Jump to content
Tuts 4 You

[unpackme]VMProtect 1.70.4


HSN.C3r

Recommended Posts

Hi all.

Protector option:

Level: Maximum protection

Virtual machine count: 1

Debugger detection: User mode + Kernel mode

Write a tutorial ,If you unpacked it.

Good Luck :)

UnPackMe.rar

Edited by HSN.C3r
Link to comment

Good, It works ...

But the anti-debug is still in the file.When I open it in ollydbg ,It closes ollydbg.

How did you open it in ollydbg?

Could you tell me about bypassing this antidebug ?

Edited by HSN.C3r
Link to comment

Nah no antidebug.. It's the export bug in olly.. quite lame..

Too long export crashes olly.. You can patch you olly for this or wipe exports.

q.

Link to comment

Generic Unpacker by deroko (GUD) of ARTeam made 90% for unpacking this target.

1-st run of GUD - nothing useful

2-nd run - dump+import

3-th run (fixed: ebfe to stop GUD at string "Original EntryPoint at.....") - target stopped in first call

and [esp]=adress for ret ---- it's enough for restoring oep

http://rapidshare.de/files/41144913/UnPacked.zip.html

Edited by av999
Link to comment
  • 1 month later...

Sorry, but can help me, in how fix IAT

screenshot002qq9.png

Me dumped file:

http://www.ziddu.com/download/3570325/gzbo...dumped.rar.html

vmp 1.7 iat repair

run the script at oep

vmp code base = va of .vmp0

Memory map, item 23

Address=0043C000

Size=00095000 (610304.)

Owner=gzbotPRO 00400000

Section=.vmp0

Contains=code

Type=Imag 01001002

Access=R

Initial access=RWE

vmp code end = va of .vmp1

Memory map, item 25

Address=004D2000

Size=000A8000 (688128.)

Owner=gzbotPRO 00400000

Section=.vmp1

Contains=code,exports

Type=Imag 01001002

Access=R

Initial access=RWE

So:

vmp code base = 0043C000

vmp code end = 004D2000

But I have problem, how can fix problem....

screenshot001or3.png

Thanks

Link to comment

Hi,

so the script used * signs so thats the reason for the error messages.Just change it to some else like this.

jne ****  
to
jne sssfirst****:
to
first:je first****
to
je first****:
to
sss:

greetz

Link to comment

i don't understand :(

this is script:

jne ssss

first:

sti

find eip,#c2#,1

cmp $RESULT,0

je first

bphws eip, "x"

inc isfirst

jmp fix

ssss:

thanks

Edited by c0lo
Link to comment

Thanks, I'm noob and understand .. :P

1) Dumped file, using GUD.

2) Open File Ollydbg

OEP

0040203A g>- E9 A5F50500 JMP gzbotPRO.004615E4

3) Run OdbgScript and load "VMProtect_1.7_IAT_Repair" Fix thanks to LCF-AT learn me :(

4) Enter Data Info:

screenshot003jc3.png

vmp code base = 0043C000

vmp code end = 004D2000

5) And Run Script....

6) And script finish in

screenshot004gs4.png

0043C25A 9C PUSHFD

7) Now???

Edited by c0lo
Link to comment

Hi,

the problem is that the script is not working 100% to fix all.I had also this problem on a other app so in this case you need to fix it by hand.Problem are some JMP

Link to comment
hello guys anyone have a tutorial how unpack VmProtec translated to english???

@_ak47_ Me onlyread tutorial in other language... buy in english not...

Thanks nooby, I am try learn more, and understand...

Edited by c0lo
  • Like 1
Link to comment
  • 1 year later...

hi all friend

I have a problem with this Portector

when I run this app (VMP 1.7.40 unpack me) normally without Olly Shown message "detect debugger" :

---------------------------

A debugger has been found running in your system.

Please, unload it from memory and restart your program.

---------------------------

and I re-start my machine but show that error message:(

and when running olly and with Requirement Plug-in or used "OllyDbg - YPOGEiOS " but this problem happened.:help

thank you for attention

Link to comment

@ FarFar

Use StrongOD

-Hide PEB

-KernelMode

-Normal

Now close Olly.

Olllyxxxx.ini

DriverName=something else here

save.

This setting is enough for this UnpackMe.Close all debugger and run the target normaly with a mousclick.Now if it starts normaly then you can start your Olly and run this UnpackMe in your Olly.If you get still the detected message then close your Olly and wait some seconds.Now start Olly again and load your UnpackMe and run.Try this now.

greetz

Link to comment

dear LCF-AT thank you very much for help me worthy.gif

but whenever I run this app or some app packed by thMida or Winlicence , shown debugger detect message kick.gif , i can run that normally thats app. when I re-start my system and never run any debugger happened this problem.

I think my sys have a virus or trojan and that virus for protect himself patch memory one of core file (kernel) , it is just my mind . is it possible ?

thank you for attention

Best Regards for all friends

Link to comment

Hi FarFar,

so if you still get detected then be sure that you nothing else has running which can detect.Do you know my system setup movie?Watch my VMP tutorial there you can see how to setup your Olly and how to remove some unknown hooks.

Info: For hiding you can use just StrongOD and with the phantOm plugin let just enable the protect DRx option!

Try again and tell your result.

greetz

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...