Leaderboard

This is a very bad thing to add! Grabbing this personal information from a user without mentioning that is a terrible act to do !! Now you have ip @ of @CodeExplorer did you ask him if he agreed to that or not?? No! So that's why everyone must run any garbage from the internet on an isolated machine!

Here is unpacked folder, all tools included. https://limewire.com/d/PWsfv#C32mVemS40 https://fileroy.com/2WVGr1E9zkx7/file https://zippyshare.day/YPGm89uDHMSpeoC/file Final unpacked exe is called drr_msil_Slayed2cleaned_.exe

If you don’t care about “random forum users”, then don’t publish things publicly. You posted it here on purpose, so a public post means public criticism. You don’t get to choose who is allowed to comment... The website example is bullshit. A website logging IPs during an HTTP request is not the same as an executable secretly making outbound connections. The protocol forces one; the other is a decision you coded yourself. Acting like they’re the same is dishonest. Running a program does not mean permission for hidden network activity.

#include <stdint.h> #include <string.h> #include <stdio.h> #ifndef _WIN32 #define __stdcall #endif int __stdcall ted(uint8_t* input_buf, uint8_t* output_buf, uint8_t arg_8) { uint8_t permuted_input[10]; permuted_input[0] = input_buf[6]; // var_10 permuted_input[1] = input_buf[9]; // var_F permuted_input[2] = input_buf[1]; // var_E permuted_input[3] = input_buf[4]; // var_D permuted_input[4] = input_buf[8]; // var_C permuted_input[5] = input_buf[3]; // var_B permuted_input[6] = input_buf[7]; // var_A permuted_input[7] = input_buf[0]; // var_9 permuted_input[8] = input_buf[5]; // var_8 permuted_input[9] = input_buf[2]; // var_7 uint8_t var_24[4] = {0, 0, 0, 0}; uint8_t key_string[] = { 0x6F, 0x6D, 0x65, 0x64, 0x4F, 0x4D, 0x45, 0x44, 0x45, 0x44, 0x4F, 0x4D }; uint8_t var_1D = 0xEA; for (int i = 0; i < 10; i++) { uint8_t val = permuted_input[i]; uint16_t product1 = (i + 1) * val; uint8_t p1_low = (uint8_t)product1; var_24[0] += p1_low; var_24[1] -= p1_low; uint16_t product2 = (i + 0x38) * val; var_24[2] += (uint8_t)product2; } uint8_t al = var_24[0] * permuted_input[0]; uint8_t bl = var_24[1] ^ al; var_24[2] = ((bl + 1) ^ var_24[2]) & 3; uint8_t current_dl = var_1D; for (int i = 0; i < 12; i++) { uint8_t key_char = key_string[i]; - // The original assembly does: mov al, [ebp + key_char + var_10] // This reads outside the 'permuted_input' array. uint8_t magic_byte = *( (&permuted_input[0]) + key_char ); uint8_t calculated = magic_byte ^ current_dl; uint8_t add_val = (uint8_t)(i * 5); calculated += add_val; output_buf[i] = calculated; current_dl = calculated + 0x22; } uint8_t final_byte = ((arg_8 * 4) & 0x0C) | var_24[2]; output_buf[12] = final_byte; return 1; } int main() { uint8_t input[] = {0,1,2,3,4,5,6,7,8,9}; uint8_t output[13]; ted(input, output, 0x10); return 0; }

Better late than never, my writeups are finally live: https://washi1337.github.io/ctf-writeups/writeups/flare-on/2025/

NETReactorSlayer-6.4.0.0_Fixed9.rar: https://workupload.com/file/9FgKGVGdEEY I completely restored NETReactorSlayer-6.4.0.0\NETReactorSlayer.Core\Helper\EncryptedResource.cs and just add trial Decrypter_v5. I've added ControlFlowReactor.cs for the new control flow and I've changed MethodDecrypter.cs to call it from "public void Run(IContext context)" in each Module.cctor method called.

That’s a weak excuse. “Reverse engineering forum” is not a reason to steal personal data. Running unknown binaries in a VM is indeed a good practice, not a license for you to silently collect IPs or any identifying info without disclosure. The problem isn’t whether it’s legal, it’s that you did not inform the user, If your app contacts a license server and logs IPs that must be stated explicitly ! Saying “it only collects minimal data” after the fact doesn’t change anything. Consent is obtained before, not justified after and “statistics” doesn’t magically make undisclosed data collection acceptable. Reverse engineering is about analyzing protections and behavior not normalizing shady practices and then hiding behind assumptions.

