Vmprotect help

Taitor
Posts: 3
Joined: Sun Apr 26, 2020 12:28 pm

Vmprotect help

Post by Taitor »

Hello all,
I'm trying to unpack a VMProtect program but without success. Can anyone help me? Thanks.
Here is my work video:

https://mega.nz/file/DY5nBb7L#MgFzwKv6m ... e0Bfxp41do
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Vmprotect help

Post by CodeExplorer »

Hi. From what I can tell, the fact that your dump file name is "use32.dll" can't be good;
try hitting "Pick DLL" and choose the main exe.
Taitor
Posts: 3
Joined: Sun Apr 26, 2020 12:28 pm

Re: Vmprotect help

Post by Taitor »

Hello again,
I have been trying on this program for two days but I did not succeed. Scylla says "no api found".
If you don't mind, can I post my program link here so someone can help make an unpacking tutorial?

Thanks !
CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Vmprotect help

Post by CodeExplorer »

You can post the program here,
so other reversers can try it out.
Taitor
Posts: 3
Joined: Sun Apr 26, 2020 12:28 pm

Re: Vmprotect help

Post by Taitor »

CodeExplorer
Posts: 178
Joined: Tue Jun 13, 2017 11:13 am

Re: Vmprotect help

Post by CodeExplorer »

OEP 021ED258
VA = 2553BCC: start of some invalid import thunks,
for example: 02553BCC 0215D948
Those thunks belong to the main exe, so you just have to cut those thunks.

The error is here:
0040C2A6 FFD6 CALL ESI ; ImageCon.021C55DC

More exactly here:
005A2308 55 PUSH EBP
005A2309 8BEC MOV EBP,ESP
005A230B B8 30235A00 MOV EAX,5A2330 ; UNICODE "WSAStartup"
005A2310 E8 CFFEFFFF CALL 005A21E4 ; ImageCon.005A21E4
005A2315 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
005A2318 52 PUSH EDX
005A2319 0FB755 08 MOVZX EDX,WORD PTR SS:[EBP+8]
005A231D 52 PUSH EDX
005A231E FFD0 CALL EAX
005A2320 5D POP EBP
005A2321 C2 0800 RETN 8

Exception happens inside "WSAStartup" call (CALL EAX) so I don't have any idea.
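
An added example (not part of the thread and not any poster's code): the check described in the last post, labelling each thunk of a dumped 32-bit IAT by the module that owns its target, so that thunks pointing back into the main exe stand out as the ones to cut. The image base and size, the module list and all sample bytes except the quoted thunk 02553BCC 0215D948 are assumptions constructed for illustration.

```python
import struct

# Assumed layout (not stated in the thread): the main image range and the
# module list are constructed so the addresses quoted in the post fit.
MAIN_IMAGE = ("ImageCon.exe", 0x00400000, 0x02200000)   # name, base, size
MODULES = [("ws2_32.dll", 0x75A00000, 0x00060000),
           ("kernel32.dll", 0x76B00000, 0x000F0000)]

def owner(addr, regions):
    """Return the name of the region containing addr, or None."""
    for name, base, size in regions:
        if base <= addr < base + size:
            return name
    return None

def classify_thunks(iat, iat_va, main_image=MAIN_IMAGE, modules=MODULES):
    """Label every 4-byte thunk in a dumped 32-bit IAT region.

    'null'    - separator between import descriptors
    'invalid' - target lies inside the main image itself, so it cannot be
                an imported API (the case described in the post)
    'unknown' - target is in no known module
    otherwise - name of the module that owns the target
    """
    out = []
    usable = len(iat) - len(iat) % 4          # ignore a trailing partial thunk
    for off in range(0, usable, 4):
        (target,) = struct.unpack_from("<I", iat, off)
        if target == 0:
            label = "null"
        elif owner(target, [main_image]):
            label = "invalid"
        else:
            label = owner(target, modules) or "unknown"
        out.append((iat_va + off, target, label))
    return out

def thunks_to_cut(rows):
    """Addresses of thunks that should be cut from the import tree."""
    return [va for va, _, label in rows if label == "invalid"]

# Constructed sample: plausible API pointers and a separator, followed by
# the thunk value quoted in the post (0215D948), which lands at 02553BCC.
SAMPLE_VA = 0x02553BBC
SAMPLE = struct.pack("<5I", 0x75A03AB0, 0x75A04510, 0, 0x76B12340, 0x0215D948)

if __name__ == "__main__":
    for va, target, label in classify_thunks(SAMPLE, SAMPLE_VA):
        print(f"{va:08X}  {target:08X}  {label}")
```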