whoknows Posted August 7, 2020 (edited)

View File: VMProtect v3.5.0.1213

Try to unpack or alternatively provide a serial.

If there is no solution provided by Saturday 11am (GMT+0) I will attach the same without debugger detection.

Protections used:
Debugger detection (User-mode + Kernel-mode)
Ultra (Mutation + Virtualization)

Submitter: whoknows
Submitted: 08/07/2020
Category: UnPackMe (.NET)

Edited August 7, 2020 by whoknows

Fr4x Posted August 7, 2020 (edited)

awesome.unvitualized.exe

Virtualization removed, delegates need to be cleaned

Edited August 7, 2020 by </DarkCod3r> (IRAN)

sirp Posted August 23, 2020 (edited)

First step

Used dnSpy to dump it

Edited September 6, 2020 by sirp

er132 Posted August 30, 2020

it seems No ways 🙄 Vmp for .net is the best

tungtruong20xx Posted August 30, 2020

On 8/23/2020 at 9:51 PM, sirp said:
> First step

can u help me solution

BataBo Posted August 30, 2020 (edited)

Here is one of the solutions:

Spoiler
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACsbHDTcxIP0LWYgmPM663d4ylbijmKAs0o0gXodxQEb

It uses cryptography to decrypt a string provided within the key. The key also contains RV and salt, which I both set to all \0. If it succeeds then it prints "hi <DecryptedString> thanks for registering"; if it fails it prints "invalid serial".

Edit: Decrypted Validate function:

Spoiler

Edited August 31, 2020 by BataBo

AzoresRCE Posted August 30, 2020

On 8/23/2020 at 3:51 PM, sirp said:
> First step

clean mutations to fully complete

tungtruong20xx Posted August 31, 2020

can u help me solution unpack this vmprotect

Washi Posted September 2, 2020 (edited)

Fun challenge. I went for finding just the key algorithm rather than fully devirtualizing, but the code is pretty clear.

Here are some sample keys:

Spoiler
whoknows: DkkLJ5UOI5DizM/Z7UhGQRt3dsR+OeyHlNNcQgmgFERdCXocbP6A3pMWWkhwqxLSMKEBN90qktRdhJPCsuCHQtm6M1GdlMtcFhkW5L+YTeaT3JAeZ+GTofwXKiD9ATdd
washi: t4t7484q1B32mDFo36MW6MCKEWef3WYzd6W/6Gq9K7OPGJDkMC8DBs3jQEX5KfW5basCKM4fo9klSGwoauyyOL4FCXtz5hcdTYLPVRpWIWi+CIgPv/36P9iEuU5l0Nnu
tuts4you: bX3YxhIyuJGGC5q7nCA5Ta8Ger+7AuRwdLe+58Pam+AwB9h8US6mO/NwosOE6DwEDx55ZHHzfGqZaFJbc9DNq3ZZv+pkwKhd5Vt3j3WpVFxTyhBxIflEAaymH08V5FqD

Approach:

Spoiler
Notice Validate is virtualized using VMP, and returns a string which is later displayed. => returned value is probably the name.
Notice that VM reads code using method 0x06000046. Also notice that field 0x04000048 is the virtual program counter and field 0x0400004A contains the stack.
Use this harmony script to perform a VM trace that dumps the program counter, stack contents and calls.
First run with garbage data reveals it requires a base64 string.
Second run, with a random base64 string reveals the key consists of three parts: first and second part are both 32 bytes, the rest is of arbitrary length.
Third run with hex data 00010203...4b4c4d4e4f reveals all that is necessary to create a keygen (full trace https://pastebin.com/Qcc2ULc6)
Notice it creates a new instance of Rfc2898DeriveBytes using 'tetris' as password, the first 32 bytes of the serial as salt, and 1000 iterations
Notice it creates a new instance of RijndaelManaged with blocksize = 256, mode = CBC, padding = PKCS7, and IV = the second part of the serial.
Notice it attempts to decrypt the remaining part of the serial using this instance of RijndaelManaged.
Keygen is simply doing the reverse of all operations in the trace.
Notice the decrypted data is returned and displayed => encrypted data is username encrypted using the same algorithm.

Keygen.7z

Edited September 2, 2020 by Washi

BataBo Posted September 3, 2020

16 hours ago, Washi said:
> Fun challenge. I went for finding just the key algorithm rather than fully devirtualizing, but the code is pretty clear. [...]

Are you sure it's correct, the key isn't 'tetris' the key is 'duck', keys provided above don't work.

kao Posted September 3, 2020

I think Washi's solution is actually for
At least, the provided keys work for that executable.

Washi Posted September 3, 2020 (edited)

3 hours ago, BataBo said:
> Are you sure it's correct, the key isn't 'tetris' the key is 'duck', keys provided above don't work.

Whoops you are completely right, I posted my reply to the wrong vmp crackme/unpackme challenge thread. @whoknows has made two threads

This one is actually easier, since code is pretty much readable (after you dumped it from memory that is). And yea, the password for this one is indeed "duck" rather than tetris.

Edited September 3, 2020 by Washi

tungtruong20xx Posted September 5, 2020

Hey Guy
Can u help me unpack this method
Sorry my english is bad
.exe and runtime.dll

zELzELE Posted September 7, 2020

just packer, mutation and refh proxy.

AzoresRCE Posted September 28, 2020

"Ultra (Mutation + Virtualization)"

This was never Virtualized...

0x59 Posted October 21, 2020

On 8/7/2020 at 8:47 AM, </DarkCod3r> (IRAN) said:
> awesome.unvitualized.exe
> Virtualization removed, delegates need to be cleaned

u remove anti-tamper only still virtualized 😕

BlackHat Posted November 3, 2020

awesome.vmp35_cracked.exe

Every other portion of VMP is removed including CRC etc check. But still it will not run until we fix Delegates. It is still left

Spoiler
I did almost same approach on this - https://telegra.ph/VMP-Unpacking-11-02

Leopar36 Posted February 12, 2021 (edited)

Spoiler

using System;
using System.ComponentModel;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;

namespace awesome
{
    // Token: 0x02000002 RID: 2
    public class Form1 : Form
    {
        // Token: 0x06000002 RID: 2 RVA: 0x00002097 File Offset: 0x00000297
        public Form1()
        {
            this.InitializeComponent();
        }

        // Token: 0x06000003 RID: 3 RVA: 0x00002888 File Offset: 0x00000A88
        private void button1_Click(object sender, EventArgs e)
        {
            string text = null;
            try
            {
                text = Form1.Validate(this.textBox1.Text);
            }
            catch
            {
                this.label2.ForeColor = Color.Red;
                this.label2.Text = "invalid serial";
            }
            finally
            {
                if (text != null)
                {
                    this.label2.ForeColor = Color.DarkGreen;
                    this.label2.Text = string.Format("hi {0} thanks for registering", text);
                }
            }
        }

        // Token: 0x06000004 RID: 4 RVA: 0x000028F8 File Offset: 0x00000AF8
        public static string Validate(string ikari)
        {
            // Serial layout: 32-byte salt | 32-byte IV | ciphertext (rest)
            byte[] array = Convert.FromBase64String(ikari);
            byte[] salt = array.Take(32).ToArray<byte>();
            byte[] rgbIV = array.Skip(32).Take(32).ToArray<byte>();
            byte[] array2 = array.Skip(64).Take(array.Length - 64).ToArray<byte>();
            string @string;
            // Key is derived from the hard-coded password and the salt taken from the serial
            using (Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes("duck", salt, 1000))
            {
                byte[] bytes = rfc2898DeriveBytes.GetBytes(32);
                using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
                {
                    rijndaelManaged.BlockSize = 256;
                    rijndaelManaged.Mode = CipherMode.CBC;
                    rijndaelManaged.Padding = PaddingMode.PKCS7;
                    using (ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(bytes, rgbIV))
                    {
                        using (MemoryStream memoryStream = new MemoryStream(array2))
                        {
                            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoTransform, CryptoStreamMode.Read))
                            {
                                // Decrypted bytes are returned as the user name; a decryption failure throws
                                byte[] array3 = new byte[array2.Length];
                                int count = cryptoStream.Read(array3, 0, array3.Length);
                                memoryStream.Close();
                                cryptoStream.Close();
                                @string = Encoding.UTF8.GetString(array3, 0, count);
                            }
                        }
                    }
                }
            }
            return @string;
        }

        // Token: 0x06000005 RID: 5 RVA: 0x00002A64 File Offset: 0x00000C64
        protected override void Dispose(bool disposing)
        {
            if (disposing && this.components != null)
            {
                this.components.Dispose();
            }
            base.Dispose(disposing);
        }

        // Token: 0x06000006 RID: 6 RVA: 0x00002AEC File Offset: 0x00000CEC
        private void InitializeComponent()
        {
            this.textBox1 = new TextBox();
            this.button1 = new Button();
            this.label2 = new Label();
            base.SuspendLayout();
            this.textBox1.BorderStyle = BorderStyle.FixedSingle;
            this.textBox1.Font = new Font("Consolas", 9.75f);
            this.textBox1.Location = new Point(13, 45);
            this.textBox1.Multiline = true;
            this.textBox1.Name = "textBox1";
            this.textBox1.Size = new Size(348, 66);
            this.textBox1.TabIndex = 1;
            this.button1.Font = new Font("Consolas", 9.75f);
            this.button1.Location = new Point(12, 117);
            this.button1.Name = "button1";
            this.button1.Size = new Size(349, 35);
            this.button1.TabIndex = 2;
            this.button1.Text = "validate";
            this.button1.UseVisualStyleBackColor = true;
            this.button1.Click += this.button1_Click;
            this.label2.Font = new Font("Consolas", 9.75f);
            this.label2.Location = new Point(12, 9);
            this.label2.Name = "label2";
            this.label2.Size = new Size(349, 23);
            this.label2.TabIndex = 4;
            this.label2.Text = "welcome!";
            this.label2.TextAlign = ContentAlignment.MiddleCenter;
            base.AutoScaleDimensions = new SizeF(6f, 13f);
            base.AutoScaleMode = AutoScaleMode.Font;
            base.ClientSize = new Size(373, 160);
            base.Controls.Add(this.label2);
            base.Controls.Add(this.button1);
            base.Controls.Add(this.textBox1);
            base.FormBorderStyle = FormBorderStyle.FixedToolWindow;
            base.MaximizeBox = false;
            base.Name = "Form1";
            base.StartPosition = FormStartPosition.CenterScreen;
            base.Text = "VMYarrak v3.5.0.1213";
            base.ResumeLayout(false);
            base.PerformLayout();
        }

        // Token: 0x04000001 RID: 1
        private IContainer components;

        // Token: 0x04000002 RID: 2
        private TextBox textBox1;

        // Token: 0x04000003 RID: 3
        private Button button1;

        // Token: 0x04000004 RID: 4
        private Label label2;
    }
}

Download: https://s4.dosya.tc/server13/tkpa2e/awesome.vmp_clean.exe.html

Key: HlgoynfyxFiMv94XScOTlJA65DTJrPd9pRY0zI3mKyO+IOunYkFdYWn6lGCufjKvVLrzZ94ivnJgqyVgvfjKpSyN4ImrVY/Bl5XU7+ne859RySqgyX919rcgIs6mk6OK

SS

Edited February 17, 2021 by Leopar36

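An added example, not part of the thread or of the challenge's code: the Validate method above accepts any serial that decrypts cleanly, because the salt and IV travel inside the serial and the password is a constant in the binary. The sketch below shows the asymmetric alternative, in which the shipped binary holds only a public key. The SignedLicense class, the name.signature serial layout and the in-process key generation are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; every name here is hypothetical.
// In Validate above, the serial supplies salt and IV and the binary supplies
// the password, so the verifier holds everything needed to create serials.
// Here the verifier holds only a public key: it can check a serial, not mint one.
public static class SignedLicense
{
    // Vendor side: runs on the licensing server, never in the shipped binary.
    public static string Issue(ECDsa vendorKey, string userName)
    {
        byte[] name = Encoding.UTF8.GetBytes(userName);
        byte[] sig = vendorKey.SignData(name, HashAlgorithmName.SHA256);
        return Convert.ToBase64String(name) + "." + Convert.ToBase64String(sig);
    }

    // Client side: returns the licensed name, or null when the serial is
    // malformed or the signature does not verify.
    public static string Verify(ECParameters publicKey, string serial)
    {
        if (serial == null) return null;
        string[] parts = serial.Split('.');   // '.' is outside the base64 alphabet
        if (parts.Length != 2) return null;

        byte[] name, sig;
        try
        {
            name = Convert.FromBase64String(parts[0]);
            sig = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException)
        {
            return null;
        }

        using (ECDsa verifier = ECDsa.Create(publicKey))
        {
            return verifier.VerifyData(name, sig, HashAlgorithmName.SHA256)
                ? Encoding.UTF8.GetString(name)
                : null;
        }
    }

    public static void Main()
    {
        // Key pair generated in-process only so the demo is self-contained.
        using (ECDsa vendorKey = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            ECParameters publicOnly = vendorKey.ExportParameters(false);

            string serial = Issue(vendorKey, "tuts4you");   // constructed sample name
            Console.WriteLine(Verify(publicOnly, serial) ?? "invalid serial");

            // Same signature attached to a different name must be rejected.
            string altered = Convert.ToBase64String(Encoding.UTF8.GetBytes("someone else"))
                             + serial.Substring(serial.IndexOf('.'));
            Console.WriteLine(Verify(publicOnly, altered) ?? "invalid serial");
        }
    }
}
```

This removes the serial-forging path only; the check itself still runs in client code, so it complements the protector rather than replacing it.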
bruhware2811 Posted March 5, 2021

On 2/12/2021 at 9:56 PM, Leopar36 said:
> using System; using System.ComponentModel; using System.Drawing; [...]

How did you clean it so well? Do you have any tools?

BlackHat Posted October 4, 2021

On 11/3/2020 at 1:35 PM, BlackHat said:
> awesome.vmp35_cracked.exe
> Every other portion of VMP is removed including CRC etc check. But still it will not run until we fix Delegates. It is still left
> I did almost same approach on this - https://telegra.ph/VMP-Unpacking-11-02

I forgot this Post btw
It was fine except Delegates which can be fixed easily.

awesome_done.exe

abbas Posted December 2, 2021

hey guys

i know you're all too busy with life for arranging a tutorial but could you please at least say the steps you took or refer to other pertaining tutorials/papers?

ifox Posted December 2, 2021

How clear and fix the Delegates?

Washi Posted December 2, 2021

Have to agree with the posts above. Most of the solutions here are not really tutorials. They are mostly just a binary / source code that is cleared without any explanation of how it is done, which is what tuts4you I believe is meant to be about.

BlackHat Posted January 19, 2022 (Solution)

How to Unpack this VMProtect 3.5 Challenge - 2022/01/10 by @BlackHat

Tutorial :

Spoiler

Step 1. Start KSDumper and Dump the Challenge from Memory by running it. Download Here - https://github.com/EquiFox/KsDumper from GitHub. You can also use any Kernel base Dumper or JIT Dumper https://github.com/Anonym0ose/JitDumper
(When You use KSDumper, You may have to Load Unsafe Driver which you can do by running them using Command Prompt if only You are getting Access Denied error by running normally)

Step 2. Fix Sections Header of your Dumped File using CFF Explorer. Download from - https://ntcore.com/?tag=cff-explorer here and Fix the Broken value and Untick the IL only check in .NET section.

Step 3. Now Clean the Mutations of VMProtect using Demutation Tool made by wwh1004. You can read here - https://github.com/wwh1004/blog/tree/master/[.NET]反混淆VMP.NET之Mutation
(You can also download the Compiled file from this Link - https://disk.yandex.com/d/Zq2q-6YnkrDWiQ )

Step 4. Clean the File using de4dot. Use the Official de4dot without any mod. You can Download from Here - https://github.com/de4dot/de4dot
(Use --keep-names ntpfg while cleaning the file using de4dot)

Step 5. Use VMP Killer by DarkBullNull. Download Here - https://github.com/DarkBullNull/VMP.NET-Kill/releases/download/2.1/Release.rar
(Use Option 2 First and Fix CRC and Debug Check and after this use Option 4 to uncover the Hide Call Method)

Step 6. Open the Unpacked File in dnSpy and go to Module.cctor and nop the call.

Step 7. Crack the Validation Method and Get Profit.

Video Tutorial :

Spoiler
VMprotect 3.5 - BlackHat.mp4

Best Regards
BlackHat

awesome.vmp35_BH_unp.exe

vosiyons Posted January 20, 2022

18 hours ago, BlackHat said:
> How to Unpack this VMProtect 3.5 Challenge - 2022/01/10 by @BlackHat [...]

Hello, can you upload the tools in the tutorial, thank you very much, you did a great job.