Jump to content
Tuts 4 You

[unpackme]UnPackMe_Themida 1.9.1.0.all protections

thisistest

By thisistest
in UnPackMe

 Share

Recommended Posts

thisistest

thisistest

Posted
Posted (edited) 
00C48A0A    3985 010A1B07   cmp     dword ptr [ebp+0x71B0A01], eax
00C48A10    0F84 98000000   je      00C48AAE                         ; jmp
00C48A16    E9 06000000     jmp     00C48A21
00C48A1B    C2 BEF3         retn    0xF3BE00C491E5    A9 0C1B0701     test    eax, 0x1071B0C
00C491EA    0F84 EE000000   je      00C492DE                         ; 1
00C491F0    0F80 01000000   jo      00C491F7
00C491F6    FC              cld
00C491F7    3B8D 1D0C1B07   cmp     ecx, dword ptr [ebp+0x71B0C1D]
00C491FD    0F84 DB000000   je      00C492DE                         ; 2
00C49203    E9 12000000     jmp     00C4921A
00C49208    0AD9            or      bl, cl
00C4920A    68 1DA51D40     push    0x401DA51D
00C4920F    A1 F80D6F7C     mov     eax, dword ptr [0x7C6F0DF8]
00C49214    DB              ???                                      ; Unknown command
00C49215    8A06            mov     al, byte ptr [esi]
00C49217    92              xchg    eax, edx
00C49218    20D0            and     al, dl
00C4921A    3B8D 45231B07   cmp     ecx, dword ptr [ebp+0x71B2345]
00C49220    0F84 B8000000   je      00C492DE                         ; 3
00C49226    60              pushad
00C49227    60              pushad
00C49228    B7 D8           mov     bh, 0xD8
00C4922A    61              popad
00C4922B    66:BF 3187      mov     di, 0x8731
00C4922F    61              popad
00C49230    60              pushad
00C49231    E8 0D000000     call    00C49243
00C49236    27              daa
00C49237    4D              dec     ebp
00C49238    ED              in      eax, dx
00C49239    88DD            mov     ch, bl
00C4923B    CF              iretd
00C4923C  - E9 61DE0329     jmp     29C870A2
00C49241    AB              stos    dword ptr es:[edi]
00C49242    3366 BA         xor     esp, dword ptr [esi-0x46]
00C49245    CF              iretd
00C49246    EB 59           jmp     short 00C492A1
00C49248    66:B8 76C9      mov     ax, 0xC976
00C4924C    61              popad
00C4924D    3B8D E91F1B07   cmp     ecx, dword ptr [ebp+0x71B1FE9]
00C49253    0F84 85000000   je      00C492DE                         ; 4
00C49259    60              pushad004272F4    6A 00           push    0x0         hw breakpoints
004272F6    90              nop
004272F7    E8 17922703     call    036A0513
004272FC    50              push    eax55 8B EC 6A FF 68 60 0E 45 00 68 C8 92 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 A8
53 56 57 89 65 E8 FF 15 90 9C 46 00 33 D2 8A D4 89 15 34 E6 45 00 8B C8 81 E1 FF 00 00 00 89 0D
30 E6 45 00 C1 E1 08 03 CA 89 0D 2C E6 45 00 C1 E8 10 A3 28 E6 45 00 E8 94 21 00 00 85 C0 75 0A
6A 1C E8 49 01 00 00 83 C4 04 E8 D1 2F 00 00 85 C0 75 0A 6A 10 E8 36 01 00 00 83 C4 04 C7 45 FC
00 00 00 00 E8 87 2B 00 00 E8 12 11 00 00 FF 15 F0 9C 46 00 A3 D8 EB 45 00 E8 32 94 00 00 A3 10
E6 45 00 85 C0 74 09 A1 D8 EB 45 00 85 C0 75 0A 6A FF E8 49 0B 00 00 83 C4 04 E8 61 91 00 00 E8
6C 90 00 00 E8 07 0B 00 00 8B 35 D8 EB 45 00 89 75 9C 80 3E 22 0F 85 BE 00 00 00 46 89 75 9C 8A
06 3C 22 74 1C 84 C0 74 18 25 FF 00 00 00 50 E8 DC 8F 00 00 83 C4 04 85 C0 74 E0 46 89 75 9C EB
DA 80 3E 22 75 04 46 89 75 9C 8A 06 84 C0 74 0A 3C 20 77 06 46 89 75 9C EB F0 C7 45 D0 00 00 00
00 8D 45 A4 50 FF 15 F4 9C 46 00 F6 45 D0 01 74 0A 8B 45 D4 25 FF FF 00 00 EB 05 B8 0A 00 00 00
50 56 6A 00oep


/>http://www.multiupload.com/UCE2ZPZ24H file1
/>http://www.plunder.com/UnPackMe-Themida-1-9-1-0-all-protections-rar-download-5d5682ad85.htm file2

UnPackMe_Themida 1.9.1.0.all protections.rar

Edited by Teddy Rogers
Added attachment to the topic...
LCF-AT

LCF-AT

Posted
Posted

Hi,

so your unpacked file does not run because you have forgotten to dump some VM sections which you have to add on your unpacked file.Its a RISC file.

So if you dump & add the extra VM then you have a working file like me.

Info: If you not find the VM OEP and break in the codesection some routines later then do not forget to change one bytes 1 to 0 before a Sleep API in a extra VM section.If you not change this then your unpacked file runs in a endless mode without to start.Just as info.

greetz

thisistest

thisistest

Posted
  • Author
Posted

thanks LCF-AT

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...