Jump to content
Tuts 4 You

Unknown Packer


Recommended Posts

I am trying to unpack 2 dll files which i'm not sure what they do. they seem to memory patch on some files.

with Die it is detected as VMProtect, but when i browse them with CFFExplorer, and looking at different sections, I'm only seeing TORO0 and TORO1 with no vmp sections.

I am not sure if it is VMP and so I have no clue how to unpack. can someone provide me some information on which kind of packer i am confronting with?

also I can provide sample dll if someone can help.



Link to comment
Share on other sites

thank you.

I guess it is vmprotect then.

I both have tried LCF-AT script and manual method using VirtualProtect API call without success.

as far as i know when i put bp on VirtualProtect, i have to see in dump section the code section gets decrypted. but in my case it does not do that and i wonder why.

do you have any idea?

Link to comment
Share on other sites


It is probably a wibu codemeter dongle dll emulator made by toro from exetools. Unpack will not be enough you will need to devirtualize his encryption protection as well.

Link to comment
Share on other sites

  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...