lovejoy226 Posted February 12

Themida x32 v3.1.8.0

The Entry Point is virtualized. Two parts of the code are also virtualized.

[Your Mission] Just unpack this file and make it run well without any errors or termination. No devirtualization is necessary.

Submitter: New Year - New Mind. Submitted 02/12/2025. Category: UnPackMe
14yoKID Posted February 12

I think I figured out where the real OEP is; now the real issue is why my dump ain't working.
lovejoy226 (Author) Posted February 13 (edited)

> On 2/12/2025 at 5:50 PM, 14yoKID said: I think I figured out where the real OEP is; now the real issue is why my dump ain't working.

00407483 | E8 3A040000    | call hashgen_protected_entry_vmed |
00407488 | 56             | push esi |
00407489 | E8 CE0C0000    | call <JMP.&exit> |
0040748E | FF75 E0        | push dword ptr ss:[ebp-20] |
00407491 | E8 CC0C0000    | call <JMP.&_exit> |
00407496 | CC             | int3 |
00407497 | E9 46906D00    | jmp hashgen_protected_entry_vmed. | OEP
0040749C | 6A 3E          | push 3E |
0040749E | 4F             | dec edi |
0040749F | A4             | movsb |
004074A0 | 6C             | insb |
004074A1 | 3B0D 40D04000  | cmp ecx,dword ptr ds:[40D040] |
004074A7 | 75 01          | jne hashgen_protected_entry_vmed. |
004074A9 | C3             | ret |
004074AA | E9 89060000    | jmp hashgen_protected_entry_vmed. |
004074AF | 55             | push ebp |
004074B0 | 8BEC           | mov ebp,esp |
004074B2 | 8B45 08        | mov eax,dword ptr ss:[ebp+8] |
004074B5 | 56             | push esi |
004074B6 | 8B48 3C        | mov ecx,dword ptr ds:[eax+3C] |
004074B9 | 03C8           | add ecx,eax |
004074BB | 0FB741 14      | movzx eax,word ptr ds:[ecx+14] |
004074BF | 8D51 18        | lea edx,dword ptr ds:[ecx+18] |
004074C2 | 03D0           | add edx,eax |

@14yoKID Dumping it at the OEP, you could not obtain a working binary. So I uploaded this unpackme. I got this: hashgen_protected_Entry_VMed_dump_SCY.zip

Is there anyone who can do it? Many thanks in advance.

Regards,
sean.

Edited February 13 by New Year - New Mind
lovejoy226 (Author) Posted February 13

> On 2/12/2025 at 5:50 PM, 14yoKID said: I think I figured out where the real OEP is; now the real issue is why my dump ain't working.

@14yoKID Try to unpack this: Project1_ACProtected.zip

Regards,
sean.
HostageOfCode Posted February 21 (marked as Solution)

Hmm, I expected Themida to be harder, but it was not even 5% harder to unpack than VMProtect. hashgen_protected_Entry_VMed__fixed.exe
lovejoy226 (Author) Posted February 21 (edited)

> The Entry Point is virtualized. Two parts of the code are also virtualized. [Your Mission] Just unpack this file and make it run well without any errors or termination. No devirtualization is necessary.

@HostageOfCode You have done it, man. Many thanks.

Regards,
sean.

Edited February 21 by New Year - New Mind
lovejoy226 (Author) Posted February 21

> On 2/21/2025 at 1:21 PM, HostageOfCode said: Hmm, I expected Themida to be harder, but it was not even 5% harder to unpack than VMProtect. hashgen_protected_Entry_VMed__fixed.exe (200 kB)

@HostageOfCode How do you reduce the size of the dump? My resulting dump is this, but its size is not reduced: hashgen_protected_Entry_VMed_dump_SCY.zip

Regards,
sean.
InvizCustos Posted February 21

> On 2/21/2025 at 1:21 PM, HostageOfCode said: Hmm, I expected Themida to be harder, but it was not even 5% harder to unpack than VMProtect.

I assume it depends on the protection settings. Try unpacking this target.
HostageOfCode Posted February 22

> On 2/21/2025 at 2:54 PM, New Year - New Mind said: @HostageOfCode How do you reduce the size of the dump? My resulting dump is this, but its size is not reduced: hashgen_protected_Entry_VMed_dump_SCY.zip (8.42 MB) Regards, sean.

Your IAT is not resolved correctly. Put a BP on GetProcAddress and log all the APIs. I tried to make it run with the virtualized functions, but without success so far. It uses IsProcessorFeaturePresent and other tricks to detect unpacking.
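The post above recommends logging every GetProcAddress call and using that log to fix the IAT. The following script is an added example of that workflow and is not code from this thread, from Scylla, or from the unpackme; it works on a constructed 32-bit image layout (image base 0x400000, a code stub at RVA 0x1000, an IAT at RVA 0xD000) and a constructed GetProcAddress log, all of which are assumptions. It scans the dumped code for `call [imm32]` / `jmp [imm32]` (FF 15 / FF 25) references into the IAT range, reads each referenced slot, and maps the slot value back to a module and API name through the log. One slot deliberately holds a pointer that is not in the log, standing in for a protector-redirected entry, so the script also shows how such slots are reported rather than silently skipped.

```python
"""Rebuild an IAT from a dump using a GetProcAddress log (added example).

Assumed layout (constructed, not the real unpackme): 32-bit PE, image base
0x400000, code at RVA 0x1000, IAT at RVA 0xD000 with eight 4-byte slots.
"""
import struct
from typing import Dict, List, Tuple

IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x0000E000
CODE_RVA = 0x00001000
CODE_SIZE = 0x00000100
IAT_RVA = 0x0000D000
IAT_SIZE = 0x20

# Constructed GetProcAddress log: (module, API name, address returned in EAX),
# as you would collect from a breakpoint on GetProcAddress. Addresses are made up.
API_LOG: List[Tuple[str, str, int]] = [
    ("kernel32.dll", "GetProcessHeap", 0x7C80B9A1),
    ("kernel32.dll", "HeapAlloc", 0x7C8196C3),
    ("kernel32.dll", "ExitProcess", 0x7C81CAFA),
    ("user32.dll", "MessageBoxA", 0x7E4507EA),
    ("kernel32.dll", "IsProcessorFeaturePresent", 0x7C8099D0),
]


def slot_va(i: int) -> int:
    """Virtual address of IAT slot i (hypothetical layout)."""
    return IMAGE_BASE + IAT_RVA + 4 * i


def build_sample_image() -> bytearray:
    """Constructed dump: a small code stub plus an IAT holding resolved pointers."""
    img = bytearray(IMAGE_SIZE)
    code = (
        b"\x55"                                            # push ebp
        + b"\x8B\xEC"                                      # mov ebp, esp
        + b"\xFF\x15" + struct.pack("<I", slot_va(0))      # call [GetProcessHeap]
        + b"\x50"                                          # push eax
        + b"\xFF\x15" + struct.pack("<I", slot_va(1))      # call [HeapAlloc]
        + b"\x6A\x00"                                      # push 0
        + b"\xFF\x15" + struct.pack("<I", slot_va(3))      # call [MessageBoxA]
        + b"\xFF\x15" + struct.pack("<I", slot_va(4))      # call [redirected slot]
        + b"\xFF\x25" + struct.pack("<I", slot_va(2))      # jmp  [ExitProcess]
    )
    img[CODE_RVA:CODE_RVA + len(code)] = code
    # Slot 4 points into a protector section (constructed value), i.e. it was
    # never returned by GetProcAddress and must be traced separately.
    for i, value in enumerate([0x7C80B9A1, 0x7C8196C3, 0x7C81CAFA, 0x7E4507EA, 0x00AE1234]):
        struct.pack_into("<I", img, IAT_RVA + 4 * i, value)
    return img


def find_iat_refs(code: bytes, iat_lo: int, iat_hi: int) -> Dict[int, str]:
    """Find FF15 (call [imm32]) / FF25 (jmp [imm32]) whose operand lies in the IAT.

    Linear byte scan: a hit is only accepted when the operand is 4-byte aligned
    and inside [iat_lo, iat_hi), which filters most accidental matches in data.
    """
    refs: Dict[int, str] = {}
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            target = struct.unpack_from("<I", code, i + 2)[0]
            if iat_lo <= target < iat_hi and target % 4 == 0:
                refs[target] = "call" if code[i + 1] == 0x15 else "jmp"
                i += 6
                continue
        i += 1
    return refs


def resolve_slots(image: bytes, image_base: int, slots, api_log) -> List[dict]:
    """Map each referenced slot's stored pointer back to (module, name) via the log."""
    by_addr = {addr: (mod, name) for mod, name, addr in api_log}
    entries = []
    for va in sorted(slots):
        value = struct.unpack_from("<I", image, va - image_base)[0]
        mod, name = by_addr.get(value, (None, None))
        entries.append({"slot": va, "value": value, "module": mod, "name": name})
    return entries


def rebuild_iat(image: bytes, image_base: int, code_rva: int, code_size: int,
                iat_rva: int, iat_size: int, api_log) -> Tuple[List[dict], List[int]]:
    """Return (resolved entries, slots whose pointer is not in the log)."""
    iat_lo = image_base + iat_rva
    refs = find_iat_refs(image[code_rva:code_rva + code_size], iat_lo, iat_lo + iat_size)
    entries = resolve_slots(image, image_base, refs, api_log)
    unresolved = [e["slot"] for e in entries if e["name"] is None]
    return entries, unresolved


if __name__ == "__main__":
    entries, unresolved = rebuild_iat(bytes(build_sample_image()), IMAGE_BASE,
                                      CODE_RVA, CODE_SIZE, IAT_RVA, IAT_SIZE, API_LOG)
    for e in entries:
        label = f"{e['module']}!{e['name']}" if e["name"] else "UNRESOLVED"
        print(f"{e['slot']:08X} -> {e['value']:08X} {label}")
    print("slots needing manual tracing:", [f"{s:08X}" for s in unresolved])
```

On the real target you would dump the code and IAT regions from x64dbg instead of calling build_sample_image(), feed the breakpoint log into API_LOG, and then write the resolved names into the import directory of the dump (or hand the slot list to Scylla). Any slot that comes back unresolved is exactly the kind of entry the post is warning about: its pointer was not produced by a logged GetProcAddress call, so it has to be traced to the real export before the dump will run.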
lovejoy226 (Author) Posted February 22 (edited)

> On 2/22/2025 at 12:50 PM, HostageOfCode said: Your IAT is not resolved correctly. Put a BP on GetProcAddress and log all the APIs. I tried to make it run with the virtualized functions, but without success so far. It uses IsProcessorFeaturePresent and other tricks to detect unpacking.

@HostageOfCode Do you mean that it does not run on your system? It runs on my system after dumping, but the AddressOfEntryPoint is invalid? And after rebooting my PC, it does not run.

Regards,
sean.

Edited February 22 by New Year - New Mind