Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[unpackme] VMProtect

xuhw
xuhw
in UnPackMe

Featured Replies

Hello xuhw,

there are not much to explain.There is also no redirection.

Just set BP on GetModuleHandleA and trace over ret 4 and now you can rebuild the OEP bytes.

PUSH EBP
MOV EBP,ESP
ADD ESP,-10
MOV EAX,4B66A4 // <--Look EBX
CALL 00406E80
JMP 005348D4

Set BP on ret and run.

00406E80   PUSH EBX  // <-- Call 00406E80
00406E81   MOV EBX,EAX
00406E83   XOR EAX,EAX
00406E85   MOV DWORD PTR DS:[4B70C4],EAX
00406E8A   PUSH 0
00406E8C   CALL 00406DBC  //  GMHA
00406E91   MOV DWORD PTR DS:[4BB668],EAX  // <--EBX holds value of EAX before.Here you are.
00406E96   MOV EAX,DWORD PTR DS:[4BB668]
00406E9B   MOV DWORD PTR DS:[4B70D0],EAX
00406EA0   XOR EAX,EAX
00406EA2   MOV DWORD PTR DS:[4B70D4],EAX
00406EA7   XOR EAX,EAX
00406EA9   MOV DWORD PTR DS:[4B70D8],EAX
00406EAE   CALL 00406E74
00406EB3   MOV EDX,4B70CC
00406EB8   MOV EAX,EBX
00406EBA   CALL 004049D4
00406EBF   POP EBX
00406EC0   RETN <------ here

Trace over and now you have the back jump address for the JMP above to rebuild your OEP.

Thats all here.

greetz

  • Author

Thanks "LCF-AT "!

But I do not quite understand.Please Your file give me ,I Contrast about it to learn!

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

  • Author

"LCF-AT ",I used your methods, the success of UnPack file.

Another,this is VMProtectV1.70.4 for "VB".

  • Author

Another,this is VMProtectV1.70.4 for "VB".

vmp_1.704.rar

Hi,

the same here.No redirection.Just break on "ThunRTMain" and rebuild....

004011A9   PUSH 4012C0			   ; VB5!
004011AE   CALL 00401122			 ; JMP to MSVBVM60.ThunRTMain

Thats all.

greetz

  • Author

Good "LCF-AT "!

Another ,This is a "DELPHI 7.0" file by vmprotcet 1.704.Continue...

DEMO.vmp1.704.rar

Hi,

it

Unpacked

Dumped

Dumped.rar

0012FFBC 00401132 返回到 vmp_1_70.00401132 来自 vmp_1_70.00405919

0012FFC0 004012C0 vmp_1_70.004012C0

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.