Posted April 17, 2023

VMProtect v3.8.1 Ultra (Mutation + Virtualization)

The target is an old piece of software (from 2010) coded in C++. I just applied the VMP protection without any special code, as I show in the two screenshots. All available protection features in VMProtect were used with this unpackme. Refer to the attached images for the specific protection settings used. The challenge is to unpack the file, providing an explanation and details on your methodology.

File Information: Submitter X0rby, Submitted 04/17/2023, Category UnPackMe
June 7, 2023

It's hard for me. The entry code is virtualized and mutated and even without the TitanHide kernel-mode anti-debug utility. I can't debug it because of VMProtect's anti-debug techniques.

Edited June 7, 2023 by windowbase (editing some words).
June 25, 2023

Hmm, the code is made in C++. One question: if it was an .exe made in .NET and protected with VMP 3.8.1, would it have been easy?
June 26, 2023 (Author)

5 hours ago, nova789 said: "one question if it was an .exe made in .net and protected with VMP 3.8.1 would it have been easy?"

Yes, I think so - the unpacking of NATIVE APPS is always harder than .NET
April 2, 2024 (Author)

Unpacked+devirtualized: unpacked.exe
Cleaned (vmp 100% removed): cleaned.exe

Edited April 2, 2024 by X0rby
April 2, 2024

11 hours ago, X0rby said: "Unpacked+devirtualized: unpacked.exe 28.66 MB · 11 downloads Cleaned (vmp 100% removed): cleaned.exe 202 kB · 14 downloads"

Please record the process and post it, so we can get benefit from you.

Regards.
sean.
April 2, 2024

13 hours ago, X0rby said: "Unpacked+devirtualized: unpacked.exe 28.66 MB · 31 downloads Cleaned (vmp 100% removed): cleaned.exe 202 kB · 35 downloads"

@X0rby bro please share the method instead of sharing unpacked files.

Regards.
July 17, 2024

Lack of any explanation whatsoever, likely the author just ripped code directly from the source of the original program; which they clearly have access to given the details of the post. For those of you seeking guidance, I'd look elsewhere (old but gold).
January 8

Hello everyone, happy start of the new year. Please, @X0rby, could you show us with your talent how you did the procedure to unpack it? We would appreciate it, master.
April 13

Hi all, I think it was this source code, but I'm not sure: https://github.com/sl4v3k/VMProtect-second-leak

If someone can confirm, it will be appreciated.
April 16

Hi, thank you for your feedback. Need source code from @X0rby please, if it is possible. I have a question: with the file he shared with us and the unpacked version he made, it's impossible for us to understand the mutation and virtualization on version 3.8, and then make a script?
May 27

Hi X0rby, I tried to solve this unpackme, thank you for the effort. I have a question. For example:

00409F46 | E8 D2F55100 | call asmtomachinecode.vmp_dump_scy.92951D |
00409F4B | CE | into |
00409F4C | 5E | pop esi |
00409F4D | C3 | ret |

You solve it as:

00409F46 | FF15 E8E00A02 | call dword ptr ds:[<HeapAlloc>] |
00409F4C | 5E | pop esi | esi:"U‰еjяhP@A"
00409F4D | C3 | ret |

How to do it if you don't have the original non-packed file?
May 28

Found how to solve it. Put a bp on ntdll.dll and it lands at ntdll.dll:$52DD6 #521D6 <RtlAllocateHeap>. But there are many calls like this. The question is: can this be done by script, or does every call have to be solved manually?
July 25

On 5/28/2025 at 9:04 AM, HostageOfCode said: "Found how to solve it. Put bp on ntdll.dll and it lands to ntdll.dll:$52DD6 #521D6 <RtlAllocateHeap>."

Did you finally solve it? Could you make a video? The OP stopped replying, because he doesn't want to explain how he solved it.