Jump to content
Tuts 4 You

[UnPackMe]Themida2100


thisistest

Recommended Posts

Protection Options for ok.exe

-----------------------------

Macros Information

------------------

VM Macros: 0

CodeReplace Macros: 0

ENCRYPT Macros: 0

CLEAR Macros: 0

CHECK_PROTECTION Macros: 0

CHECK_CODE_INTEGRITY Macros: 0

CHECK_VIRTUAL_PC Macros: 0

Protection Options

------------------

Anti-Debugger: Advanced

Anti-Dumpers: DISABLED

Entry Point Ofuscation: ENABLED

Resource Encryption: ENABLED

VMWare compatible: ENABLED

API-Wrapping Level: Level 2

Anti-Patching: File Patch (sign support)

Metamorph Security: ENABLED

Memory Guard: ENABLED

When Debugger Found: Display Message

Application compression: ENABLED

Resources compression: ENABLED

SecureEngine compression: ENABLED

Anti-File Monitor: ENABLED

Anti-Registry Monitor: ENABLED

Delphi/BCB form protection: ENABLED

Virtual Machine Settings

------------------------

Number of Virtual APIs wrapped: 0

API Virtualization Level: 3

Entry Point Virtualization: 15 instructions

Multi Branch Technology: DISABLED

Virtual Machine Processor: Mutable CISC processor

Number of CPUs: 1

Opcode Type: Metamorphic - Level 2

Dynamic Opcode: 20% Dynamic

Advanced Protection Options

---------------------------

Encrypt Application: ENABLED

DLL plugin: DISABLED

Hide from PE scanners: Standard

.NET assemblies: ENABLED

Active Context: DISABLED

Add Manifest: Don't add manifest

XBundler files

--------------

No files to bundle

this is test [unPackMe]

Themida2100 md5 fe715e2d6c58cf8e0359483bceef3585

Themida2100.rar

Edited by thisistest
Link to comment

OMG This hard,I hope anyone who unpack this can write a tut

seems like any script fails this and I dont know the method of manually unpacking it

Link to comment

Here is mine one.

I have to say that this is a very very easy target, cause nothing is virtualized or obfuscated except the oep. So i can rebuild oep and completely remove themida section. And also no antidump is really used here, so an unpackme can be done better.

Themida2100_unpacked.rar

Link to comment

Hmmm indeed not that special.. I wonder what has happend to the oreans people..

They used to be a lot more responsive.. Perhaps they are coding something new..

Because they sure as hell ain't investing their time in updates.

Link to comment

Protection wise they obfuscated VM entry.. But that's about it... Which is about as useful as adding a please do not crack sign in the PE header.

Link to comment

Hmmm indeed not that special.. I wonder what has happend to the oreans people..

They used to be a lot more responsive.. Perhaps they are coding something new..

Because they sure as hell ain't investing their time in updates.

It is not that,they did some strange thing to themida,I cant find oep no longer.LCF-AT script does not work anymore :(

damn they must have change some stuff

Link to comment

Nah perhaps small changes to prevent LCF_AT's script from working. Nothing special.

Oep is still available using standard methods. VM_oeps as well.

Try to make your own more generic method of finding oeps.. Learn all known compiler ep's and stack interpretation and you can find all oeps manually in less than a few mins.

Link to comment

if you check appendixes of my EC tutorial, and use some brain, i'm sure you will find the OEP in few minutes. And if you like you can also rebuid all to obtain a clean file.

Link to comment

@ Lithium

Sure is my script still working also on this 2100 UnpackMe.

If you have problems with the HWBP detection {follow the script step by step and check the breaks on the HWBPs / single step problem}

then you should better have a look on your system with IceSword SSDT hooks.Check this and restore all unknown hooks and then try

the script again.Script must still work and it should break here.

00405C50      53              PUSH EBX                         ; OEP or Near at OEP / Sub routine!

greetz

Link to comment
  • 1 month later...
  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...