Page 1 of 1
Vmprotect help
Posted: Thu Apr 30, 2020 9:45 am
by Taitor
Hello all
I'm trying to unpack vmprotect program but not success anyone help me thanks
Here is my work video
https://mega.nz/file/DY5nBb7L#MgFzwKv6m ... e0Bfxp41do
Re: Vmprotect help
Posted: Thu Apr 30, 2020 2:21 pm
by CodeExplorer
Hi. From what I could tell the fact that when your dump file name is "use32.dll" can't be good,
try hitting "Pick DLL" and choose main exe.
Re: Vmprotect help
Posted: Fri May 01, 2020 12:35 am
by Taitor
Hello again
I have been trying on this program for two days but I did not get success. Scylla say "no api found "
If you don't mind can I post my program link here and someone help to make a unpacking tutorial
Thanks !
Re: Vmprotect help
Posted: Fri May 01, 2020 5:37 am
by CodeExplorer
You can post the program here,
so other reversers could try out.
Re: Vmprotect help
Posted: Fri May 01, 2020 6:22 am
by Taitor
Re: Vmprotect help
Posted: Wed May 06, 2020 6:25 am
by CodeExplorer
OEP 021ED258
VA = 2553BCC start of some invalid import thunks
for example: 02553BCC 0215D948
those thunks belong to main exe so you just have to cut those thunks.
The error is here:
0040C2A6 FFD6 CALL ESI ; ImageCon.021C55DC
More exactly here:
005A2308 55 PUSH EBP
005A2309 8BEC MOV EBP,ESP
005A230B B8 30235A00 MOV EAX,5A2330 ; UNICODE "WSAStartup"
005A2310 E8 CFFEFFFF CALL 005A21E4 ; ImageCon.005A21E4
005A2315 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
005A2318 52 PUSH EDX
005A2319 0FB755 08 MOVZX EDX,WORD PTR SS:[EBP+8]
005A231D 52 PUSH EDX
005A231E FFD0 CALL EAX
005A2320 5D POP EBP
005A2321 C2 0800 RETN 8
Exception happens inside "WSAStartup" call (CALL EAX) so I don't have any idea.