Tuts 4 You

[unpackme]Themida 2.0.3.0 - UnpackME


Sp1d3rZ


Themida v2.0.3.0 - UnpackMe

Protection Level = V.HARD

I give u Protection Details for making ur unpack easy ;)

==Protection Options==

Anti-Debugger Detection = Ultra

Advanced API-Wrapping = Level2

Anti Dumpers = Enable

Anti-Patching = File Patch (Sign Support)

Entry Point Obfuscation = Enable

Metamorph Security = Enable

Resource Encryption = Enable

Memory Guard = Enable

VMWare/Virtual PC = Compatible

Compression = App/Res/Secure

Monitor Blockers = File Monitors/Registry Monitors

Delphi/BCB Form = Enable

When Debugger Found = Exit Silently

Code Replace = Enable

==Advanced Option==

Encrypt App = Enable

.NET ASM = Enable

Hide from PE = Type2

When U DID IT ;) Please write a tut.

Themida2.UnpackMe.rar


New stack antidump and new import routine... other stuff looks simple. Will recode script and dump later when I get time. No time now.


done. op check pm. for everyone else:

import routine write:

0057960A 8F00          POP DWORD PTR DS:[EAX]
0057960C 8128 A654FC65 SUB DWORD PTR DS:[EAX],65FC54A6

VM OEP:

0056DB1C 68 69C52507   PUSH 725C569
0056DB21 E9 4769F5FF   JMP Themida_.004C446D

IAT:

00401000 C6 91 79 72 39 08 79 72
00401008 E3 BC 76 72 FA 00 79 72


Not funny loveless... :)

I wanted to be the first :)

nice work.

Will unpack it also.

EDIT:

Ran straight through my script.. Nothing new..

(No updates necessary in my script :) )

Script Log Window
Address Message
7C901231 VM antidump redirector is used.
58F000 Modulebase: 00400000
58F000 Code & IAT Section: 00401000
7C809A8A VM is located in the Themida/Winlicense section.
7C90D4DE -------------
7C90D4DE IAT fixing started.
576D73 IAT loop detected and skipped at: 00576BB5
576DC4 Eax holds an API place detected at: 00576DC4
576DC4 Cmp eax,50 detected at: 00579AC0
4D3396 IAT fixing finished.
4D3396 -------------
4D3396 IAT start: 00400FFC
4D3396 IAT end: 00401074
4D3396 IAT Size: 00000078
4D3396 -------------
4D3396 Heap antidump and Stack antidump are redirected.(2)
401128 -------------
401128 Total CodeReplace functions: 00000000
401128 -------------
401128 PE Header antidump is located at: 004000E0
401128 Stack Antidump located at: 00415100
401128 Heap Antidump(1) located at: 00415104
401128 Heap Antidump(2) located at: 00415108
401128 -------------
401128 OEP or near OEP located at: 00401128

q.

Edited by quosego

Well, your script is better then. Had to update mine AGAIN :(

Not funny loveless... :)

I wanted to be the first :)

nice work.

teeheehee thank you :)

Edited by Loveless

Sp1d3rZ says my exe doesn't run on his machine, so I guess quosego solved it first properly then :) I don't have another machine to test it on, so I dunno what I missed...

Edited by Loveless

Hi all Themida Experts,

Is the below script proper for IAT rebuilding & making the call/jump addresses for this thread's target?

Or is there some mistake?

Lorens!

// Thanks quosego, I am manipulating his original script :)
var prevadrr
var first
var oldaddr
var zero1
var zero2
var IAT
var temp        // scratch variable (was missing; ODbgScript needs it declared)
var save_edi    // Variable to save EDI
var pAddr       // address where the jump should be assembled
var pJumpTarget // Target Address of above jump

bphws 00401128, "x"   // Hardware BreakPoint on Execution at OEP
bphws 00576FBA, "x"   // Hardware BreakPoint on Address instruction
// 00576FBA mov ebx,dword ptr ss:[ebp+71B2A1D] real & EAX=Real API

LABEL_02:
esto
bpwm 401000, 12000    // Break-point on Memory Code Section
cmp eip, 00401128     // Did we reach OEP or Near OEP ?
je END                // go to END of script
mov temp, eip         // Save eip in temp variable
mov temp, [temp]
and temp, 0ffff
cmp temp, 09D8B
jne LABEL_04
mov IAT, eax
jmp LABEL_02

LABEL_04:
cmp temp, 0008f       // our check to save real api
je LABEL_01
cmp temp, 5788        // check just to skip breakpoint
je just_skip
cmp temp, 0FAA        // this check saves EDI, where the jump/call will be assembled
je just_skip_0FAA
cmp temp, 0E9AB       // Now we should make our call/jump things
je LABEL_07
jmp LABEL_02

LABEL_01:             // SAVE real Address
cmp [eax], 0          // IAT is 00, API's 90909090
jne LABEL_07          // <-- I guess we should remove this check for this target
sti
sti
mov [eax],IAT         // write the api into the IAT
jmp LABEL_02

LABEL_07:             // Make our call/jump
sti
push edi
mov edi, save_edi     // saved edi now in edi
mov oldaddr, IAT      // calculation of api location..
sub oldaddr, edi
sub oldaddr, 4
mov [edi],oldaddr     // write the api into a direct jmp/call
pop edi
jmp LABEL_02

just_skip:
sti
jmp LABEL_02

just_skip_0FAA:       // Saving EDI address
sti
mov save_edi, edi     // here saving it in var save_edi
jmp LABEL_02

END:
ret
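The displacement arithmetic that the script above performs with `sub oldaddr, edi` / `sub oldaddr, 4`, written out as an added Python example (not code from the thread or from any of its scripts); it checks itself against the `0056DB21 E9 4769F5FF JMP Themida_.004C446D` listing posted earlier in the thread, and the call at 00401000 to 7C80B741 is a constructed address pair.

```python
# Added example (not code from the thread): the displacement arithmetic that
# the ODbgScript performs with "sub oldaddr, edi / sub oldaddr, 4" when it turns
# a redirected API call into a direct E8 call / E9 jmp, checked against the
# "0056DB21 E9 4769F5FF JMP Themida_.004C446D" listing posted in the thread.
import struct

MASK32 = 0xFFFFFFFF


def rel32_for(operand_addr: int, target: int) -> int:
    """Value the script stores with 'mov [edi],oldaddr'.

    operand_addr is edi: the address of the 4 displacement bytes that follow
    the E8/E9 opcode. The CPU adds the displacement to the address of the
    next instruction (operand_addr + 4), so oldaddr = IAT - edi - 4,
    reduced to 32 bits exactly as the debugger's register arithmetic does.
    """
    return (target - operand_addr - 4) & MASK32


def encode_branch(instr_addr: int, target: int, call: bool = True) -> bytes:
    """Assemble the complete 5-byte direct call (E8) or jmp (E9) at instr_addr."""
    opcode = b"\xE8" if call else b"\xE9"
    return opcode + struct.pack("<I", rel32_for(instr_addr + 1, target))


def decode_branch(instr_addr: int, code: bytes) -> tuple:
    """Inverse operation: (mnemonic, target) of a 5-byte E8/E9 at instr_addr.

    The displacement is read as a signed dword so backward branches, like the
    VM OEP jmp from 0056DB21 down to 004C446D, resolve correctly.
    """
    if len(code) != 5 or code[0] not in (0xE8, 0xE9):
        raise ValueError("not a 5-byte direct call/jmp")
    disp = struct.unpack("<i", code[1:5])[0]
    mnemonic = "call" if code[0] == 0xE8 else "jmp"
    return mnemonic, (instr_addr + 5 + disp) & MASK32


def matches_thread_listing() -> bool:
    """Re-assemble the VM OEP jmp from the thread and compare with its bytes."""
    listed = bytes.fromhex("E94769F5FF")          # bytes shown in the listing
    built = encode_branch(0x0056DB21, 0x004C446D, call=False)
    return built == listed and decode_branch(0x0056DB21, listed) == ("jmp", 0x004C446D)


if __name__ == "__main__":
    print("listing reproduced:", matches_thread_listing())          # True
    # Constructed addresses (not from the thread): patch a call at 00401000
    # so that it lands on an API at 7C80B741.
    print(encode_branch(0x00401000, 0x7C80B741).hex().upper())       # E83CA7407C
```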
Computer_Angel

Well well, it seems I'm late to this unpackme ^.^.

By the way, after I received a PM from Loveless, I decided to publish my script for themida/winlic.

Hope you like that.

P.S.: The base script is based on the one published on UnpackCN.

/*
Target: Themida & WinLicense 1900-2030
Author: Computer_Angel
http://www.reaonline.net
version 0.8 - 04.11.20098

Thanks to:
+ the CUG Team Members (fxyang, fly, okodo ... etc) - the base flow of script
+ 4VN Group
+ REA Team

History:
ver 0.8
+ Fix case 8930 mov dword ptr [eax], esi
ver 0.7
+ Support wl 2010
+ Fix case 8938 mov dword ptr [eax], edi
+ Fix bug IAT
ver 0.6
+ Support wl 1990
+ Fix bug in non-emulation api
ver 0.5
+ Support wl 1855,1900,1910,1920,1930,1940
+ Improve speed
ver 0.4
+ Optimize code
+ Fix bug when one or more import DLL : USER32 , KERNEL32, ADVAPI32 not used in protected program
ver 0.3
+ Fix flow for wl 1961,1950
ver 0.2
+ Optimize flow, support emulate/non emulate api
+ Stop at OEP
ver 0.1
+ Draft version for wl 1960 , just for emulate api

Things to improve:
+ Optimize the iat recover speed ??? Maybe inline asm will help
+ Support the prev version (<1855)
+ OEP Recover ???
*/

data:
var cbase
var csize
var dllimg
var dllsize
var mem
var getprocadd
var gatprocadd_2
var tmp
var temp
var tmppn
var tmpdir
var tmpefn
var atmp0
var atmp1
var atmp2
var crcmethod

cmp $VERSION, "1.52"
jb odbgver
#log
bphwcall
bpmc
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE //

Edited by Computer_Angel

Computer_Angel:

Thanks for your script, it rocks! Themida IAT rebuilding seems trivial now :)

Well, it gives an error to me on this thread's target, but it rebuilds the other 3 targets which I am studying successfully.

What's left for me for Themida study is to find stolen bytes, VM antidumps + Stack tricks & make the dump work.

I am digging already & will post results when i understand it completely. Till then keep rocking!

Cheers

Lorens!

Computer_Angel

In some small targets it will fail if it could not find the magic place. But I'm sure in almost every case it's OK.

Hope you guys could fix it because I have little time now.

In this target, my script is missing in here:

find_first_point:
find tmp,#8B9D????????#
cmp $RESULT,0
je error
mov tmp,$RESULT
add tmp,2
mov tmpoffset,[tmp],4
mov my_ebx,[ebp+tmpoffset]
cmp my_ebx,0
je found_first_point
cmp my_ebx,1
je found_first_point
add tmp,4
jmp find_first_point

Just add the bold line and maybe it could find the magic point.

Edited by Computer_Angel

Nice script,

Same method as me, However is it me or are you missing a lot of IAT writing points?? especially 89xx ones..

is there a place we can download your script or are you keeping it to yourself?

many thanks for any reply

Nope, It's still my opinion one should figure out antidump on his own.. Not use some script.

IAT scripts are now everywhere.. It should not be that hard if you search a bit analyse some releases and think a bit..

q.

Computer_Angel
Nice script,

Same method as me, However is it me or are you missing a lot of IAT writing points?? especially 89xx ones..

^.^ Yep, but all my targets are OK. But it isn't important, because if others understand the script, they could fix it easily, right?

I think your script is better than mine now because I'm quite busy with my job.


Hello,

also a nice script Computer_Angel but I think you should include a better APIBASE check for more systems. ;)

558BECFF7514FF7510FF750CFF75086AFFE--->809000000<---5DC21000...81B000000...
...884FFFFFF...
...878FFFFFF...
...809000000...
...804000000...
and
...8????????... // <-- take the second found place for this.

So I have done this so in my script.

Now a question from me about this UnpackMe. So I have also unpacked it, but it has problems loading the

ThunderRT6CommandButton class in the unpacked file and then the app ZwTerminates...


Antidumps shouldn't be a problem in this unpackme, since there is only one VM'd thing, and even that can be rebuilt by hand easily.

EDIT Nvm there is PE header antidump. But it shouldn't affect the target... should it?

Edited by Loveless

Hi Loveless,

Jmp 40c446d is cross-referenced in several places. How did you come to know that the below is the VM OEP??

VM OEP:

0056DB1C 68 69C52507 PUSH 725C569

0056DB21 E9 4769F5FF JMP Themida_.004C446D

Is it because it's the last one to go before the near-OEP of this target, or through experience??

To all of you:

Can anybody point me to a tutorial where an author has explained VM dumping + Anti Dumps tricks??

I did check but could not locate one, or is it still a secret?

Regards

Lorens


u can tell thru experience. unpack enough themida apps and you will notice a pattern to getting to VM OEP... a pattern that u can put down in a script and let it do the work for u :)

To all of you:

Can anybody point me to a tutorial where an author has explained VM dumping + Anti Dumps tricks??

I did check but could not locate one, or is it still a secret?

It's private, and remains so for quite a while, yes?

Computer_Angel
Hi Loveless,

Jmp 40c446d is cross-referenced in several places. How did you come to know that the below is the VM OEP??

VM OEP:

0056DB1C 68 69C52507 PUSH 725C569

0056DB21 E9 4769F5FF JMP Themida_.004C446D

Is it because it's the last one to go before the near-OEP of this target, or through experience??

To all of you:

Can anybody point me to a tutorial where an author has explained VM dumping + Anti Dumps tricks??

I did check but could not locate one, or is it still a secret?

Regards

Lorens

I think because it's the nearest place to jmp to ThunkMain.

By the way, the target is VB, so it's easy to recover the OEP, no need to use the VM OEP.


Hi Computer_Angel & Loveless,

Thank you for all your clarifications. Just one more doubt to get cleared. Suppose in a target we find the VM OEP, we have to dump the target at the VM OEP & we don't have to recover the stolen bytes?

OR

We have to dump at the OEP & then recover the stolen bytes?

Cheers

Lorens!
