Tuts 4 You


Posted

I am trying to unpack 2 DLL files which I'm not sure what they do. They seem to memory patch some files.

With DIE it is detected as VMProtect, but when I browse them with CFF Explorer and look at the different sections, I only see TORO0 and TORO1, with no vmp sections.

I am not sure if it is VMP, so I have no clue how to unpack it. Can someone provide me some information on which kind of packer I am dealing with?

Also, I can provide a sample DLL if someone can help.

Regards

payam

Posted

Thank you.

I guess it is VMProtect then.

I have tried both the LCF-AT script and the manual method using the VirtualProtect API call, without success.

As far as I know, when I put a bp on VirtualProtect, I should see in the dump section the code section getting decrypted. But in my case it does not do that, and I wonder why.

Do you have any idea?

HostageOfCode
Posted

It is probably a Wibu CodeMeter dongle DLL emulator made by toro from exetools. Unpacking will not be enough; you will need to devirtualize his encryption protection as well.
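Added example, not part of the thread: the first post weighs a detector verdict against section names, but PE section names are free-form 8-byte labels, so for triage it helps to read the section table directly and compare raw size, entropy and writable+executable flags instead. The sample image is constructed for illustration (only the names TORO0/TORO1 come from the post), and the function names are this example's own.

```python
import math
import struct
from collections import Counter

EXEC, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE
WX = EXEC | WRITE

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Return (name, raw_size, entropy, writable_and_executable) per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", image, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # first section header
    rows = []
    for off in range(table, table + 40 * count, 40):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # 12 bytes of relocation/line-number fields (skipped), Characteristics.
        name, _vsize, _va, raw_size, raw_ptr, flags = struct.unpack_from(
            "<8sIIII12xI", image, off)
        body = image[raw_ptr:raw_ptr + raw_size]
        rows.append((name.rstrip(b"\0").decode("latin-1"), raw_size,
                     round(entropy(body), 2), flags & WX == WX))
    return rows

def build_sample() -> bytes:
    """Constructed two-section image; not taken from any real file."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x2102)
    data0 = 0x40 + 24 + 2 * 40  # file offset of the first byte after the table
    def header(name, raw_ptr, flags):
        return struct.pack("<8sIIII12xI", name, 512, 0x1000, 512, raw_ptr, flags)
    return (dos + coff
            + header(b"TORO0", data0, 0x60000020)        # read + execute
            + header(b"TORO1", data0 + 512, 0xE0000020)  # read + write + execute
            + b"\0" * 512                                # constant filler
            + bytes(range(256)) * 2)                     # uniform byte values

if __name__ == "__main__":
    for row in pe_sections(build_sample()):
        print(row)
```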
