Tuts 4 You

[UnPackMe]Themida2100


thisistest

Recommended Posts

Protection Options for ok.exe

-----------------------------

Macros Information

------------------

VM Macros: 0

CodeReplace Macros: 0

ENCRYPT Macros: 0

CLEAR Macros: 0

CHECK_PROTECTION Macros: 0

CHECK_CODE_INTEGRITY Macros: 0

CHECK_VIRTUAL_PC Macros: 0

Protection Options

------------------

Anti-Debugger: Advanced

Anti-Dumpers: DISABLED

Entry Point Ofuscation: ENABLED

Resource Encryption: ENABLED

VMWare compatible: ENABLED

API-Wrapping Level: Level 2

Anti-Patching: File Patch (sign support)

Metamorph Security: ENABLED

Memory Guard: ENABLED

When Debugger Found: Display Message

Application compression: ENABLED

Resources compression: ENABLED

SecureEngine compression: ENABLED

Anti-File Monitor: ENABLED

Anti-Registry Monitor: ENABLED

Delphi/BCB form protection: ENABLED

Virtual Machine Settings

------------------------

Number of Virtual APIs wrapped: 0

API Virtualization Level: 3

Entry Point Virtualization: 15 instructions

Multi Branch Technology: DISABLED

Virtual Machine Processor: Mutable CISC processor

Number of CPUs: 1

Opcode Type: Metamorphic - Level 2

Dynamic Opcode: 20% Dynamic

Advanced Protection Options

---------------------------

Encrypt Application: ENABLED

DLL plugin: DISABLED

Hide from PE scanners: Standard

.NET assemblies: ENABLED

Active Context: DISABLED

Add Manifest: Don't add manifest

XBundler files

--------------

No files to bundle

This is a test [UnPackMe].

Themida2100 md5 fe715e2d6c58cf8e0359483bceef3585

Themida2100.rar


OMG, this is hard. I hope anyone who unpacks this can write a tut.

It seems like every script fails on this and I don't know the method for manually unpacking it.


Here is mine.

I have to say that this is a very, very easy target, because nothing is virtualized or obfuscated except the OEP. So I can rebuild the OEP and completely remove the Themida section. And also no anti-dump is really used here, so an UnpackMe can be done better.

Themida2100_unpacked.rar


Hmmm, indeed not that special... I wonder what has happened to the Oreans people...

They used to be a lot more responsive.. Perhaps they are coding something new..

Because they sure as hell ain't investing their time in updates.


Protection-wise they obfuscated the VM entry... But that's about it... Which is about as useful as adding a "please do not crack" sign in the PE header.


Hmmm, indeed not that special... I wonder what has happened to the Oreans people...

They used to be a lot more responsive.. Perhaps they are coding something new..

Because they sure as hell ain't investing their time in updates.

It is not that; they did some strange things to Themida, I can't find the OEP any longer. LCF-AT's script does not work anymore :(

Damn, they must have changed some stuff.


Nah, perhaps small changes to prevent LCF_AT's script from working. Nothing special.

The OEP is still available using standard methods. VM OEPs as well.

Try to make your own, more generic method of finding OEPs. Learn all known compiler EPs and stack interpretation and you can find all OEPs manually in less than a few minutes.

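The "learn the known compiler EPs" approach from the post above, written out as an added example (this is not code from the thread, from LCF-AT's script, or from any poster). It scans a flat process dump for the usual x86 entry-point prologues of the compilers Themida targets are typically built with, and discards hits that fall inside the protector's own section, mirroring the "remove the Themida section" step mentioned earlier in the thread. Assumptions: the dump is a flat image where file offset equals RVA, the protector section is named `.themida` (adjust the parameter for a real target), and the byte signatures are the commonly cited prologues rather than anything taken from this UnpackMe. The sample image and section layout are constructed for the demo.

```python
"""Scan a flat process dump for known compiler entry-point prologues.

Added example, not from the thread. Assumes: image offset == RVA (flat dump),
protector section named '.themida' (assumption), signatures are the commonly
cited x86 prologues and are assumptions, not taken from the UnpackMe.
"""
import re
from dataclasses import dataclass

# Regex over raw bytes; '.' (with DOTALL) is a one-byte wildcard for rel32/imm32.
COMPILER_EP_SIGNATURES = {
    # push ebp; mov ebp,esp; push -1; push imm32; push imm32; mov eax,fs:[0]
    "MSVC6":      rb"\x55\x8B\xEC\x6A\xFF\x68....\x68....\x64\xA1\x00\x00\x00\x00",
    # call __security_init_cookie; jmp __tmainCRTStartup (generic, validated below)
    "MSVC2005+":  rb"\xE8....\xE9....",
    # push ebp; mov ebp,esp; add esp,-0x10; mov eax,imm32; call rel32
    "Delphi":     rb"\x55\x8B\xEC\x83\xC4\xF0\xB8....\xE8....",
    # jmp short +0x10; db 'fb:C++HOOK'
    "BorlandC++": rb"\xEB\x10fb:C\+\+HOOK",
}


@dataclass(frozen=True)
class Section:
    name: str
    rva: int
    size: int

    def contains(self, rva: int) -> bool:
        return self.rva <= rva < self.rva + self.size


@dataclass(frozen=True)
class Candidate:
    rva: int
    compiler: str
    section: str


def rva_to_section(sections, rva):
    return next((s for s in sections if s.contains(rva)), None)


def rel32_target(image: bytes, offset: int) -> int:
    """Target RVA of an E8/E9 rel32 instruction whose opcode sits at `offset`."""
    rel = int.from_bytes(image[offset + 1:offset + 5], "little", signed=True)
    return offset + 5 + rel


def find_oep_candidates(image: bytes, sections, protector_sections=(".themida",)):
    """Return prologue hits outside the protector section, sorted by RVA."""
    found = []
    for compiler, pattern in COMPILER_EP_SIGNATURES.items():
        for m in re.finditer(pattern, image, re.DOTALL):
            rva = m.start()
            sec = rva_to_section(sections, rva)
            if sec is None or sec.name.lower() in protector_sections:
                continue  # inside the protector stub or outside any section
            if compiler == "MSVC2005+":
                # The call/jmp pair is generic: require both rel32 targets to
                # land in the same code section, or it is just random code.
                if not (sec.contains(rel32_target(image, rva))
                        and sec.contains(rel32_target(image, rva + 5))):
                    continue
            found.append(Candidate(rva, compiler, sec.name))
    return sorted(found, key=lambda c: c.rva)


def build_sample_image():
    """Constructed 0x4000-byte dump: real Delphi prologue in .text, a decoy
    MSVC6 prologue in the protector section, one valid and one bogus call/jmp pair."""
    img = bytearray(0x4000)
    sections = [Section(".text", 0x1000, 0x1000),
                Section(".data", 0x2000, 0x1000),
                Section(".themida", 0x3000, 0x1000)]
    # Delphi prologue at RVA 0x1C50 (the 'OEP' of this constructed dump)
    img[0x1C50:0x1C60] = bytes.fromhex("558BEC83C4F0B8" "10200000" "E8" "00000000")
    # call +0x100 / jmp +0x200: both targets inside .text
    img[0x1200:0x120A] = bytes.fromhex("E8" "00010000" "E9" "00020000")
    # bogus pair: call target 0x11805 lies far outside .text
    img[0x1800:0x180A] = bytes.fromhex("E8" "00000100" "E9" "00000000")
    # decoy MSVC6 prologue planted inside the protector section
    img[0x3100:0x3115] = bytes.fromhex("558BEC6AFF68" "00000000" "68" "00000000" "64A100000000")
    return bytes(img), sections


if __name__ == "__main__":
    image, secs = build_sample_image()
    for c in find_oep_candidates(image, secs):
        print(f"RVA {c.rva:#06x}  {c.compiler:<10} in {c.section}")
```

Hits are only candidates: confirm each one in the debugger by checking that the stack at that point looks like a fresh entry (return address into kernel32, no protector frames), which is the "stack interpretation" half of the method. The MSVC 2005+ signature is deliberately weak and relies on the rel32 sanity check, so expect to rank its hits below a full prologue match.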

If you check the appendixes of my EC tutorial, and use some brain, I'm sure you will find the OEP in a few minutes. And if you like you can also rebuild all to obtain a clean file.


@ Lithium

Sure, my script is still working on this 2100 UnpackMe too.

If you have problems with the HWBP detection (follow the script step by step and check the breaks on the HWBPs / single-step problem), then you should better have a look at your system with IceSword for SSDT hooks. Check this and restore all unknown hooks, then try the script again. The script must still work and it should break here:

00405C50      53              PUSH EBX                         ; OEP or Near at OEP / Sub routine!

greetz

