VMProtect Ultimate 3.0.8

[Xjun]

Difficulty : 6
Language : C++
Platform : Windows
OS Version : Windows 7
Packer / Protector :VMProtect Ultimate 3.0.8

Description :

Memory Protection       -Yes

Import protection          -Yes

Resource Protection     -Yes

Pack the output File      -Yes

Debugger                      - user-mode+Kernel-mode

Virtualization Tools       -Yes

using VMProtect SDK.

Screenshot :

 

UnpackMe.7z

 

[av999]

not worked under Vmware

founded:

-popfd; rdtsc

-popfd;cpuid

-cpuid (eax=1) with 31bit detection in ecx

what else?

ps

 

unp-crc-notfixed.zip

Edited October 3, 2016 by av999

[Techlord]

Wondering why no one was working on this thread

Edited August 29, 2016 by Techlord

[Aer73]

@ Techlord.

I agree with you.

I'm working on a packed file with this version is being complicated.

Is few info about.

Many thanks.

 

Kindly regards.

 

[av999]

What about  x64 unpackme?

[av999]

del

Edited March 20, 2017 by av999

[Dragon Palace]

小军大牛怎么来这里了？

[Xjun]

On 2016/8/30 at 3:20 AM, av999 said:

not worked under Vmware

founded:

-popfd; rdtsc

-popfd;cpuid

-cpuid (eax=1) with 31bit detection in ecx

what else?

ps

 

unp-crc-notfixed.zip

thank you for your reply！

VMProtect 3.x  Chec detect VMware

XP -> cpuid (eax=1) with 31bit detection in ecx  -> ZwOpenSection "\device\physicalmemory"  

WIN7 -> cpuid (eax=1) with 31bit detection in ecx -> kernel32.EnumSystemFirmwareTables

[SHADOW_UA]

2 hours ago, Xjun said:

thank you for your reply！

VMProtect 3.x  Chec detect VMware

XP -> cpuid (eax=1) with 31bit detection in ecx  -> ZwOpenSection "\device\physicalmemory"  

WIN7 -> cpuid (eax=1) with 31bit detection in ecx -> kernel32.EnumSystemFirmwareTables

Correct. And while first one can be patched with cpuid.1.ecx parameter in VMX file, I can't see a way to permanently patch second one.

[_BaZzi]

<00452816>
db 90,90,90,90,90,90 ; vm detection

<0058796E>
	jmp @HookedCPUID_CRC

<00879550>
@HookedCPUID_CRC:
	mov ebx, 00100800
	jmp 00647698

<0047B689>
	jmp @HookedCPUID_VM
	
<00879570>
@HookedCPUID_VM:
	mov ebx, 00100800
	sub ebp,0xC
	jmp 0047B68F 

<00498066>
	jmp @HookedCPUID_V
	
<00879590>
@HookedCPUID_V:
	mov ebx, 00100800
	sub ebp,0xC
	jmp 0049806C 

<00545E14>
	jmp @HookedCPUID_U
	
<008795B0>
@HookedCPUID_U:
	mov ebx, 00100800
	sub ebp,0xC
	jmp 00545E1A 

Patch these to make the buttons work.

Besides, IsVirtualMachine will crash on xp.

UnpackMe.unpacked.exe.zip

Edited March 24, 2017 by _BaZzi
typo

[Techlord]

So now our guys have succeeded in unpacking VMP 3.0.8 also !

Great !

[NewBHack]

Is there a way to bypass VMWARE detection by Vmprotect 3.x?

[ktsky]

Awesome