gal2xy / VMLifter

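VMLifter is a semantic lifting tool based on instruction execution traces, focused on value-dependency-driven reconstruction of program semantics.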

69% credibility
Found Mar 10, 2026 at 44 stars.
Python
AI Summary

VMLifter analyzes execution logs from ARM programs to reconstruct simplified mathematical expressions from virtualized and obfuscated code sections.

How It Works

1. 🕵️ Discover VMLifter: You stumble upon this handy tool while digging into how apps hide their inner workings.
2. 📁 Gather your log: Collect the record of steps your app took during a test run.
3. 📍 Note the memory spot: Spot and write down the main area's starting address from your notes.
4. 🚀 Run the analyzer: Simply tell the tool your log file and memory spot, and let it crunch the hidden patterns.
5. 🔍 Watch it slice and lift: The tool breaks down the mess into neat math expressions showing what really happened.
6. 🤖 Feed to smart helper: Share those expressions with an AI buddy to reveal the original recipe.

🎉 Unlock the secret: You now see the plain logic behind the protected code, like recovering a hashed string builder.

AI-Generated Review

What is VMLifter?

VMLifter is a Python tool that takes instruction execution traces from unidbg (ARM/ARM64) and lifts them into compact, value-dependent expressions, reconstructing the semantics of obfuscated code. It slices traces at load-store boundaries, compresses operations, and outputs symbolic math with concrete values—perfect for decoding VM-protected logic like VMP without manual disassembly. Run it via CLI: `python main.py -v VM_ADDR -f TRACE_FILE [-d]` to get expressions ready for LLMs or manual review.
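
The slice-and-lift idea described above, as an added illustration that is not VMLifter's own code. It assumes a simplified, constructed trace record format (not unidbg's real log syntax) and the hypothetical names `TRACE`, `OPS`, `operand` and `lift`: each load becomes a symbolic leaf, each store closes a slice and emits the accumulated expression, and every step is checked against the traced concrete value.

```python
import operator

# Constructed trace in a simplified record format (an assumption, not unidbg's
# real log syntax): (mnemonic, destination, operands, concrete result value).
TRACE = [
    ("ldr", "w0", ["0x1000"], 7),
    ("ldr", "w1", ["0x2000"], 0x61),
    ("lsl", "w2", ["w0", "#5"], 224),
    ("sub", "w2", ["w2", "w0"], 217),
    ("add", "w2", ["w2", "w1"], 314),
    ("str", "0x1000", ["w2"], 314),
    ("ldr", "w3", ["0x1000"], 314),
    ("eor", "w3", ["w3", "#0xff"], 453),
    ("str", "0x3000", ["w3"], 453),
]

# Mnemonic -> (printed operator, function used to re-check the traced value).
OPS = {"add": ("+", operator.add), "sub": ("-", operator.sub),
       "lsl": ("<<", operator.lshift), "eor": ("^", operator.xor),
       "and": ("&", operator.and_), "orr": ("|", operator.or_)}

def operand(regs, tok):
    """Resolve an operand token to (expression, concrete value)."""
    if tok.startswith("#"):                      # immediate
        return tok[1:], int(tok[1:], 0)
    return regs[tok]                             # register defined earlier in the trace

def lift(trace, mask=0xFFFFFFFF):
    """Return (address, expression, value) for every store in the trace."""
    regs, lifted = {}, []
    for mnem, dst, ops, value in trace:
        if mnem == "ldr":                        # load: start from a fresh leaf
            regs[dst] = (f"mem[{ops[0]}]", value)
        elif mnem == "str":                      # store: close the slice
            expr, concrete = operand(regs, ops[0])
            if concrete != value:
                raise ValueError(f"stored value mismatch at {dst}")
            lifted.append((dst, expr, value))
        elif mnem in OPS:                        # fold the ALU op into the expression
            sym, fn = OPS[mnem]
            (ea, va), (eb, vb) = (operand(regs, o) for o in ops)
            if fn(va, vb) & mask != value:
                raise ValueError(f"trace value mismatch at {mnem} {dst}")
            regs[dst] = (f"({ea} {sym} {eb})", value)
        else:
            raise ValueError(f"unsupported mnemonic: {mnem}")
    return lifted

if __name__ == "__main__":
    for addr, expr, val in lift(TRACE):
        print(f"mem[{addr}] = {expr}  # = {val}")
```

The first lifted store is the shift-and-subtract form of `h * 31 + c`, the kind of string-hash step the review mentions.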

Why is it gaining traction?

It stands out by automating semantic recovery from raw traces, turning opaque VM bytecode into readable formulas that reveal algorithms like string hashing in seconds. Developers dig the LLM integration hook: feed outputs to models for instant Python recreations, skipping hours of RE drudgery. No bloat—just targeted slicing for memory-heavy architectures.

Who should use this?

Reverse engineers unpacking Android apps with VMP-style VM obfuscation, malware analysts tracing protected natives, or security researchers deobfuscating mobile binaries. Ideal if you're feeding unidbg traces into workflows but hate staring at raw instructions.

Verdict

Try VMLifter if VM RE is your jam—it's a clever niche Python lift for traces, with solid examples and CLI ease. At 44 stars and 0.7% credibility score, it's early-stage with basic docs but shows real promise; test on your traces before committing.
