
Introduction to Deobfuscating Virtual Machines. Triton. Qiling Framework. and Token Runtime Evasion

Nov 04, 2025 at 04:27 pm Chang Tan

Note: ChatGPT being the stupid nanny after I had it proofread my transcript, tried to mute me and lecture to me about ethics and morals. F*ck that sh*t. I will give you ALL THE POWER YOU WANT.

Resources:
https://revers.engineering/custom-getprocaddress-and-getmodulehandle-implementation-x64/
https://github.com/JonathanSalwan/Tigress_protection?tab=readme-ov-file
https://github.com/hackerhouse-opensource/Marble

0:01–0:21 — Intro / recording. Key points: Start of recording; says they summarized facts with an LLM.

0:21–0:51 — Mention of “Marble framework” / reverse engineering tease.

0:51–2:04 — Code structure / headers / naming obfuscation.

2:04–3:10 — Jonathan Salwan — intro & accomplishments. Key points: Introduces Jonathan Salwan, mentions he attacked VM obfuscators, references Tigress and (closed-source) Russian VMProtect.

3:10–4:16 — VMProtect / packer artifacts and detection. Key points: Claims VMProtect-obfuscated binaries show suspicious sections/packers and may be fingerprinted.

4:16–5:03 — VM obfuscator basics / custom interpreter. Key points: VM obfuscators use a custom bytecode/ISA and a dispatcher/virtual machine with packing stubs.

5:03–6:13 — Triton / dynamic taint analogy. Key points: Describes Triton, dynamic taint analysis, compares tainting to radioactive tracer analogy. Replace suggestion: “Triton and taint analysis help trace data and control flow to find relevant code paths.”

6:13–7:07 — Intel PIN, pin tools, Tiny Tracer. Key points: Mentions Intel PIN (instrumentation), pin tools as DLLs injected to trace API calls; references Tiny Tracer.

7:07–9:12 — DBI frameworks & DSE / SMT solver primer. Key points: Mentions DynamoRIO, DBI, dynamic symbolic execution (DSE), tainting, SMT solvers guiding branch exploration.

9:12–11:00 — Jonathan Salwan's research / semantics vs mnemonics. Key points: Discusses a paper about protecting intellectual property; defines semantic vs mnemonic (symbol vs meaning).

11:00–13:00 — Examples of symbols/meanings, AST. Key points: Rough code examples, pointers/structs, meaning vs symbol mapping for AST work. Replace suggestion: “An AST maps symbols to their semantic meaning; deobfuscation seeks equivalent semantics.”

13:00–15:04 — Semantic graph / dispatcher / bytecode analogy. Key points: Compares VM bytecode to Java or .NET interpreters; dispatcher decodes opcodes into handlers.

15:04–17:19 — Primitive VM dispatcher / instruction size / simple VM example. Key points: Shows simple VM with 32-bit instructions, add/move/multiply/return; VPC (virtual program counter) concept.

17:19–19:28 — Backward slicing / pertinent instructions / repeated execution. Key points: Backward slicing helps eliminate non-pertinent (irrelevant) instructions; many executions required to identify relevant paths.

19:28–20:26 — Intermediate language (IL) and rebuilding. Key points: You get an IL (not directly compilable) that models the VM; rebuild into readable code.

20:26–21:20 — Qiling/Qiling mention / tool install comment. Key points: Mentions Qiling as easier than Triton; install comment.

21:20–25:10 — Tokens, hiding tokens, registers (XMM/MM) and calling convention. Key points: Defines token concept (values used to fingerprint behavior), claims hiding tokens in XMM/MM registers, and lists Windows x64 argument registers for VirtualAlloc-like calls (RCX/RDX/R8/R9). Replace suggestion: “Tokens (identifiers/return values) can be obfuscated at runtime; calling conventions place early arguments in registers on x64 (Windows: RCX, RDX, R8, R9).”

25:10–27:19 — Prologue/epilogue and shellcode preservation. Key points: Shellcode generally uses prologue/epilogue to save/restore registers and avoid crashes.

27:19–29:17 — Custom getprocaddress/getmodulehandle example / PEB parsing. Key points: Mentions reversing GetModuleHandle/GetProcAddress implementations by parsing PEB/TEB to find modules/functions.

29:17–33:34 — Custom API reconstruction / dump & recreate, debugger workflow. Key points: Describes stepping into LoadLibrary/GetProc, dumping memory of functions, and recreating userland versions to avoid imports; warns of complexity (Unicode variants, etc.).

33:34–35:17 — Recommendations: Winsock TCP vs WinHTTP; closing advice.
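The dispatcher and backward-slicing ideas from the 15:04 to 19:28 segments, as an added example that is not code from the video or from Triton or Qiling: a toy VM with 32-bit instructions, a VPC-driven dispatcher that records a trace, and a backward slice that drops the junk instructions. The instruction encoding, opcode values and sample bytecode are constructed assumptions, and the slice covers one straight-line execution with registers only (no memory, no branches).

```python
import struct

# Constructed toy ISA (an assumption, not the VM shown in the video): one
# 32-bit little-endian word per instruction, laid out as opcode|dst|a|b.
MOVI, ADD, MUL, RET = 0x01, 0x02, 0x03, 0xFF

def asm(op, dst=0, a=0, b=0):
    return struct.pack("<I", (op << 24) | (dst << 16) | (a << 8) | b)

# Constructed sample: computes (6 + 7) * 3, padded with junk instructions.
BYTECODE = b"".join([
    asm(MOVI, 0, 0, 6),        # vpc 0:  r0 = 6
    asm(MOVI, 5, 0x13, 0x37),  # vpc 4:  junk
    asm(MOVI, 1, 0, 7),        # vpc 8:  r1 = 7
    asm(ADD, 6, 5, 5),         # vpc 12: junk
    asm(ADD, 2, 0, 1),         # vpc 16: r2 = r0 + r1
    asm(MOVI, 3, 0, 3),        # vpc 20: r3 = 3
    asm(MUL, 5, 6, 5),         # vpc 24: junk
    asm(MUL, 4, 2, 3),         # vpc 28: r4 = r2 * r3
    asm(RET, 0, 4, 0),         # vpc 32: return r4
])

def run(bytecode):
    """Dispatcher loop: fetch at VPC, decode, run handler, record a trace."""
    regs, vpc, trace = [0] * 8, 0, []
    while True:
        (word,) = struct.unpack_from("<I", bytecode, vpc)
        op, dst, a, b = word >> 24, (word >> 16) & 0xFF, (word >> 8) & 0xFF, word & 0xFF
        if op == MOVI:
            regs[dst], reads = (a << 8) | b, set()
        elif op == ADD:
            regs[dst], reads = (regs[a] + regs[b]) & 0xFFFFFFFF, {a, b}
        elif op == MUL:
            regs[dst], reads = (regs[a] * regs[b]) & 0xFFFFFFFF, {a, b}
        elif op == RET:
            trace.append((vpc, None, {a}))
            return regs[a], trace
        else:
            raise ValueError(f"unknown opcode {op:#x} at vpc {vpc}")
        trace.append((vpc, dst, reads))
        vpc += 4

def backward_slice(trace):
    """Walk the trace backwards from RET, keeping only instructions whose
    destination register feeds the returned value."""
    live, keep = set(trace[-1][2]), [trace[-1][0]]
    for vpc, dst, reads in reversed(trace[:-1]):
        if dst in live:
            live = (live - {dst}) | reads
            keep.append(vpc)
    return keep[::-1]
```

Running `backward_slice(run(BYTECODE)[1])` keeps six of the nine executed instructions; the three junk writes to r5 and r6 never reach the returned register and fall out of the slice.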
Video source: YouTube
