Jump to content
Tuts 4 You
  • 0
Sign in to follow this  
Arctic

VMProtect 3.4

Question

Arctic

Language: .NET
Platform: Windows
OS Version: All
Packer/Protector: VMProtect Ultimate 3.4.0 (Build 1155)

Description:

Unpack the file and get the password (along with some brief explanation). Would like to see if anyone can have a go at VMProtect's new .NET implementation. Good luck :)

VMP Settings used:

Anti-Debugger : User+Kernel

Anti-VM: No

Protections: Memory + Pack Output

Screenshot:

UnpackMe.vmp_iVNsnvAuGr.png.e3deff276bd7329ee0ccf26098b54d4d.png

 

 

VMP3.4.zip

Share this post


Link to post

3 answers to this question

Recommended Posts

  • 1
kao

The password is:

Spoiler

7qvtuUbs

 

Explanation:

To apply VMProtect properly, you need to understand how each and every option works. Specifically, packing option just compresses data, it doesn't add any real protection. And if you do not use "VMProtect.SDK.DecryptString", strings are not encrypted.

It's enough to run protected software under any debugger and search for strings in memory:

Spoiler

spacer.png

 

As for proper unpack and/or devirtualization, it's something I have on my todo list. But I haven't got a "proper" solution that I could share at the moment.

 

Edited by kao
typos (see edit history)
  • Like 2
  • Thanks 2

Share this post


Link to post
  • 0
Arctic
On 12/15/2019 at 9:56 AM, kao said:

The password is:

  Reveal hidden contents

7qvtuUbs

 

Explanation:

To apply VMProtect properly, you need to understand how each and every option works. Specifically, packing option just compresses data, it doesn't add any real protection. And if you do not use "VMProtect.SDK.DecryptString", strings are not encrypted.

It's enough to run protected software under any debugger and search for strings in memory:

  Hide contents

spacer.png

 

As for proper unpack and/or devirtualization, it's something I have on my todo list. But I haven't got a "proper" solution that I could share at the moment.

 

I could've sworn I used VMProtect's SDK and applied it's settings appropriately though. Maybe something didn't go right in the build and VMP never told me. Nicely done though.

   [VMProtect.BeginUltra]
        private void button1_Click(object sender, EventArgs e)
        {
            if(txtPsw.Text == VMProtect.SDK.DecryptString("7qvtuUbs"))
            {
                MessageBox.Show(VMProtect.SDK.DecryptString("Authentication successful!"), VMProtect.SDK.DecryptString("Validation"), MessageBoxButtons.OK, MessageBoxIcon.Information);
            }
            else
            {
                MessageBox.Show(VMProtect.SDK.DecryptString("Sorry, that appears to be incorrect."), VMProtect.SDK.DecryptString("Validation"), MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }

image.png.8823f08cf364c0b716907907308637fa.png

Edited by Arctic (see edit history)

Share this post


Link to post
  • 0
kao

@Arctic: Well, if you can reproduce the issue, it's definitely a bug in (some combination of) VMProtect options. Worth sending a bugreport to the authors! ;)

 

 

  • Like 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...