pandora is a PoC VM inspector for certain games protected by Denuvo.
At the moment it's only able to find relocated functions and VM entry points via pattern scanning.
The original code is moved from .text to the VM section (some of it is virtualized as well); Denuvo then places a jmp to the new location at the original address and fills the rest of the original function's bytes with junk, as in the following example:
```
0000000140D9A7C0 | E9 2B6BAC0B   | jmp 14C8612F0
0000000140D9A7C5 | 0F81 3A3C8C00 | jno 14165E405
0000000140D9A7CB | 45:E5 F6      | in eax, F6
0000000140D9A7CE | 8CA3 4823E92E | mov word ptr ds:[rbx + 2EE92348], fs
0000000140D9A7D4 | EA            | ???
0000000140D9A7D5 | B4 00         | mov ah, 0
0000000140D9A7D7 | 20FA          | and dl, bh
0000000140D9A7D9 | 0E            | ???
0000000140D9A7DA | DC0F          | fmul qword ptr ds:[rdi]
0000000140D9A7DC | 863B          | xchg byte ptr ds:[rbx], bh
0000000140D9A7DE | 94            | xchg esp, eax
0000000140D9A7DF | BF 0052C345   | mov edi, 45C35200
0000000140D9A7E4 | 84E9          | test cl, ch
```
Some binaries use the following pattern for these stubs:

```
48 8D 24 24    | lea rsp, qword ptr ss:[rsp]
E9 ?? ?? ?? ?? | jmp 0x12345678
```
...which is easy to scan for.
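As an added example (not pandora's own code), a minimal wildcard pattern scanner in C that finds the `lea rsp,[rsp] ; jmp rel32` stub above in a mapped image and resolves where each jmp lands; the 64-byte sample image and its base address are constructed for the demonstration, not taken from a real binary.

```c
#include <stddef.h>
#include <stdint.h>
/* One pattern byte: `fixed == 0` means a "??" wildcard that matches anything. */
typedef struct { uint8_t value; uint8_t fixed; } pat_byte_t;

/* 48 8D 24 24 E9 ?? ?? ?? ??  ->  lea rsp,[rsp] ; jmp rel32 */
static const pat_byte_t STUB_PATTERN[] = {
    {0x48,1}, {0x8D,1}, {0x24,1}, {0x24,1}, {0xE9,1}, {0,0}, {0,0}, {0,0}, {0,0}
};
#define STUB_LEN (sizeof STUB_PATTERN / sizeof STUB_PATTERN[0])

/* Scan `len` bytes of `img` (mapped at virtual address `base`) for the stub pattern.
   Records each stub's VA and the VA its jmp lands on; returns how many were found. */
size_t find_stubs(const uint8_t *img, size_t len, uint64_t base,
                  uint64_t *stub_va, uint64_t *target_va, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i + STUB_LEN <= len && found < max_out; i++) {
        size_t k = 0;
        while (k < STUB_LEN && (!STUB_PATTERN[k].fixed || img[i + k] == STUB_PATTERN[k].value))
            k++;
        if (k != STUB_LEN) continue;
        /* rel32 is little-endian and signed; an E9 jmp is relative to the next instruction,
           i.e. stub start + 4 bytes of lea + 5 bytes of jmp = stub start + STUB_LEN. */
        uint32_t raw = (uint32_t)img[i + 5] | (uint32_t)img[i + 6] << 8 |
                       (uint32_t)img[i + 7] << 16 | (uint32_t)img[i + 8] << 24;
        stub_va[found] = base + i;
        target_va[found] = base + i + STUB_LEN + (uint64_t)(int64_t)(int32_t)raw;
        found++;
    }
    return found;
}

/* Constructed sample image: int3 filler, a forward stub at +0x10 (rel32 = +0x1000)
   and a backward stub at +0x30 (rel32 = -0x20). Base address is also constructed. */
#define SAMPLE_BASE 0x140001000ULL
static const uint8_t SAMPLE_IMAGE[64] = {
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0x48,0x8D,0x24,0x24,0xE9,0x00,0x10,0x00,0x00,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0x48,0x8D,0x24,0x24,0xE9,0xE0,0xFF,0xFF,0xFF,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC
};

/* Target VA of the idx-th stub found in the sample image, or 0 if there is none. */
uint64_t sample_target(size_t idx)
{
    uint64_t s[8], t[8];
    size_t n = find_stubs(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, SAMPLE_BASE, s, t, 8);
    return idx < n ? t[idx] : 0;
}
```

For a real scan, the same routine is run over the bytes of the executable section and the resolved targets are the addresses to look at inside the VM section.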
- Refactor the main code
- Support all VM entry points
- Fix high memory usage on analysis
- VM exits?