Jump to content
Tuts 4 You

[unpackme] UnpackMe VMP Ultimate v2.13.5


Kido

Recommended Posts

This is a simple UnpackMe using VMProtect Ultimate v2.13.5.


I also used vmp's licensing system in this UnackMe, and locked one function with key.


I have provided 3 different keys for this bin.


A blocked key ,a valid key locked with a hwid(which i suppose no one has th same hwid) and an expire key.


I also added 2 anti-debug thread to this file.


Using VMProtectIsDebuggerPresent(if you have sod, i guess you can bypass this one pretty easy) and VMProtectIsValidImageCRC(crc).


Didn't use VMProtectDecryptString feature.


 


 


Several things I expect from this UM:


Simply unpack it.


Bypass the blacklist key.


Bypass the expired situation.


Patch hwid.


 


Better create a tut for it.


Thanks.


 


Have fun,


Kido.


 


UnpackMe VMP Ultimate v2.13.5.7z


Edited by Kido
  • Like 1
Link to comment

Hi,


 


so what is this with the 3 keys?If you enter any of them should then something happen etc?


 


@ Dreamer


 


Your file does not work so did forget to fix the direct API commands + creating new imports table.Just only a info of course to send you some feedback about your dump.



Here some of your direct APIs
-----------------------------------------------------------
00CD001E JMP 7C910537 ; ntdll.7C910537
00CD0042 JMP 7C934192 ; ntdll.7C934192
00CD00F6 JMP 7C90FE30
00CD01E0 JMP 7C90FE21
00CD0246 JMP 7C90FF2D
00CD028E JMP 7C9100C4 ; ntdll.7C9100C4 <- 1. Crash
00CD02FA JMP 7C90FE21
etc... 2 Anti-Debug threads can you patch to ret 4
-----------------------------------------------------------
ThreadFunction = VMProtec.004011A4
ThreadFunction = VMProtec.00401201

greetz


  • Like 3
Link to comment

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Link to comment

Hi,

 

so what is this with the 3 keys?If you enter any of them should then something happen etc?

 

@ Dreamer

 

Your file does not work so did forget to fix the direct API commands + creating new imports table.Just only a info of course to send you some feedback about your dump.

Here some of your direct APIs -----------------------------------------------------------00CD001E   JMP 7C910537     ; ntdll.7C91053700CD0042   JMP 7C934192     ; ntdll.7C93419200CD00F6   JMP 7C90FE3000CD01E0   JMP 7C90FE2100CD0246   JMP 7C90FF2D00CD028E   JMP 7C9100C4     ; ntdll.7C9100C4  <- 1. Crash00CD02FA   JMP 7C90FE21etc...2 Anti-Debug threads can you patch to ret 4-----------------------------------------------------------ThreadFunction = VMProtec.004011A4ThreadFunction = VMProtec.00401201

greetz

For VMP's vm. it has this called VMProtectBeginVirtualizationLockByKey

What it really means is, you need a key to let the vmed code run normally.

The 3 keys I put is three different type of invalid keys we might have encounter while cracking a vmprotected file.

I've already add the description to ReadMe.txt

 

 

 

LockHWID.key

is a no limited key locked to a specific hwid

uEYb+aEAlZ9zdllf7qM52i60s9qWrHNoXhNOHA==

 

Blacklisted.key

as it shows is a blocked key with no hwid lock and no other limitation.

 

Exipred.key

is an exipired one with no hwid lock.

 

After you readkey,and click Register, if success,

The label should be "Registered" and the "Function" button should be enabled.

When you click the "Function" button, it will give you a MessageBox shows what your hwid is.

I have vmed the messagebox part and lock it with key.

So if not succefully registered, it will pop a messagebox created by vmp says that you need a key to run this function.

So hope you can bypass that part too.

 

BTW, the anti-debug thing is just a kid play, all you need to do is to ret it. LOL.

 

Best wishes,

Kido

Edited by Kido
Link to comment

@ Kido


 


Ah ok so you mean I have also to patch my HWID xy to


 


uEYb+aEAlZ9zdllf7qM52i60s9qWrHNoXhNOHA==


 


and then it should work to get a successfully register etc or?So I am getting a little confused with all these key stuff what is not really my specialty so the unpack process was easier. :)


 


greetz


Link to comment
  • 8 months later...

@Kido


You want us to bypass the authorization?


 


K牛 怎么有时间跑到Tuts4来闲逛啊


Edited by kuazi GA
Link to comment
  • 9 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...