Posted August 1, 2012
Themida, ZProtect = Mix UnpackMe = Delphi 7
Have Fun
delldell_UnpackMe_Themida__ZProtect.rar
August 2, 2012
Unpacked.
Level: 2 - 10
Unpacked_By_PerTic@n.rar
Edited August 2, 2012 by Pertic@n
February 21, 2013
Why can it not run?
video: http://pan.baidu.com/share/link?shareid=320887&uk=4046366761
file: http://pan.baidu.com/share/link?shareid=320890&uk=4046366761
unpacked file: http://pan.baidu.com/share/link?shareid=320892&uk=4046366761
-------------------------------------------------------------
I think that using your script I did not fix the VM OEP code, but the app can run, very very good. Your script, like this "Activate.exe". Welcome to look at the video, for people learning Themida unpacking, look here:
video: http://pan.baidu.com/share/link?shareid=320875&uk=4046366761
file: http://pan.baidu.com/share/link?shareid=320877&uk=4046366761
February 27, 2013
Themida OEP is 00620000 VA. Put a HW BP there and then continue the Themida unpacking. Is this correct?

Have you managed to dump it at the Themida entry point? I tried so many times to use the LCF-AT script to run at the Themida entry point and it keeps failing. Can someone post a hint about how to dump it at the Themida EP?
February 27, 2013
I was lost at that point. The script fails. The OEP, I guess, can be reached by the ZwFreeVirtualMemory API.
Edited February 27, 2013 by GIV
February 27, 2013
Hi, so the script is only working from the original EP, so in that case you have to access the script manually. Yes, you can also dump at the EP of TheMida. Just use the script command [dpe "dump.exe", eip], but then you also fail to unpack the TM layer with the script, because the code section & the TM sections are together in one section. Here you can split the code section part and the TM part with LordPE if you recalc the new address and sizes. Give the code section a size of 0005A000 and adjust the other values manually, then save and load the file in Olly and unpack it. Don't forget to set the second section to writeable! Here is my unpacked file from today. No special features used in this unpackme.
greetz
delldell_UnpackMe_Themida__ZProtect_Unpacked.rar
February 28, 2013
Quote: Hi, so the script is only working from the original EP, so in that case you have to access the script manually. Yes, you can also dump at the EP of TheMida. Just use the script command [dpe "dump.exe", eip], but then you also fail to unpack the TM layer with the script, because the code section & the TM sections are together in one section. Here you can split the code section part and the TM part with LordPE if you recalc the new address and sizes. Give the code section a size of 0005A000 and adjust the other values manually, then save and load the file in Olly and unpack it. Don't forget to set the second section to writeable! Here is my unpacked file from today. No special features used in this unpackme. greetz

I have a question: I have seen people splitting combined/packed sections into separate ones, but I couldn't understand how they calculate it. Can you explain it in this case (how to split the sections in this unpackme)?
March 1, 2013
@ Conquest
Almost very simple. Load the unpackme in Olly. The first layer is ZP. Trace over the first pushad, then set a HWBP on access on [ESP] and run, and you stop at call xy right after the popad command. Now trace over the return commands till the start of the new EP of the TM layer. Here you can dump the TM layer. Just dump with an Olly script or use PETools and make a raw dump of that file. Now check the dumped file with LordPE and check the sections, and you see VA = RO & VS = RS for all of them; this is important, and this is the result you get if you dump via raw mode.

Check sections. This you can see now:

Section   VA        VS        RO        RS
.textbss  00001000  00221000  00001000  00221000
.text     00222000  00001000  00222000  00001000
.data     00223000  00144000  00223000  00144000

Now you need a desired new size which you want to give the first section. So you can check the code section of your target to see where the TM code does start [round about xy size etc]. So in that unpackme you can start with a size of 56000, for example. 401000 + 56000 = 457000 VA = 57000 RVA = new VA of section 2 later.

Let's calc:
---------------------------------------------
  New VS sec1     VA sec1       New VA of section 2 (.text)
  56000         + 00001000    = 00057000

  VA sec3         New VA sec2   New VS of sec2
  00223000      - 00057000    = 001CC000

  VS & RS sec1    VA & RO sec2  VS & RS sec2
  == 00056000     00057000      001CC000
----------------------------------------------
==
Section   VA        VS        RO        RS
.textbss  00001000  00056000  00001000  00056000
.text     00057000  001CC000  00057000  001CC000

Change VS & RS of sec1 to 00056000
Change VA & RO of sec2 to 00057000
Change VS & RS of sec2 to 001CC000

That's all. Now save and load this file in Olly and run. All working. We have now just changed the addresses & sizes of the first & second section, so that now the second section is larger than before and the code section is smaller than before, and now the TheMida code is in section two and no longer in section one. So we just changed the borders, and now you can also use a script etc. It's important for most scripts that the protector etc. section is stored in its own section and not in the code section.
PS: You also have to set section 2 to writeable now before you unpack it.
greetz
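The section-boundary arithmetic from the post above, carried out in code as an added example (not part of the thread and not from LordPE, PETools or any script mentioned here). It packs a section table with the three section values the post lists for the raw dump (the header bytes are constructed here, since the dumped file itself is not on the page, and the section characteristics are assumed), recomputes the boundary for a chosen code-section size exactly as the post does, sets the write flag on the new second section as the PS asks, and checks the conditions the method depends on: a raw dump (VA == RO and VS == RS), contiguous sections, and a size that is a multiple of the section alignment. The function names and the 0x1000 alignment are assumptions.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_ALIGNMENT = 0x1000  # assumed; take it from the optional header on a real file


def pack_section(name, vs, va, rs, ro, characteristics):
    """Serialize one section header (relocation/line-number fields are zero)."""
    return struct.pack(SECTION_HEADER_FMT, name.encode("ascii").ljust(8, b"\0"),
                       vs, va, rs, ro, 0, 0, 0, 0, characteristics)


def unpack_sections(table):
    """Parse a blob of consecutive section headers into dicts."""
    sections = []
    for i in range(len(table) // SECTION_HEADER_SIZE):
        name, vs, va, rs, ro, _, _, _, _, ch = struct.unpack_from(
            SECTION_HEADER_FMT, table, i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": va, "vs": vs, "ro": ro, "rs": rs,
                         "characteristics": ch})
    return sections


def pack_sections(sections):
    """Serialize parsed section dicts back into a section table."""
    return b"".join(pack_section(s["name"], s["vs"], s["va"], s["rs"], s["ro"],
                                 s["characteristics"]) for s in sections)


def is_raw_dump(sections):
    """A raw-mode dump has VA == RO and VS == RS for every section."""
    return all(s["va"] == s["ro"] and s["vs"] == s["rs"] for s in sections)


def split_code_section(sections, new_code_size, alignment=SECTION_ALIGNMENT):
    """Move the boundary between section 1 and section 2, as in the post:

        new VA(sec2) = VA(sec1) + new_code_size
        new VS(sec2) = VA(sec3) - new VA(sec2)

    Section 1 keeps its start and shrinks; section 2 absorbs the rest up to
    section 3 and is made writable, because the protector code it now holds
    writes to its own section while the file runs.
    """
    if len(sections) < 3:
        raise ValueError("need at least three sections")
    if not is_raw_dump(sections):
        raise ValueError("expected a raw dump (VA == RO and VS == RS)")
    if new_code_size <= 0 or new_code_size % alignment:
        raise ValueError("new size must be a positive multiple of the section alignment")
    s1, s2, s3 = sections[0], sections[1], sections[2]
    if s2["va"] != s1["va"] + s1["vs"] or s3["va"] != s2["va"] + s2["vs"]:
        raise ValueError("sections 1-3 must be contiguous")
    new_va2 = s1["va"] + new_code_size
    if new_va2 >= s3["va"]:
        raise ValueError("section 2 would be empty or overlap section 3")
    new_vs2 = s3["va"] - new_va2
    result = [dict(s) for s in sections]
    result[0].update(vs=new_code_size, rs=new_code_size)
    result[1].update(va=new_va2, ro=new_va2, vs=new_vs2, rs=new_vs2,
                     characteristics=s2["characteristics"] | IMAGE_SCN_MEM_WRITE)
    return result


# Section table of the raw dump as listed in the post (constructed header bytes;
# the characteristics are assumed, the post does not list them).
THREAD_TABLE = b"".join([
    pack_section(".textbss", 0x221000, 0x1000, 0x221000, 0x1000,
                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    pack_section(".text", 0x1000, 0x222000, 0x1000, 0x222000,
                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    pack_section(".data", 0x144000, 0x223000, 0x144000, 0x223000,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])


def split_thread_dump(new_code_size=0x56000):
    """Apply the post's split to the thread's table; returns the new headers
    as parsed dicts and as the 120-byte table that would be written back."""
    new_sections = split_code_section(unpack_sections(THREAD_TABLE), new_code_size)
    return new_sections, pack_sections(new_sections)


if __name__ == "__main__":
    for s in split_thread_dump()[0]:
        print(f'{s["name"]:8} VA: {s["va"]:08X} VS: {s["vs"]:08X} '
              f'RO: {s["ro"]:08X} RS: {s["rs"]:08X} '
              f'{"W" if s["characteristics"] & IMAGE_SCN_MEM_WRITE else "-"}')
```

The script only works on the section table bytes; on a real dump the table sits right after the optional header (at e_lfanew + 4 + 20 + SizeOfOptionalHeader), which is where LordPE writes the edited values for you. Try a size such as 0x56800 and the alignment check rejects it, which is the same reason the post picks a round 56000.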
March 1, 2013
Quote: @ Conquest Almost very simple. Load the unpackme in Olly. The first layer is ZP. Trace over the first pushad, then set a HWBP on access on [ESP] and run, and you stop at call xy right after the popad command. Now trace over the return commands till the start of the new EP of the TM layer. Here you can dump the TM layer. Just dump with an Olly script or use PETools and make a raw dump of that file. Now check the dumped file with LordPE and check the sections, and you see VA = RO & VS = RS for all of them; this is important, and this is the result you get if you dump via raw mode.

OK, got it working finally, using the [dpe "dump.exe", eip] script command. But I have one last question: I was looking for dumping using PETools or LordPE/ImpREC but couldn't find anything like raw dumping. I am aware that we can directly dump from memory (RAM), but I think this isn't what you mean, so I was forced to use the [dpe "dump.exe", eip] command. But can you please tell me how I can do it using a tool like PETools or LordPE (raw dumping)?
March 2, 2013
"RAW" <--- Look for this in the settings. Force raw mode.
greetz

March 2, 2013
Thank you so much LCF-AT. This is just to share, in case someone has failed to launch the exe even after using raw mode: make the .textbss section writable (PETools keeps it read-only).
September 26, 2016
Is there anyone who can help fix the quote from @LCF-AT? It's kind of messed up. I can't read the quote clearly. Salam.