A brief overview of how VM protection works.
Applied Emulation Tutorial Series
https://www.patreon.com/collection/155915?view=expanded
This is a good time to make sure your tools are installed and working. Read through the Introduction Tooling Setup (first tutorial video) and ensure you have the required software installed. If you need a hand getting anything setup just ask on discord!
The good.exe binary is a non-obfuscated reference which is used to demonstrate a simple word build function using the EAX register.
Open good.exe in IDA
When prompted to open a .pdb for the binary confirm, and when the .pdb is not found opt to search for it on disk and open good.pdb 
Navigate to the _good function and observer the letters moved into the EAX register
What word is contained in the EAX register?
OPTIONAL — open good.exe in x64dbg and debug until the return from the _good function. Observe the EAX register.
The goodvm.exe binary is an obfuscated version of the good.exe binary. A simple VM has been created that accepts two instructions and contains one register.
AA [op0] = mov al, op0
BB CC [op0] = shl eax, op0
EAX —> Register0
The same good.exe word build function has been implemented with the VM instruction set. You can observe this by debugging the application and observing the memory address in the VM that is used to represent the EAX register.
Open goodvm.exe in IDA
When prompted to open a .pdb for the binary confirm, and when the .pdb is not found opt to search for it on disk and open goodvm.pdb 
Observer the _bytecode data, this is the raw code for our VM
Copy the _bytecode data as hex bytes and save it in a notepad for later
Highlight the bytes
Edit —> Export data
Select hex string (spaced) and copy the bytes in the Preview window
Navigate to the emulate function and compare this with the good function in the other binary… they look nothing alike, this is the VM obfuscation!
Open the emu.py file in a text editor and paste the _bytecode data bytes into the code replacing the string "!! BYTE CODE GOES HERE !!"
Save the updated emu.py file and run it from the command line using Python
What is the result?
OPTIONAL — open goodvm.exe in x64db, the goodvm.pdb file should be loaded automatically by the debugger as long as it is located in the same directory.
Run until the entrypoint of the binary
Navigate to the Symbols tab and click on the goodvm.exe module
If the .pdb was loaded correctly the emulate function should be listed in the symbols
Double click to navigate to the emulate function and place a breakpoint at the return of function before the stack has been cleaned up. 
Run until the breakpoint is hit and observe the local variable at ESP, this is the memory address that represents the EAX register in the VM!
** We are able to dynamically observe the results of the VM even without understanding the VM code