Uploaded :)

I've just fixed NETReactorSlayer to work with this protection: NETReactorSlayer-6.4.0.0_Fixed1: https://workupload.com/file/EU2AEkDCjSz Please test it and let me know;

https://limewire.com/d/ms51G#Mpzupr348q https://fileroy.com/M2BGwO2XGj40/file https://zippyshare.day/EbxBhxDZZZbrlIH/file

VMPLicenseProtector This is a recently developed recreational utility. I'm unsure which forum section is appropriate, so moderators please feel free to move it if necessary. The tool implements a combined The Enigma and VMProtect protection scheme and is designed for applying VMProtect to Win32/Win64 executables and DLLs without requiring source code. It is not compatible with .NET assemblies. The interface supports Chinese/English language switching. To function, VMProtect_Con.exe must be placed in the tool's directory. Note that the tool itself is incompatible with Windows 7 and requires the DirectX 11 runtime to be installed. Software protected with it remains compatible with Windows XP/7/10. Trial Version Limitations: Only the anti-hijacking feature is enabled. All other functions are disabled. Uses a fixed RSA key. Please do not use it to protect commercial software. While some features are disabled, the tool may be sufficient for users with modest needs if patched. The trial license expires after one month, but functionality can be extended through patching. Archive Password: View by double-clicking the RAR file in WinRAR (check comment) or use: tuts4you. File Information Submitter lengyue Submitted 12/26/2025 Category CrackMe View File

var_2C= dword ptr -2Ch var_25= byte ptr -25h var_24= dword ptr -24h var_1E= byte ptr -1Eh var_1D= byte ptr -1Dh var_1C= dword ptr -1Ch var_18= dword ptr -18h var_14= dword ptr -14h var_10= byte ptr -10h var_F= byte ptr -0Fh var_E= byte ptr -0Eh var_D= byte ptr -0Dh var_C= byte ptr -0Ch var_B= byte ptr -0Bh var_A= byte ptr -0Ah var_9= byte ptr -9 var_8= byte ptr -8 var_7= byte ptr -7 var_6= byte ptr -6 var_5= byte ptr -5 arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= byte ptr 10h push ebp mov ebp, esp sub esp, 2Ch push ebx push esi push edi mov eax, [ebp+arg_0] movzx ecx, byte ptr [eax] movzx edx, byte ptr [eax+1] mov [ebp+var_9], cl movzx ecx, byte ptr [eax+2] mov [ebp+var_E], dl movzx edx, byte ptr [eax+3] mov [ebp+var_7], cl movzx ecx, byte ptr [eax+4] mov [ebp+var_B], dl movzx edx, byte ptr [eax+5] mov [ebp+var_D], cl movzx ecx, byte ptr [eax+6] mov [ebp+var_8], dl movzx edx, byte ptr [eax+7] mov [ebp+var_10], cl movzx ecx, byte ptr [eax+8] mov [ebp+var_A], dl movzx edx, byte ptr [eax+9] mov al, [ebp+arg_8] mov esi, [ebp+arg_4] add al, al add al, al mov [ebp+var_2C], esi mov [ebp+var_C], cl mov [ebp+var_F], dl mov [ebp+var_25], al mov [ebp+var_1C], 64656D6Fh mov [ebp+var_18], 44454D4Fh mov [ebp+var_14], 4D4F4445h mov [ebp+var_1D], 0EAh mov eax, 0 mov [ebp+var_24], eax xor ecx, ecx lea ecx, [ecx+0] loc_4011D0: mov dl, [ebp+ecx+var_10] mov bl, byte ptr [ebp+var_24+1] lea eax, [ecx+1] imul dl add byte ptr [ebp+var_24], al sub bl, al mov [ebp+var_1E], al lea eax, [ecx+38h] imul dl add byte ptr [ebp+var_24+2], al inc ecx mov byte ptr [ebp+var_24+1], bl cmp ecx, 0Ah jl short loc_4011D0 mov al, byte ptr [ebp+var_24] imul [ebp+var_10] mov dl, [ebp+var_1D] xor bl, al lea edi, [ebp+var_1C] mov [ebp+var_6], al mov [ebp+var_5], bl lea ecx, [ebx+1] xor cl, byte ptr [ebp+var_24+2] and cl, 3 mov byte ptr [ebp+var_24+2], cl xor ecx, ecx sub edi, esi jmp short loc_401223 jmp short loc_401220 align 10h loc_401220: mov esi, [ebp+var_2C] loc_401223: add esi, ecx movzx eax, byte ptr [edi+esi] mov al, [ebp+eax+var_10] xor al, dl mov dl, cl add dl, dl add dl, dl lea ebx, [edx+ecx] add al, bl inc ecx mov [esi], al lea edx, [eax+22h] cmp ecx, 0Ch jl short loc_401220 mov al, [ebp+var_25] mov ecx, [ebp+var_2C] and al, 0Ch or al, byte ptr [ebp+var_24+2] pop edi mov [ecx+0Ch], al pop esi xor ecx, ebp mov eax, 1 pop ebx mov esp, ebp pop ebp retnHi, is it possible this function to be reversed? The function has 2 parameters - (uint8_t* source, uint8_t* output). Would like to convert it to get the source from the output. Thanks in advance.

