eversinc33

Static devirtualizer for VMProtect 3.5. Lifts virtualized code to LLVM using Remill and strips the VM layer through optimization.

69% credibility
Found Jun 01, 2026 at 62 stars
C++
AI Summary

MogVMP is a research tool that takes Windows programs protected by VMProtect 3.5 and automatically reverses the virtualization protection to produce readable code, helping security researchers understand how protected software works.

How It Works

1. Discover the tool

You find MogVMP while researching how to analyze programs protected with VMProtect, a popular code protection system.

2. Have a protected program ready

You obtain a Windows program that uses VMProtect 3.5 protection and want to understand what its protected functions actually do.

3. Find where protected code starts

You run the program under the bundled PIN-based tracer to discover the exact memory addresses (the VMENTER points) where the protected code begins executing.

4. Run the devirtualizer

You point the tool at your program and the discovered VMENTER address, and watch as it automatically lifts each protected instruction handler.

5. Watch the cleanup happen

The tool removes confusing junk instructions and virtualization layers, then optimizes everything down to its true meaning.

6. Get readable code output

You receive clean, understandable code that reveals exactly what the original protected function was doing, now easy to read and analyze.

AI-Generated Review

What is MogVMP?

MogVMP is a static devirtualizer that reverses VMProtect 3.5 virtualization, lifting protected x86 code back to readable LLVM IR. Instead of manually modeling each VM handler, it lifts the entire handler assembly and lets LLVM's optimization passes strip away the virtualization layer automatically. The tool takes a VMENTER address and a PE file, then outputs clean LLVM bitcode you can compile or analyze further. It includes a PIN-based tracer to locate virtualized functions and an IDA Pro script for cleaning up junk instructions.

Why is it gaining traction?

The key differentiator is fully static CFG recovery. Most devirtualizers require opcode traces or multiple execution runs to reconstruct control flow, but MogVMP discovers handlers incrementally by detecting when the next handler address materializes as a constant. This approach is slower but eliminates the need for runtime instrumentation. The custom constant propagation pass handles VM-specific memory patterns that generic LLVM passes miss, making the output actually readable rather than full of opaque state loads.

Who should use this?

Binary security researchers analyzing VMProtect-obfuscated malware, reverse engineers documenting protected software behavior, and tool developers building deobfuscation pipelines. Academic researchers studying VM-based code protection would also find the approach interesting. This is not production tooling for routine deobfuscation workflows.

Verdict

MogVMP is a proof of concept with 62 stars and a credibility score of 69%. The author explicitly warns against expecting production quality, and that honesty shows. The codebase lacks comprehensive tests, and the IDA/PIN dependencies add friction. That said, for researchers willing to dig in, it demonstrates a genuinely novel approach to static VM deobfuscation that could seed more robust tooling.
