[UnpackMe] Themida 2.2.3.0

[nProtect]

Compiler : Visual Basic 6.0

 

here is protection options

 

 Themida - Advanced Windows Software Protection System  [Version 2.2.3.0]Protection Options for UnpackMe_Themida.exe
-------------------------------------------Macros Information
------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
STR_ENCRYPT Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_VIRTUAL_PC Macros: 0
Protection Options
------------------
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Ofuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: File Patching
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED
Virtual Machine Settings
------------------------
Number of Virtual APIs wrapped: 0
API Virtualization Level: 3
Entry Point Virtualization: 0 instructions
Multi Branch Technology: ENABLED
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Metamorphic - Level 2
Dynamic Opcode: 20% Dynamic
Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Hide from PE scanners: Type 2
.NET assemblies: ENABLED
Active Context: DISABLED
Add Manifest: Don't add manifest
XBundler files
--------------
No files to bundle
 

 

UnpackMe_Themida2230.rar

[LCF-AT]

@ nProtect

Not very well protected.

greetz

UnpackMe_Themida 2.2.3.0_Unpacked.rar

[nProtect]

WOW so fast

 

can u make a tutorial?

[GIV]

WOW so fast

 

can u make a tutorial?

 

Here it is attached.

Used LCF-AT script, of course....

Stripped from the video the Themida sections removal and file rebuilding with LordPE

 

P.S.

You can see the jump to ThunRtMain at 401128 with is a common place for this jump for VB programs.

Unpacking.rar

Edited February 5, 2013 by GIV

[nProtect]

oh thanks

any better solutions? use with VM_START and VM_END ?

[GIV]

any better solutions?

 

I do not understant what is a "better" solution for you? Please rephrase....

 

Here is a method for reaching OEP of your file.

 

OEP find.rar

Edited February 5, 2013 by GIV

[rwkeith]

If you want to make it harder use the RISC vm, and Entry point virtualization.

Edited February 5, 2013 by rwkeith

[HellSpider]

oh thanks

any better solutions? use with VM_START and VM_END ?

 

Yes, that's a good start. Only the weakest protection options were enabled in your file.

 

Add different markers to make the stuff more interesting:

CODEREPLACE_START

CODEREPLACE_END

ENCODE_START

ENCODE_END

CLEAR_START

CLEAR_END

VM_START

VM_END

[yangkaiyin]

who can try this:http://pan.baidu.com/share/link?shareid=315786&uk=4046366761

Edited February 15, 2013 by yangkaiyin

[yangkaiyin]

and this is my unpacked file:

http://pan.baidu.com/share/link?shareid=315788&uk=4046366761