm.cc
arm.h
processors.cc
gcc-demangle.cc
gcc-demangle.h
msvc-demangle.cc
msvc-demangle.h
dprint.c
dprint.h
def.h

The latest leak/link contains some of those above:

Code:

| file             | Shared: 12/05/2023 | Shared: 07/12/2023 |
|------------------+--------------------+--------------------|
| intel.cc         | no                 | yes                |
| arm.cc           | no                 | no                 |
| arm.h            | no                 | no                 |
| processors.cc    | no                 | yes                |
| gcc-demangle.cc  | no                 | no                 |
| gcc-demangle.h   | no                 | no                 |
| msvc-demangle.cc | no                 | no                 |
| msvc-demangle.h  | no                 | no                 |
| dprint.c         | no                 | no                 |
| dprint.h         | no                 | no                 |
| def.h            | no                 | no                 |


FoxB 12-08-2023 14:51

Quote:

Originally Posted by th3tuga (Post 129507)
Could anyone get this to compile?
Details from anyone who could get it to successfully compile?
....

I took the following steps for the GIT release:
redirected projects from vs2008 to vs2010, from v141_xp to v140_xp, dotnet from 4.8 to 4.7.2 and started compiling with vs2015.

console,
Code:

...\vmprotect-3.5.1-master\bin\32\Ultimate>VMProtectCon.exe
VMProtect Ultimate v 1.0.0 (build 0) Copyright 2003-2021 VMProtect Software
Unregistered Version

Usage: VMProtectCon.exe File [Output File] [-pf Project File] [-sf Script File] [-lf Licensing parameters file] [-bd Build Date (yyyy-mm-dd)] [-wmatermark] [-we]

libs, dlls and utilities are also compiled.

swears on the runtime source Win32.cs
type designs
NtQueryInformationProcess(CurrentProcess, PROCESSINFOCLASS.ProcessDebugObjectHandle, out _, IntPtr.Size, out _)
but we can fix it =)

or when there is an announcement in the Win32.cs public
class IntelObfuscation : public IObject
{
public:
explicit IntelObfuscation();
void Compile(IntelFunction *func, size_t index);
...
}

and then in the body:
void IntelObfuscation::Compile(IntelFunction *func, size_t index, size_t end_index = -1, bool for_virtualization = false)
{
...
}


maybe dotnet 4.8 is fine, but 4.7.2 gives an error for me.


for the GUI version you need QT headers and libs...

th3tuga 12-08-2023 14:53

@FoxB Can you post compilable code with fixes as zip? Fails completely with VS 2022.

kernel 12-08-2023 21:19

Qt 5.6 has to be installed the same way the author installed it or the GUI version will not compile.

nulli 12-08-2023 21:32

Anyone know if this is the same as listed here? https://breachforums.is/Thread-FREE-VMProtect-Source-Code-LEAK

sendersu 12-09-2023 02:41

same sources as previous leak, no file changed
have compared today

TQN 12-09-2023 10:09

yes, I agree with @sendersu.
Only 1 source, only 2 more files: intel.cc and processors.cc
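
The comparison sendersu and TQN describe, and the archive-versus-GitHub gap Jupiter points out, both come down to diffing two trees by content rather than by name or date. An added example, not part of any post: it hashes every file and ignores timestamps, which th3tuga notes were reset to 1970; the two sample trees, their layout and their contents are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    # Timestamps are ignored on purpose: they are trivial to reset and
    # say nothing about whether the bytes differ.
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare_trees(old_root, new_root):
    """Classify every path as added, removed, changed or identical."""
    old, new = manifest(old_root), manifest(new_root)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in common if old[p] != new[p]),
        "identical": sorted(p for p in common if old[p] == new[p]),
    }


def build_sample(base):
    """Constructed sample: two small trees with made-up file contents."""
    shared = {"core/pefile.cc": b"// sample A\n", "core/pe.h": b"// sample B\n"}
    extra = {"core/intel.cc": b"// sample C\n", "core/processors.cc": b"// sample D\n"}
    first, second = Path(base, "first"), Path(base, "second")
    for root, files in ((first, shared), (second, {**shared, **extra})):
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            if root == second:
                os.utime(target, (0, 0))  # mtime reset to 1970, bytes unchanged
    return first, second


def demo():
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_sample(base))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```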

th3tuga 12-09-2023 11:48

Quote:

Originally Posted by sendersu (Post 129531)
same sources as previous leak, no file changed
have compared today

Well, I had called out this release to be a fake 2 days ago.. :D

wx69wx2023 12-09-2023 12:05

The guide for vmp compile:

https://bbs.kanxue.com/thread-279803-1.htm

th3tuga 12-09-2023 12:34

Quote:

Originally Posted by wx69wx2023 (Post 129540)
The guide for vmp compile:

https://bbs.kanxue.com/thread-279803-1.htm

The point here is that the files in the release are the same ones from the May leak as confirmed by TQN and sendersu also.
The 2 missing files added are not the real ones. Code will compile though since the added files are from another very old leak of VMP.

The code for the virtualization is also highly incomplete.

kernel 12-09-2023 16:10

Quote:

Originally Posted by wx69wx2023 (Post 129540)
The guide for vmp compile:

https://bbs.kanxue.com/thread-279803-1.htm

Hi, I got Qt 5.6, but the problem is it won't compile under VS 2022, because VS 2022 tries to compile it with C++17 but Qt 5.6 is C++14 max, so I had to compile it with a higher version of Qt that supports C++17.

kernel 12-10-2023 00:47

1 Attachment(s)
Here the Debug version compiled and registered for test:
vmp_dbg

The ultimate version is harder to compile. You have to compile the full qt5 in order to build it.

Stingered 12-10-2023 01:44

Quote:

Originally Posted by kernel (Post 129549)
Here the Debug version compiled and registered for test:
vmp_dbg

The ultimate version is harder to compile. You have to compile the full qt5 in order to build it.

Tested on a VM. All the MS VCRT DLLs are missing (obviously). After fixing that problem, I ran into another missing file called: VMprotectSDK64.dll

You may want to look at dependencies and re-up after those have been resolved. I will test once available.

kernel 12-10-2023 17:26

VMprotectSDK64.dll is in the archive. Maybe your av deleted it.
This is a custom hwid version of Vmprotect. All the vmprotected files are locked to a hwid. VMprotectSDK64.dll reads data from VMProtectLicense.ini and locks the files to the hwid from the ini file.
PS.

VMProtectLicense.ini is the license file just put it in the vmprotect.exe dir and it is licensed.

TQN 12-10-2023 18:44

Ultimate build with VS2022
 
2 Attachment(s)
I have modded the sources and built with VS 2022, VC++ Toolset v143, .NET 8, Windows SDK v10.0.22621.0 (latest Visual Studio 2022 v17.8.3)
1. Mod libffi source and project files, update with newest version 3.4.4
Took me a lot of time
2. mod bitmap_utils.cc, pe.h, pefile.cc, intel.cc, shellext: remove C++11, update to C++14, fix warning as errors, remove duplicates in pe.h and Windows Kits winnt.h
3. Update version of VMProtect.Netcore and VMProtect.Runtime
4. Remove all Testxxx projects
5. I hate Qt, so I remove GUI project.

Open vmprotect.sln with VS, select Ultimate, build solution.

Uploaded at Mediafire: the VMP.7z file is the mod sources and binaries built in the bin directory

h t t p s : / /www.mediafire.com/file/8qdjcf0xeqhbcvz/VMP.7z/file

Best regards,
HongThatCong (TQN)

ahmadmansoor 12-10-2023 22:36

@TQN
Thank you, I already attached it to your post, to keep a copy.

Stingered 12-10-2023 23:07

Quote:

Originally Posted by kernel (Post 129556)
VMprotectSDK64.dll is in the archive. Maybe your av deleted it.
This is a custom hwid version of Vmprotect. All the vmprotected files are locked to a hwid. VMprotectSDK64.dll reads data from VMProtectLicense.ini and locks the files to the hwid from the ini file.
PS.

VMProtectLicense.ini is the license file just put it in the vmprotect.exe dir and it is licensed.

Nope, but the .DLL was still part of the archive, and I don't have an AV in my VM. I was able to extract it from the original. However, still more debug dependencies (QT5cored.dll, which I will need to locate).

Also, are you saying you provided an .INI file or are you saying that I need an .INI file to test this? Because there is no included .INI file.

"VMProtectLicense.ini is the license file just put it in the vmprotect.exe dir and it is licensed."

Pansemuckl 12-11-2023 01:43

1 Attachment(s)
Quote:

Originally Posted by Stingered (Post 129560)
Also, are you saying you provided an .INI file or are you saying that I need an .INI file to test this? Because there is no included .INI file.

"VMProtectLicense.ini is the license file just put it in the vmprotect.exe dir and it is licensed."

Look inside ./core

The compiled GUI version does not work for me.

Stingered 12-11-2023 03:07

Quote:

Originally Posted by Pansemuckl (Post 129562)
Look inside ./core

The compiled GUI version does not work for me.

Can't look at attachments, but found it. Which GUI doesn't work for you, the retail (I have not tried to build this yet) or debug version provided? Two D/ls in the thread...

Pansemuckl 12-11-2023 05:30

Quote:

Originally Posted by Stingered (Post 129563)
Can't look at attachments, but found it. Which GUI doesn't work for you, the retail (I have not tried to build this yet) or debug version provided? Two D/ls in the thread...

Debug version provided, NOT the original (packed) one, posted here
https://forum.exetools.com/showpost.php?p=129549&postcount=21

Error message given:
https://picr.eu/images/2023/12/10/VHekF.png

Jaspreet Singh 12-11-2023 06:46

Quote:

Originally Posted by Pansemuckl (Post 129564)
Debug version provided, NOT the original (packed) one, posted here
https://forum.exetools.com/showpost.php?p=129549&postcount=21

Error message given:
https://picr.eu/images/2023/12/10/VHekF.png

Looks like a missing Qt or MSVCRT dependency. Use the other one from TQN.

Pansemuckl 12-11-2023 07:06

TQN? Could anyone provide a working source for VMPROTECT (compiling out of the box GUI)?

Jaspreet Singh 12-11-2023 07:31

Quote:

Originally Posted by Pansemuckl (Post 129568)
TQN? Could anyone provide a working source for VMPROTECT (compiling out of the box GUI)?

The source provided by TQN already compiles out of box. It has the modified files. You would need to install the Qt and dependencies ofc.

Stingered 12-12-2023 02:02

Quote:

Originally Posted by Pansemuckl (Post 129564)
Debug version provided, NOT the original (packed) one, posted here
https://forum.exetools.com/showpost.php?p=129549&postcount=21

Error message given:
https://picr.eu/images/2023/12/10/VHekF.png

I have the exact same error. My VM is Win7, so I wonder if it's an OS problem?

sendersu 12-12-2023 02:48

qwindows.dll present?

kernel 12-12-2023 05:09

Quote:

Originally Posted by Stingered (Post 129574)
I have the exact same error. My VM is Win7, so I wonder if it's an OS problem?

Just install VS 2022 and it will run. It is Debug version built with VS 2022.
A little test made with it. Just vmprotected notepad.exe - 68kb with only EP virtualized and the output file size is 5626kb. For comparison, the same output with 3.09 is 2222kb, with 3.4 is 5249kb, with 3.5.1 is 6828kb and with 3.6 is 6136kb.
So in conclusion, these are most likely VMProtect 3.5 sources.

Jaspreet Singh 12-12-2023 07:26

Quote:

Originally Posted by Stingered (Post 129574)
I have the exact same error. My VM is Win7, so I wonder if it's an OS problem?

I've already answered this yesterday.
Adding more details, this debug version requires debug version of the MSVCRT.
Easiest way to do this is to run this on a machine with VS 2022 installed. Or you can install the debug version of the MSVCRT.
Both ways work.

Third way: If you googled it, it's coming as the first hit for me. :D

Fyyre 12-22-2023 03:08

Did someone say Citrix? You can hear VMP screaming from here.

0xc3 01-20-2024 16:53

I manually compiled one, and there is indeed a lot of content that needs to be configured

CodeCracker 10-20-2024 17:53

VMProtect 3.5.1 disable renaming
 
1 Attachment(s)
VMProtect 3.5.1 disable renaming:
\core\dotnetfile.cc
void NETArchitecture::RenameSymbols()
{
..
if (full_name == "System.Reflection.ObfuscateAssemblyAttribute") {
...

}

00B7C3D1 . 897F 04 MOV DWORD PTR DS:[EDI+0x4],EDI
00B7C3D4 . 893F MOV DWORD PTR DS:[EDI],EDI
00B7C3D6 . 897F 08 MOV DWORD PTR DS:[EDI+0x8],EDI
00B7C3D9 . C743 04 00000000 MOV DWORD PTR DS:[EBX+0x4],0x0
00B7C3E0 . 8B5D C4 MOV EBX,DWORD PTR SS:[EBP-0x3C]
00B7C3E3 . F703 00000400 TEST DWORD PTR DS:[EBX],0x40000
00B7C3E9 . 74 07 JE SHORT 00B7C3F2 ; VMProtec.00B7C3F2
00B7C3EB . 8BCE MOV ECX,ESI
00B7C3ED . E8 8EB70000 CALL 00B87B80 ; VMProtec.00B87B80
00B7C3F2 > FFB3 D8000000 PUSH DWORD PTR DS:[EBX+0xD8]
00B7C3F8 . 8B8E 94000000 MOV ECX,DWORD PTR DS:[ESI+0x94]



rename of symbols from assembly:
00BA7B80 $ 55 PUSH EBP
to be changed to ret to not rename
00B87B80 $ 55 PUSH EBP


for (i = 0; i < rename_token_list.size(); i++) {
RenameToken(rename_token_list[i]);
}
reference_list.UpdateNames();

void NETArchitecture::RenameToken(ILToken *token)
{
...
id |= 0xA0000000;
new_name = string_format("%.8X", id);

}


00D0A790 $ 55 PUSH EBP // RenameToken
Local calls from 00BAA600, 00BAF6BB, 00BCD754, 00BCDAC8, 00BDE233
The 00BAF6BB

00BAF1B4 . /74 5D JE SHORT 00BAF213 ; VMProtec.00BAF213

00BAF6AE . 85FF TEST EDI,EDI
00BAF6B0 . 74 19 JE SHORT 00BAF6CB ; to jump
00BAF6B2 > FF34B2 PUSH DWORD PTR DS:[EDX+ESI*4]
00BAF6B5 . 8B8D 4CFEFFFF MOV ECX,DWORD PTR SS:[EBP-0x1B4]
00BAF6BB . E8 D0B0FFFF CALL 00BAA790 ; VMProtec.00BAA790
00BAF6C0 . 8B95 38FEFFFF MOV EDX,DWORD PTR SS:[EBP-0x1C8]
00BAF6C6 . 46 INC ESI
00BAF6C7 . 3BF7 CMP ESI,EDI
00BAF6C9 .^ 72 E7 JB SHORT 00BAF6B2 ; VMProtec.00BAF6B2




if (!HWID.IsCorrect(value))
{
ShowMessage("This application cannot be executed on this computer.");
return false;
}






loader_string_list[FACE_UNREGISTERED_VERSION] = AddCommand(EncryptString(
#ifdef DEMO
true
#else
(ctx.options.flags & cpUnregisteredVersion)
#endif
? os::FromUTF8(VMProtectDecryptStringA("This application is protected with unregistered version of VMProtect.")).c_str() : os::unicode_string().c_str(), string_key));
VMProtectEnd();



#ifndef DEMO
    if (VMProtectGetSerialNumberState() == SERIAL_STATE_SUCCESS) {
        options.flags |= cpEncryptBytecode;
        if ((options.flags & cpMemoryProtection) == 0)
            options.flags |= cpLoaderCRC;
    } else
        options.flags |= cpUnregisteredVersion;
#endif

int VMP_API VMProtectGetSerialNumberState()
{
#ifdef WIN_DRIVER
    return SERIAL_STATE_FLAG_INVALID;
#else
    if (!g_serial_is_correct)
        return SERIAL_STATE_FLAG_INVALID;
    if (g_serial_is_blacklisted)
        return SERIAL_STATE_FLAG_BLACKLISTED;

    int res = 0;

    char buf[256];
    if (GetIniValue("TimeLimit", buf, sizeof(buf))) {
        int running_time = atoi(buf);
        if (running_time >= 0 && running_time <= 255) {
            uint32_t dw = GetTickCount();
            int d = (dw - g_time_of_start) / 1000 / 60; // minutes
            if (running_time <= d)
                res |= SERIAL_STATE_FLAG_RUNNING_TIME_OVER;
        }
    }

    if (GetIniValue("ExpDate", buf, sizeof(buf))) {
        int y, m, d;
        if (sscanf_s(buf, "%04d%02d%02d", &y, &m, &d) == 3) {
            uint32_t ini_date = (y << 16) + (static_cast<uint8_t>(m) << 8) + static_cast<uint8_t>(d);
            uint32_t cur_date;
#ifdef VMP_GNU
            time_t rawtime;
            time(&rawtime);
            struct tm local_tm;
            tm *timeinfo = localtime_r(&rawtime, &local_tm);
            cur_date = ((timeinfo->tm_year + 1900) << 16) + (static_cast<uint8_t>(timeinfo->tm_mon + 1) << 8) + static_cast<uint8_t>(timeinfo->tm_mday);
#else
            SYSTEMTIME st;
            GetLocalTime(&st);
            cur_date = (st.wYear << 16) + (static_cast<uint8_t>(st.wMonth) << 8) + static_cast<uint8_t>(st.wDay);
#endif
            if (cur_date > ini_date)
                res |= SERIAL_STATE_FLAG_DATE_EXPIRED;
        }
    }

    if (GetIniValue("MaxBuildDate", buf, sizeof(buf))) {
        int y, m, d;
        if (sscanf_s(buf, "%04d%02d%02d", &y, &m, &d) == 3) {
            uint32_t ini_date = (y << 16) + (static_cast<uint8_t>(m) << 8) + static_cast<uint8_t>(d);
            uint32_t cur_date;
#ifdef VMP_GNU
            time_t rawtime;
            time(&rawtime);
            struct tm local_tm;
            tm *timeinfo = localtime_r(&rawtime, &local_tm);
            cur_date = ((timeinfo->tm_year + 1900) << 16) + (static_cast<uint8_t>(timeinfo->tm_mon + 1) << 8) + static_cast<uint8_t>(timeinfo->tm_mday);
#else
            SYSTEMTIME st;
            GetLocalTime(&st);
            cur_date = (st.wYear << 16) + (static_cast<uint8_t>(st.wMonth) << 8) + static_cast<uint8_t>(st.wDay);
#endif
            if (cur_date > ini_date)
                res |= SERIAL_STATE_FLAG_MAX_BUILD_EXPIRED;
        }
    }

    if (GetIniValue("KeyHWID", buf, sizeof(buf))) {
        char buf2[256];
        GetIniValue("MyHWID", buf2, sizeof(buf2));
        if (strcmp(buf, buf2) != 0)
            res |= SERIAL_STATE_FLAG_BAD_HWID;
    }

    return res;
#endif
}

0045A2B2 . F7D0 NOT EAX
0045A2B4 . 2385 C0FEFFFF AND EAX,DWORD PTR SS:[EBP-0x140]
0045A2BA . 8985 C0FEFFFF MOV DWORD PTR SS:[EBP-0x140],EAX
0045A2C0 . A9 00040000 TEST EAX,0x400
0045A2C5 . 75 0B JNZ SHORT 0045A2D2 ; VMProtec.0045A2D2
0045A2C7 . 25 FFFFFDFF AND EAX,0xFFFDFFFF
0045A2CC . 8985 C0FEFFFF MOV DWORD PTR SS:[EBP-0x140],EAX
0045A2D2 > FF15 08B26500 CALL DWORD PTR DS:[0x65B208] ; VMProt_1.VMProtectGetSerialNumberState
0045A2D8 . 85C0 TEST EAX,EAX
0045A2DA . 8B85 C0FEFFFF MOV EAX,DWORD PTR SS:[EBP-0x140]
0045A2E0 . 75 19 JNZ SHORT 0045A2FB ; VMProtec.0045A2FB

VMProt_1.VMProtectGetSerialNumberState
is from VMProtectSDK32.dll

I realize all you have to do is place VMProtectLicense.ini in same directory.

sendersu 10-20-2024 18:55

@CodeCracker
why do you need to patch smth on binary level if you have got full VMP sources?


All times are GMT +8.