
VMProtect v3.8.1 Ultra (Mutation + Virtualization)

The target is old software (from 2010) coded in C++. I just applied the VMP protection without any special code, as I show in the two screenshots. All available protection features in VMProtect were used with this unpackme. Refer to the attached images for the specific protection settings used.

Challenge is to unpack the file, providing an explanation and details on your methodology.

File Information

Submitter X0rby

Submitted 04/17/2023

Category UnPackMe


  • 1 month later...

It's hard for me. The entry codes are virtualized and mutated and even without TitanHide kernel mode anti-debug utility. I can't debug it because of VMProtect's anti-debug techniques.

Edited by windowbase
editing some words.

  • 2 weeks later...
  • Author

Reminder: this one is still unpacked.

Hmm, the code is made in C++. One question: if it was an .exe made in .NET and protected with VMP 3.8.1, would it have been easy?

  • Author
5 hours ago, nova789 said:

 One question: if it was an .exe made in .NET and protected with VMP 3.8.1, would it have been easy?

Yes, I think so - the unpacking of NATIVE APPS is always harder than .NET

  • 9 months later...
  • Author

After the leak of VMP source code it can be done now...

  • Author

Unpacked+devirtualized:

unpacked.exe

Cleaned (vmp 100% removed):

cleaned.exe

Edited by X0rby

  • 3 months later...

@X0rby please share the method

Lack of any explanation whatsoever, likely the author just ripped code directly from the source of the original program; which they clearly have access to given the details of the post. For those of you seeking guidance, I'd look elsewhere (old but gold).

  • 3 months later...

I don't see any solution here that fits the requirements ✍️

Screenshot_2024-11-14-01-15-29-320_com.android.chrome-edit.jpg

  • 1 month later...

Hello everyone, happy start of the new year. Please, @X0rby, could you show us with your talent how you did the procedure to unpack it? We would appreciate it, master.

  • 3 months later...

This is a copy of the old 3.5.1

nothing new

Hi, thank you for your feedback. Need the source code from @X0rby, please, if it is possible. I have a question: with the file he shared with us and the unpacked version he made, is it impossible for us to understand the mutation and virtualization on version 3.8, and then make a script?

  • 1 month later...

Hi X0rby, I tried to solve this unpackme, thank you for the effort. I have a question. For example:

00409F46 | E8 D2F55100        | call asmtomachinecode.vmp_dump_scy.92951D              |
00409F4B | CE                 | into                                                   |
00409F4C | 5E                 | pop esi                                                |
00409F4D | C3                 | ret                                                    |

You solved it as:

00409F46 | FF15 E8E00A02            | call dword ptr ds:[<HeapAlloc>]                        |
00409F4C | 5E                       | pop esi                                                | esi:"U‰еjяhP@A"
00409F4D | C3                       | ret                                                    |

How to do it if you don't have the original non packed file?

Found how to solve it. Put a bp on ntdll.dll and it lands at ntdll.dll:$52DD6 #521D6 <RtlAllocateHeap>. But there are many calls like this. The question is: can this be done by script, or does every call have to be solved manually?

  • 1 month later...
On 5/28/2025 at 9:04 AM, HostageOfCode said:

Found how to solve it. Put a bp on ntdll.dll and it lands at ntdll.dll:$52DD6 #521D6 <RtlAllocateHeap>.

Did you finally solve it? Could you make a video?
The OP stopped replying, because he doesn't want to explain how he solved it.