@boot please can you again sign your titanhide driver (the certificate is revoked) or if possible can you share the method to load latest vmp in xdbg without titanhide? Thanks in Adv!

@0X7C9 pls can u upload https://tut4u.com/hexorcist-reverse-engineering-course/ in your webdav server

Unpackers tools - source code C# My source code: https://gitlab.com/CodeCracker https://github.com/CodeCrackerSND https://bitbucket.org/CodeCrackerSND/ I will NOT share (anymore) the rest of my tools!

ty

import hashlib def generate_key(input_string): input_string = input_string.upper() salted_string = input_string + ':K3yS@lt2025' md5_hash = hashlib.md5(salted_string.encode()).hexdigest().upper() md5_hash = md5_hash[:16] formatted_hash = '-'.join([md5_hash[i:i+4] for i in range(0, len(md5_hash), 4)]) return formatted_hash input_string = input("Enter your string: ") key = generate_key(input_string) print("Generated serial:", key)

you really want then open a new challenge of unpack me. Will try to do it. Like a proper way.

Ok will prove it what will i get?

its not trial , its dng hvm enterprise 4.94 [ it can be run for 3 days ] , unpack it here x86 and x64 bit , Unpackme_64bit_3_days_time.zip UnpackMe_3_Days.zip

i am not asking about how did u dump jit code , saying about , can u little bit brief about => how did you Load assembly and RunModuleConstructor or load assembly from different Domain, this part => var asm = Assembly.LoadFrom(Filename); RuntimeHelpers.RunModuleConstructor(asm .ManifestModule.ModuleHandle);

@CodeExplorer Hello master, I followed your instructions for the new version of this application, but the code doesn't fully open and the executable still doesn't work. Could you please review it again? Your knowledge regarding this version of Reactor is very valuable to me. https://gofile.io/d/c1jG6d

<font dir="auto" style="vertical-align: inherit;"><font dir="auto" style="vertical-align: inherit;">SEKeygen.rar</font></font>HWID hash: 83A5249484F096DB700F771CF0A5F51B Decoded value 8A357B71C2ECFA5F7FC3275B5DBF9F61D4F98CA089470FCF390DFC0BC125917C92D667ACA678A0D485F7566FBBA52233 Reg SOFTWARE\Classes\Interface\{19335D77-1E2D-1337-146B-19F5CABF57A8} KeySize: 1024 E: 65537 CPU MAC BIOS HDD HWID

Very nice crackme Salin! Noticed couple of things and gave it a try,its using a recrusive function that looked like Fbonacci but with a twist - when n equals 8 it returns the first character of my input XORed with 0x78 instead of the normal Fibonacci value. Code computes fib(14) and compares it against specific values in a switch statement. I knew standard fib(14) is 377 which equals 0x179. Working backwards since fib(8) gets replaced with char[0] ^ 0x78 , i needed to figure out what value makes the sequance land on 377. Turns out fib(8) needs to be 21 for this to work. So char[0] ^ 0x78 = 21 which means char[0] = 21 ^ 0x78 = 0x6D = 'm' There's a loop that validates characters 3 through 9 using a table at byte_411BFC. The validation formula : fib(i+8) - fib(i+6) == byte_411BFC[i] ^ char[3+i] Just rearranged it to solve for each character and u get : a, m, b, i, q, u, e. Now characters 1 and 2 were trickier. Character 1 determines a value dl through another Fibonacci call and character 2 gets XORed with that. There's a secondary check involving fib(17) that needs to equal 1597. After some trial and error found that char[1] = 'o' gives the right Fibonacci value, and char[2] = 'z' satisfies the XOR constraint. And if we finally put it all together we get a valid serial for this amazing crackme which is : mozambique I ran it through checksum calculation and got 0x12D4. Some code where it compares : 0040134B | 893D 20434100 | mov dword ptr ds:[414320],edi | 00401351 | 81FF D4120000 | cmp edi,12D4 |

