How To Unpack VMProtect Malware - Part 3 (Patreon)

Fixing OEP (Virtualized Entry Point)

This is the third part in our three-part tutorial series on unpacking VMProtect malware. At this stage we have dumped the unpacked PE payload. The entry point was virtualized so the dumped sample won't run but it could be statically reverse engineered -- if static reverse engineering is all that is required this final stage is not needed.

The MSVC Entry Point

Since the unpacked payload is an MSVC binary we know that the entry point code is the same as any other MSVC binary so we can simply steal the bytes from another binary (one we have compiled ourselves) and create a new entry point. 

For a detailed look at how the MSVC entry point and the security cookie initialization function and SEH are setup check out our detailed MSVC Entry Point Tutorial.  

Build A New OEP

• First open a "clean" MSVC compiled binary in IDA (our HelloWorld binary)
  
• Locate the security cookie constant in the clean sample and use the bytes to locate the __security_init_cookie function in the dumped sample -- note the address.
  
• Locate some unique bytes in the clean sample function __scrt_common_main_seh  and use these bytes to locate the __scrt_common_main_seh function in the dumped sample -- note the address.
  
• Copy the entry point function bytes from the clean sample into the entry point of the dumped sample (this will be in one of the VMProtect PE sections).
  
• Calculate the relative offset from the call and jmp instruction in the new entry point to the __security_init_cookie, and __scrt_common_main_seh functions in the dump sample.
  
• Fix the call and jmp instructions in the dump sample entry point to point to the correct addresses. For a negative jump the two's complement of the relative address must be used.
  
• Once the addresses have been fixed in the dump use the IDA Patch program -> Apply patches to input file... function to patch the dumped file.

Self Study Examples

Now that we have concluded our three-part tutorial there are two examples you can try in your lab to familiarize yourself with these concepts. 

1. HelloWorld Unpacking

Attached to this post is a copy of our HelloWorld example binary. Use this binary to replicate our tutorial.

• Download the HelloWorld binary
• Download the demo version of VMProtect
• Load HellowWorld in VMProtect and virtualize the entry point
• Load the protected binary in x64dbg
• Add a hardware breakpoint on __stdio_common_vfprintf
• When the breakpoint is hit search in the HelloWorld .text section for the security cookie constant 
• Add a hardware breakpoint on the __security_init_cookie function and remove the breakpoint from __stdio_common_vfprintf
• Relaunch the binary and wait for the new breakpoint to be hit
• Download VMPDump
• Launch an administrator cmd shell and use VMPDump to dump the HelloWorld process
• Open the dumped binary in IDA along with a clean (unprotected) version of HelloWorld 
• Locate the the __security_init_cookie, and __scrt_common_main_seh functions in the dumped binary by searching for unique bytes from the clean binary 
• Copy the entry point bytes from the clean binary into the entry point of the dumped binary 
• Fix the relative addresses in the dumped entry point so the call and jmp instructions reference  the __security_init_cookie, and __scrt_common_main_seh functions in the dumped binary
• Use the IDA Patch program functionality to patch the dumped binary
• Try to run the dumped binary and make sure it still prints "hello world one" and "hello world two".

2. NightSky Ransomware Unpacking

Once you are comfortable unpacking the HelloWorld example replicate the unpacking process with NightSky Ransomware.

** Use a safe isolated Virtual Machine this is a live ransomware sample

A full walk-through of unpacking NightSky Ransomware will be available here next week -- see if you can unpack it before then!