Jump to content
Tuts 4 You

VMProtect v3.5.0.1213

whoknows

By whoknows
in UnPackMe (.NET)

 Share
Go to solution Solved by BlackHat,

Recommended Posts

NoobStar

NoobStar

Posted
Posted

Nice  can you upload the tools in the tutorial,

  • 1 month later...
  • 1 year later...
Ricardo Goodlife

Ricardo Goodlife

Posted
Posted
On 1/19/2022 at 7:59 PM, BlackHat said:

How to Unpack this VMProtect 3.5 Challenge - 2022/01/10 by @BlackHat

Tutorial :

  Reveal hidden contents

Step 1. Start KSDumper and Dump the Challenge from Memory by running it. Download Here - https://github.com/EquiFox/KsDumper from GitHub. You can also use any Kernel base Dumper or JIT Dumper https://github.com/Anonym0ose/JitDumper
(When You use KSDumper, You may have to Load Unsafe Driver which you can do by running them using Command Prompt if only You are getting Access Denied error by running normally)

Step 2. Fix Sections Header of your Dumped File using CFF Explorer. Download from - https://ntcore.com/?tag=cff-explorer here and Fix the Broken value and Untick the IL only check in .NET section.

Step 3. Now Clean the Mutations of VMProtect using Demutation Tool made by wwh1004. You can read here - https://github.com/wwh1004/blog/tree/master/[.NET]反混淆VMP.NET之Mutation
(You can also download the Compiled file from this Link - https://disk.yandex.com/d/Zq2q-6YnkrDWiQ )

Step 4. Clean the File using de4dot. Use the Official de4dot without any mod. You can Download from Here - https://github.com/de4dot/de4dot
(Use --keep-names ntpfg while cleaning the file using de4dot)

Step 5. Use VMP Killer by DarkBullNull. Download Here - https://github.com/DarkBullNull/VMP.NET-Kill/releases/download/2.1/Release.rar
(Use Option 2 First and Fix CRC and Debug Check and after this use Option 4 to uncover the Hide Call Method)

Step 6. Open the Unpacked File in dnSpy and go to Module.cctor and nop the call.

Step 7. Crack the Validation Method and Get Profit.

Video Tutorial : 

  Reveal hidden contents

 

 

Best Regards

BlackHat

awesome.vmp35_BH_unp.exe 95 kB · 29 downloads

 

Hell0 Mr @BlackHat,

I know this topic is old, but can you provide any logic on the CFF Sections Headers Fixing?

VMP has changed them and I belive that might have disabled Dem.

Anyway, thanks for the info!

 

  • Like 2
  • 1 month later...
AarJee

AarJee

Posted
Posted (edited)
On 5/5/2023 at 2:56 PM, Ricardo Goodlife said:

 

Hell0 Mr @BlackHat,

I know this topic is old, but can you provide any logic on the CFF Sections Headers Fixing?

VMP has changed them and I belive that might have disabled Dem.

Anyway, thanks for the info!

 

I too agree that where the section header of vmp has been changed, Demutation is not working there.  @BlackHat  can you please suggest how to deal with it?

Edited by AarJee
  • Like 1
  • 1 year later...
Bang1338

Bang1338

Posted
Posted
On 7/4/2023 at 12:33 PM, AarJee said:

I too agree that where the section header of vmp has been changed, Demutation is not working there.  @BlackHat  can you please suggest how to deal with it?

maybe you can try VMUnprotect.Dumper (https://github.com/void-stack/VMUnprotect.Dumper) first then do Demutation

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...