Ufo-Pu55y Posted September 5, 2007

- Anti-Debugger Detection : Advanced (* Not Ultra, due to trial)
- Anti-Dumpers : Yep
- Entry Point Obfuscation : Yep
- Resources Encryption : Yep
- Advanced API-Wrapping : Level 1 (* Not Level 2, due to trial)
- Anti-Patching : None (* Due to trial)
- Metamorph Security : Yep
- Memory Guard : Yep
- Monitor Blockers : Yep
- CodeReplace Technology : Disabled (* Not supported for .NET)
- API Virtualization Level : 10
- Entry Point Virtualization : 100
- Multi Branch Technology : Disabled (* Due to trial)
- Encrypt Application : Yep
- .NET Assembly Protection : Yep
- F@cked Filesize : Yep (* From 28kb to 604kb)
- :X : Yep

UnpackMe_Themida_1930.rar

Good luck..

rongchaua Posted September 5, 2007

Here is the unpacked file. This file cannot run, but we can use Reflector to see the source code.

http://www.box.net/shared/ku24qao1a6

Ufo-Pu55y Posted September 6, 2007 (Author)

> Here is the unpacked file. This file cannot run, but we can use Reflector to see the source code.

Very good !! You only need to correct the RVA of the 1 item in the Relocation Table from 3000 to 4000, and u've got a fully working and 100% clean file !

How did u go this time ?

rongchaua Posted September 6, 2007

> You only need to correct the RVA of the 1 item in the Relocation Table from 3000 to 4000, and u've got a fully working and 100% clean file !

I know that. And I think 3000 must be to 5000.

> How did u go this time ? dump while it's running?

Yeah, I dump the memory and build a new assembly. Here is the unpacked file which can run.

http://www.box.net/shared/ku24qao1a6

Edited September 6, 2007 by rongchaua

Ufo-Pu55y Posted September 6, 2007 (Author)

> And I think 3000 must be to 5000.

And I 'know' that it has to be 4000, since I made the UnpackMe. To be sure, I've tested both of ur uploads - they both crash. But they run fine after correcting it to 4000. I wonder how it runs for you with 5000... again something with Vista :?

rongchaua Posted September 6, 2007

Thanks UFO for testing. I have tested again with Win XP. It really crashes. But it can run on my Vista. By the way, do you know how we can calculate this value so that we can get the right value when fixing?

Edited September 6, 2007 by rongchaua

Ufo-Pu55y Posted September 6, 2007 (Author)

> By the way do you know how can we calculate this value so that we can get a right value when fix.

I dunno if there's much to calculate, but I made some screenshots. I think they'll help to better understand what's what in a .net file:

That value has often to be corrected (at least for me). The main thing is that the RVA address of the HIGHLOW has to point exactly to the destination DWORD for the JMP at the entry point...

Regarding this UnpackMe:

So the easiest solution seems to be DeProtector again. After the dump, u only need to add a .reloc section, which should contain the stuff u see above... a job of some minutes ! Try harder, Themida !

Edited September 6, 2007 by Ufo-Pu55y

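The condition described in the post above (the HIGHLOW relocation must land exactly on the address DWORD of the JMP at the entry point) can be checked by parsing the PE header, as in this added example, which is not part of the original thread. It assumes a 32-bit PE whose entry point is an `FF 25` JMP stub; `build_sample` is a hypothetical helper producing a constructed header whose 3000/4000 page values echo the thread, not the real UnpackMe.

```python
import struct

def rva_to_offset(pe, coff, rva):  # RVA -> file offset via the section table
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    table = coff + 20 + struct.unpack_from("<H", pe, coff + 16)[0]
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<4I", pe, table + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return raw + rva - va
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def check_entry_reloc(pe):
    """Return (RVA of the JMP operand, HIGHLOW target RVAs, whether they match)."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4
    opt = coff + 20
    if pe[coff - 4:coff] != b"PE\0\0" or struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    ep = struct.unpack_from("<I", pe, opt + 16)[0]           # AddressOfEntryPoint
    dir_rva, dir_size = struct.unpack_from("<II", pe, opt + 96 + 5 * 8)
    ep_off = rva_to_offset(pe, coff, ep)
    if pe[ep_off:ep_off + 2] != b"\xff\x25":                 # assumed JMP [abs32] stub
        raise ValueError("entry point is not an FF 25 JMP stub")
    highlow, pos = [], rva_to_offset(pe, coff, dir_rva)
    end = pos + dir_size
    while pos + 8 <= end:
        page, size = struct.unpack_from("<II", pe, pos)      # block header
        if size < 8:
            break
        for i in range(pos + 8, min(pos + size, end) - 1, 2):
            entry = struct.unpack_from("<H", pe, i)[0]
            if entry >> 12 == 3:                             # IMAGE_REL_BASED_HIGHLOW
                highlow.append(page + (entry & 0xFFF))
        pos += size
    return ep + 2, highlow, (ep + 2) in highlow

def build_sample(page_rva):
    """Constructed PE32 header: JMP stub at RVA 0x4010, one HIGHLOW entry."""
    pe = bytearray(0x600)
    pe[:2], pe[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x80)                   # e_lfanew
    struct.pack_into("<HH", pe, 0x84, 0x14C, 2)              # i386, 2 sections
    struct.pack_into("<HHH", pe, 0x94, 0xE0, 0x102, 0x10B)   # opt size, flags, PE32
    struct.pack_into("<I", pe, 0x98 + 16, 0x4010)            # AddressOfEntryPoint
    struct.pack_into("<II", pe, 0x98 + 136, 0x6000, 12)      # base relocation dir
    struct.pack_into("<4I", pe, 0x178 + 8, 0x200, 0x4000, 0x200, 0x200)  # .text
    struct.pack_into("<4I", pe, 0x1A0 + 8, 12, 0x6000, 0x200, 0x400)     # .reloc
    struct.pack_into("<HI", pe, 0x210, 0x25FF, 0x402000)     # FF 25 + address
    struct.pack_into("<IIHH", pe, 0x400, page_rva, 12, 0x3012, 0)
    return bytes(pe)
```

With the block's page RVA set to 0x4000 the single HIGHLOW entry resolves to the operand at entry point + 2; with 0x3000 it points one page too low, so the loader would rebase the wrong DWORD.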
rongchaua Posted September 9, 2007

Hi all,

I have a file packed with Themida. After I unpack it, I can view the source code with Themida. But the file cannot run. There is an error "unable to find a version of the runtime to run this application". How should I fix it so that the file can run?

Here it is: http://www.box.net/shared/vksrsyabhi

Thanks.
rca.

Ufo-Pu55y Posted September 9, 2007 (Author)

> There is an error "unable to find a version of the runtime to run this application". How should I fix so that file can run?

I dunno that app, but I also didn't see anything incorrect in the dump.

In Reflector 'Analyze' HaxCr4x 3.3 and u'll see that it 'Depends On' a 'Winsock2005DLL' !

Did it come with that app ? If yes, is/was any of them signed ?

This error pops up already when it doesn't find that DLL...

rendari Posted September 11, 2007

No, that's not the thing UFOPUSSY... I think your metadata directory pointers found in the PE header are incorrect.

Edited September 11, 2007 by rendari

rongchaua Posted September 11, 2007

> No, that's not the thing UFOPUSSY... I think your metadata directory pointers found in the PE header are incorrect

Can you fix it for me?

rendari Posted September 11, 2007

Hmmm no, it's something else. I had the same problem with some other .NET protector, I forget how I fixed it. Anyways, sorry, I'll look at it later, right now I'm reversing something else.

rongchaua Posted January 3, 2008

Gifts for new years.

http://rongchaua.net/index.php?option=com_...1&Itemid=36

kaksii Posted January 3, 2008

> Gifts for new years. http://rongchaua.net/index.php?option=com_...1&Itemid=36

Hehe nice. I'm glad that themida is getting more and more explored.

Vrane Posted January 3, 2008

could someone pls download all these .net unpackers from megaupload and upload it somewhere else??

thx

kaksii Posted January 3, 2008

> could someone pls download all these .net unpackers from megaupload and upload it somewhere else?? thx

Yeah, people. To download something from Megaupload you must have their toolbar installed. And when you install the toolbar, it often screws your browser.

There is a site called www.filecrunch.com. I just uploaded something with it. Looks ok.

rongchaua Posted January 3, 2008

I've made a new mirror. Download at new mirror if mega doesn't work for you.

Teddy Rogers Posted January 3, 2008

Or quite simply start a new topic in Tools of the Trade and add those files to the topic. Seems even less complicated to me...

Ted.

Vrane Posted January 3, 2008

ok thx for the new links..

little bug: about button doesn't work in themida and dnguard unpackers..

http://img124.imageshack.us/img124/6931/erormr4.jpg

Edited January 3, 2008 by Vrane

ChupaChu Posted January 11, 2008

Hi, mate!

Copy/Paste more detailed info from "Details" button would be a good thing, so we can have a closer look into what exactly went wrong.. .net spits out pretty useful information in there..

I tried it on themida1.9.1.0 protected delphi exe file, and program (unpacker) displayed:

Fix number of sections done!
Fix entry point done!
Fix SizeOfImage in Optional Header done!
Fix checksum done!
Fix dll characteristics done!
Fix Debug directory RVA done!
Fix Import Address Table Directory RVA done!
Fix Import Address Table Directory Size done!
Fix .NET MetaData Directory RVA done!
Fix .NET MetaData Directory Size done!
Fix raw offset of .text section done!
Fix raw size of .text section done!
Fix raw address of .rsrc section done!
Fix .reloc section done!
Fix Relocation Table RVA done!
Fix first 4 bytes of .NET Directory done!
Fix content of Relocation Table done!
File patch was saved successfully!

But the file is not a valid PE file afterwards. If needed I can post the packed file for further improvement of this great tool.

BR, ChupaChu!

rongchaua Posted January 12, 2008

> I tried it on themida1.9.1.0 protected delphi exe file, and program (unpacker) displayed:

I think there is a misunderstanding here. This is an unpacker for a .net assembly protected by Themida, not native code.

Regards.
rca.

ChupaChu Posted January 12, 2008

Silly me, I did not read carefully enough. Is there a non dot net support planned in future?

BR, ChupaChu!