Focus on runtime tracing. Set breakpoints on key APIs (registry, file, network) and let the protected software run. You don’t need a clean unpack to understand malicious behavior.
Let's walk through a simplified (but accurate) scenario: virbox protector unpack
This is where 90% of unpacking attempts fail. Virbox does not store a clean IAT. It stores encrypted indexes to its own API resolver. Focus on runtime tracing