Jump to content
Tuts 4 You

VMProtect v3.8.1 Ultra (Mutation + Virtualization)

X0rby

By X0rby
in UnPackMe

 Share
Go to solution Solved by X0rby,

Recommended Posts

X0rby

X0rby

Posted
Posted
VMProtect v3.8.1 Ultra (Mutation + Virtualization)

View File

VMProtect v3.8.1 Ultra (Mutation + Virtualization)

The target is an old software (from 2010) coded in c++, I just apply the VMP protection without any special code as I show in the two screenshots. All available protection features in VMProtect were used with this unpackme. Refer to the attached images for the specific protection settings used.

Challenge is to unpack the file, providing an explanation and details on your methodology.

  • Submitter
    X0rby
  • Submitted
    04/17/2023
  • Category
    UnPackMe

 

  • Like 1
  • 1 month later...
Sean the hard worker

Sean the hard worker

Posted
Posted (edited)

It's hard to me. the entry codes are virtualized and mutated and even without titanhide kernel mode anti-debug utility. I can't debug it cause of the vmprotect's anti-debug techniques.

Edited by windowbase
editing some words.
  • 2 weeks later...
X0rby

X0rby

Posted
  • Author
Posted

Reminder: this one is still unpacked.

nova789

nova789

Posted
Posted

Hmm the code is made in c++, one question if it was an .exe made in .net and protected with VMP 3.8.1 would it have been easy?

X0rby

X0rby

Posted
  • Author
Posted
5 hours ago, nova789 said:

 one question if it was an .exe made in .net and protected with VMP 3.8.1 would it have been easy?

Yes, I think so - the unpacking of NATIVE APPS is always harder than .NET

  • 9 months later...
X0rby

X0rby

Posted
  • Author
Posted

After the leak of VMP source code it can be done now...

  • Like 1
  • Solution
X0rby

X0rby

Posted
  • Author
  • Solution
Posted (edited)

Unpacked+devirtualized:

unpacked.exe

Cleaned (vmp 100% removed):

cleaned.exe

Edited by X0rby
  • Like 6
  • Thanks 2
  • 3 months later...
htmlsqldz

htmlsqldz

Posted
Posted

@X0rbyplease share the method

 

  • Like 1
ra1n

ra1n

Posted
Posted

Lack of any explanation whatsoever, likely the author just ripped code directly from the source of the original program; which they clearly have access to given the details of the post. For those of you seeking guidance, I'd look elsewhere (old but gold).

  • Like 1
  • Thanks 1
  • Haha 1
  • 3 months later...
RADIOX

RADIOX

Posted
Posted

I don't see any solution here fits the requirements ✍️

Screenshot_2024-11-14-01-15-29-320_com.android.chrome-edit.jpg

  • Like 2
  • Confused 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...