X0rby Posted April 21, 2023 Posted April 21, 2023 View File VMProtect v3.8.1 Ultra (Mutation + Virtualization) The target is an old software (from 2010) coded in c++, I just apply the VMP protection without any special code as I show in the two screenshots. All available protection features in VMProtect were used with this unpackme. Refer to the attached images for the specific protection settings used. Challenge is to unpack the file, providing an explanation and details on your methodology. Submitter X0rby Submitted 04/17/2023 Category UnPackMe 1
lovejoy226 Posted June 7, 2023 Posted June 7, 2023 (edited) It's hard to me. the entry codes are virtualized and mutated and even without titanhide kernel mode anti-debug utility. I can't debug it cause of the vmprotect's anti-debug techniques. Edited June 7, 2023 by windowbase editing some words.
nova789 Posted June 25, 2023 Posted June 25, 2023 Hmm the code is made in c++, one question if it was an .exe made in .net and protected with VMP 3.8.1 would it have been easy? 1
X0rby Posted June 26, 2023 Author Posted June 26, 2023 5 hours ago, nova789 said: one question if it was an .exe made in .net and protected with VMP 3.8.1 would it have been easy? Yes, I think so - the unpacking of NATIVE APPS is always harder than .NET 1
X0rby Posted April 2, 2024 Author Posted April 2, 2024 After the leak of VMP source code it can be done now... 3
X0rby Posted April 2, 2024 Author Posted April 2, 2024 (edited) Unpacked+devirtualized: unpacked.exe Cleaned (vmp 100% removed): cleaned.exe Edited April 2, 2024 by X0rby 7 2
lovejoy226 Posted April 2, 2024 Posted April 2, 2024 11 hours ago, X0rby said: Unpacked+devirtualized: unpacked.exe 28.66 MB · 11 downloads Cleaned (vmp 100% removed): cleaned.exe 202 kB · 14 downloads Please record the process and post it, so we can get benefit from you. Regards. sean. 1
Oliver Posted April 2, 2024 Posted April 2, 2024 13 hours ago, X0rby said: Unpacked+devirtualized: unpacked.exe 28.66 MB · 31 downloads Cleaned (vmp 100% removed): cleaned.exe 202 kB · 35 downloads @X0rby bro please share the method instead of sharing unpacked files. Regards. 2
ra1n Posted July 17, 2024 Posted July 17, 2024 Lack of any explanation whatsoever, likely the author just ripped code directly from the source of the original program; which they clearly have access to given the details of the post. For those of you seeking guidance, I'd look elsewhere (old but gold). 2 1 1
RADIOX Posted November 14, 2024 Posted November 14, 2024 I don't see any solution here fits the requirements ✍️ 3 1
force1758 Posted January 8 Posted January 8 hello everyone happy start of the new year please @X0rby could you show us with your talent how did you do the procedure to unpack it we would appreciate it master 1
sasadz Posted April 13 Posted April 13 Hi all i think it was this code source but not sure https://github.com/sl4v3k/VMProtect-second-leak If someone can confirm it will be appreciate 1
sasadz Posted April 16 Posted April 16 Hi thank you for your feedback , need source code from @X0rby pls if it possible , i have a question with the file he shared with us and the unpacked version he made, it's impossible for us to understand the mutation and virtualization on version 3.8? and then make a script? 1
HostageOfCode Posted May 27 Posted May 27 Hi X0rby, tried to solve this unpackme, thank you for the afford. I have a question. For example: 00409F46 | E8 D2F55100 | call asmtomachinecode.vmp_dump_scy.92951D | 00409F4B | CE | into | 00409F4C | 5E | pop esi | 00409F4D | C3 | ret | you solve it as: 00409F46 | FF15 E8E00A02 | call dword ptr ds:[<HeapAlloc>] | 00409F4C | 5E | pop esi | esi:"U‰еjяhP@A" 00409F4D | C3 | ret | How to do it if you don't have the original non packed file? 2
HostageOfCode Posted May 28 Posted May 28 Found how to solve it. Put bp on ntdll.dll and it lands to ntdll.dll:$52DD6 #521D6 <RtlAllocateHeap>. But there are many calls like this. The question is can this be done by script or every call have to be solved manually? 2
etness Posted July 25 Posted July 25 On 5/28/2025 at 9:04 AM, HostageOfCode said: Found how to solve it. Put bp on ntdll.dll and it lands to ntdll.dll:$52DD6 #521D6 <RtlAllocateHeap>. Did you finally solve it? Could you make a video? The OP stop to reply, because it doesn't want to explain how he solved it.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now