Tuts 4 You

[unpackme] Themida 1.9.3.0 .net


Ufo-Pu55y


-Anti-Debugger Detection : Advanced (* Not Ultra, due to trial)

-Anti-Dumpers : Yep

-Entry Point Obfuscation : Yep

-Resources Encryption : Yep

-Advanced API-Wrapping : Level 1 (* Not Level 2, due to trial)

-Anti-Patching : None (* Due to trial)

-Metamorph Security : Yep

-Memory Guard : Yep

-Monitor Blockers : Yep

-CodeReplace Technology : Disabled (* Not supported for .NET)

-API Virtualization Level : 10

-Entry Point Virtualization : 100

-Multi Branch Technology : Disabled (* Due to trial)

-Encrypt Application : Yep

-.NET Assembly Protection : Yep

-F@cked Filesize : Yep (*From 28kb to 604kb)

-:X : Yep

UnpackMe_Themida_1930.rar

Good luck..

Link to comment
Here is the unpacked file. This file cannot run, but we can use Reflector to see the source code. :D
Very good !! :ninja:

You only need to correct the RVA of the 1 item in the Relocation Table from 3000 to 4000, and u've got a fully working and 100% clean file !

How did u go this time ?

Link to comment
You only need to correct the RVA of the 1 item in the Relocation Table from 3000 to 4000, and u've got a fully working and 100% clean file !

I know that. And I think 3000 must be to 5000.

How did u go this time ?

dump while it's running?

Yeah, I dump the memory and build new assembly.

Here is the unpacked file which can run.

http://www.box.net/shared/ku24qao1a6

Edited by rongchaua
Link to comment
And I think 3000 must be to 5000.
And I 'know', that it has to be 4000, since I made the UnpackMe :rolleyes:

To be sure, I've tested both of ur uploads - they both crash.

But they run fine, after correcting it to 4000.

I wonder, how it runs for you with 5000... again something with Vista :?

Link to comment

Thanks UFO for testing. I have tested again with Win XP. It really crashes. But it can run on my Vista. ;)

By the way, do you know how we can calculate this value so that we get the right value when fixing?

Edited by rongchaua
Link to comment
By the way, do you know how we can calculate this value so that we get the right value when fixing?

I dunno, if there's much to calculate, but I made some screenshots.

I think they'll help to better understand, what's what in a .net file:

post-20979-1189097659_thumb.png

That value has often to be corrected (at least for me).

The main thing is, that the RVA address of the HIGHLOW has to point exactly to the destination DWORD for the JMP at the entry point...

Regarding this UnpackMe:

So the easiest solution seems to be DeProtector again.

After the dump, u only need to add a .reloc section, which should contain the stuff u see above... a job of some minutes !

Try harder, Themida ! :cool2:

Edited by Ufo-Pu55y
Link to comment
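The relationship described in the post above (the HIGHLOW relocation must land on the DWORD operand of the entry-point JMP) can be checked mechanically. The following is an added example, not code from the thread or from any of the tools mentioned: it assumes a 32-bit managed PE whose entry point is the usual `FF 25` jump stub, and the entry RVA, stub bytes and relocation block are constructed sample values, not taken from the UnpackMe.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit fixup, the "HIGHLOW" from the thread

def parse_reloc_block(data):
    """Parse one IMAGE_BASE_RELOCATION block -> (page_rva, [(type, rva), ...])."""
    page_rva, size = struct.unpack_from("<II", data, 0)
    if size < 8 or size > len(data) or size % 2:
        raise ValueError("bad SizeOfBlock: %d" % size)
    entries = []
    for (word,) in struct.iter_unpack("<H", data[8:size]):
        rtype, offset = word >> 12, word & 0x0FFF
        if rtype != IMAGE_REL_BASED_ABSOLUTE:
            entries.append((rtype, page_rva + offset))
    return page_rva, entries

def expected_fixup_rva(entry_rva, stub):
    """RVA of the DWORD operand of the FF 25 (jmp dword ptr [abs32]) stub."""
    if stub[:2] != b"\xff\x25":
        raise ValueError("entry point is not an FF 25 jump stub")
    return entry_rva + 2

def check_reloc(entry_rva, stub, reloc):
    """Return (ok, expected_page_rva, found_highlow_rvas) for a dumped file."""
    target = expected_fixup_rva(entry_rva, stub)
    _, entries = parse_reloc_block(reloc)
    found = [rva for rtype, rva in entries if rtype == IMAGE_REL_BASED_HIGHLOW]
    return target in found, target & ~0xFFF, found

def build_reloc_block(entry_rva, stub):
    """Build the 12-byte block: one HIGHLOW entry plus one ABSOLUTE pad."""
    target = expected_fixup_rva(entry_rva, stub)
    word = (IMAGE_REL_BASED_HIGHLOW << 12) | (target & 0xFFF)
    return struct.pack("<IIHH", target & ~0xFFF, 12, word, 0)

# Constructed sample values (hypothetical, not read from the UnpackMe).
ENTRY_RVA = 0x4ABE
STUB = bytes.fromhex("ff2500204000")                      # jmp dword ptr [0x402000]
BAD_RELOC = struct.pack("<IIHH", 0x3000, 12, 0x3AC0, 0)   # block page RVA 3000

if __name__ == "__main__":
    print(check_reloc(ENTRY_RVA, STUB, BAD_RELOC))
    print(check_reloc(ENTRY_RVA, STUB, build_reloc_block(ENTRY_RVA, STUB)))
```

With the sample block the fixup resolves to RVA 3AC0 while the JMP operand sits at 4AC0, so the check fails until the block's page RVA is the page that contains entry point + 2.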
There is an error "unable to find a version of the runtime to run this application". How should I fix so that file can run?
I dunno that app, but I also didn't see anything incorrect in the dump.

In Reflector 'Analyze' HaxCr4x 3.3 and u'll see that it 'Depends On' a 'Winsock2005DLL' !

Did it come with that app ? If yes, is/was any of them signed ?

This error pops up already, when it doesn't find that DLL...

Link to comment

Hmmm no it's something else. I had the same problem with some other .NET protector, I forget how I fixed it :( Anyways, sorry I'll look at it later, right now I'm reversing something else :P

Link to comment
  • 1 month later...
  • 2 months later...
could someone pls download all these .net unpackers from megaupload and upload it somewhere else??

thx

Yeah, people. To download something from Megaupload you must have their toolbar installed.

And when you install the toolbar, it often screws your browser.

There is a site called www.filecrunch.com. I just uploaded something with it. Looks ok.

Link to comment
Teddy Rogers

Or quite simply start a new topic in Tools of the Trade and add those files to the topic. Seems even less complicated to me... :dunno:

Ted.

Link to comment

ok thx for the new links..

little bug: about button doesn't work in themida and dnguard unpackers..

http://img124.imageshack.us/img124/6931/erormr4.jpg
Edited by Vrane
Link to comment

Hi, mate!

Copy/Paste more detailed info from "Details" button would be a good thing, so we can have a closer look into what exactly went wrong.. .net spits out pretty useful information in there..

I tried it on themida1.9.1.0 protected delphi exe file, and program (unpacker) displayed:

Fix number of sections done!

Fix entry point done!

Fix SizeOfImage in Optional Header done!

Fix checksum done!

Fix dll characteristics done!

Fix Debug directory RVA done!

Fix Import Address Table Directory RVA done!

Fix Import Address Table Directory Size done!

Fix .NET MetaData Directory RVA done!

Fix .NET MetaData Directory Size done!

Fix raw offset of .text section done!

Fix raw size of .text section done!

Fix raw address of .rsrc section done!

Fix .reloc section done!

Fix Relocation Table RVA done!

Fix first 4 bytes of .NET Directory done!

Fix content of Relocation Table done!

File patch was saved successfully!

But the file is not a valid PE file afterwards :(

If needed I can post packed file for further improvement of this great tool.

BR, ChupaChu!

Link to comment
I tried it on themida1.9.1.0 protected delphi exe file, and program (unpacker) displayed:

I think there is a misunderstanding here. This is an unpacker for a .net assembly protected by Themida, not native code.

Regards.

rca.

Link to comment
