[unpackme]Themida 2.0.3.0 - UnpackME

[Sp1d3rZ]

Themida v2.0.3.0 - UnpackMe

Protection Level = V.HARD

I give u Protection Details for making ur unpack easy

==Protection Options==

Anti-Debugger Detection = Ultra

Advanced API-Wrapping = Level2

Anti Dumpers = Enable

Anti- Patching = File Patch (Sign Support)

Entry Point Obfuscation = Enable

Metamorph Security = Enable

Resource Encryption = Enable

Memory Guard = Enable

VMWare/Virtual PC = Compatible

Compression = App/Res/Secure

Monitor Blockers = File Monitors/Registry Monitors

Delphi/BCB Form = Enable

When Debugger Found = Exit Silently

Code Replace = Enable

==Advanced Option==

Encrypt App = Enable

.NET ASM = Enable

Hide from PE = Type2

When U DID IT Please write a tut.

Themida2.UnpackMe.rar

[Loveless]

New stack antidump and new import routine... other stuff look simple. will recode script and dump later when i get time. no time now.

[sfs]

vb app

[Loki]

Moved to correct section

[Loveless]

done. op check pm. for everyone else:

import routine write:

0057960A	8F00			   POP DWORD PTR DS:[EAX]
0057960C	8128 A654FC65	  SUB DWORD PTR DS:[EAX],65FC54A6

vm oep

VM OEP:
0056DB1C	68 69C52507		PUSH 725C569
0056DB21  ^ E9 4769F5FF		JMP Themida_.004C446D

iat

00401000  C6 91 79 72 39 08 79 72  Ƒyr9yr

00401008 E3 BC 76 72 FA 00 79 72

[quosego]

Not funny loveless...

I wanted to be the first

nice work.

Will unpack it also.

EDIT:

Ran straight through my script.. Nothing new..

(No updates necessary in my script )

Script Log Window
Address	Message
7C901231   VM antidump redirector is used.
58F000	 Modulebase: 00400000
58F000	 Code & IAT Section: 00401000
7C809A8A   VM is located in the Themida/Winlicense section.
7C90D4DE   -------------
7C90D4DE   IAT fixing started.
576D73	 IAT loop detected and skipped at: 00576BB5
576DC4	 Eax holds an API place detected at: 00576DC4
576DC4	 Cmp eax,50 detected at: 00579AC0
4D3396	 IAT fixing finished.
4D3396	 -------------
4D3396	 IAT start: 00400FFC
4D3396	 IAT end: 00401074
4D3396	 IAT Size: 00000078
4D3396	 -------------
4D3396	 Heap antidump and Stack antidump are redirected.(2)
401128	 -------------
401128	 Total CodeReplace functions: 00000000
401128	 -------------
401128	 PE Header antidump is located at: 004000E0
401128	 Stack Antidump located at: 00415100
401128	 Heap Antidump(1) located at: 00415104
401128	 Heap Antidump(2) located at: 00415108
401128	 -------------
401128	 OEP or near OEP located at: 00401128

q.

Edited October 1, 2008 by quosego

[Loveless]

Well, your script better then. Had to update mine AGAIN

Not funny loveless... smile.gif

I wanted to be the first smile.gif

nice work.

teeheehee thank you

Edited October 1, 2008 by Loveless

[rooster1]

quosego

is there a place we can download your script or are you keeping it to yourself?

many thanks for any reply

[Loveless]

Sp1d3rZ says my exe doesn't run on his machine, so i guess quosego solved it first properly then i dont have other machine to test it on, so i dunno what i missed...

Edited October 1, 2008 by Loveless

[ZenLoren]

Hi all Themida Experts,

Is the below script proper for IAT rebuilding & make call/jump address for this thread target ?

or there is some mistake

Lorens!

