Leaderboard

(1) I never accused you of lying (2) I don't care about your "tools" My point is crystal clear: this site will continue to die if we allow such "solutions" (which are 9/10 just people using public tooling and therefore can't provide any novel contributions). Go ahead, feel free to discuss the "internals", which was arguably the bare minimum you should have provided in the original response to this challenge.

Wow, very helpful 🙄 Every "solution" on this site is the most Cleo like response ever. I swear in almost every challenge, someone throws the .exe into public tooling, uploads the output, and provides zero explanation -- likely with the hope that people view them in awe. In my opinion, such solutions should result in consequences for the poster. This site will continue to die if people continue with these dull answers. For those interested in tackling such protection schemes, I would recommend: (1) https://github.com/NaC-L/Mergen (2) https://github.com/Colton1skees/Dna (3) https://whereisr0da.github.io/blog/posts/2021-02-16-vmp-3 (4) https://secret.club/2021/09/08/vmprotect-llvm-lifting-1.html

This one is an interesting sample. Code is really small, so it was stolen completely, thus it's hard to tell app code from protector code. Functional code is quite simple, just MessageBoxA. And that's it, it does nothing more. After showing the message box it starts freeing memory that definitely isn't app code. But for the sake of completeness let's get to the bottom of this. We have 8 more code bytes. And we have 1 reloc pointing there, meaning ExitProcess should perfectly fit in. Unpacked file attached with code, import and relocs restored and sections cut. unpacked.exe

I also thought that was fornicationed up.

Interesting 🌝 this is reminded me to the old days, is it possible to create a tutorial video I don't see good unpacking tutorials theses days

Themida v3.1.4 (x32 & x64) - Impossible Two files are protected with an old version Themida (3.1.4) Entry Point is virtualized Just find and restore OEP, recover the IAT and unpack if it possible Virustotal detects it as a virus, but my AV software is not File Information Submitter fReestYler Submitted 05/10/2025 Category UnPackMe View File

No pressure; anyone can enjoy doing CTF challenges here. Old-day masters no longer exist

Sorry, I'm really short on time for tutorials. Besides it won't be much of use, as mostly custom tools are used. But I could try to answer some questions.

Though this one is quite old, I didn't see it solved, so decided to unpack winenum version. It's relatively easy compared to other protectors: a couple of OEP bytes stolen, light import redirection and that's it. Unpacked attached, OEP restored, import rebuilt, sections cut. unpacked.exe

Very exciting! Themida 3.x seems to be a difficult point. If we can't restore the virtualized code, unpacking will become meaningless. Virtualization may be a good protection method, but there is too little discussion on this aspect. Once again, kudos!

Could you please upload it again? Thank you.

DotFix NiceProtect x32 v7.1 A Delphi file is protected with an old version DotFix NiceProtect (7.1) Original Entry Point is encrypted Just find and restore OEP, recover the IAT and unpack it File Information Submitter fReestYler Submitted 10/06/2025 Category UnPackMe View File

This one is quite easy or easy protection options were chosen. Import isn't redirected. EP code is restored, sections are cut, resources rebuilt. Had to cut it in 2 parts. unpacked.part1.rar And part 2. unpacked.part2.rar

Could you share more technical details

Like I said, only my own tools were used and they have no external public code. I'm not expecting anything, I just posted the result. The only thing I hope is that I get corrected, if I'm wrong. If you have proof I used public tools and lied-you're free to show them. I can answer some questions about internals, if you're interested. But if you expect me to open source a couple of years work just because some random guy from the Internet suspected and accused me of something, not gonna happen, sorry.

<font style="vertical-align: inherit;"><font style="vertical-align: inherit;">version.dpr</font></font>

I don't know how to create exe with PyInstaller. Also I didn't finished my updates yet.

Use version.ASM to load your dll. compile with fasm.