Jump to content
Tuts 4 You

[UnpackMe] Themida ZProtect Mix


delldell

Recommended Posts

  • 6 months later...

why can not runnning?


 


video
http://pan.baidu.com/share/link?shareid=320887&uk=4046366761


 

file
http://pan.baidu.com/share/link?shareid=320890&uk=4046366761


 

unpacked file
http://pan.baidu.com/share/link?shareid=320892&uk=4046366761
-------------------------------------------------------------
i think use you acript i not fix the vm oep code,but the APP can running,very very goog<>,you script,like this "Activate.exe",welcome to look the video for the lean unpacjing themida people,look here:


 

 


 

video
http://pan.baidu.com/share/link?shareid=320875&uk=4046366761


 


 


 

file
http://pan.baidu.com/share/link?shareid=320877&uk=4046366761

Link to comment

Themida OEP is 00620000 VA.

Put a HW BP there and then continue the Themida unpacking.

Is this correct?

have you managed to dump it at the themida entry point? tried so many times to use the lcf-at script to run at themida entry point and it keeps failing. can some1 post a hint about how to dump it at themida ep

Link to comment

I was lost at that point. The script fails. 


The OEP i guess that can be reached by 


 



ZwFreeVirtualMemory
 

 


 API.


Edited by GIV
Link to comment

Hi,


 


so the script is only working from original EP so in that case you have to access the script manually.Yes you can also dump at the EP of TheMida.Just use the script [dpe "dump.exe", eip] but now you also fail to unpack the TM layer with the script so the codesection & TM sections are together in one section.Here you can split the codesection part and the TM part with LordPE if you recalc the new address and sizes.Give codesection a size of 0005A000 and adjust the other values manually and then save and load the file in Olly and unpack it.Don't forget to set the second section to writeable!


 


Here my unpacked file from today.No special features used in this unpackme.


 


greetz


delldell_UnpackMe_Themida__ZProtect_Unpacked.rar

  • Like 1
Link to comment

Hi,

 

so the script is only working from original EP so in that case you have to access the script manually.Yes you can also dump at the EP of TheMida.Just use the script [dpe "dump.exe", eip] but now you also fail to unpack the TM layer with the script so the codesection & TM sections are together in one section.Here you can split the codesection part and the TM part with LordPE if you recalc the new address and sizes.Give codesection a size of 0005A000 and adjust the other values manually and then save and load the file in Olly and unpack it.Don't forget to set the second section to writeable!

 

Here my unpacked file from today.No special features used in this unpackme.

 

greetz

I have a question, i have seen people splitting combined/packed sections into separate ones but couldn't understand how they calculate it. Can you explain it in this case(how to split the sections in this unpack me)

Link to comment

@ Conquest

Almost very simple.

Load the unpackme in Olly.First layer is ZP.Trace over first pushad then set HWBP access on [ESP] and run and you stop at call xy right after popad command.Now trace over the retrun commands til the start of the new EP of the TM layer.Here you can dump the TM layer.Just dump with Olly script or use PETools and make a raw dump of that file.Now check the dumped file with LordPE and check the sections and you see all VA RO = same & VS RS = same so this is important so this result you get if you dump via raw modus.

Check sections: This you can see now.

.textbss.text.dataVA: 00001000  VS: 00221000  RO: 00001000  RS: 00221000VA: 00222000  VS: 00001000  RO: 00222000  RS: 00001000VA: 00223000  VS: 00144000  RO: 00223000  RS: 00144000Now you need a desired new size which you want to give the first section.So you can check the codesection if your target run where the TM code does start [round about xy size etc].So in that unpackme you can start with a size of 56000 for exsample.401000 + 56000 = 457000 VA = 57000 RVA = new VA of sections 2 later.Lets calc:---------------------------------------------NewVS   VAsec1    NewVA of section 2 .text56000 + 00001000 = 00057000sec3 VA    sec2 VA    newVS of sec200223000 - 00057000 = 001CC000 VS   VS RS sec1    VA RO sec2    VS RS sec2== 00056000   and 00057000 and 001CC000----------------------------------------------==VA: 00001000  VS: 00056000  RO: 00001000  RS: 00056000VA: 00057000  VS: 001CC000  RO: 00057000  RS: 001CC000Change VS & RS of sec1 to  00056000Change VA & RO of sec2 to  00057000Change VS & RS of sec2 to  001CC000
Thats all.Now save and load this file in Olly and run.All working.Now we have just changed the address & sizes of the first & second section so that now the second section is larger than before and the codesection is smaller than before and now the TheMida code is in section two and no more in section one.So we just changed the borders and now you can also use a script etc.Its important for the most scripts that the protector etc section is stored in a own section and not in the codesection.

PS: Also you have now to set the section 2 to writeable before you unpack it.

greetz

  • Like 1
Link to comment

@ Conquest

Almost very simple.

Load the unpackme in Olly.First layer is ZP.Trace over first pushad then set HWBP access on [ESP] and run and you stop at call xy right after popad command.Now trace over the retrun commands til the start of the new EP of the TM layer.Here you can dump the TM layer.Just dump with Olly script or use PETools and make a raw dump of that file.Now check the dumped file with LordPE and check the sections and you see all VA RO = same & VS RS = same so this is important so this result you get if you dump via raw modus.

 

k got it working finally, using [dpe "dump.exe", eip] script command. but i have 1 last question- i was looking for dumping using petools or lordpe/imprec but couldnt find anything like raw dumping. i am aware that we can directly dump from the memory(ram) but i think this isnt what you mean. so i was forced to use [dpe "dump.exe", eip] command. but can you please tell me how can i do it using a tool like petools or lordpe (raw dumping)

Link to comment

"RAW" <--- Look for this in the settings.Force raw mode.

greetz

Thank you so much LCF-AT. This is just to share if some1 has failed to launch the exe even after using rawmode. make the .textbss section writable(petools keep it readable only )

Link to comment
  • 3 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...