From securityonline.info
VMProtect injects stubs for every import call or jmp. These stubs resolve the ‘obfuscated’ thunk in the .vmpX section and add a fixed constant to ‘deobfuscate’ it. The calls or jumps themselves are then dispatched with a ret instruction.
VMPDump scans all executable sections for these stubs and lifts them to VTIL using the VTIL x64 lifter. The analysis is then performed on these stubs, in order to determine what kind of call must be replaced and what bytes must be overwritten.