The Enigma Protector x64 v7.4 (HWID Lock) Two simple Win x64 GUI applications protected using Enigma x64 v7.4. Challenge is to; bypass the hardware ID lock; unpack the application. Let us go together to solve this issue. File Information Submitter lovejoy226 Submitted 06/17/2024 Category UnPackMe View File

Here compiled unlicense with codeexplorer's fixes: unlicense compiled With pyton 3.09 and 3.11 versions.

I wanted to devirtualize it manually so I made a disassembler for it using the new yara-x to locate the handlers and the bytecode. Probably going to turn it into a full devirtualizer from binaryshield bytecode straight to x86_64. I saw these values(the one in the cmp comment) put them as input since it was valid I didn't go further. You can find my work at https://github.com/xlatbx59/Bshld, the file with the disassembly is at https://github.com/xlatbx59/Bshld/blob/master/binshield.txt. It was fun to reverse

I commented out that portion of code because transparency works correctly, but if you look closely, it generates artifacts, especially when selecting text. However, I solved the problem just last night by looking at some templates on the forum in asm x86 and making the appropriate changes. Below, I show all the updated code. In attachment you will find image resource and the exe file. #include <windows.h> #include <wingdi.h> #include "ufmod.h" #include "resource.h" #include "song.h" #pragma comment(lib, "Msimg32.lib") #pragma comment(lib, "ufmod.lib") #pragma comment(lib, "winmm.lib") HINSTANCE hInst; HBITMAP hBackground = NULL; HBRUSH hBrushBackground = NULL; HBRUSH hBrush; COLORREF transparentColor = RGB(255, 0, 255); // Magenta color key // Bitmap per il pulsante di chiusura HBITMAP hBtnCloseNormal = NULL; HBITMAP hBtnCloseHover = NULL; // Procedura finestra del dialogo INT_PTR CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) { switch (uMsg) { case WM_INITDIALOG: { HICON hIcon = LoadIcon(hInst, MAKEINTRESOURCE(IDI_ICON1)); SendMessage(hwndDlg, WM_SETICON, ICON_BIG, (LPARAM)hIcon); SetWindowText(hwndDlg, L"Keygen Template by jNe"); // Imposta il testo predefinito SetDlgItemText(hwndDlg, EDIT_username, L"Enter Username"); // play chip-tune <3 uFMOD_SetVolume(20); uFMOD_PlaySong(songData, (void*)sizeof(songData), XM_MEMORY); // BMP in background hBackground = LoadBitmap(GetModuleHandle(NULL), MAKEINTRESOURCE(BMP_form)); hBrush = CreatePatternBrush(hBackground); // set magenta color key SetLayeredWindowAttributes(hwndDlg, transparentColor, 0, LWA_COLORKEY); // --- FINE --- // BMP close hBtnCloseNormal = LoadBitmap(GetModuleHandle(NULL), MAKEINTRESOURCE(BMP_close)); hBtnCloseHover = LoadBitmap(GetModuleHandle(NULL), MAKEINTRESOURCE(BMP_close_hover)); if (hBtnCloseNormal) { HWND hBtnClose = GetDlgItem(hwndDlg, BTN_CLOSE); if (hBtnClose) { BITMAP bm; GetObject(hBtnCloseNormal, sizeof(bm), &bm); SetWindowPos(hBtnClose, NULL, 0, 0, bm.bmWidth, bm.bmHeight, SWP_NOMOVE | SWP_NOZORDER); } } } return TRUE; case WM_ERASEBKGND: return TRUE; case WM_PAINT: { PAINTSTRUCT ps; HDC hdc = BeginPaint(hwndDlg, &ps); if (hBackground) { HDC hdcMem = CreateCompatibleDC(hdc); HBITMAP hOldBmp = (HBITMAP)SelectObject(hdcMem, hBackground); BITMAP bm; GetObject(hBackground, sizeof(bm), &bm); BitBlt(hdc, 0, 0, bm.bmWidth, bm.bmHeight, hdcMem, 0, 0, SRCCOPY); SelectObject(hdcMem, hOldBmp); DeleteDC(hdcMem); } EndPaint(hwndDlg, &ps); } return TRUE; case