I am trying to unpack 2 dll files which i'm not sure what they do. they seem to memory patch on some files.

with Die it is detected as VMProtect, but when i browse them with CFFExplorer, and looking at different sections, I'm only seeing TORO0 and TORO1 with no vmp sections.

I am not sure if it is VMP and so I have no clue how to unpack. can someone provide me some information on which kind of packer i am confronting with?

also I can provide sample dll if someone can help.

regards

payam

VMProtect sections are commonly renamed. It's a basic option in VMProtect: http://vmpsoft.com/support/user-manual/working-with-vmprotect/main-window/project-section/options-section/

 

thank you.

I guess it is vmprotect then.

I both have tried LCF-AT script and manual method using VirtualProtect API call without success.

as far as i know when i put bp on VirtualProtect, i have to see in dump section the code section gets decrypted. but in my case it does not do that and i wonder why.

do you have any idea?

It is probably a wibu codemeter dongle dll emulator made by toro from exetools. Unpack will not be enough you will need to devirtualize his encryption protection as well.

post hash of the file.