Tuts 4 You

[unpackme] UnpackMe VMP Ultimate v2.13.5


Kido


This is a simple UnpackMe using VMProtect Ultimate v2.13.5.

I also used VMP's licensing system in this UnpackMe, and locked one function with a key.

I have provided 3 different keys for this bin.

A blocked key, a valid key locked with a HWID (which I suppose no one has the same HWID as) and an expired key.

I also added 2 anti-debug threads to this file.

Using VMProtectIsDebuggerPresent (if you have SOD, I guess you can bypass this one pretty easily) and VMProtectIsValidImageCRC (CRC).

Didn't use the VMProtectDecryptString feature.

Several things I expect from this UM:

Simply unpack it.

Bypass the blacklist key.

Bypass the expired situation.

Patch the HWID.

Better create a tut for it.

Thanks.

Have fun,

Kido.


 


UnpackMe VMP Ultimate v2.13.5.7z



Hi,

so what is this with the 3 keys? If you enter any of them, should something happen then, etc.?

@ Dreamer

Your file does not work, so you forgot to fix the direct API commands and to create a new import table. Just a bit of info, of course, to send you some feedback about your dump.



Here are some of your direct APIs
-----------------------------------------------------------
00CD001E JMP 7C910537 ; ntdll.7C910537
00CD0042 JMP 7C934192 ; ntdll.7C934192
00CD00F6 JMP 7C90FE30
00CD01E0 JMP 7C90FE21
00CD0246 JMP 7C90FF2D
00CD028E JMP 7C9100C4 ; ntdll.7C9100C4 <- 1. Crash
00CD02FA JMP 7C90FE21
etc... The 2 anti-debug threads you can patch to ret 4
-----------------------------------------------------------
ThreadFunction = VMProtec.004011A4
ThreadFunction = VMProtec.00401201

greetz


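The two fix-ups named in the feedback above, as an added example that is not part of the original thread or of the UnpackMe: mapping VMProtect's "direct API" jump stubs back to module and export names so a new import table can be built, and patching the two stdcall thread functions to `ret 4`. The module map, the export names and the listing lines are constructed for the example (the listing copies the shape of LCF-AT's output, but the export names and which targets resolve are invented; nothing here describes the real ntdll.dll layout), and the patch routine assumes a memory dump where file offset equals RVA.

```python
"""Post-dump fix-ups for a VMProtect-protected target (added example).

1. "Direct API" stubs: VMProtect replaces import calls with jumps straight
   to the API address, so a dump has no usable import table until each
   stub's target is mapped back to a module + export name.
2. Anti-debug threads: a stdcall ThreadProc takes one 4-byte argument, so
   `ret 4` (C2 04 00) at its entry makes the thread return immediately.

Everything below (module map, export names, listing) is constructed for
illustration and does not describe the real ntdll.dll layout.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One listing line, in the shape posted above:  00CD001E JMP 7C910537 ; ...
STUB_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+JMP\s+([0-9A-Fa-f]{8})")

# Constructed module map: base address, size, export RVA -> export name.
MODULES = {
    "ntdll.dll": {
        "base": 0x7C900000,
        "size": 0x000B0000,
        "exports": {
            0x00010537: "NtdllExportA",
            0x00034192: "NtdllExportB",
            0x0000FE30: "NtdllExportC",
            0x0000FE21: "NtdllExportD",
        },
    },
    "kernel32.dll": {
        "base": 0x7C800000,
        "size": 0x000F6000,
        "exports": {0x00001000: "Kernel32ExportA"},
    },
}

# Constructed listing; the last line deliberately points outside any module.
LISTING = """\
00CD001E JMP 7C910537 ; ntdll.7C910537
00CD0042 JMP 7C934192 ; ntdll.7C934192
00CD00F6 JMP 7C90FE30
00CD01E0 JMP 7C90FE21
00CD028E JMP 7C9100C4 ; ntdll.7C9100C4 <- 1. Crash
00CD02FA JMP 7C90FE21
00CD0310 JMP 00CD9999
"""


@dataclass
class Stub:
    stub_va: int                  # address of the JMP stub in the dump
    target_va: int                # where it jumps (ideally an API entry)
    module: Optional[str] = None
    name: Optional[str] = None
    note: str = ""


def parse_stubs(listing: str) -> list[Stub]:
    """Pull (stub address, target address) pairs out of the listing text."""
    stubs = []
    for line in listing.splitlines():
        m = STUB_RE.match(line.strip())
        if m:
            stubs.append(Stub(int(m.group(1), 16), int(m.group(2), 16)))
    return stubs


def resolve(stub: Stub, modules=MODULES) -> Stub:
    """Map a jump target to module + export name using the module map."""
    for mod, info in modules.items():
        base = info["base"]
        if base <= stub.target_va < base + info["size"]:
            stub.module = mod
            stub.name = info["exports"].get(stub.target_va - base)
            if stub.name is None:
                # Inside the module but not at an export start: it cannot
                # become an import entry as-is and needs a look by hand.
                stub.note = "not an export start; inspect manually"
            return stub
    stub.note = "target outside every known module"
    return stub


def build_import_table(stubs: list[Stub]) -> dict[str, list[str]]:
    """Group resolved names by module: the input for a rebuilt import table."""
    table: dict[str, list[str]] = {}
    for s in stubs:
        if s.module and s.name and s.name not in table.setdefault(s.module, []):
            table[s.module].append(s.name)
    return {mod: sorted(names) for mod, names in table.items()}


def unresolved(stubs: list[Stub]) -> list[Stub]:
    """Stubs still needing manual work before the dump can run."""
    return [s for s in stubs if s.name is None]


RET4 = bytes.fromhex("C20400")  # ret 4: return and pop the ThreadProc argument


def patch_ret4(image: bytearray, va: int, image_base: int = 0x00400000) -> bytearray:
    """Overwrite the entry of a thread function with `ret 4`.

    Assumes `image` is a memory dump (offset == RVA); for a raw PE on disk,
    translate the RVA through the section table first.
    """
    off = va - image_base
    if not 0 <= off <= len(image) - len(RET4):
        raise ValueError(f"{va:#010x} is outside the image")
    image[off:off + len(RET4)] = RET4
    return image


if __name__ == "__main__":
    stubs = [resolve(s) for s in parse_stubs(LISTING)]
    for s in stubs:
        print(f"{s.stub_va:08X} -> {s.target_va:08X}  {s.module or '?'}!{s.name or '?'}  {s.note}")
    print(build_import_table(stubs))
    img = bytearray(b"\xCC" * 0x2000)            # constructed dump
    for va in (0x004011A4, 0x00401201):          # the two ThreadFunctions
        patch_ret4(img, va)
    print(img[0x11A4:0x11A7].hex(), img[0x1201:0x1204].hex())
```

Any stub left in `unresolved()` is exactly the kind of entry that crashes a dump once it is run outside the debugger: the patched-in import table has nothing to point the call at, so those targets have to be traced by hand before the table is written back.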



For VMP's VM, it has this thing called VMProtectBeginVirtualizationLockByKey.

What it really means is, you need a key to let the VMed code run normally.

The 3 keys I put in are three different types of invalid keys we might encounter while cracking a VMProtected file.

I've already added the description to ReadMe.txt

LockHWID.key

is a non-limited key locked to a specific HWID

uEYb+aEAlZ9zdllf7qM52i60s9qWrHNoXhNOHA==

Blacklisted.key

as it shows, is a blocked key with no HWID lock and no other limitation.

Exipred.key

is an expired one with no HWID lock.

After you read the key and click Register, if successful,

the label should be "Registered" and the "Function" button should be enabled.

When you click the "Function" button, it will give you a MessageBox that shows what your HWID is.

I have VMed the MessageBox part and locked it with the key.

So if not successfully registered, it will pop a MessageBox created by VMP that says you need a key to run this function.

So I hope you can bypass that part too.

BTW, the anti-debug thing is just kid's play, all you need to do is ret it. LOL.

Best wishes,

Kido


Anti-Debug threads - is it new for VMProtect?

No, VMProtect has several SDK calls for anti-debug,

I just used them....


@ Kido

Ah ok, so you mean I also have to patch my HWID xy to

uEYb+aEAlZ9zdllf7qM52i60s9qWrHNoXhNOHA==

and then it should work to get a successful registration etc., or? So I am getting a little confused with all this key stuff, which is not really my specialty, so the unpack process was easier. :)

greetz



@Kido

You want us to bypass the authorization?

Big K, how come you have the time to come over to Tuts4 and hang around?

