Analysis updated 2026-05-18
Open a .zvm bytecode file in IDA Pro and have it automatically decoded into readable instructions.
Trace malware control flow using the plugin's auto-generated cross-references between loop branches.
Decrypt XOR key chains embedded in Zeus VM samples during malware analysis.
| duntss/ida-zvm-disassembler | adya84/ha-world-cup-2026 | afk-surf/safeclipper | |
|---|---|---|---|
| Stars | 16 | 16 | 16 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | easy | moderate |
| Complexity | 4/5 | 2/5 | 3/5 |
| Audience | researcher | general | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires an existing IDA Pro installation to copy the plugin files into.
IDA-ZVM-Disassembler is a plugin for IDA Pro, a professional tool security researchers use to read and analyze compiled binary programs. When malware authors want to make their code harder to analyze, they sometimes build a custom virtual machine, a mini interpreter with its own made-up instruction set, and compile their malicious logic into that private bytecode instead of normal machine code. Zeus VM is one such custom virtual machine found in the wild, and its bytecode cannot be read by standard disassembly tools. This plugin teaches IDA Pro how to read Zeus VM bytecode. It adds both a loader (which recognizes .zvm files when you open them) and a processor module (which translates the raw bytes into readable assembly-style instructions). Once installed, you open a .zvm file and IDA automatically decodes the format and presents the disassembly. The plugin handles 69 instructions covering arithmetic, bitwise operations, memory access, control flow, RC4 (an encryption algorithm), and shuffle operations. It also transparently decrypts XOR key chains that would otherwise obscure the analysis, adds cross-references between loop branches so you can trace execution flow, and auto-generates comments explaining what each instruction does. Registers are shown with size suffixes (.b for byte.w for word) matching the architecture's conventions. Installation involves copying two Python files into the appropriate folders inside your IDA Pro installation. The plugin is ported from an existing Binary Ninja plugin by OALabs and is written in Python.
An IDA Pro plugin that decodes Zeus VM malware bytecode into readable assembly-style instructions for security analysis.
Mainly Python. The stack also includes Python, IDA Pro.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.