Themida & VMProtect (Same Virtualized Code Sections)

I want you guys who are capable of unvirtualizing and unpacking them to upload the final ones.

These files are just the same part of the codes virtualized which are 2 lines of the original mfc source codes.

So if you can unvirtualize them and unpack them, please upload the final ones.

Any other protections are excluded absolutely.

Give it a try and improve your skills.

Best Regards.

sean.

File Information

Submitter lovejoy226

Submitted 04/07/2025

Category UnPackMe

View File

Didn't see it as solved, so decided to give it a try. VMProtect version is quite easy, devirted code:

00B91EEE      837D EC 0F                CMP DWORD PTR SS:[EBP-14],0F
00B91EF2      76 05                     JBE SHORT hashgen_.00B91EF9
00B91EF4      8B45 D8                   MOV EAX,DWORD PTR SS:[EBP-28]
00B91EF7      EB 03                     JMP SHORT hashgen_.00B91EFC
00B91EF9      8D45 D8                   LEA EAX,DWORD PTR SS:[EBP-28]
00B91EFC      6A 03                     PUSH 3
00B91EFE      50                        PUSH EAX
00B91EFF      8D8D 9CFCFFFF             LEA ECX,DWORD PTR SS:[EBP-364]
00B91F05      51                        PUSH ECX
00B91F06      8D8D 98FCFFFF             LEA ECX,DWORD PTR SS:[EBP-368]
00B91F0C      8F01                      POP DWORD PTR DS:[ECX]
00B91F0E      E8 DD170000               CALL hashgen_.00B936F0
00B91F13      8D85 90FCFFFF             LEA EAX,DWORD PTR SS:[EBP-370]
00B91F19      50                        PUSH EAX
00B91F1A      C645 FC 17                MOV BYTE PTR SS:[EBP-4],17
00B91F1E      68 ED030000               PUSH 3ED
00B91F23      8B8D 94FCFFFF             MOV ECX,DWORD PTR SS:[EBP-36C]
00B91F29      8BF9                      MOV EDI,ECX
00B91F2B      FF15 A892B900             CALL DWORD PTR DS:[<&mfc140u.#5427>]                 ;  mfc140u.5E0C82B0
00B91F31      90                        NOP
00B91F32      90                        NOP
00B91F33      90                        NOP
00B91F34      90                        NOP
00B91F35      90                        NOP
00B91F36      90                        NOP
00B91F37      90                        NOP
00B91F38      90                        NOP
00B91F39      90                        NOP
00B91F3A      90                        NOP
00B91F3B      90                        NOP
00B91F3C      90                        NOP
00B91F3D      90                        NOP
00B91F3E      90                        NOP

And a code for a name 123456 is e10adc3949ba59abbe56e057f20f883e

On 4/7/2025 at 9:31 PM, lovejoy226 said:

Any other protections are excluded absolutely.

4 hours ago, unpacker1 said:

Didn't see it as solved, so decided to give it a try. VMProtect version is quite easy, devirted code:

