Video Tutorial How to Unpack VMProtect Tutorial


Rake
Administrator
This VMProtect unpacking tutorial teaches you how to unpack a binary that has been packed with VMProtect. The sample binary was protected without VMProtect's virtualization feature.

Zero2Automated is the best Malware Analysis course that you can buy, and it was developed in part by the creator of this video. If you want to learn more about advanced reverse engineering and malware analysis you should check out their courses using the link below!

Get 10% off all their courses with our Coupon Code = "GUIDEDHACKING" (the coupon is applied automatically when you use the link).

Defeating Commercial Packers Like a Pro - VMProtect, ASPack, PECompact, FlawedAmmyy, Ramnit Dropper and more. Learn how to unpack 5 different packers & malware samples in this malware analysis & How to Unpack tutorial series.

This was originally a 1 hour unpacking tutorial but we broke it down into smaller parts for easier viewing in our How to Unpack Malware tutorial series. Subscribe to get notified of the next videos. The videos in this series are:

  1. How to unpack FlawedAmmyy ( Ammyy Admin )
  2. How to unpack Ramnit Dropper
  3. How to unpack VMProtect (no virtualization)
  4. How to unpack PECompact
  5. How to unpack ASPack


A packer is a piece of software that obfuscates the original binary on disk. Packers started as very simple programs that just XORed the original bytes: the original code was replaced with a stub, and at run time the stub would XOR the original binary back, map it into memory and then execute the original code. In this way, static analysis of the file on disk is defeated. VMProtect is a common commercial packer similar to Themida. In this How to Unpack VMProtect tutorial you will learn the ins and outs of unpacking binaries, including malware samples. Unpacking malware is something a malware analyst has to do quite frequently, as almost all malware uses packers to evade antivirus detection. While packers have become increasingly complicated over the years, unpacking them still follows the same steps and has the same goal. The point of unpacking a binary is to enable static analysis: once you have dumped the original binary to disk, you can begin to reverse engineer it.

In this How to Unpack VMProtect tutorial you will learn how to unpack a VMProtect protected binary. VMProtect is a cryptor or packer which compresses, obfuscates and protects programs; you use it if you want to stop people from reverse engineering your software. VMProtect works on all versions of Windows and supports any executable: EXEs, DLLs, drivers, OCX and other executable file types. It is a complete solution, offering much more than the basic features of a packer, and it is highly customizable. Customization options include different mutations, virtualization, memory protection, import hiding, resource protection, file packing, debugger detection, detection of virtualization tools such as VMBox etc.; it even offers license management and more. It can be quite annoying when a file you want to reverse engineer is packed with VMProtect; most people will typically just give up as soon as they see the VMP PE sections.

But let's talk about this packed file and this How to Unpack VMProtect tutorial. When we first open the file, it's clearly packed because the main function calls one function, and this main function can't be analyzed by IDA: the stack pointer analysis fails, which typically means it's packed. After following some jumps/calls we finally find a function which pushes a value onto the stack and then immediately returns, indicating the return will cause execution to flow to the address that was just pushed onto the stack. At this point, we know where the REAL unpacking should begin. So we move on to dynamic analysis and breakpoint that address. After following through the code we are looking for more calls or jmps to some sort of unpacking loop.

That doesn't seem to get us anywhere, so we start breakpointing VirtualAlloc() & VirtualProtect(). And we do get a break on VirtualProtect and a loop which indicates setting up memory for the unpacked code. After following this for a bit, we do find some strings from the unpacked binary, so it's clear the decryption of the binary has completed and the loading of it has either just begun or ended. After stepping through a ton of code we eventually find something that looks like an entry point, so we breakpoint the main function of the unpacked binary to see if it's finished unpacking.

Once we've confirmed we have found our original entry point, we breakpoint it and open up Scylla, correctly indicate the OEP and see if we can fix the import table; typically if that works, you know you're good to go. Regardless, we're pretty sure we found it. After dumping, we open it in IDA and if the IDA analysis looks good, then we know we've made a good dump, and we're done!

Malware Hashes (MD5 - all on VirusBay):
Ammyy: 7fb83e646cbabc50bec4b33c8130b5ae
ASPack: 9cc1b039aa8e4a98da3c390fdacc414c
PECompact: ad8cd029b32568830c8304f6075bb805
Ramnit: 6ee3d4e6b9cec67165e90f7ee7c9c33b
VMProtect: a39b4f74b5108a2b9f1a33b2feb22cc5
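The post says most people give up "as soon as they see VMP PE sections", and that a packer replaces the original code with a stub and an encrypted blob. The triage script below (an added example, not from the video or the Guided Hacking post) makes those two signs measurable before any debugging starts: it parses the PE section table with the standard library only, computes Shannon entropy per section, checks whether the entry point lives outside `.text`, and looks for VMProtect's default `.vmp0`/`.vmp1` section names. The sample PE images are constructed in code so the script runs offline; the 7.0 bits-per-byte threshold and the "likely packed" rule are assumptions chosen for illustration, not VMProtect-specific facts.

```python
"""Packed-PE triage: section entropy, entry-point location and VMProtect-style
section names, using only the Python standard library.  The sample images are
constructed fixtures, not real programs."""
import math
import random
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40
ENTROPY_THRESHOLD = 7.0                  # assumption: compressed/encrypted data sits near 8 bits/byte
PACKER_SECTION_NAMES = {b".vmp0", b".vmp1", b".vmp2"}   # VMProtect's default section names


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Return the entry-point RVA and the section table of a PE32/PE32+ image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(data)})
    return {"entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def triage(blob: bytes) -> dict:
    """Collect the packing indicators for one PE image."""
    info = parse_pe(blob)
    secs = info["sections"]
    ep = section_for_rva(secs, info["entry_rva"])
    out = {
        "packer_sections": [s["name"].decode() for s in secs if s["name"] in PACKER_SECTION_NAMES],
        "high_entropy": [s["name"].decode() for s in secs if s["entropy"] >= ENTROPY_THRESHOLD],
        "entry_section": ep["name"].decode() if ep else None,
        "entry_outside_text": ep is not None and ep["name"] != b".text",
    }
    # Assumed rule: known packer sections, or encrypted data plus an entry point in a stub section.
    out["likely_packed"] = bool(out["packer_sections"] or
                                (out["high_entropy"] and out["entry_outside_text"]))
    return out


def build_sample_pe(sections: list, entry_rva: int) -> bytes:
    """Build a minimal PE32 image (constructed fixture). sections = [(name, rva, data)]."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)   # SectionAlignment, FileAlignment
    headers_end = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE * len(sections)
    raw_ptr = -(-headers_end // file_align) * file_align
    table, body = bytearray(), bytearray()
    for name, rva, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = dos + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers.ljust(len(body) and raw_ptr - len(body), b"\0") + bytes(body)


def constructed_packed_sample() -> bytes:
    """Looks like the post's sample: hollow .text, encrypted blob, entry in the stub section."""
    payload = random.Random(2024).randbytes(4096)          # stands in for the encrypted original
    stub = b"\x60\xe8\x00\x00\x00\x00\x5d" + b"\x90" * 120 + b"\xc3"
    return build_sample_pe([(b".text", 0x1000, b"\x90" * 500 + b"\xc3"),
                            (b".vmp0", 0x2000, payload),
                            (b".vmp1", 0x3000, stub)], entry_rva=0x3000)


def constructed_clean_sample() -> bytes:
    code = b"\x55\x8b\xec\x83\xec\x10" * 200 + b"\xc3"      # repetitive, low-entropy code bytes
    return build_sample_pe([(b".text", 0x1000, code),
                            (b".data", 0x2000, b"hello\0" * 64)], entry_rva=0x1000)


if __name__ == "__main__":
    for label, img in (("packed", constructed_packed_sample()), ("clean", constructed_clean_sample())):
        print(label, triage(img))
```

Run this over a real dump before and after unpacking: on the packed file you expect `.vmp*` names, an entry point in the stub section and a near-8.0 entropy blob; on a good Scylla dump the entry point should be back in `.text` and the code section's entropy should drop to the 5 to 6.5 range typical of compiled x86.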