Jump to content
Tuts 4 You

[UnpackMe] Themida 2.1.0.0 .NET


crypto

Recommended Posts

Good Luck (If you unpack it make a tutorial)

Everyone on this forum will benefit from it.

This is a place to learn. So, please share your techniques.

Without sharing, all of us will get nowhere. I've read alot about not sharing techniques on this board.

I think all of us are getting alittle tired of hearing this crap about I'm keeping my technique secret. I'm sick of it and I know other people are too. You can tell just by reading alot of the responses on this board to certain threads. Please help out the community if you know how to do something. Share it.

Thats it and good luck :)

I enabled all protections I could on it. I used the demo version Themida 2.1.0.0.

I threw in some functions in there that really don't do anything special. But I wanted something in there

to throw you guys off. So, there is a few secrets in there. :)

Edited by Loki
Links removed
Link to comment
NullPointerException
I enabled all protections I could on it. I used the demo version Themida 2.1.0.0

just curious. How did you get the 2.1 demo? oreans' last demo is 2.0.4

Many tuts are available for this version.

about sharing techniques there is not so much to say: just read all available tuts and, where they dont fits your unpackme, you need to work on your own.

I dont think that someone will give out secrets that oreans will fix as soon as they are released

Link to comment
But I wanted something in there

to throw you guys off.

Did you mean this popup ?

sshot1vp.png

Well it threw my off ^^

Well, I'm not sure about this error aka window. I didn't do anything with it. So, it must be something oreans put in place. If oreans put it in place. I'm sure you can get around it :)

Edited by crypto
Link to comment

Nothing is impossible...only more tricky because of the demo limitation.

And indeed it needs just none bytepatch to run...that's it:

immagineeh.png

Soon will arrive the unpacked...

Edited by EvOlUtIoN
Link to comment

Hehe evolution, fing nice work.. :)

We could patch the demo perhaps to disregard this box.. :)

Hmm this is doable actually.. hmmm

EDIT:

Except for the slight problem that the demo is 2.0.4.0...

Edited by quosego
Link to comment

0054A9CA /0F84 3D000000 JE 0054AA0D ; missionI.0054AA0D

here is address to patch for run it on all machines. Code is very very clear and NOT virtualized, i doubt it is really 2.1.0.0

Link to comment

0054A9CA /0F84 3D000000 JE 0054AA0D ; missionI.0054AA0D

here is address to patch for run it on all machines. Code is very very clear and NOT virtualized, i doubt it is really 2.1.0.0

I acquired the demo here

http://www.oreans.com/products.php

This is the download page it brings you too.

http://www.oreans.com/downloads.php

Then it says:

Demo Release: 2.0.4.0

31-Oct-2008

****, I'm sorry guys. I made a mistake. Thank you for pointing that out Evolution. O well, C for effort. Man, how disappointing.

Well, we learned how to get a program past that screen :)

If you look at the upside of things. lmao crap...

I'm sure any script will unpack it.

Why, wouldn't they sponsor 2.1.0.0 on there website as a demo.

Here is another one packet with the real Themida 2.1.0.0 .NET:


/>http://www.sendspace.com/file/lbe6ww
/>http://rapidshare.com/files/278816328/UnpackMe.rar.html
/>http://www.megaupload.com/?d=HSBIE3LB
/>http://www.mediafire.com/?sharekey=a1f3b5673068182bd6baebe61b361f7ce04e75f6e8ebb871

Edited by crypto
Link to comment
Here is another one packet with the real Themida 2.1.0.0 .NET:

I've unpacked it outta curiosity and as expected was disappointed by oreans again.

They definitely do NOT know how to protect .NET stuff... and I will not upload the file:

post-20979-125275889868_thumb.png

Link to comment
Here is another one packet with the real Themida 2.1.0.0 .NET:

I've unpacked it outta curiosity and as expected was disappointed by oreans again.

They definitely do NOT know how to protect .NET stuff... and I will not upload the file:

post-20979-125275889868_thumb.png

Can you give me some pointers on how you did it?

I want to know if you can unpack the dll's too.

Edited by crypto
Link to comment

i unpacked it already, not hard since themida can't protect .net, i will not post it because i post only unpackemes.

Well, Thanks for sharing :). I guess. Even know there is no information on how to unpack this one lmao.

Edited by crypto
Link to comment
Even know there is no information on how to unpack this one lmao.

Okay now quit whining, and search.


/>http://www.tuts4you.com/download.php?view.2676

Learn it like we do, try a bit read some tutorials, search a lot, try again and after a while you're done.

