Tuts 4 You

[unpackme]VMProtect 1.70.4


HSN.C3r


Hi all.

Protector option:

Level: Maximum protection

Virtual machine count: 1

Debugger detection: User mode + Kernel mode

Write a tutorial, if you unpacked it.

Good Luck :)

UnPackMe.rar

Edited by HSN.C3r

Good, it works ...

But the anti-debug is still in the file. When I open it in OllyDbg, it closes OllyDbg.

How did you open it in ollydbg?

Could you tell me about bypassing this antidebug ?

Edited by HSN.C3r

Nah no antidebug.. It's the export bug in olly.. quite lame..

Too long export crashes olly.. You can patch your olly for this or wipe exports.

q.


Generic Unpacker by deroko (GUD) of ARTeam did 90% of the work of unpacking this target.

1st run of GUD - nothing useful

2nd run - dump+import

3rd run (fixed: ebfe to stop GUD at string "Original EntryPoint at.....") - target stopped in first call

and [esp] = address for ret ---- it's enough for restoring the OEP

http://rapidshare.de/files/41144913/UnPacked.zip.html

Edited by av999

@ quosego

Many thanks for info.

@ LCF-AT

you can run this UnpackMe without problems in Olly if you patch the right places. So at the moment I don

  • 1 month later...

Sorry, but can you help me with how to fix the IAT?

My dumped file:

http://www.ziddu.com/download/3570325/gzbo...dumped.rar.html

vmp 1.7 iat repair

run the script at oep

vmp code base = va of .vmp0

Memory map, item 23
Address=0043C000
Size=00095000 (610304.)
Owner=gzbotPRO 00400000
Section=.vmp0
Contains=code
Type=Imag 01001002
Access=R
Initial access=RWE

vmp code end = va of .vmp1

Memory map, item 25
Address=004D2000
Size=000A8000 (688128.)
Owner=gzbotPRO 00400000
Section=.vmp1
Contains=code,exports
Type=Imag 01001002
Access=R
Initial access=RWE

So:

vmp code base = 0043C000
vmp code end = 004D2000

But I have a problem, how can I fix it....

Thanks
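Two things in this thread can be read straight out of the PE headers instead of out of Olly's memory map: the "vmp code base" / "vmp code end" values the IAT-repair script asks for (the VA of .vmp0 and of .vmp1 in the post above), and the "too long export" names that quosego says crash Olly on load. The following stdlib-only reader is an added example, not code from the thread, from GUD or from the IAT-repair script. The sample image it builds is constructed here to mirror the posted memory map (ImageBase 00400000, .vmp0 at 0043C000, .vmp1 at 004D2000, exports inside .vmp1); the export names, the "gzbotPRO.exe" DLL name and the `max_len=64` threshold are assumptions, since the thread gives no figure for what Olly considers too long.

```python
import struct


def parse_pe(data):
    """Return (image_base, data_directories, sections) for a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(num_dirs)]
    sections = []
    for i in range(num_sections):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return image_base, dirs, sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def vmp_code_range(data):
    """The two inputs the IAT-repair script asks for: VA of .vmp0 and VA of .vmp1."""
    image_base, _, sections = parse_pe(data)
    by_name = {s["name"]: s for s in sections}
    return image_base + by_name[".vmp0"]["va"], image_base + by_name[".vmp1"]["va"]


def export_names(data):
    """Names from the export table, in AddressOfNames order ([] if there is no export table)."""
    _, dirs, sections = parse_pe(data)
    exp_rva, _ = dirs[0]  # data directory 0 is the export table
    if exp_rva == 0:
        return []
    fields = struct.unpack_from("<IIHHIIIIIII", data, rva_to_offset(sections, exp_rva))
    n_names, names_rva = fields[7], fields[9]  # NumberOfNames, AddressOfNames
    names_off = rva_to_offset(sections, names_rva)
    names = []
    for i in range(n_names):
        p = rva_to_offset(sections, struct.unpack_from("<I", data, names_off + 4 * i)[0])
        names.append(data[p:data.index(b"\0", p)].decode("ascii", "replace"))
    return names


def long_exports(data, max_len=64):
    """Export names longer than max_len; the threshold is an assumption, not Olly's real limit."""
    return [n for n in export_names(data) if len(n) > max_len]


def build_sample_pe():
    """Constructed sample (not the thread's target): a minimal PE32 laid out like the posted
    memory map, with an export table inside .vmp1 holding one short and one 300-char name."""
    image_base, vmp0_va, vmp1_va = 0x400000, 0x3C000, 0xD2000
    vmp0_raw, vmp1_raw = 0x200, 0x400
    # export directory at the start of .vmp1, then the three tables, then the strings
    funcs_rva, names_rva, ords_rva = vmp1_va + 40, vmp1_va + 48, vmp1_va + 56
    strings, str_rvas = b"", []
    for s in ("gzbotPRO.exe", "Export1", "A" * 300):
        str_rvas.append(ords_rva + 4 + len(strings))
        strings += s.encode() + b"\0"
    export_blob = (struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rvas[0], 1, 2, 2,
                               funcs_rva, names_rva, ords_rva)
                   + struct.pack("<II", vmp1_va + 0x200, vmp1_va + 0x210)  # dummy function RVAs
                   + struct.pack("<II", str_rvas[1], str_rvas[2])
                   + struct.pack("<HH", 0, 1)
                   + strings)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, vmp1_va, len(export_blob))   # export data directory

    def section(name, va, vsize, raw_ptr, raw_size):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + coff + bytes(opt)
               + section(b".vmp0", vmp0_va, 0x95000, vmp0_raw, 0x200)
               + section(b".vmp1", vmp1_va, 0xA8000, vmp1_raw, 0x400))
    return headers.ljust(vmp0_raw, b"\0") + b"\0" * 0x200 + export_blob.ljust(0x400, b"\0")


if __name__ == "__main__":
    pe = build_sample_pe()
    base, end = vmp_code_range(pe)
    print("vmp code base = %08X\nvmp code end = %08X" % (base, end))
    for name in export_names(pe):
        print("export %-12s len=%d" % (name[:12], len(name)))
```

Run it on the constructed image and it prints the same 0043C000 / 004D2000 pair that the memory map gives, plus the two export names with their lengths; on a real dump, `open(path, "rb").read()` replaces `build_sample_pe()`, and a non-empty `long_exports()` result is the signal that the export table, not any anti-debug code, is what Olly is choking on.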


Hi,

so the script used * signs, so that's the reason for the error messages. Just change it to something else like this.

jne ****
to
jne sss

first****:
to
first:

je first****
to
je first

****:
to
sss:

greetz


I don't understand :(

this is the script:

jne ssss
first:
sti
find eip,#c2#,1
cmp $RESULT,0
je first
bphws eip, "x"
inc isfirst
jmp fix
ssss:

thanks

Edited by c0lo

Thanks, I'm a noob and understand.. :P

1) Dumped the file using GUD.

2) Opened the file in OllyDbg.

OEP

0040203A g>- E9 A5F50500 JMP gzbotPRO.004615E4

3) Ran ODbgScript and loaded "VMProtect_1.7_IAT_Repair" (fixed, thanks to LCF-AT for teaching me :( )

4) Entered the data info:

vmp code base = 0043C000
vmp code end = 004D2000

5) And ran the script....

6) And the script finished at

0043C25A 9C PUSHFD

7) Now???

Edited by c0lo

Hi,

the problem is that the script is not working 100% to fix all. I had also this problem on another app, so in this case you need to fix it by hand. Problem are some JMP

Hello guys, does anyone have a tutorial on how to unpack VMProtect translated to English???

@_ak47_ I only read tutorials in other languages... but in English not...

Thanks nooby, I am trying to learn more, and understand...

Edited by c0lo

  • 1 year later...

Hi all friends

I have a problem with this protector

when I run this app (VMP 1.7.40 unpackme) normally without Olly, it shows a "detect debugger" message:

---------------------------

A debugger has been found running in your system.

Please, unload it from memory and restart your program.

---------------------------

and I restarted my machine, but it shows that error message :(

and when running Olly with the required plugins, or using "OllyDbg - YPOGEiOS", this problem happened too. :help

thank you for attention


@ FarFar

Use StrongOD

-Hide PEB

-KernelMode

-Normal

Now close Olly.

Ollyxxxx.ini

DriverName=something else here

save.

This setting is enough for this UnpackMe. Close all debuggers and run the target normally with a mouse click. Now if it starts normally, then you can start your Olly and run this UnpackMe in your Olly. If you still get the detected message, then close your Olly and wait some seconds. Now start Olly again, load your UnpackMe and run. Try this now.

greetz


Dear LCF-AT, thank you very much for helping me

but whenever I run this app or some app packed by Themida or WinLicense, the debugger detect message is shown, and I can run that app normally. When I restart my system and never run any debugger, this problem happens.

I think my system has a virus or trojan, and that virus, to protect itself, patches the memory of one of the core files (kernel); it is just my thought. Is it possible?

thank you for attention

Best Regards for all friends


Hi FarFar,

so if you still get detected, then be sure that you have nothing else running which can detect. Do you know my system setup movie? Watch my VMP tutorial, there you can see how to set up your Olly and how to remove some unknown hooks.

Info: For hiding you can use just StrongOD, and with the phantOm plugin just enable the protect DRx option!

Try again and tell your result.

greetz
