Jump to content
Tuts 4 You

Unknown Packer


Recommended Posts

I am trying to unpack 2 dll files which i'm not sure what they do. they seem to memory patch on some files.

with Die it is detected as VMProtect, but when i browse them with CFFExplorer, and looking at different sections, I'm only seeing TORO0 and TORO1 with no vmp sections.

I am not sure if it is VMP and so I have no clue how to unpack. can someone provide me some information on which kind of packer i am confronting with?

also I can provide sample dll if someone can help.



Link to comment

thank you.

I guess it is vmprotect then.

I both have tried LCF-AT script and manual method using VirtualProtect API call without success.

as far as i know when i put bp on VirtualProtect, i have to see in dump section the code section gets decrypted. but in my case it does not do that and i wonder why.

do you have any idea?

Link to comment

It is probably a wibu codemeter dongle dll emulator made by toro from exetools. Unpack will not be enough you will need to devirtualize his encryption protection as well.

Link to comment
  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...