Link to comment
Even know there is no information on how to unpack this one lmao.

Okay now quit whining, and search.


/>http://www.tuts4you.com/download.php?view.2676

Learn it like we do, try a bit read some tutorials, search a lot, try again and after a while you're done.

ya i've read that one, but dont understand this part:

Fixing Sections – General Theory:

In general .NET programs have 3 sections as follows:

.text Characteristics 60000020

.rsrc Characteristics 40000040

.reloc Characteristics 42000040 Virtual Size 0000000C

Some of .NET programs have also an “.sdata” section after the “.text” section:

.sdata Characteristics C0000040

It should be noted that Themida kills the “.reloc” section so you will see only 2 or 3 sections (we will

cover “fixing the relocations later in this tutorial). First we will fix the names and characteristics of

these 2 or 3 sections.

Fixing the Raw Address of Sections:

The raw address of first section should be 00001000 but has other value (probable 00002000), <-- its not 2000?

subtract from actual value 1000 (2000-10000 = 1000). <-- Where are they getting 10,000?

Now fix raw offset of sections:

subtract the difference calculated before from raw offset of first section <--What is the raw offset?

subtract the difference calculated before from raw offset of second section

also subtract the difference from any other section - if any (usually not) <--Mine isn't sdata, its idata?

I have six sections

blank virtual size = 1A000 & Characteristics = E0000040 <-- Most likely the .text section correct?

.rsrc virtual size = 11F4 & Characteristics = C0000040

.idata virtual size = 2000 & Characteristics = C0000040

blank virtual size = F2000 & Characteristics = E0000040 <-- Most likely the .reloc section correct?

enhuxwyj virtual size = BC000 & Characteristics = E0000040 <-- This section is themdias junk right?

gnytvifo virtual size = 2000 & Characteristics = E0000040 <-- Same here?

So with these numbers, what I'm I suppose to do cause I dont get it?

So on the 2 or 3 i'm suppose to fix in this step would be .rsrc and idata only?

---------------------------------------------------------------------------------------------------------------------

Also:

Is there a tutorial on the board close to what you did to get it unpacked? I've done these tutorials.

Photo Sorter (Kurapica)

Property Grid (Kurapica)

Setup (.net reversing tips install.. I've read everything in there(14 pdfs))<-- Thats by Kurapica

I've read (Unpacking_Themida_.NET_v1.9.x_2.x_SND.pdf) by CodeRipper <-- Inless this one works.. Which we will see... But I highly doubt it.

Watched (themida .net unpacking.swf) by Predator

Those are the only tutorials on .net for Themida I have came across on a few forums.

I can't unpack this program by any of those techniques. All the steps dont apply.

-------------------------------------------------------------------------------------------------------------------

I've been up and down these forums and the downloads sections.. I have like 20 tutorials on themdia and winlisence

only the ones mentioned above are for .net!!!

Do you know of any more??

-------------------------------------------------------------------------------------------------------------------

Also:

I've even ripped apart the odbscripts line by line... that I found on themdia and winlisence..

I used the ODbgScript.1.67.3.VC6 Readme.txt to find all the commands and what they mean and walked thru them all.

I have 36 scripts on themdia and winlisence none of them work. I even spent 3 weeks logging notes...

-------------------------------------------------------------------------------------------------------------------

I've been working on unpacking this program for over a month now. Seems to me like i've done alot of homework...

The advanced ppl on this forum think I have an attitude and no drive to learn. Well I do guys and I'm tired of being

**** on. Excuse my language but thats how I feel. Everytime I ask a question on here its go find it yourself.. You didn't look hard enough its right here. Blah Blah Blah... The same crap..

I've been on this board a year and half... look at my joined date... And I still havn't recieved a damn thing for learning on here. This place is becoming a joke to me.

I gave this place a year and half... but who cares right????? I'm sure your going well your not doing something right well no ****.. I'm not getting any help.

Edited by crypto
Link to comment

Aha okay that thankfully proves I'm wrong about you.

Seems you did do a lot of tutorial reading but are unable to put everything together to make something generic.

Could be smart to next time ask the above question first before requesting a tutorial.

It really was starting to look like you where just wanting to be spoon fed.

Difference in section can be due to the options used in Themida,

PE header obfu = +1 section

Some have 2 TM data sections

An extra section already there before packing.

blank virtual size = 1A000 & Characteristics = E0000040 <-- Most likely the .text section correct?

