Klinzter Posted April 17, 2013 (edited)

This is a C++ application packed with the latest Themida version and it is using one VM_START/VM_STOP. If you unpack it, please provide a how-to.
Note: added Win2k and WinXP compatibility even though it was compiled using VS2012.

Themida - Advanced Windows Software Protection System [Version 2.2.4.0]

Protection Options for NetworkBrowser.exe
-----------------------------------------

Macros Information
------------------
VM Macros: 1
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
STR_ENCRYPT Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_VIRTUAL_PC Macros: 0

Protection Options
------------------
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Ofuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: File Patch (sign support)
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED

Virtual Machine Settings
------------------------
Number of Virtual APIs wrapped: 0
API Virtualization Level: 3
Entry Point Virtualization: 0 instructions
Multi Branch Technology: DISABLED
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Metamorphic - Level 2
Dynamic Opcode: 20% Dynamic

Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Hide from PE scanners: Type 5
.NET assemblies: ENABLED
Active Context: DISABLED
Add Manifest: Don't add manifest

XBundler files
--------------
No files to bundle

Attachment: NetworkBrowser.rar

Edited April 17, 2013 by Klinzter
LCF-AT Posted April 17, 2013

Hi, ok, here is my unpacked file, so test it and tell me whether it works, so I don't have to test it now under another OS. So I see there were some small things changed.

greetz

Attachment: NetworkBrowser_Unpacked_x2.rar
converse Posted April 17, 2013

Hi LCF-AT, when will your script to unpack Themida support the latest version?
Klinzter (Author) Posted April 17, 2013 (edited)

> Hi, ok, here is my unpacked file, so test it and tell me whether it works, so I don't have to test it now under another OS. So I see there were some small things changed. greetz

That's it.. nicely done!! Care to show us how you did it?

Edited April 17, 2013 by Klinzter
LCF-AT Posted April 17, 2013

@ converse
So the unpack process is still the same; there are only 2 deviations in the sequence used by the Multi Pro script. First, the stop counter at the ZwAllocateVirtualMemory API does not match any more and is shorter, and second, you need to add a second scan pattern [CMP EAX,10000 is 5 bytes, here it is CMP EDX,10000 with 6 bytes]. This you can change manually a little in the script and then you can also unpack that file as always. You could also just add a little better pre-scan etc. [too little to make an update]. If you can script a little then it should be no big deal for you. So my new script will handle this of course; there I mostly use direct code patches instead of script pattern scans & stops to make it work faster, but at the moment there is no release date in outlook. Maybe this year or not, no idea [need more different protected normal - advanced test unpackmes]; too lazy at the moment too to start checking the whole big script for possible bugs etc.

@ Klinzter
As I told already above, the unpack process is almost the same; if you use the script or if you do it manually then it's the same.

greetz
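The post above says the script's scan pattern for CMP EAX,10000 (5 bytes) misses the new build because Themida now emits CMP EDX,10000 (6 bytes). The example below is added here and is not part of the thread, the Multi Pro script or Themida; it shows why the two differ (x86 has a short 3D imm32 form reserved for EAX and a 81 /7 ModRM form for every register) and scans a constructed byte buffer for all eight register variants, so a single pattern scanner covers both cases. The buffer CODE is constructed for the demo, not taken from NetworkBrowser.exe.

```python
import struct

# x86-32 general-purpose registers in ModRM/reg-field order
REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
TARGET = 0x10000  # the immediate the thread's pattern looks for


def encode_cmp_imm32(reg: str, imm: int = TARGET) -> bytes:
    """Encode CMP reg, imm32 the way an assembler does:
    EAX gets the 5-byte short form (3D imm32), every other register
    gets the 6-byte long form (81 /7 imm32, ModRM mod=11 reg=7 rm=reg)."""
    imm_le = struct.pack("<I", imm)
    if reg == "EAX":
        return b"\x3D" + imm_le
    modrm = 0xC0 | (7 << 3) | REGS.index(reg)
    return b"\x81" + bytes([modrm]) + imm_le


def find_cmp_imm32(code: bytes, imm: int = TARGET):
    """Naive linear scan for CMP r32, imm in both encodings.
    Returns a list of (offset, register, instruction_length).
    Not a disassembler: a hit inside data or a longer instruction is
    possible, so confirm a hit in the debugger before placing a stop."""
    imm_le = struct.pack("<I", imm)
    hits, i, n = [], 0, len(code)
    while i < n:
        # short form: 3D imm32 -> CMP EAX, imm32 (5 bytes)
        if code[i] == 0x3D and code[i + 1:i + 5] == imm_le:
            hits.append((i, "EAX", 5))
            i += 5
            continue
        # long form: 81 ModRM imm32 with mod=11, reg=7 -> CMP r32, imm32 (6 bytes)
        if code[i] == 0x81 and i + 6 <= n:
            modrm = code[i + 1]
            if modrm >> 6 == 3 and (modrm >> 3) & 7 == 7 and code[i + 2:i + 6] == imm_le:
                hits.append((i, REGS[modrm & 7], 6))
                i += 6
                continue
        i += 1
    return hits


# Constructed sample: MOV EDI,EDI ; CMP EAX,10000 ; NOP ; CMP EDX,10000 ; RET
CODE = bytes.fromhex("8BFF" "3D00000100" "90" "81FA00000100" "C3")

if __name__ == "__main__":
    for off, reg, ln in find_cmp_imm32(CODE):
        print(f"+{off:04X}: CMP {reg},10000 ({ln} bytes)")
```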
Conquest Posted September 12, 2013 (edited)

So after doing some manual analysis I found this info only. I need to write a script to automate the process of IAT fixing. Correct me if anyone finds anything else.

00404000 02770000 << IAT start
$+588 > 78647113 mfc90.#1276
$+58C > 00000000 << IAT end

-------------------------------------------------------------------------------------------------------------------

Breaks in the code section at the following address:

004039B8 /$ 8BFF MOV EDI,EDI (near OEP)

Stack points at -> 0012FF80 0040353C NetworkB.0040353C (return address || 1 address up = real OEP)

This is the standard Visual Studio entry point.

-------------------------------------------------------------------------------------------------------------------

API logger was wrong.

Edited September 13, 2013 by Conquest
Conquest Posted September 13, 2013 (edited)

Seems my concept of Themida API redirection was flawed, and after looking at the latest LCF-AT tuts it got worse. Anyway, I hope the following addresses are proper this time, but some verification from LCF-AT will be better.

004F71D5 /0F84 D1000000 JE NetworkB.004F72AC << RAW API in EAX // Read API address for the simple script made by LCF-AT in the latest Themida tut

004F72CD FFD3 CALL EBX << Gets real API (actually it does something else, but let's think of it the way LCF-AT told us)

The rest is easy. Finding how the API redirection works was the biggest hurdle for me, since nothing clear was ever written on it (apart from everyone doing the DEC R32 binary search to find the API redirection spot).

Edited September 13, 2013 by Conquest
yangkaiyinpojie Posted November 22, 2013

Could you give me a download link for Themida 2.2.6.0?

Attachment: unpacked by kGe.zip
GIV Posted November 22, 2013

> Could you give me a download link for Themida 2.2.6.0?

http://forum.tuts4you.com/topic/33562-unpackme-themida-2260/