How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]

Published 2022-01-31
In this tutorial we unpack the Night Sky ransomware (x64), which is protected with VMProtect 3. We use VMPDump to dump the sample and fix its imports, then re-create the virtualized entry point manually. No other functions are virtualized!

Full tutorial on Patreon: www.patreon.com/posts/how-to-unpack-3-61935110

-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU

OALABS PATREON
www.patreon.com/oalabs

OALABS GITHUB
github.com/OALabs

UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----

Additional Learning Resources

Sandbox Tricks For Faster Reversing

MSVC Entry Point and Security Init Cookie
www.patreon.com/posts/why-is-pe-entry-61343353

Unpacking VMP - Part 1
www.patreon.com/posts/how-to-unpack-1-61634765

Unpacking VMP - Part 2
www.patreon.com/posts/how-to-unpack-2-61636825

Unpacking VMP - Part 3
www.patreon.com/posts/how-to-unpack-3-61639901

Packed sample:
8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0

VMPDump:
github.com/0xnobody/vmpdump

Lab-Notes:
github.com/OALabs/Lab-Notes/blob/main/NightSky/nig…

#Unpacking #VMProtect #Malware
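
The manual entry-point re-creation described above, and the question in the comments about the patched jump landing 5 bytes off, both come down to how a 5-byte rel32 `jmp`/`call` is encoded: the displacement is relative to the next instruction, not to the branch itself. The following Python is an added example, not code from the video or the Lab-Notes; every RVA and the section buffer are constructed values.

```python
import struct

# Opcodes of the two 5-byte rel32 branches used when rebuilding an OEP stub.
REL32_OPCODES = {"jmp": 0xE9, "call": 0xE8}
INSN_LEN = 5  # one opcode byte plus a 4-byte signed displacement
MASK64 = 0xFFFF_FFFF_FFFF_FFFF

def encode_rel32_branch(kind: str, src_rva: int, dst_rva: int) -> bytes:
    """Encode `jmp`/`call dst_rva` to be placed at src_rva.

    The displacement is measured from the *next* instruction (src_rva + 5):
    by the time the CPU applies it, RIP already points past the 5-byte
    instruction. Using dst_rva - src_rva instead lands 5 bytes too far.
    """
    disp = dst_rva - (src_rva + INSN_LEN)
    if not -0x8000_0000 <= disp <= 0x7FFF_FFFF:
        raise ValueError(f"displacement {disp:#x} does not fit in rel32")
    return bytes([REL32_OPCODES[kind]]) + struct.pack("<i", disp)

def decode_rel32_branch(rva: int, code: bytes) -> tuple[str, int]:
    """Decode a rel32 jmp/call located at `rva`; return (kind, target_rva)."""
    kinds = {v: k for k, v in REL32_OPCODES.items()}
    if len(code) < INSN_LEN or code[0] not in kinds:
        raise ValueError("not a 5-byte rel32 jmp/call")
    disp = struct.unpack("<i", code[1:INSN_LEN])[0]
    # rel32 is sign-extended and added to the 64-bit RIP, hence the mask.
    return kinds[code[0]], (rva + INSN_LEN + disp) & MASK64

def naive_landing_rva(src_rva: int, dst_rva: int) -> int:
    """Where a jmp lands if the displacement wrongly ignores the 5-byte length."""
    wrong = bytes([REL32_OPCODES["jmp"]]) + struct.pack("<i", dst_rva - src_rva)
    return decode_rel32_branch(src_rva, wrong)[1]

def patch_branch(section: bytearray, section_rva: int, stub_rva: int,
                 kind: str, dst_rva: int) -> bytearray:
    """Write the branch into a dumped section buffer (modified in place)."""
    off = stub_rva - section_rva
    if not 0 <= off <= len(section) - INSN_LEN:
        raise ValueError("stub_rva is outside the section")
    section[off:off + INSN_LEN] = encode_rel32_branch(kind, stub_rva, dst_rva)
    return section

if __name__ == "__main__":
    # Constructed RVAs: a stub at 0x1000 that must call the real entry at 0x1F00.
    print(encode_rel32_branch("call", 0x1000, 0x1F00).hex())  # e8fb0e0000
    print(hex(naive_landing_rva(0x1000, 0x1F00)))              # 0x1f05
```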

All Comments (21)
  • @TTCBlaze
    these vids are great, I understand everything inside them. To answer your question about the jump being 5 bytes off, it's due to the CPU adding on however many bytes you're jumping, but by the time it's done reading the instruction, it's already 5 bytes ahead [jmp 0xAABBCCDD], (E9 DD CC BB AA), notice 5 bytes. Anyways, these vids are godly, thanks
  • @_nit
    Just a protip I'd like to mention: using '?' in IDA, there's a built-in calculator instead of using python. It also supports links to results and copied bytes
  • @MetalPauly2
    hah AWESOME... I remember back in the early 2000s there was no information like this to learn from
  • @djpuxo
    Hi, when I try to use vmpdump with a dll it dumps the debugger loader, any help?
  • @MisterSiga
    Is VMProtect that weak that just running something like vmpdump breaks it? Is there any decent protection software?
  • @shavitush
    how come you're manually bytepatching the rva for the call/jmp in the oep instead of using ida's assembler? I find writing `call
  • @Razorblade601
    Do your paid tuts provide different ways to attack this protection? For example if it's more virtualized
  • @DL-bp7jp
    Hi, did you remove the first 2 parts you refer to here from YouTube? Are they Patreon-locked now?
  • @jawnwrap
    Instead of re-searching for the bytes in IDA, just rebase the segments to 0x0 and then get the RVA from x64dbg and go to that address in IDA.
  • @cherifaly6757
    What if the code is virtualized and mutated? Also, what if it's a dll, not an exe? Should the same unpacking procedures work?
  • @user-qh2cr4tj3r
    I have difficulty unpacking Themida 3.x. Is there any tutorial for Themida 3.x?
  • @phoenixstyle
    Does this method still work? I've been trying to debug a VMP-protected 64-bit binary, but the executable returns an error message when running. Do you know anything about this? (It's Ubisoft Trackmania's binary)
  • @user-yc2ry2uz4h
    Hi, I'm considering donating and enjoying the content on your Patreon. Can I watch all the content you have ever uploaded even if I join now? :)