Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[unpackme] Themida 1.9.3.0 .net

Ufo-Pu55y
Ufo-Pu55y
in UnPackMe (.NET)

Featured Replies

Posted

-Anti-Debugger Detection : Advanced (* Not Ultra, due to trial)

-Anti-Dumpers : Yep

-Entry Point Obfuscation : Yep

-Resources Encryption : Yep

-Advanced API-Wrapping : Level 1 (* Not Level 2, due to trial)

-Anti-Patching : None (* Due to trial)

-Metamorph Security : Yep

-Memory Guard : Yep

-Monitor Blockers : Yep

-CodeReplace Technology : Disabled (* Not supported for .NET)

-API Virtualization Level : 10

-Entry Point Virtualization : 100

-Multi Branch Technology : Disabled (* Due to trial)

-Encrypt Application : Yep

-.NET Assembly Protection : Yep

-F@cked Filesize : Yep (*From 28kb to 604kb)

-:X : Yep

UnpackMe_Themida_1930.rar

Good luck..

I got my laptop fixed. Will check it out :)

Here is the unpack file. This file can not run, but we can use reflector to see source code. :D .

http://www.box.net/shared/ku24qao1a6

  • Author
Here is the unpack file. This file can not run, but we can use reflector to see source code. :D .
Very good !! :ninja:

You only need to correct the RVA of the 1 item in the

Relocation Table from 3000 to 4000, and u've got a

fully working and 100% clean file !

How did u go this time ?

dump while its running?

You only need to correct the RVA of the 1 item in the

Relocation Table from 3000 to 4000, and u've got a

fully working and 100% clean file !

I know that. And I think 3000 must be to 5000.

How did u go this time ?

dump while its running?

Yeah, I dump the memory and build new assembly.

Here is the unpacked file which can runs.

http://www.box.net/shared/ku24qao1a6

Edited by rongchaua

  • Author
And I think 3000 must be to 5000.
And I 'know', that it has to be 4000, since I made the UnpackMe :rolleyes:

To be sure, I've tested both of ur uploads - they both crash.

But they run fine, after correcting it to 4000.

I wonder, how it runs for you with 5000... again something with Vista :?

Thank UFO for testing. I have tested again with Win XP . It really crashes . But it can run on my vista. ;) ).

By the way do you know how can we calculate this value so that we can get a right value when fix.

Edited by rongchaua

  • Author
By the way do you know how can we calculate this value so that we can get a right value when fix.

I dunno, if there's much to calculate, but I made some screenshots.

I think they'll help to better understand, what's what in a .net file:

post-20979-1189097659_thumb.png

That value has often to be corrected (at least for me).

The main thing is, that the RVA address of the HIGHLOW has

to point exactly to the destination DWORD for the JMP at the

entry point...

Regarding this UnpackMe:

So the easiest solution seems to be DeProtector again.

After the dump, u only need to add a .reloc section, which

should contain the stuff u see above... a job of some minutes !

Try harder, Themida ! :cool2:

Edited by Ufo-Pu55y

Hi all,

I have a file packed with Themida. After I unpack it, i can view source code with Themida. But file can not run. There is an error "unable to find a version of the runtime to run this application". How should I fix so that file can run?

Here is it:

http://www.box.net/shared/vksrsyabhi

Thanks.

rca.

  • Author
There is an error "unable to find a version of the runtime to run this application". How should I fix so that file can run?
I dunno that app, but I also didn't see anything incorrect in the dump.

In Reflector 'Analyze' HaxCr4x 3.3 and u'll see that it 'Depends On' a 'Winsock2005DLL' !

Did it come with that app ? If yes, is/was any of them signed ?

This error pops up already, when it dosn't find that DLL...

No, thats not the thing UFOPUSSY... I think your metadata directory pointers found in the PE header are incorrect ;)

Edited by rendari

No, thats not the thing UFOPUSSY... I think your metadata directory pointers found in the PE header are incorrect

Can you fix it for me?

Hmmm no its something else. I had the same problem with some other .NET protector, I forget how I fixed it :( Anyways, sorry I'll look at it later, right now I'm reversing something else :P

  • 1 month later...

none of this files workz grml

  • 2 months later...

could someone pls download all these .net unpackers from megaupload and upload it somewhere else??

thx

could someone pls download all these .net unpackers from megaupload and upload it somewhere else??

thx

Yeah, people. To download somethng from Megaupload you must have their toolbar installed.

And when you install the toolbar, it often screws your browser.

there is a site called www.filecrunch.com. I just uploaded something with it. Looks ok.

I've made a new mirror. Download at new mirror if mega doesn't work for you.

Or quite simply start a new topic in Tools of the Trade and add those files to the topic. Seems even less complicated to me... :dunno:

Ted.

ok thx for the new links..

little bug: about button doesn't work in themida and dnguard unpackers.. 

http://img124.imageshack.us/img124/6931/erormr4.jpg

Edited by Vrane

Hi, mate!

Copy/Paste more detailed info from "Details" button would

be a good thing, so we can have a closer look into whats

exactly went wrong.. .net spits out pretty usefull infomation

in there..

I tried it on themida1.9.1.0 protected delphi exe file, and

program (unpacker) displayed:

Fix number of sections done!

Fix entry point done!

Fix SizeOfImage in Optional Header done!

Fix checksum done!

Fix dll characteristics done!

Fix Debug directory RVA done!

Fix Import Address Table Directory RVA done!

Fix Import Address Table Directory Size done!

Fix .NET MetaData Directory RVA done!

Fix .NET MetaData Directory Size done!

Fix raw offset of .text section done!

Fix raw size of .text section done!

Fix raw address of .rsrc section done!

Fix .reloc section done!

Fix Relocation Table RVA done!

Fix first 4 bytes of .NET Directory done!

Fix content of Relocation Table done!

File patch was saved successfully!

But the file is not a valid PE file afterwards :(

If needed i can post packed file for further

improvenment of this great tool.

BR, ChupaChu!

I tried it on themida1.9.1.0 protected delphi exe file, and

program (unpacker) displayed:

I think there is a misunderstood thing here. This is an unpacker for a .net assembly protected by Themida, not native code.

Regards.

rca.

Silly me, i did not read carefull enough :doh:

Is there an non dot net support planed, in future?

BR, ChupaChu!

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.