VMProtect OEP Finding Method

Hello.

So today we are going to learn how to find the OEP (original entry point) of VMProtect-protected targets. We will use the ESP trick to do this.

What is VMProtect?
VMProtect protects code by executing it on a virtual machine with a non-standard architecture, which makes it extremely difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free upgrades and much more. Its loader stub also restores the original code of the program in memory at run time, so the code section of the file on disk is empty until the stub has finished; that is the behaviour the steps below rely on.

In this tutorial we learn how to find the OEP of VMProtect-protected targets.
Let's do it.

1. First, load the target in OllyDbg. I used the Olly Shadow modification with the Phantom and StrongOD plugins; VMProtect checks for a debugger, so a hiding plugin such as these is needed to get past its anti-debug checks.


2. Once the file has loaded in OllyDbg, press Ctrl+G and type "VirtualProtect". The stub has to change the page protection of the code section before it can write the original code back, so this API is a convenient place to stop.


Then click OK or press Enter and set a breakpoint there by pressing F2.


3. Then press Run (F9) and you will land at VirtualProtect, as shown in the picture.

4. Each time you break at VirtualProtect, check whether the code section has been filled (open the memory map and look at the .text section of the target).


At first our code section is still empty. Run again and again until you see that the code section has been filled.



5. Now follow ESP in the dump window.


6. Find the last value pointing into kernel32 in the dump window, as shown in the picture, and set a hardware breakpoint on access (byte) on it. This is the ESP trick: the stub saved that value on the stack and will read it back just before it transfers control to the original code, so the breakpoint fires at the end of the unpacking routine.


Press Run once.



7. Now set a memory breakpoint on access on the code section, so that the debugger stops on the first instruction executed there.
  

8. Now press Run again and again until you reach the OEP :) The OEP should be an ordinary entry point inside the original code section, not inside one of the VMProtect sections; that is the address to use when dumping and rebuilding the imports.
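An offline version of the checks in steps 4 and 8, as an added Python example that is not part of the original post: it parses the PE section table of a file or dump, reports how full the first code section is (VMProtect leaves it zero-filled on disk and until the stub has restored the original code), tells you which section the current entry point lives in, and sanity-checks a candidate OEP address from the debugger against the section map. The PACKED and UNPACKED images are constructed samples built inside the script; the 0x400000 image base, the .vmp0/.vmp1 section names and all function names are assumptions for the demo, not anything taken from the post.

```python
import struct

# Section characteristics from the PE spec (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(pe: bytes):
    """Read entry point, image base and the section table from PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad NT signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt_off = e_lfanew + 24                  # optional header follows the 20-byte file header
    magic, = struct.unpack_from("<H", pe, opt_off)
    entry_rva, = struct.unpack_from("<I", pe, opt_off + 16)
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base, = struct.unpack_from("<I", pe, opt_off + 28)
    else:                                    # PE32+: 64-bit ImageBase at +24
        image_base, = struct.unpack_from("<Q", pe, opt_off + 24)
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + 40 * i    # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append(dict(name=name, vaddr=vaddr, vsize=vsize,
                             rawptr=rawptr, rawsize=rawsize, chars=chars))
    return dict(entry=entry_rva, image_base=image_base, sections=sections)


def section_for_rva(sections, rva):
    """The section whose virtual range contains rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def entry_section(pe: bytes):
    """Name of the section holding AddressOfEntryPoint (the packer stub's section
    on a VMProtect build, the original code section once the OEP has been fixed)."""
    info = parse_pe(pe)
    s = section_for_rva(info["sections"], info["entry"])
    return s["name"] if s else None


def code_section_fill(pe: bytes):
    """Fraction of non-zero bytes in the first executable code section: the offline
    form of the 'is the code section filled?' check from step 4."""
    for s in parse_pe(pe)["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_CNT_CODE:
            data = pe[s["rawptr"]:s["rawptr"] + s["rawsize"]]
            return sum(1 for b in data if b) / len(data) if data else 0.0
    raise ValueError("no executable code section found")


def oep_plausible(pe: bytes, oep_va: int):
    """True if a candidate OEP (virtual address as shown in the debugger) lies in a
    code section that is not the one the current (packer) entry point lives in."""
    info = parse_pe(pe)
    cand = section_for_rva(info["sections"], oep_va - info["image_base"])
    cur = section_for_rva(info["sections"], info["entry"])
    return cand is not None and bool(cand["chars"] & IMAGE_SCN_CNT_CODE) and cand is not cur


def build_pe(sections, entry):
    """Build a minimal PE32 image for the demo (constructed sample, not a real binary).
    sections: (name, characteristics, raw bytes); entry: (section index, offset)."""
    falign, valign, e_lfanew, opt_size = 0x200, 0x1000, 0x40, 0xE0
    hdr_len = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // falign) * falign
    table, body, rvas, vaddr, rawptr = bytearray(), bytearray(), [], valign, hdr_len
    for name, chars, data in sections:
        rawsize = -(-len(data) // falign) * falign
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rvas.append(vaddr)
        vaddr += -(-rawsize // valign) * valign
        rawptr += rawsize
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, rvas[entry[0]] + entry[1])     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, valign, falign)    # ImageBase, alignments
    struct.pack_into("<II", opt, 56, vaddr, hdr_len)               # SizeOfImage, SizeOfHeaders
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    return bytes((dos + nt + opt + table).ljust(hdr_len, b"\0") + body)


# Constructed sample mimicking a VMProtect layout: .text is zero-filled on disk and
# the entry point sits in the executable .vmp1 stub section (names are assumed).
VMP0 = bytes(range(1, 256)) * 2
STUB = b"\x55\x8b\xec" + b"\x90" * 61
PACKED = build_pe([(b".text", 0x60000020, b"\0" * 0x400),
                   (b".vmp0", 0x40000040, VMP0),
                   (b".vmp1", 0x60000020, STUB)], entry=(2, 0))
# The same image as a dump taken at the OEP would show it: code restored, entry fixed.
UNPACKED = build_pe([(b".text", 0x60000020, b"\x55\x8b\xec\x83\xec\x10" + b"\xcc" * 0x3FA),
                     (b".vmp0", 0x40000040, VMP0),
                     (b".vmp1", 0x60000020, STUB)], entry=(0, 0))

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(f"{label}: entry in {entry_section(img)}, "
              f"code section {code_section_fill(img):.0%} filled")
    print("0x401000 plausible OEP:", oep_plausible(PACKED, 0x401000))
```

Run it against the real file with `parse_pe(open(path, "rb").read())` in place of the constructed images; on a dump taken with Scylla or OllyDump, `entry_section` should name the original code section and `code_section_fill` should be well above zero, otherwise the dump was taken before the stub finished or the OEP was set to an address inside the VMProtect sections.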


That's all.
Thanks for visiting.

Hope it will help. If you have any problems, just comment below. I will try my best to help you.
Reviewed by Amado Best on December 03, 2020