.rsrc virtual size = 11F4 & Characteristics = C0000040

.idata virtual size = 2000 & Characteristics = C0000040

blank virtual size = F2000 & Characteristics = E0000040 <-- Most likely the .reloc section correct?

enhuxwyj virtual size = BC000 & Characteristics = E0000040 <-- This section is themdias junk right?

gnytvifo virtual size = 2000 & Characteristics = E0000040 <-- Same here?

first one is indeed the text section

.reloc is wiped according to coderipper so the last three are usually 2 Themida data sections and one PE header obfu.

10000 is just a typo should be 1000 (2000-x=1000 x=1000)

Raw offset is the offset on disk. Virtual offset is the offset in memory.

Also Coderipper is talking about the original .net file not the packed I think.

Edited by quosego
Link to comment

I have a few questions:

1st Question:

Are these correct?


RAW ADDRESS .TEXT
2000 - 1000 = (1000); RAW ADDRESS .RSRC
FFFF - 1000 = (EFFF); RAW ADDRESS .IDATA
F000 - 1000 = (E000);

Here are my values for the exe after its dumped from ram:

(Blank) Raw Address is 00002000

.rsrc Raw Address is FFFFFFFF

.idata Raw Address is 0000F000

(Blank) Raw Address is 00010000

---------------------------------------------------------------------------------------------------------------------

The next part in the tutorial is:

Removing useless data and fix SizeOfImage from Optional Header:
For removing useless data from Raw Address of ‘.rsrc’ + Raw size of ‘.rsrc’ + 4 until at the end of file
I’ve used a strange method by efficient one (with CFF Explorer VII):
I’ve added a new section using “Add Section (Empty Space)” command
I’ve removed the section using “Delete Section (Header and Data)” command
now we have a little file and this also will fix SizeOfImage from Optional Header

2nd Question:

I dont understand why he specified this line in his tutorial?

For removing useless data from Raw Address of ‘.rsrc’ + Raw size of ‘.rsrc’ + 4 until at the end of file

It sounds like to me, it is useless....because he gives you the steps to fix the SizeOfImage by these Steps:

 I’ve used a strange method by efficient one (with CFF Explorer VII):
I’ve added a new section using “Add Section (Empty Space)” command
I’ve removed the section using “Delete Section (Header and Data)” command
now we have a little file and this also will fix SizeOfImage from Optional Header

---------------------------------------------------------------------------------------------------------------------

Also when you make a new section with the step above(See Question 3):

I’ve added a new section using “Add Section (Empty Space)” command

3rd Question:

It asks for a size. What size do I use?

---------------------------------------------------------------------------------------------------------------------

4th Question:

When I reach this point in the tutorial "_CorExeMain" is nowhere to be found. Why?

You can find it by searching for the ASCII string “_CorExeMain”; you will see something like this:    00043490 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 .._CorExeMain.ms
000434A0 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 coree.dll.....ÿ%
000434B0 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 . @.............Now convert the file offset of value highlighted in red to its RVA (I will now refer to this as RVA1)The contents of ‘.reloc’ will look like this:
RVA1 (but with last 3 hex numbers 0) ABSOLUTE
+ 0C000000 constant value
+ RVA1 HIGHLOWExample of dword values (but you should notice that these must be in byte reverse order):
00085000, 0000000C, 00085CB6Memory contents of ‘reloc’ section will then look as follows:
00500800 0C000000 B65C0800Last step to do under ‘reloc’ is to fix items from relocation table by setting red values:
Item RVA Type
3760 0059760 HIGHLOW
0000 0059000 ABSOLUTENow for Themida 1.9.x versions the file is unpacked and ready to use!

---------------------------------------------------------------------------------------------------------------------

I really dont understand this part of the tutorial:

Example of dword values (but you should notice that these must be in byte reverse order)

00085000, 0000000C, 00085CB6

My values come nowhere near theres.

If I find _CorExeMain, before I do anything in the tutorial I have (00 20 40 00). Just like he does.

Well when I try and get RVA1 mine is:

00402000 = RVA1?

Then it says these values are:

The contents of ‘.reloc’ will look like this:

RVA1 (but with last 3 hex numbers 0) ABSOLUTE

+ 0C000000 constant value

+ RVA1 HIGHLOW

5th Question:

How do you figure out the constant value and highlow?

6th Question:

I'm I suppose to do this at this step in the tutorial to get the right values?

00402000 + 0C000000 = constant value?

00402000 + 00402000 = HIGHLOW?

Edited by crypto
Link to comment

/bump reedited alot and took out 3 of my replies :)

Please give answers to the questions above. Thank you!

