
Suggestions on how i would go about using this to remove delegates? #5

Open
mastercodeon314 opened this issue May 5, 2022 · 4 comments

Comments

@mastercodeon314

mastercodeon314 commented May 5, 2022

Hi, I have an exe that was obfuscated with VMProtect.
I have used your dumper as well as KsDumper to dump the app from memory. Now I am faced with the task of devirtualizing the code and removing all the delegate calls.
Do you have any suggestions as to how I would go about using this project as a starting point for achieving that?
To date, this is the only project that I've found that can even see what's going on with this app, because it can successfully hook any delegate call that is made when I run the tool with the exe. I'm pretty sure the exe was protected with version 3.6 of VMProtect, hence why the old 2020 projects I've found won't work.
Any help would be seriously appreciated; this project could turn into a way to fully deobfuscate these kinds of protected assemblies.

@void-stack
Owner

Hello, sorry for my super late response... I'm working on a VMProtect 3.6.0 unpacker and patcher. Instead of hooking UnsafeInvokeInternal, it injects middleman runtime code into the assembly, inserting proxy calls straight to the VM handler and redirecting parameters, return values, etc. This approach is generally better since we can generate a patched program that is significantly faster and written cleverly.

When it comes to resolving all the delegate calls, my approach is similar to https://github.com/DarkBullNull/VMP.NET-Kill/blob/main/VMPKiller/RestoreMetadatas.cs.

You get the value of the object[] delegatesArray containing all delegates from the VMProtect runtime. Then you start resolving by grabbing the index number from the "proxy" delegate call (it's always obfuscated by mutation). Now you know the function index; get the delegate (delegatesArray[X]) that should be invoked. With a dirty trick via reflection, you can access the method it points to.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

static class VmpImportResolver
{
    // The object[] delegatesArray read out of the VMProtect runtime (filled in by the caller).
    static object[] _importTable = Array.Empty<object>();

    // Resolves which real method or field the import delegate at ImportIndex points to.
    public static object? ResolveImport(int ImportIndex)
    {
        var importedFunction = (Delegate) _importTable[ImportIndex];
        // For a DynamicMethod-backed delegate, .Method is the CLR's internal RTDynamicMethod and
        // its private m_owner is the DynamicMethod that holds the proxy body.
        var owner = ReadField<object>(importedFunction.Method, "m_owner");

        if (owner is null)
            return importedFunction.Method; // ordinary delegate: .Method already is the target

        object resolver = ReadField<object>(owner, "m_resolver")!;   // DynamicResolver
        object scope = ReadField<object>(resolver, "m_scope")!;      // DynamicScope
        var tokenList = ReadField<List<object>>(scope, "m_tokens")!; // tokens referenced by the proxy IL

        // The last token the proxy body referenced is the handle of the member it calls or accesses.
        switch (tokenList[tokenList.Count - 1])
        {
            case RuntimeMethodHandle handle:
                var calledMethodMInfo = ReadField<dynamic>(handle, "m_value");
                return calledMethodMInfo;
                //return MethodBase.GetMethodFromHandle(handle);
            case RuntimeFieldHandle field:
                var calledFieldFInfo = ReadField<dynamic>(field, "m_ptr");
                return calledFieldFInfo;
                //return FieldInfo.GetFieldFromHandle(field);
            default:
                return null;
        }
    }

    // Reads any field (public or private, instance or static) by name via reflection.
    public static T? ReadField<T>(object instance, string fieldName) =>
        (T?) instance.GetType().GetField(fieldName, (BindingFlags) (-1))?.GetValue(instance);
}
```
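The resolution chain described in the comment above, as an added, self-contained example that is not code from this issue, from the project, or from VMProtect. It builds two stand-in proxy delegates with `DynamicILInfo` (raw IL plus `GetTokenFor` on a handle, which is what puts a bare `RuntimeMethodHandle`/`RuntimeFieldHandle` into the scope's token list; that emission path is an assumption about how such proxies are produced, not a statement about VMProtect's runtime) and then recovers the real targets from the delegate objects alone. The class and method names are hypothetical, and `m_owner`, `m_resolver`, `m_scope` and `m_tokens` are undocumented CLR internals that this example assumes hold for .NET Framework 4.x and .NET Core 3.1 through .NET 8; it also swaps the `m_value`/`m_ptr` trick for the public `GetMethodFromHandle`/`GetFieldFromHandle` calls once the handle is in hand.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Reflection.Emit;

// Added example (not VMProtect's runtime and not code from this issue).
// ASSUMPTION: m_owner / m_resolver / m_scope / m_tokens are CLR internals
// (.NET Framework 4.x, .NET Core 3.1 .. .NET 8); other runtimes may differ.
static class ProxyResolverDemo
{
    // Reads any field, public or private, by name.
    static T? ReadField<T>(object instance, string name) =>
        (T?) instance.GetType().GetField(name, (BindingFlags) (-1))?.GetValue(instance);

    // Proxy that forwards its int argument to `target`: "ldarg.0; call <tok>; ret".
    static Delegate BuildCallProxy(MethodInfo target)
    {
        var dm = new DynamicMethod("proxy_call", typeof(int), new[] { typeof(int) },
                                   typeof(ProxyResolverDemo).Module, skipVisibility: true);
        DynamicILInfo il = dm.GetDynamicILInfo();
        il.SetLocalSignature(SignatureHelper.GetLocalVarSigHelper().GetSignature());
        int tok = il.GetTokenFor(target.MethodHandle);   // appends a RuntimeMethodHandle to m_tokens
        var code = new byte[7];
        code[0] = 0x02;                                  // ldarg.0
        code[1] = 0x28;                                  // call
        BitConverter.GetBytes(tok).CopyTo(code, 2);      // 4-byte token, little endian
        code[6] = 0x2A;                                  // ret
        il.SetCode(code, maxStackSize: 1);
        return dm.CreateDelegate(typeof(Func<int, int>));
    }

    // Proxy that reads a static field: "ldsfld <tok>; ret".
    static Delegate BuildFieldProxy(FieldInfo target)
    {
        var dm = new DynamicMethod("proxy_field", typeof(string), Type.EmptyTypes,
                                   typeof(ProxyResolverDemo).Module, skipVisibility: true);
        DynamicILInfo il = dm.GetDynamicILInfo();
        il.SetLocalSignature(SignatureHelper.GetLocalVarSigHelper().GetSignature());
        int tok = il.GetTokenFor(target.FieldHandle);    // appends a RuntimeFieldHandle to m_tokens
        var code = new byte[6];
        code[0] = 0x7E;                                  // ldsfld
        BitConverter.GetBytes(tok).CopyTo(code, 1);
        code[5] = 0x2A;                                  // ret
        il.SetCode(code, maxStackSize: 1);
        return dm.CreateDelegate(typeof(Func<string>));
    }

    // delegate.Method (RTDynamicMethod) -> m_owner (DynamicMethod) -> m_resolver (DynamicResolver)
    // -> m_scope (DynamicScope) -> m_tokens; the last token is the member the proxy body uses.
    public static MemberInfo? Resolve(Delegate proxy)
    {
        object? owner = ReadField<object>(proxy.Method, "m_owner") ?? proxy.Method as DynamicMethod;
        if (owner is null)
            return proxy.Method;                         // ordinary delegate: .Method is the target

        object? resolver = ReadField<object>(owner, "m_resolver");
        object? scope = resolver is null ? null : ReadField<object>(resolver, "m_scope");
        var tokens = scope is null ? null : ReadField<List<object>>(scope, "m_tokens");
        if (tokens is null || tokens.Count == 0)
            return null;                                 // unknown runtime layout: refuse to guess

        return tokens[tokens.Count - 1] switch
        {
            RuntimeMethodHandle h => (MemberInfo?) MethodBase.GetMethodFromHandle(h), // public API, no m_value
            RuntimeFieldHandle f => FieldInfo.GetFieldFromHandle(f),                  // public API, no m_ptr
            _ => null,
        };
    }

    static void Main()
    {
        var abs = typeof(Math).GetMethod("Abs", new[] { typeof(int) })!;
        var empty = typeof(string).GetField("Empty")!;

        // Constructed stand-in for the runtime's object[] delegatesArray.
        object[] importTable =
        {
            BuildCallProxy(abs),
            BuildFieldProxy(empty),
            Delegate.CreateDelegate(typeof(Func<int, int>), abs), // no proxy: m_owner is absent
        };

        // Sanity check that the hand-assembled proxy really forwards to Math.Abs.
        if (((Func<int, int>) importTable[0])(-7) != 7)
            throw new InvalidOperationException("proxy did not forward to Math.Abs");

        for (int i = 0; i < importTable.Length; i++)
            Console.WriteLine($"delegatesArray[{i}] -> {Resolve((Delegate) importTable[i])}");
    }
}
```

`m_resolver` is only populated once the DynamicMethod has been turned into a callable (here by `CreateDelegate`), so resolve against delegates taken from a live, initialized runtime rather than freshly constructed ones. Because every name in the chain is private, treat a `null` from `Resolve` as "layout changed" and re-derive the field names for that runtime version before trusting any output; the mutated index used to pick the entry out of `delegatesArray` still has to be recovered separately, as the comment notes.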

@void-stack void-stack pinned this issue Aug 17, 2022
@mastercodeon314
Author

mastercodeon314 commented Aug 17, 2022

That's very clever! Tbh this sort of thing is way over my head, so I'm going to wait until a public release is available to clean 3.6 assemblies. Any idea when yours is going to be ready? As far as I know, there are no public methods to clean a 3.6-protected assembly, but there are people who have the tools and charge others for usage of them. I'm very excited to see 3.6 deobfuscators for the public!
Huge thank you for all the work you are doing on this; for me personally, on the project I'm working on, this is absolutely crucial and very helpful!

@void-stack
Owner

I'm doing it in my free time, which I don't have much of. I'll keep it clean and write a blog explaining some things. To be totally clean with VMProtect, I don't want to blatantly break their protection and let people just crack things left and right with a drag-and-drop application. They work hard creating their software, which I totally respect. My motivation is toward maliciously protected applications, so malware specialists can speed up their study and not worry about researching on their own. There aren't a lot of publicly written research blogs about the .NET version of VMProtect, so I'm coming with the help.

VMP is fantastic protection. Most of the stuff like anti-debug and the CRC checksum happens in a virtualized cctor that you cannot just nop out. Removing it wouldn't help much, since it will break future functions and the application is going to fault.

From version to version, it accomplishes wiser protection. I recommend using it.

@mastercodeon314
Author

I've noticed there isn't much coverage on the .NET version of VMProtect, so it's nice to see someone taking interest in this side of the protection. Makes sense as to not totally break their protection; that's what makes them good, because there aren't tools that you can just drag and drop to crack protected apps.

Repository owner locked as resolved and limited conversation to collaborators Aug 30, 2022