git404hub

what is ida-zvm-disassembler fr?

duntss/ida-zvm-disassembler — explained in plain English

Analysis updated 2026-05-18

16PythonAudience · researcherComplexity · 4/5Setup · moderate

tl;dr

An IDA Pro plugin that decodes Zeus VM malware bytecode into readable assembly-style instructions for security analysis.

vibe map

mindmap
  root((repo))
    What it does
      Decodes Zeus VM bytecode
      IDA Pro loader and processor
      Auto generated comments
    Tech stack
      Python
      IDA Pro plugin
    Use cases
      Malware bytecode analysis
      Trace control flow
      Decrypt XOR keys
    Audience
      Security researchers
      Malware analysts

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Open a .zvm bytecode file in IDA Pro and have it automatically decoded into readable instructions.

VIBE 2

Trace malware control flow using the plugin's auto-generated cross-references between loop branches.

VIBE 3

Decrypt XOR key chains embedded in Zeus VM samples during malware analysis.

what's the stack?

PythonIDA Pro

how it stacks up fr

duntss/ida-zvm-disassembler920linjerry-stack/capital-studioadya84/ha-world-cup-2026
Stars161616
LanguagePythonPythonPython
Setup difficultymoderateeasyeasy
Complexity4/53/52/5
Audienceresearcherresearchergeneral

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · moderate time til it works · 30min

Requires an existing IDA Pro installation to copy the plugin files into.

in plain english

IDA-ZVM-Disassembler is a plugin for IDA Pro, a professional tool security researchers use to read and analyze compiled binary programs. When malware authors want to make their code harder to analyze, they sometimes build a custom virtual machine, a mini interpreter with its own made-up instruction set, and compile their malicious logic into that private bytecode instead of normal machine code. Zeus VM is one such custom virtual machine found in the wild, and its bytecode cannot be read by standard disassembly tools. This plugin teaches IDA Pro how to read Zeus VM bytecode. It adds both a loader (which recognizes .zvm files when you open them) and a processor module (which translates the raw bytes into readable assembly-style instructions). Once installed, you open a .zvm file and IDA automatically decodes the format and presents the disassembly. The plugin handles 69 instructions covering arithmetic, bitwise operations, memory access, control flow, RC4 (an encryption algorithm), and shuffle operations. It also transparently decrypts XOR key chains that would otherwise obscure the analysis, adds cross-references between loop branches so you can trace execution flow, and auto-generates comments explaining what each instruction does. Registers are shown with size suffixes (.b for byte.w for word) matching the architecture's conventions. Installation involves copying two Python files into the appropriate folders inside your IDA Pro installation. The plugin is ported from an existing Binary Ninja plugin by OALabs and is written in Python.

prompts (copy fr)

prompt 1
Explain how a custom virtual machine like Zeus VM makes malware harder to analyze.
prompt 2
Walk me through installing this plugin into my IDA Pro setup.
prompt 3
Summarize what the 69 supported instructions in this plugin cover.
prompt 4
Describe how this plugin decrypts XOR key chains during analysis.

Frequently asked questions

what is ida-zvm-disassembler fr?

An IDA Pro plugin that decodes Zeus VM malware bytecode into readable assembly-style instructions for security analysis.

What language is ida-zvm-disassembler written in?

Mainly Python. The stack also includes Python, IDA Pro.

How hard is ida-zvm-disassembler to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is ida-zvm-disassembler for?

Mainly researcher.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.