// Thanks Quesego i am manipulating his original script :)var prevadrr
var first
var oldaddr
var zero1
var zero2
var IATvar save_edi		  // Variable to save EDI var pAddr		  // address where the jump should be assembled
var pJumpTarget 	// Target Address of above jump bphws 00401128, "x" 	// Hardware BreakPoint on Execution at OEP
bphws 00576FBA, "x"	 // Hardware BreakPoint on Address instruction 
			// 00576fBA  mov ebx,dword ptr ss:[ebp+71B2A1D] real & EAX=Real API
LABEL_02:esto
bpwm 401000, 12000		// Break-point on Memory Code Section
cmp eip, 00401128		// Did we reach OEP or Near OEP ?
je END				// go to END of scriptmov temp, eip			// Save eip in temp variable
mov temp, [temp]
and temp, 0ffffcmp temp, 09D8B			 
jne LABEL_04mov IAT, eax			 
jmp LABEL_02LABEL_04:
cmp temp, 0008f			// our check to save real api 
je LABEL_01cmp temp, 5788			// check Just to skip breakpoint
je just_skipcmp temp, 0FAA			// Use of this check is for saving EDI where the jump/call will be assemble
je  just_skip_0FAA		cmp temp, 0E9AB		  // Now we should make our call/jump things
je LABEL_07jmp LABEL_02LABEL_01:			// SAVE real Address
cmp [eax], 0			// IAT is 00 API's 90909090
jne LABEL_07			// <-- I guess we should remove this check for this target
sti
sti
mov [eax],IAT			// write the api into the IAT
jmp LABEL_02LABEL_07:			// Make our call/jump 
sti
push edi			
mov edi, save_edi		// saved edi now in edimov oldaddr, IAT		// calculation of api location.. 
sub oldaddr, edi
sub oldaddr, 4
mov [edi],oldaddr		// write the api into an direct jmp/callpop edijmp LABEL_02just_skip:
sti
jmp LABEL_02
just_skip_0FAA:			// Saving EDI address 
stimov save_edi, edi		// here saving it in var save_edi
jmp LABEL_02END:
ret

[Loveless]

well if it works, it works right? that script is too spaghetti for me to read into

[Computer_Angel]

Well well, It seem I'm late from this unpackme ^.^.

By the way, after I receive Pm from Loveless, I decide to public my script for themida/winlic.

Hope you like that.

p/s: The base script is base on the one public in UnpackCN.

/*

Target: Themida & WinLicense 1900-2030

Author: Computer_Angel

http://www.reaonline.net

version 0.8 - 04.11.20098

Thanks to:

+ the CUG Team Members (fxyang,fly, okodo ... etc) - the base flow of script

+ 4VN Group

+ REA Team

History:

ver 0.8

+ Fix case 8930 mov dword ptr [eax], esi

ver 0.7

+ Support wl 2010

+ Fix case 8938 mov dword ptr [eax], edi

+ Fix bug IAT

ver 0.6

+ Support wl 1990

+ Fix bug in non-emulation api

ver 0.5

+ Support wl 1855,1900,1910,1920,1930,1940

+ Improve speed

ver 0.4

+ Optimize code

+ Fix bug when one ore moe import DLL : USER32 , KERNEL32, ADVAPI32 not used in protected program

ver 0.3

+ Fix flow for wl 1961,1950

ver 0.2

+ Optimize flow, support emulate/non emulate api

+ Stop at OEP

ver 0.1

+ Draft version for wl 1960 , just for emulate api

Things to improve:

+ Optimize the iat recover speed ??? Maybe inline asm will help

+ Support the prev version (<1855)

+ OEP Recover ???

*/

data:

var cbase

var csize

var dllimg

var dllsize

var mem

var getprocadd

var gatprocadd_2

var tmp

var temp

var tmppn

var tmpdir

var tmpefn

var atmp0

var atmp1

var atmp2

var crcmethod

cmp $VERSION, "1.52"

jb odbgver

#log

bphwcall

bpmc

gmi eip,CODEBASE

mov cbase,$RESULT

gmi eip,CODESIZE

mov csize,$RESULT

gmemi eip,MEMORYBASE //

Edited October 4, 2008 by Computer_Angel

[Loveless]

Hey computer, this is above and beyond Thanks a lot

[ZenLoren]

Computer_Angel:

Thanks for your script its rocks! Themida IAT rebuilding seems trival now

Well it gives error to me on this thread target but other 3 targets which i am studying it rebuilding successfully.

What's left for me for Themida study is to find stolen bytes, VM antidumps + Stack tricks & make the dump work.

I am digging already & will post results when i understand it completely. Till then keep rocking!

Cheers

Lorens!

