VMProtect v3.8.1 Ultra (Mutation + Virtualization)

The target is an old software (from 2010) coded in c++, I just apply the VMP protection without any special code as I show in the two screenshots. All available protection features in VMProtect were used with this unpackme. Refer to the attached images for the specific protection settings used.

Challenge is to unpack the file, providing an explanation and details on your methodology.

File Information

Submitter X0rby

Submitted 04/17/2023

Category UnPackMe

View File

It's hard to me. the entry codes are virtualized and mutated and even without titanhide kernel mode anti-debug utility. I can't debug it cause of the vmprotect's anti-debug techniques.

Edited June 7, 20232 yr by windowbase
editing some words.

Reminder: this one is still unpacked.

Hmm the code is made in c++, one question if it was an .exe made in .net and protected with VMP 3.8.1 would it have been easy?

5 hours ago, nova789 said:

 one question if it was an .exe made in .net and protected with VMP 3.8.1 would it have been easy?

Yes, I think so - the unpacking of NATIVE APPS is always harder than .NET

After the leak of VMP source code it can be done now...

Unpacked+devirtualized:

unpacked.exe

Cleaned (vmp 100% removed):

cleaned.exe

Edited April 2, 20241 yr by X0rby

11 hours ago, X0rby said:

Unpacked+devirtualized:

unpacked.exe 28.66 MB · 11 downloads

Cleaned (vmp 100% removed):

cleaned.exe 202 kB · 14 downloads

Please record the process and post it, so we can get benefit from you.

Regards.

sean.

13 hours ago, X0rby said:

Unpacked+devirtualized:

unpacked.exe 28.66 MB · 31 downloads

Cleaned (vmp 100% removed):

cleaned.exe 202 kB · 35 downloads

 @X0rby bro please share the method instead of sharing unpacked files.

Regards.

@X0rbyplease share the method

 

Lack of any explanation whatsoever, likely the author just ripped code directly from the source of the original program; which they clearly have access to given the details of the post. For those of you seeking guidance, I'd look elsewhere (old but gold).

I don't see any solution here fits the requirements ✍️

hello everyone happy start of the new year please @X0rby could you show us with your talent how did you do the procedure to unpack it we would appreciate it master

Hi all i think it was this code source but not sure  https://github.com/sl4v3k/VMProtect-second-leak If someone can confirm it will be appreciate

this is copy of old 3.5.1

nothing new

Hi thank you for your feedback , need source code from @X0rby pls if it possible , i have a question with  the file he shared with us and the unpacked version he made, it's impossible for us to understand the mutation and virtualization on version 3.8? and then make a script?

Hi X0rby, tried to solve this unpackme, thank you for the afford. I have a question. For example:

00409F46 | E8 D2F55100        | call asmtomachinecode.vmp_dump_scy.92951D              |
00409F4B | CE                 | into                                                   |
00409F4C | 5E                 | pop esi                                                |
00409F4D | C3                 | ret                                                    |

you solve it as:

00409F46 | FF15 E8E00A02            | call dword ptr ds:[<HeapAlloc>]                        |
00409F4C | 5E                       | pop esi                                                | esi:"U‰еjяhP@A"
00409F4D | C3                       | ret                                                    |

How to do it if you don't have the original non packed file?

Found how to solve it. Put bp on ntdll.dll and it lands to ntdll.dll:$52DD6 #521D6 <RtlAllocateHeap>. But there are many calls like this. The question is can this be done by script or every call have to be solved manually?

On 5/28/2025 at 9:04 AM, HostageOfCode said:

Found how to solve it. Put bp on ntdll.dll and it lands to ntdll.dll:$52DD6 #521D6 <RtlAllocateHeap>.

Did you finally solve it? Could you make a video?
The OP stop to reply, because it doesn't want to explain how he solved it.