  #1  
Old 10-20-2024, 17:53
CodeCracker CodeCracker is offline
VMRotect 3.5.1 disable renaming

VMRotect 3.5.1 disable renaming:
\core\dotnetfile.cc
void NETArchitecture::RenameSymbols()
{
..
if (full_name == "System.Reflection.ObfuscateAssemblyAttribute") {
...

}

00B7C3D1 . 897F 04 MOV DWORD PTR DS:[EDI+0x4],EDI
00B7C3D4 . 893F MOV DWORD PTR DS:[EDI],EDI
00B7C3D6 . 897F 08 MOV DWORD PTR DS:[EDI+0x8],EDI
00B7C3D9 . C743 04 00000000 MOV DWORD PTR DS:[EBX+0x4],0x0
00B7C3E0 . 8B5D C4 MOV EBX,DWORD PTR SS:[EBP-0x3C]
00B7C3E3 . F703 00000400 TEST DWORD PTR DS:[EBX],0x40000
00B7C3E9 . 74 07 JE SHORT 00B7C3F2 ; VMProtec.00B7C3F2
00B7C3EB . 8BCE MOV ECX,ESI
00B7C3ED . E8 8EB70000 CALL 00B87B80 ; VMProtec.00B87B80
00B7C3F2 > FFB3 D8000000 PUSH DWORD PTR DS:[EBX+0xD8]
00B7C3F8 . 8B8E 94000000 MOV ECX,DWORD PTR DS:[ESI+0x94]



rename of symbols from assembly:
00BA7B80 $ 55 PUSH EBP
to be changed to ret to not rename
00B87B80 $ 55 PUSH EBP


for (i = 0; i < rename_token_list.size(); i++) {
RenameToken(rename_token_list[i]);
}
reference_list.UpdateNames();

void NETArchitecture::RenameToken(ILToken *token)
{
...
id |= 0xA0000000;
new_name = string_format("%.8X", id);

}


00D0A790 $ 55 PUSH EBP // RenameToken
Local calls from 00BAA600, 00BAF6BB, 00BCD754, 00BCDAC8, 00BDE233
The 00BAF6BB

00BAF1B4 . /74 5D JE SHORT 00BAF213 ; VMProtec.00BAF213

00BAF6AE . 85FF TEST EDI,EDI
00BAF6B0 . 74 19 JE SHORT 00BAF6CB ; to jump
00BAF6B2 > FF34B2 PUSH DWORD PTR DS:[EDX+ESI*4]
00BAF6B5 . 8B8D 4CFEFFFF MOV ECX,DWORD PTR SS:[EBP-0x1B4]
00BAF6BB . E8 D0B0FFFF CALL 00BAA790 ; VMProtec.00BAA790
00BAF6C0 . 8B95 38FEFFFF MOV EDX,DWORD PTR SS:[EBP-0x1C8]
00BAF6C6 . 46 INC ESI
00BAF6C7 . 3BF7 CMP ESI,EDI
00BAF6C9 .^ 72 E7 JB SHORT 00BAF6B2 ; VMProtec.00BAF6B2




if (!HWID.IsCorrect(value))
{
ShowMessage("This application cannot be executed on this computer.");
return false;
}






loader_string_list[FACE_UNREGISTERED_VERSION] = AddCommand(EncryptString(
#ifdef DEMO
true
#else
(ctx.options.flags & cpUnregisteredVersion)
#endif
? os::FromUTF8(VMProtectDecryptStringA("This application is protected with unregistered version of VMProtect.")).c_str() : os::unicode_string().c_str(), string_key));
VMProtectEnd();



// Licence-dependent build options. The whole block is compiled out when DEMO
// is defined.
#ifndef DEMO
// A result equal to SERIAL_STATE_SUCCESS is the only case treated as licensed.
if (VMProtectGetSerialNumberState() == SERIAL_STATE_SUCCESS) {
// Licensed: always request bytecode encryption.
options.flags |= cpEncryptBytecode;
// Loader CRC is added only when memory protection was not requested.
if ((options.flags & cpMemoryProtection) == 0)
options.flags |= cpLoaderCRC;
} else
// Any other state marks the build as produced by an unregistered version.
options.flags |= cpUnregisteredVersion;
// NOTE(review): the registered/unregistered decision rests on this single
// return value. If the VMProtectGetSerialNumberState implementation that
// ships derives its state from data outside the process (e.g. a
// configuration file), this check is advisory rather than an integrity
// boundary -- confirm which implementation is linked in release builds.
#endif

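#ifndef WIN_DRIVER
// Packs a calendar date into one integer (year above bit 16, month in bits
// 8..15, day in the low byte) so that two dates can be ordered with `>`.
// The listing this function was taken from had lost the target types of its
// static_cast expressions; uint32_t is assumed here -- TODO confirm against
// the original source.
static uint32_t PackDate(int year, int month, int day)
{
	return (static_cast<uint32_t>(year) << 16)
		+ (static_cast<uint32_t>(month) << 8)
		+ static_cast<uint32_t>(day);
}

// Returns today's local date in PackDate() form.
static uint32_t CurrentLocalDate()
{
#ifdef VMP_GNU
	time_t rawtime;
	time(&rawtime);
	struct tm local_tm;
	tm *timeinfo = localtime_r(&rawtime, &local_tm);
	if (!timeinfo) {
		// localtime_r failed: report the largest possible date so that any
		// configured limit is treated as passed instead of dereferencing NULL.
		return ~static_cast<uint32_t>(0);
	}
	return PackDate(timeinfo->tm_year + 1900, timeinfo->tm_mon + 1, timeinfo->tm_mday);
#else
	SYSTEMTIME st;
	GetLocalTime(&st);
	return PackDate(st.wYear, st.wMonth, st.wDay);
#endif
}

// Reads a "YYYYMMDD" value stored under `key` and reports whether today's
// local date is later than it. A missing key or a value that does not parse
// as three numbers yields false, i.e. the limit is ignored.
// NOTE(review): ignoring a malformed limit fails open -- confirm this is
// intended.
static bool IniDatePassed(const char *key)
{
	char buf[256];
	if (!GetIniValue(key, buf, sizeof(buf)))
		return false;

	int y, m, d;
	if (sscanf_s(buf, "%04d%02d%02d", &y, &m, &d) != 3)
		return false;

	return CurrentLocalDate() > PackDate(y, m, d);
}
#endif // !WIN_DRIVER

// Reports the state of the current serial number as a bit mask of
// SERIAL_STATE_FLAG_* values.
//
// Returns SERIAL_STATE_FLAG_INVALID unconditionally in WIN_DRIVER builds and
// whenever g_serial_is_correct is false, SERIAL_STATE_FLAG_BLACKLISTED when
// g_serial_is_blacklisted is set, and otherwise the OR of every limit that has
// been exceeded (0 when none has).
//
// NOTE(review): every limit below is read through GetIniValue. If that helper
// reads a file the local user can edit, the result describes a test
// configuration and must not be relied on as a licensing control -- confirm
// where this implementation is shipped.
int VMP_API VMProtectGetSerialNumberState()
{
#ifdef WIN_DRIVER
	return SERIAL_STATE_FLAG_INVALID;
#else
	if (!g_serial_is_correct)
		return SERIAL_STATE_FLAG_INVALID;
	if (g_serial_is_blacklisted)
		return SERIAL_STATE_FLAG_BLACKLISTED;

	int res = 0;

	char buf[256];
	if (GetIniValue("TimeLimit", buf, sizeof(buf))) {
		// TimeLimit is a number of minutes; values outside 0..255 are ignored.
		int running_time = atoi(buf);
		if (running_time >= 0 && running_time <= 255) {
			uint32_t dw = GetTickCount();
			int d = (dw - g_time_of_start) / 1000 / 60; // minutes
			if (running_time <= d)
				res |= SERIAL_STATE_FLAG_RUNNING_TIME_OVER;
		}
	}

	if (IniDatePassed("ExpDate"))
		res |= SERIAL_STATE_FLAG_DATE_EXPIRED;

	if (IniDatePassed("MaxBuildDate"))
		res |= SERIAL_STATE_FLAG_MAX_BUILD_EXPIRED;

	if (GetIniValue("KeyHWID", buf, sizeof(buf))) {
		// A key bound to a hardware ID must match the machine's own ID. When
		// "MyHWID" cannot be read, the original code compared against an
		// uninitialised buffer; treat that case as a mismatch instead.
		char buf2[256] = {0};
		if (!GetIniValue("MyHWID", buf2, sizeof(buf2)) || strcmp(buf, buf2) != 0)
			res |= SERIAL_STATE_FLAG_BAD_HWID;
	}

	return res;
#endif
}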

0045A2B2 . F7D0 NOT EAX
0045A2B4 . 2385 C0FEFFFF AND EAX,DWORD PTR SS:[EBP-0x140]
0045A2BA . 8985 C0FEFFFF MOV DWORD PTR SS:[EBP-0x140],EAX
0045A2C0 . A9 00040000 TEST EAX,0x400
0045A2C5 . 75 0B JNZ SHORT 0045A2D2 ; VMProtec.0045A2D2
0045A2C7 . 25 FFFFFDFF AND EAX,0xFFFDFFFF
0045A2CC . 8985 C0FEFFFF MOV DWORD PTR SS:[EBP-0x140],EAX
0045A2D2 > FF15 08B26500 CALL DWORD PTR DS:[0x65B208] ; VMProt_1.VMProtectGetSerialNumberState
0045A2D8 . 85C0 TEST EAX,EAX
0045A2DA . 8B85 C0FEFFFF MOV EAX,DWORD PTR SS:[EBP-0x140]
0045A2E0 . 75 19 JNZ SHORT 0045A2FB ; VMProtec.0045A2FB

VMProt_1.VMProtectGetSerialNumberState
is from VMProtectSDK32.dll

I realize all you have to do is place VMProtectLicense.ini in same directory.
Attached Files
File Type: rar VMRotect_3.5.1_Ultimate_disableRenaming.rar (3.44 MB, 28 views)
  #2  
Old 10-20-2024, 18:55
sendersu sendersu is offline
@CodeCracker
why do you need to patch smth on binary level if you have got full VMP sources?