.ran across the following signature the other day wondering if anyone recgonizes it. Looks like a packer that supports a virtual machine and has an SDK where you can embed markers in your code to protect specific sections instead of the whole binary.
EB 08 56 4D 5F 53 54 41 52 54 d.VM_START
themida has a very similar macro for this use but it didnt seem to recgonize the above signature (if it was an old one)
the current themida VM_START macro is defined as
__emit__ (0xEB, 0x10, 0x57, 0x4C, 0x20, 0x20, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x4C, 0x20, 0x20);
Other markers found were
OC_END
VM_START
DY_DYEND
R1_START
ST_STEND
RD_RDEND
VmProtect SDK uses calls to a vmp dll exports to mark the code sections to protect.
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}