
Content

In this tutorial we unpack Night Sky Ransomware (x64) which is protected with VMProtect 3. We use VMPDump to dump and fix the imports and then re-create the virtualized entry point manually. 

Tools

Additional Learning Resources

Samples

Original packed sample:

8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0

Clean unpacked payload (fixed OEP):

ff5757086c464d624f4a6674d65409fb6fa84ad5ac089583ebc994ba949458d7

Files

How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]

In this tutorial we unpack Night Sky Ransomware (x64) which is protected with VMProtect 3. We use VMPDump to dump and fix the imports and then re-create the virtualized entry point manually. No other functions are virtualized!

OALABS DISCORD: https://discord.gg/6h5Bh5AMDU
OALABS PATREON: https://www.patreon.com/oalabs
OALABS GITHUB: https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING: https://www.unpac.me/#/

Packed sample: 8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0
VMPDump: https://github.com/0xnobody/vmpdump
Lab-Notes: https://github.com/OALabs/Lab-Notes/blob/main/NightSky/nightsky.ipynb

#Unpacking #VMProtect #Malware

Comments

DebugMechanic

This is an example call, not related to the video:

Note: use the call address, not the return; do not use the next line down.
Note: always count the opcodes. THEY MATTER!!!

----
Call address:
00000000013A906D    E8 9E A4 64 FF    call ns_vpn_send_response

Function address:
00000000009F3510    ns_vpn_send_response proc near
----

Subtraction:
Python>0x00000000013A906D - 0x00000000009F3510
0x9b5b5d

Invert:
Python>hex(0xffffffffffffffff - 0x9b5b5d)
'0xffffffffff64a4a2'

Subtract the opcode count from above: E8 9E A4 64 FF. This call has 5 opcodes; however, we took the first opcode's address, so we start our count at 9E: 1 2 3 4. We need to subtract 4 from our number above.

Subtraction:
Python>0xffffffffff64a4a2 - 0x4
0xffffffffff64a49e

Result of masking: 0xff64a49e, or little endian 9E A4 64 FF.

So, the reason you are always 1 off is because you are using the wrong address when you calculate your VA offset. Now you know :) You are welcome.
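As an added worked example (this is not part of DebugMechanic's comment, the OALABS video or VMPDump), the Python below computes the rel32 displacement of a 5-byte x86-64 CALL/JMP directly from the rule the CPU applies: the displacement is relative to the address of the following instruction, i.e. the branch address plus 5. It encodes the displacement, decodes it back to an absolute target, and patches such a branch into a flat memory image, which is the kind of edit you make when re-creating an entry point in a dump by hand. The call and target addresses are the ones quoted in the comment; the function names, the NOP-filled image and its base address (0x400000) are constructed for illustration.

```python
import struct

CALL_REL32 = 0xE8  # near call, rel32
JMP_REL32 = 0xE9   # near jmp, rel32
INSN_LEN = 5       # opcode byte + 4-byte signed displacement
U64_MASK = 0xFFFFFFFFFFFFFFFF


def encode_rel32_branch(insn_va: int, target_va: int, opcode: int = CALL_REL32) -> bytes:
    """Encode a 5-byte near CALL/JMP located at insn_va that lands on target_va.

    The CPU adds the displacement to RIP after the instruction has been fetched,
    so it is relative to insn_va + 5 (the next instruction), not to insn_va.
    """
    disp = target_va - (insn_va + INSN_LEN)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError(f"0x{target_va:X} is out of rel32 range from 0x{insn_va:X}")
    return bytes([opcode]) + struct.pack("<i", disp)


def decode_rel32_branch(insn_va: int, insn: bytes) -> int:
    """Recover the absolute target of a 5-byte rel32 CALL/JMP located at insn_va."""
    if len(insn) != INSN_LEN or insn[0] not in (CALL_REL32, JMP_REL32):
        raise ValueError("not a 5-byte rel32 CALL/JMP")
    (disp,) = struct.unpack("<i", insn[1:])
    return (insn_va + INSN_LEN + disp) & U64_MASK


def patch_rel32_branch(image: bytearray, image_base: int, insn_va: int,
                       target_va: int, opcode: int = CALL_REL32) -> bytearray:
    """Write a rel32 CALL/JMP into a flat, VA-mapped memory image.

    Assumed layout (constructed for this example): offset == VA - image_base,
    i.e. a dump that preserved the in-memory section layout. A file whose section
    alignment differs from its file alignment would need an RVA-to-offset step first.
    """
    off = insn_va - image_base
    if off < 0 or off + INSN_LEN > len(image):
        raise ValueError("instruction lies outside the image")
    image[off:off + INSN_LEN] = encode_rel32_branch(insn_va, target_va, opcode)
    return image


# Addresses quoted in the comment above; the expected bytes are the ones shown there.
COMMENT_CALL_VA = 0x00000000013A906D
COMMENT_TARGET_VA = 0x00000000009F3510
COMMENT_BYTES = bytes.fromhex("E8 9E A4 64 FF")


def check_against_comment() -> bool:
    """True if encoding and decoding reproduce the bytes and target from the comment."""
    return (encode_rel32_branch(COMMENT_CALL_VA, COMMENT_TARGET_VA) == COMMENT_BYTES
            and decode_rel32_branch(COMMENT_CALL_VA, COMMENT_BYTES) == COMMENT_TARGET_VA)


if __name__ == "__main__":
    print("matches comment:", check_against_comment())
    # Constructed toy image: 0x20 NOPs mapped at a made-up base, with a jmp written
    # at base+0x10 that transfers control back to the start of the image.
    img = patch_rel32_branch(bytearray(b"\x90" * 0x20), 0x400000, 0x400010, 0x400000, JMP_REL32)
    print(img[0x10:0x15].hex(" ").upper())  # E9 EB FF FF FF
```

The same `encode_rel32_branch` covers both a `call` (0xE8) and a `jmp` (0xE9); only the opcode byte differs, the displacement rule is identical. Use `decode_rel32_branch` to sanity-check a patched branch before writing the image back out, since an off-by-five error lands the call in the middle of the previous instruction rather than on the function prologue.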