[Computer_Angel]

In some small target it will fail if could not find the magic place. But I sure in almost case it's ok.

Hope you guy could fix it because I have little of time now.

In this target, my script is missing in here:

find_first_point:

find tmp,#8B9D????????#

cmp $RESULT,0

je error

mov tmp,$RESULT

add tmp,2

mov tmpoffset,[tmp],4

mov my_ebx,[ebp+tmpoffset]

cmp my_ebx,0

je found_first_point

cmp my_ebx,1

je found_first_point

add tmp,4

jmp find_first_point

Just add bold line and maybe it could found the magic point

Edited October 4, 2008 by Computer_Angel

[quosego]

Nice script,

Same method as me, However is it me or are you missing a lot of IAT writing points?? especially 89xx ones..

is there a place we can download your script or are you keeping it to yourself?

many thanks for any reply

Nope, It's still my opinion one should figure out antidump on his own.. Not use some script.

IAT scripts are now everywhere.. It should not be that hard if you search a bit analyse some releases and think a bit..

q.

[Computer_Angel]

Nice script,

Same method as me, However is it me or are you missing a lot of IAT writing points?? especially 89xx ones..

^.^ Yep, but all my target is OK. But it don't important because if other understand the script, they could fix it easy, right ?

I think your script is better than me now cause I'm quite busy with my job.

[LCF-AT]

Hello,

also a nice script Computer_Angel but I think you should include a better APIBASE check for more systems.

558BECFF7514FF7510FF750CFF75086AFFE--->809000000<---5DC21000...81B000000...
...884FFFFFF...
...878FFFFFF...
...809000000...
...804000000...
and
...8????????...  // <-- take the second found place for this.

So I have done this so in my script.

Now a question from me to this UnpackMe.So I have also unpack it but it has problems to load the

ThunderRT6CommandButton Class in the unpacked file and then the app ZwTerminate...

[Loveless]

Antidumps shouldn't be a problem in this unpackme, since there is only one VM'd thing, and even that can be rebuild by hand easily.

EDIT Nvm there is PE header antidump. But it shouldn't affect the target... should it?

Edited October 5, 2008 by Loveless

[ZenLoren]

Hi Loveless,

Jmp 40c446d is crossreference several places How did you come to know about below things that this is VM OEP ??

VM OEP:

0056DB1C 68 69C52507 PUSH 725C569

0056DB21 E9 4769F5FF JMP Themida_.004C446D

Is it bcos its the last one to go before near OEP of this target or through experience ??

To all of you :

Can anybody point me to a tutorial where an author has explain VM dumping + Anti Dumps tricks ??

I did checked but could not locate or its still a secret ?

Regards

Lorens

[Loveless]

u can tell thru experience. unpack enough themida apps and you will notice a pattern to getting to VM OEP... a pettern that u can put down in script and let do work for u

[Loveless]

To all of you :

Can anybody point me to a tutorial where an author has explain VM dumping + Anti Dumps tricks ??

I did checked but could not locate or its still a secret ?

It's private, and remains so for quite while, yes?

[Computer_Angel]

Hi Loveless,

Jmp 40c446d is crossreference several places How did you come to know about below things that this is VM OEP ??

VM OEP:

0056DB1C 68 69C52507 PUSH 725C569

0056DB21 E9 4769F5FF JMP Themida_.004C446D

Is it bcos its the last one to go before near OEP of this target or through experience ??

To all of you :

Can anybody point me to a tutorial where an author has explain VM dumping + Anti Dumps tricks ??

I did checked but could not locate or its still a secret ?

Regards

Lorens

I think because it's the nearest place to jmp to ThunkMain.

By the way, the target is VB, so it easy to recover OEP, no need to use VM OEP.

[Loveless]

By the way, the target is VB, so it easy to recover OEP, no need to use VM OEP.

yeah, but I like to use VM OEP cus it looks cooler

[ZenLoren]

Hi Computer_Angel & Loveless,

Thank you for all your clarifications. Just one more doubts to get cleared. Suppose in an Traget we find VM OEP we have to dump the target at VM OEP & we don't have to recover the stolen bytes ?

OR

We have to dump at OEP & then recover the stolen bytes ?

Cheers

Lorens!