00B91EEE      837D EC 0F                CMP DWORD PTR SS:[EBP-14],0F
00B91EF2      76 05                     JBE SHORT hashgen_.00B91EF9
00B91EF4      8B45 D8                   MOV EAX,DWORD PTR SS:[EBP-28]
00B91EF7      EB 03                     JMP SHORT hashgen_.00B91EFC
00B91EF9      8D45 D8                   LEA EAX,DWORD PTR SS:[EBP-28]
00B91EFC      6A 03                     PUSH 3
00B91EFE      50                        PUSH EAX
00B91EFF      8D8D 9CFCFFFF             LEA ECX,DWORD PTR SS:[EBP-364]
00B91F05      51                        PUSH ECX
00B91F06      8D8D 98FCFFFF             LEA ECX,DWORD PTR SS:[EBP-368]
00B91F0C      8F01                      POP DWORD PTR DS:[ECX]
00B91F0E      E8 DD170000               CALL hashgen_.00B936F0
00B91F13      8D85 90FCFFFF             LEA EAX,DWORD PTR SS:[EBP-370]
00B91F19      50                        PUSH EAX
00B91F1A      C645 FC 17                MOV BYTE PTR SS:[EBP-4],17
00B91F1E      68 ED030000               PUSH 3ED
00B91F23      8B8D 94FCFFFF             MOV ECX,DWORD PTR SS:[EBP-36C]
00B91F29      8BF9                      MOV EDI,ECX
00B91F2B      FF15 A892B900             CALL DWORD PTR DS:[<&mfc140u.#5427>]                 ;  mfc140u.5E0C82B0
00B91F31      90                        NOP
00B91F32      90                        NOP
00B91F33      90                        NOP
00B91F34      90                        NOP
00B91F35      90                        NOP
00B91F36      90                        NOP
00B91F37      90                        NOP
00B91F38      90                        NOP
00B91F39      90                        NOP
00B91F3A      90                        NOP
00B91F3B      90                        NOP
00B91F3C      90                        NOP
00B91F3D      90                        NOP
00B91F3E      90                        NOP

And a code for a name 123456 is e10adc3949ba59abbe56e057f20f883e

Great work if correct!! But you should aim to share knowledge on this site for it isn't very fruitful to pointlessly upload an answer like this.

It's hard to describe it in a single post. It's a generic deobfuscator, not VMProtect-only, based on classic optimization techniques, nothing fancy like AI or patterns. Written completely from scratch, nothing LLVM-based or something. It's still a work in-progress, but getting into stable beta-stage, so I decided to give it additional testing.

Devirt should be correct, at least I tested the exe with this code and it works. The one thing I can mess a little is an intermediate representation->asm translation since it's done partially manually.

10 hours ago, unpacker1 said:

It's hard to describe it in a single post. It's a generic deobfuscator, not VMProtect-only, based on classic optimization techniques, nothing fancy like AI or patterns. Written completely from scratch, nothing LLVM-based or something. It's still a work in-progress, but getting into stable beta-stage, so I decided to give it additional testing.

Devirt should be correct, at least I tested the exe with this code and it works. The one thing I can mess a little is an intermediate representation->asm translation since it's done partially manually.

Wow, very helpful 🙄

Every "solution" on this site is the most Cleo like response ever. I swear in almost every challenge, someone throws the .exe into public tooling, uploads the output, and provides zero explanation -- likely with the hope that people view them in awe. In my opinion, such solutions should result in consequences for the poster.

This site will continue to die if people continue with these dull answers.

For those interested in tackling such protection schemes, I would recommend:
(1) https://github.com/NaC-L/Mergen
(2) https://github.com/Colton1skees/Dna
(3) https://whereisr0da.github.io/blog/posts/2021-02-16-vmp-3
(4) https://secret.club/2021/09/08/vmprotect-llvm-lifting-1.html

Like I said, only my own tools were used and they have no external public code. I'm not expecting anything, I just posted the result. The only thing I hope is that I get corrected, if I'm wrong.

If you have proof I used public tools and lied-you're free to show them. I can answer some questions about internals, if you're interested. But if you expect me to open source a couple of years work just because some random guy from the Internet suspected and accused me of something, not gonna happen, sorry.

6 minutes ago, unpacker1 said:

Like I said, only my own tools were used and they have no external public code. I'm not expecting anything, I just posted the result. The only thing I hope is that I get corrected, if I'm wrong.

If you have proof I used public tools and lied-you're free to show them. I can answer some questions about internals, if you're interested. But if you expect me to open source a couple of years work just because some random guy from the Internet suspected and accused me of something, not gonna happen, sorry.

(1) I never accused you of lying

(2) I don't care about your "tools"

My point is crystal clear: this site will continue to die if we allow such "solutions" (which are 9/10 just people using public tooling and therefore can't provide any novel contributions).

Go ahead, feel free to discuss the "internals", which was arguably the bare minimum you should have provided in the original response to this challenge.