If your willing to show me on teamviewer that would awesome too :)

Edited by crypto
Link to comment

Relocations adjust is in my opinion the hardest thing to rebuild...needs some brain. Just find a good place to put it, since themida deleted because it jumps dirrectly to api, and relocations are anly needed for the first jmp.

Link to comment

Well, I asked six questions. I didn’t get an answer to any of them yet. Why?????

I've watched many of the advanced members read my questions and then leave without a word.

I've watched quosego and evolution read them and leave. Even know evolution posted. He didn't answer 1 question of mine. I don't understand it.

Questions in able us to learn. That is why they are questions. Without questions none of us would be here in the first place. Because all of us and I mean ALL OF US. Have to ask questions to learn.

Edited by crypto
Link to comment

Crypto,

Let me ask you a questions. Do you understand meaning of VA & RVA if yes without reading or searching the web explain us? Don't cheat ok?

Do you understand PE File Format properly ? You are working with .NET PE File so do you know an .net pe file format properly ? If your answer is NO you have wasted precious 18 months.

Cheers, Lorens

Edited by ZenLoren
Link to comment

Crypto,

Let me ask you a questions. Do you understand meaning of VA & RVA if yes without reading or searching the web explain us? Don't cheat ok?

Do you understand PE File Format properly ? You are working with .NET PE File so do you know an .net pe file format properly ? If your answer is NO you have wasted precious 18 months.

Cheers, Lorens

the virtual address is the address in memory.. the ones you see in disassebmlers to the left. the rva is the offset to it. so if you had a va of

00401000 the rva is 1000...

with the .net pe file. i dont fully understand it because i'm not a coder but I do have diagrams and documents that explain it to its full content.

Link to comment

Great, read it thoroughly & understand, it to its fullest. Each & everything should be Precisely clear in your head there should be NO half hearted knowings. Exports, Imports, Relocations ..... Spend sufficient of yours on it don't try to hurry up in things. Once done & you are confident come & read your posting.

Make your Base Strong don't be like butterflies jumping everywhere, be worms stick to one & master it. If you like .NET RE stick to it & Master it. If you like .PE RE stick to it & Master it.

Master the file format understanding is extremely necessary before you start of any RE.

Cheers, Lorens

Link to comment

Great, read it thoroughly & understand, it to its fullest. Each & everything should be Precisely clear in your head there should be NO half hearted knowings. Exports, Imports, Relocations ..... Spend sufficient of yours on it don't try to hurry up in things. Once done & you are confident come & read your posting.

Make your Base Strong don't be like butterflies jumping everywhere, be worms stick to one & master it. If you like .NET RE stick to it & Master it. If you like .PE RE stick to it & Master it.

Master the file format understanding is extremely necessary before you start of any RE.

Cheers, Lorens

I have a pretty good understanding of the .net pe format. I also know that most of these tutorials says its MSIL when really that is the old format. Its new abbreviation is CIL. There just calling it Common Intermediate Language now. Instead of Microsoft Intermediate Language.

I will go back however and reread my post and see if I can understand it any better then the first 20 times I have already looked at it :)

I still need my questions answered tho, that is why they are questions. :)

I think I figured out what this is saying now tho. :)

---------------------------------------------------------------------------------------------------------------------

The next part in the tutorial is:

Removing useless data and fix SizeOfImage from Optional Header:
For removing useless data from Raw Address of ‘.rsrc’ + Raw size of ‘.rsrc’ + 4 until at the end of file
I’ve used a strange method by efficient one (with CFF Explorer VII):
I’ve added a new section using “Add Section (Empty Space)” command
I’ve removed the section using “Delete Section (Header and Data)” command
now we have a little file and this also will fix SizeOfImage from Optional Header

2nd Question:

I dont understand why he specified this line in his tutorial?

For removing useless data from Raw Address of ‘.rsrc’ + Raw size of ‘.rsrc’ + 4 until at the end of file

It sounds like to me, it is useless....because he gives you the steps to fix the SizeOfImage by these Steps:

 I’ve used a strange method by efficient one (with CFF Explorer VII):
I’ve added a new section using “Add Section (Empty Space)” command
I’ve removed the section using “Delete Section (Header and Data)” command
now we have a little file and this also will fix SizeOfImage from Optional Header

---------------------------------------------------------------------------------------------------------------------

The way I see this is :

For removing useless data from:

Raw Address of ‘.rsrc’ and

Raw size of ‘.rsrc’ and

4 until at the end of file...... to use these steps...

I’ve added a new section using “Add Section (Empty Space)” command

I’ve removed the section using “Delete Section (Header and Data)” command

I think what confused me when I read this part is the +'s... I hope I am correct in reading this?

Edited by crypto
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...