Old 04-14-2009, 17:59
redbull
Grumble: VMProtect Woes

Hi Guys,

I have a target which I am 99% sure is VMProtect 1.8 (definitely newer than 1.7, and no signatures detect it).

It is giving me gray hairs. I am able to find the parts in the loader which write the data back to the original segments and the target is a Delphi executable. I know it must return to OEP shortly after that section. I must say this was a rather tricky protector using threads and exception handling to run more unpacking code.

I have dumped it (without having the correct OEP) and I have also used Universal Import Finder (1.2) with success in building the IATs. (Great Tool BTW, very very nice idea).

I studied the videos on VMProtect unpacking (the one from Nooby jumps to mind).

Not understanding the Chinese is a problem for me, but I tried to do it all myself. The problem was that, this being a different version, the code looks different.

I have two questions:
1. Is there a way to do a dump (based on signature), since I know the compiler was Delphi?
2. Are there any other resources on VMProtect unpacking other than the IAT OllyDbg scripts and the two SWF videos on TUTS4YOU?

I know there are a bunch of calls to VirtualProtectEx, which is how I found where the protector was writing the segments back. Are there other things I can look at to get closer to an OEP?
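The first question above (locating the OEP of a Delphi target by signature in a dump) can be approached with a small scanner. The script below is an added example and not code from the original post or from any of the tools it mentions. It assumes a flat memory dump whose first byte corresponds to the image base, and it searches for the well-known Delphi 5-7 program entry prologue (`push ebp / mov ebp,esp / add esp,-10h / mov eax,imm32 / call @InitExe`); the exact encoding differs between Delphi versions, so the pattern is an assumption to adjust for the target. To cut false positives, a hit is only reported when the `mov eax, imm32` operand and the relative call target both land inside the image, which a random opcode match rarely satisfies. The sample image, the image base 0x400000 and the offsets used are constructed for the demonstration.

```python
"""Scan a raw memory dump for the classic Delphi entry-point prologue.

Added example: not code from the original post. It assumes the dump is a
flat image (e.g. a region dumped with OllyDbg/LordPE) whose first byte
corresponds to `image_base`.
"""
import re
import struct
import sys

# Delphi 5-7 style program entry (assumption: the encoding varies by version):
#   55                push ebp
#   8B EC             mov  ebp, esp
#   83 C4 F0          add  esp, -10h
#   B8 xx xx xx xx    mov  eax, offset <unit init table>
#   E8 xx xx xx xx    call @InitExe
DELPHI_PROLOGUE = re.compile(
    rb"\x55\x8B\xEC\x83\xC4\xF0\xB8(....)\xE8(....)", re.DOTALL)


def find_delphi_oep_candidates(image: bytes, image_base: int):
    """Return a list of (va, mov_operand, call_target) for plausible hits.

    A hit is kept only when the `mov eax, imm32` operand and the call's
    rel32 target both fall inside [image_base, image_base + len(image)).
    """
    size = len(image)
    hits = []
    for m in DELPHI_PROLOGUE.finditer(image):
        va = image_base + m.start()
        operand = struct.unpack("<I", m.group(1))[0]
        rel = struct.unpack("<i", m.group(2))[0]
        # E8 rel32 is relative to the address of the *next* instruction,
        # which is exactly where the match ends.
        call_target = image_base + m.end() + rel
        in_image = lambda a: image_base <= a < image_base + size
        if in_image(operand) and in_image(call_target):
            hits.append((va, operand, call_target))
    return hits


def build_sample_image():
    """Constructed test dump: filler plus one decoy and one genuine prologue."""
    image_base = 0x400000
    image = bytearray(b"\xCC" * 0x3000)

    # Decoy at 0x500: right opcodes, but `mov eax` operand points outside
    # the image, so the plausibility filter must drop it.
    decoy = b"\x55\x8B\xEC\x83\xC4\xF0\xB8" + struct.pack("<I", 0xDEADBEEF)
    decoy += b"\xE8" + struct.pack("<i", 0)
    image[0x500:0x500 + len(decoy)] = decoy

    # Genuine-looking prologue at 0x1A2C: init table at 0x401F00,
    # call to @InitExe at 0x401000.
    off = 0x1A2C
    prologue = b"\x55\x8B\xEC\x83\xC4\xF0\xB8" + struct.pack("<I", 0x401F00)
    next_insn = image_base + off + len(prologue) + 5
    prologue += b"\xE8" + struct.pack("<i", 0x401000 - next_insn)
    image[off:off + len(prologue)] = prologue

    return bytes(image), image_base


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 find_delphi_oep.py dump.bin 0x400000
        data = open(sys.argv[1], "rb").read()
        base = int(sys.argv[2], 16)
    else:
        data, base = build_sample_image()
    for va, init_tbl, target in find_delphi_oep_candidates(data, base):
        print(f"candidate OEP {va:#010x}: init table {init_tbl:#010x}, "
              f"@InitExe {target:#010x}")
```

On a real dump, each reported VA is a place to set a hardware breakpoint on execution while the loader runs, so the debugger stops when the protector finally transfers control to the original entry point; the `@InitExe` target is a second sanity check, since it should point at Delphi's system unit code, not at protector stubs.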