WM_DRAWITEM: { LPDRAWITEMSTRUCT lpdis = (LPDRAWITEMSTRUCT)lParam; if (lpdis->CtlID == BTN_CLOSE) { HDC hdcMem = CreateCompatibleDC(lpdis->hDC); HBITMAP hBmpToUse; if (lpdis->itemState & ODS_SELECTED) { hBmpToUse = hBtnCloseHover; // HOVER } else { hBmpToUse = hBtnCloseNormal; // NORMAL } if (hBmpToUse) { HBITMAP hOldBmp = (HBITMAP)SelectObject(hdcMem, hBmpToUse); BitBlt(lpdis->hDC, lpdis->rcItem.left, lpdis->rcItem.top, lpdis->rcItem.right - lpdis->rcItem.left, lpdis->rcItem.bottom - lpdis->rcItem.top, hdcMem, 0, 0, SRCCOPY); SelectObject(hdcMem, hOldBmp); } DeleteDC(hdcMem); } } return TRUE; case WM_CTLCOLORDLG: return (INT_PTR)hBrush; case WM_CTLCOLOREDIT: case WM_CTLCOLORSTATIC: { HDC hdcEdit = (HDC)wParam; int controlId = GetDlgCtrlID((HWND)lParam); if (controlId == ABOUT) { SetBkMode(hdcEdit, TRANSPARENT); SetTextColor(hdcEdit, RGB(255, 255, 255)); SetBkColor(hdcEdit, 0x00000000); SetBrushOrgEx(hdcEdit, -23, -88, NULL); return (INT_PTR)hBrush; } if (controlId == EDIT_username) { SetBkMode(hdcEdit, TRANSPARENT); SetTextColor(hdcEdit, RGB(255, 255, 255)); SetBkColor(hdcEdit, 0x00000000); SetBrushOrgEx(hdcEdit, -23, -88, NULL); return (INT_PTR)hBrush; } if (controlId == EDIT_serial) { SetBkMode(hdcEdit, TRANSPARENT); SetTextColor(hdcEdit, RGB(255, 255, 255)); SetBkColor(hdcEdit, 0x00000000); SetBrushOrgEx(hdcEdit, -23, -151, NULL); return (INT_PTR)hBrush; } break; } case WM_LBUTTONDOWN: SendMessage(hwndDlg, WM_NCLBUTTONDOWN, HTCAPTION, 0); return TRUE; case WM_COMMAND: switch (LOWORD(wParam)) { case EDIT_username: { if (HIWORD(wParam) == EN_CHANGE) { char username[256]; GetDlgItemTextA(hwndDlg, EDIT_username, username, 256); SetDlgItemTextA(hwndDlg, EDIT_serial, "OMFG-THIS-IS-A-DEMO"); } break; } case BTN_CLOSE: SendMessage(hwndDlg, WM_CLOSE, 0, 0); return TRUE; } break; case WM_CLOSE: uFMOD_StopSong(); if (hBrush) DeleteObject(hBrush); if (hBackground) DeleteObject(hBackground); if (hBtnCloseNormal) DeleteObject(hBtnCloseNormal); if (hBtnCloseHover) DeleteObject(hBtnCloseHover); EndDialog(hwndDlg, 0); return FALSE; } return FALSE; } // Entry point int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { hInst = hInstance; DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG1), NULL, DialogProc); return 0; } keygen template - fix.zip

Hi @LCF-AT , DriverMonitor is an old tool that has been released for over 20 years. I am accustomed to using this app to load some Windows drivers. For learning and testing purposes, I used some leaked certificates to sign this driver. Now I will upload the signed driver here. I have set up a callback function (ProcessNotifyExRoutine_call_back) in the driver to filter specific process names in order to prevent their loading. Therefore, before uninstalling the driver, the target process cannot be started. This simple APP can kill some driver-protected antivirus software or system-level processes. For example, antivirus software such as Kaspersky and Symantec. If you terminate the system processes (e.g. winlogon.exe and dwm.exe), it will result in a BSOD. bin_v0.002.zip(Requires: 64-bit OS & >= Windows 7) DriverMonitor_EN.rar Video_2025-09-14_161309.mp4 (4.69 MB)

@everyone Can you please write step by step guide tutorials if you solve these kind of problems, so other people get helped by your efforts. No meaning jobs, just showing off. But this is not obligation. your choice for helping others learn. Regards. sean.

