Teddy Rogers Posted July 7, 2007
Themida 1.9.1.0 http://tuts4you.com/download.php?view.1780
Ted.
Killboy Posted July 7, 2007 (edited)
Woah! 18 MB! That's why I love driver based protections. Did you just check all the protection options? Or are there several in it? Don't want to download 18 MB, it wouldn't take too much time but, heh, still too long. Edited July 7, 2007 by Killboy
Teddy Rogers (Author) Posted July 7, 2007
Everything that makes it interesting is included. Yes, it is good at pumping up a file around 403KB to over 3MB... Ted.
rendari Posted July 16, 2007
Themida removed drivers from the protection a long time ago... Good to see the newest version out, time to take a crack at it.
What Posted July 19, 2007 (edited)
Wow, pain in the @$$, and there are no protections enabled. I got a working dump for A, really don't think I can do the rest of them. But still trying. LOL Edited July 19, 2007 by What
rendari Posted July 20, 2007
> Wow, pain in the @$$, and there are no protections enabled. I got a working dump for A, really don't think I can do the rest of them. But still trying. LOL
Yeah, almost all the protection features rely on the VM, so it takes a loooong time to restore them all, unless you just dump the VM, but that's unneat :/
SunBeam Posted August 17, 2007
Why not? Dump app @ OEP (rebuilding OEP, of course), along with its VM. Should work wonders...
rendari Posted August 17, 2007 (edited)
Hehe, you go ahead and try that, and then come back and tell me why it didn't work. Anyways, dumping is not hard once all the tricks it looks for are provided with one's dump. Edited August 17, 2007 by rendari
SunBeam Posted August 17, 2007 (edited)
@rendari: It isn't hard at all T_T
UnPackMe_Themida 1.9.1.0.a.exe - unpacked: http://www.speedyshare.com/158518276.html Edited August 17, 2007 by sunbeam
rendari Posted August 17, 2007 (edited)
a is easy to unpack. Try unpacking the one with Virtual APIs or with Stolen Code. The VM will initiate some sneaky silent checks and crash you. So you have to find and fix them. Edited August 17, 2007 by rendari
What Posted August 17, 2007 (edited)
Working on Themida. Was analyzing code at the crash of OllyDbg at start up. The problem is fld tbyte ptr [0046a037]. During analysis I noticed this was completely useless code so I filled it with 0s and now Themida loads fine. I guess it could be like the %s%s crash but when showing disassembled view; I say this because you can see it in the dump window in hex view but when you click disassemble view it crashes. I want to try and patch OllyDbg to ignore it. I'll report back if I get anything. Just for Themida so it's before code. It probably says something like if it shows fld tbyte ptr [0046a037] then crash. Well it's got to be Olly's code because when debugging in win32dasm no crash, can see the byte fine. Edit In: After more searching it seems to be the FFFF right after, so just fill those 2 bytes with 0s. Causing the problem. Still haven't found a fix though. Edited August 18, 2007 by What
rendari Posted August 17, 2007
I always skip over the EP. No point at stopping there with Themida, so that trick never bothered me...
What Posted August 17, 2007
Well I really want to patch it in case other companies start using this technique. And it's annoying.
rendari Posted August 17, 2007
If other companies start to use it, I'll patch. But the only ones so far who do that are Themida and SKVP 2. Neither bothers me. So, I won't patch because I am so lazy.
SunBeam Posted August 18, 2007
There's a patch for any targets using the "invalid floating point" bug. Look it up. As for the unpackmes, I'll start up on every variant. Let's see what this bugger can do.
What Posted August 18, 2007 (edited)
Thanks for telling me there was a solution, SunBeam. I tracked it down, a half a byte patch @ 004AA2f2 to DB38. It was DF38. No more crash on start up. I created a quick Search N Replace patch for it. Works for all those people with SND version; just direct to SND.exe. Search N replace a bunch of different OllyDbgs. Tested on SND, Defixed, Modified Re-Paired. Edited August 18, 2007 by What
Fungus Posted August 18, 2007
I found this bug a long time ago now and posted it in the SND olly beta thread...
What Posted August 18, 2007 (edited)
> I found this bug a long time ago now and posted it in the SND olly beta thread...
@Fungus Sorry, didn't see it. My fix is a little different, albeit same area. LOL Anyway working on Themida, all done but all protections; with all protections enabled it's over 10 MB dump. Edited August 25, 2007 by What
SunBeam Posted August 18, 2007
Dump can be slimmed down, if Themida section is removed. But then again, if VM wasn't removed, you'll need that section.
azfk Posted August 7, 2009
Ok, so I've done them starting from .c and worked my way up to g, didn't notice the difference between .c to .f, except I think for one of them and for G, ImportRec sometimes can't read process memory and I need to use UIF. Anyways, for .g, I'm having trouble and was wondering how to progress to the next step. I was wondering how to deal with 'Code Replace' or could anyone provide a basis for what it does and how to counter it; as far as from my searching, I understand that it isn't as hard or difficult as Code Virtualization, but as I'm rather new to this, I really wouldn't know. Of course, I don't want step by step answers, but more of a general sense as to what is going on.

I've unpacked this and fixed the IAT, though sometimes I see 9-11 thunks while most of the time ImpRec only finds 5, for some odd reason; I'm going to look deeper into that. I've been manually stepping through my unpacked file as it crashes every time I run it and I have found this so far:

PUSH 457440
MOV ECX,45C6E4
CALL 0043C191
...
JMP 007B7C1C
...

After that section, it jumps to an empty section:

0000 ADD BYTE PTR DS:[EAX],AL
0000 ADD BYTE PTR DS:[EAX],AL
0000 ADD BYTE PTR DS:[EAX],AL
0000 ADD BYTE PTR DS:[EAX],AL

I went back to the unpackme and started tracing through and found code there but it isn't in my dumped file:

PUSH 0C61434
JMP 007B373E ; UnPackMe.007B373E
...
6A 00          PUSH 0
9C             PUSHFD
...
BB 01000000    MOV EBX,1
8D86 00040000  LEA EAX,DWORD PTR DS:[ESI+400]
F0:8618        LOCK XCHG BYTE PTR DS:[EAX],BL ; LOCK prefix
0ADB           OR BL,BL
...
60             PUSHAD

If I binary copy this over, it doesn't allow me to write to executable.

Also one more thing: in my dumped file, when I was manually tracing through, the code would transfer automatically (if I binary copy, I wanted to dump it later) at this command:

8D86 00040000  LEA EAX,DWORD PTR DS:[ESI+400]
F0:8618        LOCK XCHG BYTE PTR DS:[EAX],BL ; LOCK prefix

I understand this to be a semaphore or something akin to that, where 2 or more threads are waiting and making each other finish etc. BUT in the unpackme version, it does not jump control but continues execution... Any advice/help would be appreciated.
File NAME: UnPackMe_Themida 1.9.1.0.g
Charlzz Posted April 17, 2010
Can anybody explain why after this instruction (UnPackMe_Themida 1.9.1.0.c.exe)

00706393 C785 7D181B07 00000000 MOV DWORD PTR SS:[EBP+71B187D],0

we binary search for 39 85 ?? ?? ?? 0? 0F? Is there any logic there?
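As an added example (not code from the thread, the UnPackMe or Themida): in OllyDbg's binary-search syntax a `?` matches any nibble, and `39 85 disp32` encodes CMP DWORD PTR [EBP+disp32],EAX, so the quoted search looks for a compare against an [EBP+disp32] slot whose top displacement byte is 0x0?, followed by 0F, the first byte of a two-byte opcode such as a near Jcc. The scanner below implements that nibble-wildcard matching over a constructed byte sample and pairs each hit with the displacement of the quoted MOV; the sample bytes and the helper names are assumptions.

```python
"""Nibble-wildcard byte-pattern scanner for the OllyDbg-style search quoted above.

SAMPLE is constructed for illustration; only the MOV encoding is quoted in the thread.
"""
from typing import List, Tuple

# OllyDbg binary-search syntax: one token per byte, '?' matches any nibble.
CHECK_PATTERN = "39 85 ?? ?? ?? 0? 0F"        # CMP DWORD PTR [EBP+disp32],EAX ; 0F xx
MOV_PATTERN = "C7 85 ?? ?? ?? ?? 00 00 00 00"  # MOV DWORD PTR [EBP+disp32],0

def parse_pattern(pattern: str) -> List[Tuple[int, int]]:
    """Turn 'C7 85 ?? 0?' into (value, mask) pairs; a '?' nibble clears its mask bits."""
    pairs = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"bad pattern token {tok!r}")
        value = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        pairs.append((value, mask))
    return pairs

def find_all(data: bytes, pattern: str) -> List[int]:
    """Return every offset at which the masked pattern matches."""
    pairs = parse_pattern(pattern)
    return [
        off for off in range(len(data) - len(pairs) + 1)
        if all((data[off + i] & m) == v for i, (v, m) in enumerate(pairs))
    ]

def ebp_disp32(data: bytes, off: int) -> int:
    """disp32 of an [EBP+disp32] operand whose ModRM byte (0x85) sits at off+1."""
    return int.from_bytes(data[off + 2:off + 6], "little")

def checks_of_slot(data: bytes, mov_off: int) -> List[int]:
    """CHECK_PATTERN hits that compare the same [EBP+disp32] slot the MOV at mov_off wrote."""
    disp = ebp_disp32(data, mov_off)
    return [h for h in find_all(data, CHECK_PATTERN) if ebp_disp32(data, h) == disp]

# Constructed sample: the quoted MOV, NOP filler, a CMP on the same slot, and a decoy CMP
# whose displacement's top byte (0x40) fails the "0?" nibble mask.
SAMPLE = bytes.fromhex(
    "C7857D181B0700000000"      # 0:  MOV DWORD PTR SS:[EBP+71B187D],0 (quoted in the thread)
    "9090"                      # 10: NOP NOP
    "39857D181B070F8410000000"  # 12: CMP DWORD PTR [EBP+71B187D],EAX ; JE near
    "3985102030400F85FEFFFFFF"  # 24: CMP DWORD PTR [EBP+40302010],EAX ; JNE near (decoy)
)

if __name__ == "__main__":
    mov = find_all(SAMPLE, MOV_PATTERN)[0]
    print(f"MOV at {mov}, disp32 {ebp_disp32(SAMPLE, mov):08X}, checks at {checks_of_slot(SAMPLE, mov)}")
```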