delldell (posted August 1, 2012):
Themida, ZProtect = Mix Unpackme = Delphi 7. Have fun.
Attachment: delldell_UnpackMe_Themida__ZProtect.rar
Pertic@n (posted August 2, 2012, edited August 2, 2012 by Pertic@n):
Unpacked. Level: 2 - 10
Attachment: Unpacked_By_PerTic@n.rar
delldell (author, posted August 2, 2012):
@PerTic@n Great!! Tested and checked, working 100%. Good!
yangkaiyin (posted February 21, 2013):
Why can it not run?
video: http://pan.baidu.com/share/link?shareid=320887&uk=4046366761
file: http://pan.baidu.com/share/link?shareid=320890&uk=4046366761
unpacked file: http://pan.baidu.com/share/link?shareid=320892&uk=4046366761
-------------------------------------------------------------
I think using your script I did not fix the VM OEP code, but the app can run, very very good, your script, like this "Activate.exe". People learning to unpack Themida are welcome to look at the video, look here:
video: http://pan.baidu.com/share/link?shareid=320875&uk=4046366761
file: http://pan.baidu.com/share/link?shareid=320877&uk=4046366761
GIV (posted February 22, 2013, edited March 3, 2013 by GIV):
Themida OEP is 00620000 VA.
Conquest (posted February 27, 2013):
> Themida OEP is 00620000 VA.
Put a HW BP there and then continue the Themida unpacking. Is this correct? Have you managed to dump it at the Themida entry point? I tried so many times to use the LCF-AT script to run at the Themida entry point and it keeps failing. Can someone post a hint about how to dump it at the Themida EP?
GIV (posted February 27, 2013, edited February 27, 2013 by GIV):
I was lost at that point. The script fails. The OEP, I guess, can be reached by the ZwFreeVirtualMemory API.
LCF-AT (posted February 27, 2013):
Hi, so the script is only working from the original EP, so in that case you have to access the script manually. Yes, you can also dump at the EP of TheMida. Just use the script [dpe "dump.exe", eip], but now you also fail to unpack the TM layer with the script, so the codesection & TM sections are together in one section. Here you can split the codesection part and the TM part with LordPE if you recalc the new address and sizes. Give the codesection a size of 0005A000 and adjust the other values manually, then save and load the file in Olly and unpack it. Don't forget to set the second section to writeable! Here my unpacked file from today. No special features used in this unpackme. greetz
Attachment: delldell_UnpackMe_Themida__ZProtect_Unpacked.rar
Conquest (posted February 28, 2013):
> Hi, so the script is only working from the original EP, so in that case you have to access the script manually. Yes, you can also dump at the EP of TheMida. Just use the script [dpe "dump.exe", eip], but now you also fail to unpack the TM layer with the script, so the codesection & TM sections are together in one section. Here you can split the codesection part and the TM part with LordPE if you recalc the new address and sizes. Give the codesection a size of 0005A000 and adjust the other values manually, then save and load the file in Olly and unpack it. Don't forget to set the second section to writeable! Here my unpacked file from today. No special features used in this unpackme. greetz
I have a question. I have seen people splitting combined/packed sections into separate ones but couldn't understand how they calculate it. Can you explain it in this case (how to split the sections in this unpackme)?
LCF-AT (posted March 1, 2013):
@Conquest
Almost very simple. Load the unpackme in Olly. First layer is ZP. Trace over the first pushad, then set a HWBP on access on [ESP] and run, and you stop at call xy right after the popad command. Now trace over the return commands till the start of the new EP of the TM layer. Here you can dump the TM layer. Just dump with an Olly script or use PETools and make a raw dump of that file. Now check the dumped file with LordPE and check the sections, and you see all VA RO = same & VS RS = same; this is important, and this is the result you get if you dump via raw mode. Check sections:

This you can see now:
.textbss  VA: 00001000 VS: 00221000 RO: 00001000 RS: 00221000
.text     VA: 00222000 VS: 00001000 RO: 00222000 RS: 00001000
.data     VA: 00223000 VS: 00144000 RO: 00223000 RS: 00144000

Now you need a desired new size which you want to give the first section. So you can check the codesection, if your target runs, where the TM code does start [round about xy size etc]. So in that unpackme you can start with a size of 56000 for example. 401000 + 56000 = 457000 VA = 57000 RVA = new VA of section 2 later.

Let's calc:
---------------------------------------------
        NewVS      VA sec1      NewVA of section 2
.text   56000    + 00001000   = 00057000

        sec3 VA    sec2 VA      new VS of sec2
        00223000 - 00057000   = 001CC000

VS: VS/RS sec1  VA/RO sec2  VS/RS sec2
==  00056000 and 00057000 and 001CC000
----------------------------------------------
==
VA: 00001000 VS: 00056000 RO: 00001000 RS: 00056000
VA: 00057000 VS: 001CC000 RO: 00057000 RS: 001CC000

Change VS & RS of sec1 to 00056000
Change VA & RO of sec2 to 00057000
Change VS & RS of sec2 to 001CC000

That's all. Now save and load this file in Olly and run. All working. Now we have just changed the address & sizes of the first & second section, so that now the second section is larger than before and the codesection is smaller than before, and now the TheMida code is in section two and no more in section one. So we just changed the borders, and now you can also use a script etc. It's important for most scripts that the protector etc. section is stored in its own section and not in the codesection.
PS: Also you now have to set section 2 to writeable before you unpack it.
greetz
Conquest (posted March 1, 2013):
> @Conquest
> Almost very simple. Load the unpackme in Olly. First layer is ZP. Trace over the first pushad, then set a HWBP on access on [ESP] and run, and you stop at call xy right after the popad command. Now trace over the return commands till the start of the new EP of the TM layer. Here you can dump the TM layer. Just dump with an Olly script or use PETools and make a raw dump of that file. Now check the dumped file with LordPE and check the sections, and you see all VA RO = same & VS RS = same; this is important, and this is the result you get if you dump via raw mode.
OK, got it working finally, using the [dpe "dump.exe", eip] script command. But I have one last question: I was looking for dumping using PETools or LordPE/ImpREC but couldn't find anything like raw dumping. I am aware that we can directly dump from memory (RAM), but I think this isn't what you mean, so I was forced to use the [dpe "dump.exe", eip] command. But can you please tell me how I can do it using a tool like PETools or LordPE (raw dumping)?
LCF-AT (posted March 1, 2013):
"RAW" <--- Look for this in the settings. Force raw mode. greetz
Conquest (posted March 2, 2013):
> "RAW" <--- Look for this in the settings. Force raw mode. greetz
Thank you so much LCF-AT. This is just to share in case someone has failed to launch the exe even after using raw mode: make the .textbss section writable (PETools keeps it read-only).
icarusdc (posted September 26, 2016):
Is there anyone who can help fix the quote from @LCF-AT? It's kind of messed up. I can't read the quote clearly. Salam.