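"""DetectVMP3 -- Main.py

Repository layout:
    ├── README.md
    └── Main.py

README.md:
    # DetectVMP3

    This is a PoC that detects the presence of VMProtect 3 protection by
    searching for a characteristic watermark.

    The idea comes from my friend [@66hh](https://github.com/66hh)

    Technical analysis articles: https://www.52pojie.cn/thread-1869758-1-1.html
"""
import re


def read_file_as_hex(filepath):
    """Return the whole content of *filepath* as an upper-case hex string.

    The file is read in binary mode in one go, and the hex form is twice the
    size of the file, so very large inputs cost roughly three times their
    size in memory.

    Raises:
        OSError: if the file cannot be opened or read.
    """
    with open(filepath, 'rb') as file:
        content = file.read()
    return content.hex().upper()


def search_hex_pattern(hex_pattern, hex_string):
    """Find byte-aligned occurrences of a wildcard hex signature.

    Args:
        hex_pattern: Signature made of hex digits, where each ``?`` stands
            for one arbitrary hex digit (one nibble). The text is placed in
            a regular expression without escaping, so it is expected to
            contain only hex digits and ``?``.
        hex_string: Hex dump to search, two digits per byte (as produced by
            ``read_file_as_hex``). Matching is case-insensitive.

    Returns:
        A list of the matched substrings, in order and non-overlapping.
        An empty pattern yields an empty list.
    """
    # An empty signature would "match" at every offset and report any file
    # as a hit, so it is treated as no signature at all.
    if not hex_pattern:
        return []

    regex = re.compile(hex_pattern.replace("?", "[0-9a-f]"), flags=re.IGNORECASE)
    matches = []
    pos = 0
    while True:
        found = regex.search(hex_string, pos)
        if found is None:
            break
        if found.start() % 2 == 0:
            matches.append(found.group(0))
            # Continue after the hit; always advance at least one character
            # so a zero-length match cannot loop forever.
            pos = max(found.end(), found.start() + 1)
        else:
            # Each byte is two hex digits, so a hit at an odd offset starts
            # in the middle of a byte and pairs the low nibble of one byte
            # with the high nibble of the next. That is not a real byte
            # sequence in the file; skip it and retry one character later
            # so an aligned hit overlapping it is still found.
            pos = found.start() + 1
    return matches


# Signature searched for in the target file; "?" marks a wildcard nibble.
watermark = "50F01FFDFD8??7926???B4??C2???07?4?????C?C??F?D2?6??19CBF0?9912?717??3635CA8A?7?0???F?C?D7D7??9E5?1?84E4???24??D45?5?C?04B9E?D?2?15?89??6?784?????D9??1?1?E??03?????446?6???3EC941E?6A??4?5????????8?C??8???2???0C8EB?C1?D?4?"


def main():
    """Prompt for a file path and report whether the watermark is present."""
    # Paths pasted or dragged into a terminal often carry surrounding
    # whitespace or double quotes; drop them before opening the file.
    filepath = input("[-] Please input the path of file you want to detect: ").strip().strip('"')

    try:
        hex_file_content = read_file_as_hex(filepath)
    except OSError as err:
        # Report an unreadable path clearly instead of dumping a traceback.
        print(f"[!] Could not read {filepath!r}: {err}")
        raise SystemExit(1)

    match_results = search_hex_pattern(watermark, hex_file_content)

    # The result is a triage hint only: a hit shows the byte pattern occurs
    # somewhere in the file, and a miss does not prove the file is
    # unprotected. Confirm with further analysis before acting on it.
    if match_results:
        print("[+] The file maybe protected by VMP3.")
    else:
        print("[-] The file maybe didn't protected by VMP3.")


if __name__ == "__main__":
    main()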