How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]
40,059
Published 2022-01-31
Full tutorial on Patreon: www.patreon.com/posts/how-to-unpack-3-61935110
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
www.patreon.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----
Additional Learning Resources
Sandbox Tricks For Faster Reversing
• Sandbox Tricks For Faster Reverse Eng...
MSVC Entry Point and Security Init Cookie
www.patreon.com/posts/why-is-pe-entry-61343353
Unpacking VMP - Part 1
www.patreon.com/posts/how-to-unpack-1-61634765
Unpacking VMP - Part 2
www.patreon.com/posts/how-to-unpack-2-61636825
Unpacking VMP - Part 3
www.patreon.com/posts/how-to-unpack-3-61639901
Packed sample:
8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0
VMPDump:
github.com/0xnobody/vmpdump
Lab-Notes:
github.com/OALabs/Lab-Notes/blob/main/NightSky/nig…
#Unpacking #VMProtect #Malware
All Comments (21)
-
I've been looking for this for so long omg
-
These vids are great, I understand everything inside them. To answer your question about the jump being 5 bytes off, it's due to the CPU adding on however many bytes you're jumping, but by the time it's done reading the instruction, it's already 5 bytes ahead [jmp 0xAABBCCDD], (E9 DD CC BB AA), notice 5 bytes. Anyways these vids are godly, thanks.
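The rel32 arithmetic described in the comment above, as an added example that is not part of the video, the OALabs notes or the VMPDump project. Addresses used here (0x401000 and friends) are constructed for illustration: the encoder computes the displacement from the end of the 5-byte instruction, the decoder recovers the target, and a deliberately naive decoder shows the 5-byte error you get when you add the displacement to the instruction's own address.

```python
import struct

# Near jmp (E9) and call (E8) are 1 opcode byte + 4-byte signed displacement.
INSN_LEN = 5


def encode_rel32(src, dst, opcode=0xE9):
    """Build the 5-byte near jmp (E9) or call (E8) located at address `src`
    that transfers control to `dst`.

    The displacement is relative to the *end* of the instruction (src + 5),
    because by the time the CPU acts on the jump, RIP already points past
    the instruction it just decoded.
    """
    if opcode not in (0xE8, 0xE9):
        raise ValueError("only near call (E8) and near jmp (E9) are handled")
    disp = dst - (src + INSN_LEN)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target is out of rel32 range")
    # "<i" = little-endian signed 32-bit, so backward jumps get their
    # two's-complement encoding automatically (e.g. -0x55 -> AB FF FF FF).
    return bytes([opcode]) + struct.pack("<i", disp)


def decode_rel32(insn, at):
    """Given the 5 bytes of an E8/E9 found at address `at`, return
    (opcode, absolute target)."""
    if len(insn) != INSN_LEN or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a 5-byte rel32 jmp/call")
    (disp,) = struct.unpack("<i", insn[1:])
    return insn[0], at + INSN_LEN + disp


def naive_target(insn, at):
    """The common mistake: add the displacement to the instruction's own
    address instead of to the next instruction's address.  The result is
    always 5 bytes short of the real target."""
    (disp,) = struct.unpack("<i", insn[1:])
    return at + disp


if __name__ == "__main__":
    # Constructed addresses: forward jump, then a backward jump.
    fwd = encode_rel32(0x401000, 0x401050)
    back = encode_rel32(0x401050, 0x401000)
    print("forward :", fwd.hex(), "->", hex(decode_rel32(fwd, 0x401000)[1]))
    print("backward:", back.hex(), "->", hex(decode_rel32(back, 0x401050)[1]))
    print("naive   :", hex(naive_target(fwd, 0x401000)), "(5 bytes short)")
```

The same arithmetic applies when hand-patching the displacement of a call or jmp at the OEP: take the RVA of the target, subtract the RVA of the byte immediately after the 5-byte instruction, and write the result as a little-endian signed 32-bit value.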
-
That's soo satisfying omg
-
Just a protip I'd like to mention, using '?' in IDA, there's a built in calculator instead of using python. It also supports links to results and copied bytes
-
Amazing, thank you
-
Hah, AWESOME... I remember back in the early 2000s there was no information like this to learn from
-
Great tutorial 🤘✌️
-
Finally a VMProtect 3.X unpacking tutorial
-
I love you sooooo much. This is freaking awesome.
-
Hi, when I try to use vmpdump with a dll it dumps the debugger loader, any help?
-
Is VMProtect that weak that just running something like VMPDump breaks it? Are there any decent protection software?
-
How come you're manually byte-patching the RVA for the call/jmp in the OEP instead of using IDA's assembler? I find writing `call
-
Do your paid tuts provide different ways to attack this protection? For example if it's more virtualized
-
Hi, did you remove the first 2 parts you refer to here from YouTube? Are they Patreon-locked now?
-
Great
-
Instead of re-searching for the bytes in IDA, just rebase the segments to 0x0 and then get the RVA from x64dbg and go to that address in IDA.
-
Does this method still work? I've been trying to debug a VMP-protected 64-bit binary, but the executable returns an error message when running. Do you know anything about this? (It's Ubisoft Trackmania's binary)
-
I have difficulty unpacking Themida 3.x. Is there any tutorial for Themida 3.x?
-
What if the code is virtualized and mutated? Also what if it's a DLL, not an EXE? Should the same unpacking procedures work?
-
Great tutorial. What about ELF binaries? Can you figure it out?