Here are the steps to get a completely modified version of x64dbg. Go to https://github.com/x64dbg/x64dbg Press this button in the top-right corner of your screen: You can then change the code to your liking (e.g., to bypass the anti-debug problem).

@guily6669 Have you installed the keyboard driver of your windows's? Regards. sean.

cracked.mkv Cracked.mp4

@StarrySky How to do it? Regards. sean.

Regards. sean.

@boot Does your method work also to this? Your picture above is different from mine even though the RVA is same as yours. hashgen.vmp.hwid.lock.zip Regards. sean.

@boot Fantastic!!! How did you do it? Can you reveal your method? Regards. sean.

Hello, everyone. Try to do this bypass and runme challenge. If you do it successfully, post the screenshot please. VMProtect MY PC HWID LOCKED hashgen.vmp.zip Regards. sean.

hi, i am new to devirtualization topic and this challenge was very good for beginners and me. first, my goal was not just obtain the keys but devirtualize whole function automatically and recompile back to be able to patch it. i lifted handlers to LLVM IR and recompiled in a new binary to analyze it this is my final output i know its a little difficult to read, but at least you can see the correct keys clearly if you look at if statements. sadly, code crashes at runtime, i dont know why. it will probably take really long time to identify the problem. i dont think i will do that. maybe i might try VTIL instead of LLVM. i would like to see others approaches on fully devirtualizing this vm. great challange again.

@fearless Many thanks. I've forgotten the way to use "masm32" assembler. Regards. sean.

Are there anyone who are able to build assembly dll source codes in the SRC folder? I have errors when assembling them. Many thanks in advance. Regards. sean.

@CodeExplorer Can it be feasible to unpack this target with your method? Regards. sean.

@CreateAndInject The same nationalities that you and he is. Oh, coincidence. Thank you @CreateAndInject for notifying the forum of it and him. Regards. sean.

Hello, everyone. Is this enigma x64 one still able to be bypassed? Waiting for your replies as soon as possible. Many thanks in advance. Regards. sean.

In x64 bit OS, the icesword doesn't run. Regards. sean.

I have tried to add Etw Hook's source code to the source code of TitanHide.sys, but it was not effective and I am not considering it for now. I will release newly compiled plugins and drivers, using methods to bypass signatures. They will not need to disable signatures and can be loaded in normal mode.

Refer to this thread. Regards. sean.

Let's forget about the packing, is not saying anything nowadays the important protection is the virtualization. And well having devirtualized both of the top protectors themida and vmprotect for me personally it took longer to devirtualize vmp than themida (basic vms). Themida is harder to get the semantics for each handler which in vmp is easy peasy. But on the other side to "restore" the original code I found it much harder with vmp than with themida as the code is transformed to a stack based virtual machine. In Themida (at least the basic ones which I analyzed) the conversion from handler to original code is almost 1:1. In VMP you will have to make your own "compiler" / optimization passes to get something close to the original code. Ofc not always the goal is to restore the original code, but to understand it little bit and change some inner jcc inside for example in that case vmp debugging is simpler than a black oreans vm. If you care about security and not so much about performance I would go more with a double-layered vm from Oreans and with the black variant (EAGLE, SHARK and PUMA). The complexity of those virtual machines plus the obfuscation of black overcomes the complexity of VMProtect single vm. Also there are lots of public documention for vmp meanwhile for new themida vms not so much. Ofc you can always go with a not so well know protector like Obsidium / Enigma. All of the above is supposing you want to protect some native code, if you want to protect some .NET program then forget all of the above and go for some modded Confuser / NETReactor or something similar. Just my 2cents.

From context menu choose CreateBackup then "Make Snapshot" and run program then to see differences choose "Compare Snapshot". Before make new snaphot choose "Clear Snapshot" for cleaning changes that plugin made. For bigger targets and with many changes can be plugin laggy. CreateBackup.dp64

Press the reset button on your PC. XOR EDX,EDX SYSENTER 4 Bytes only and bye bye. greetz