

This is a C++ application packed with the latest Themida version, and it's using one VM_START/VM_STOP.

If you unpack it, please provide a how-to.

Note: added Win2k and WinXP compatibility even though it was compiled using VS2012.



Themida - Advanced Windows Software Protection System [Version 2.2.4.0]
Protection Options for NetworkBrowser.exe
-----------------------------------------
Macros Information
------------------
VM Macros: 1
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
STR_ENCRYPT Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_VIRTUAL_PC Macros: 0
Protection Options
------------------
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Ofuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: File Patch (sign support)
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED
Virtual Machine Settings
------------------------
Number of Virtual APIs wrapped: 0
API Virtualization Level: 3
Entry Point Virtualization: 0 instructions
Multi Branch Technology: DISABLED
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Metamorphic - Level 2
Dynamic Opcode: 20% Dynamic
Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Hide from PE scanners: Type 5
.NET assemblies: ENABLED
Active Context: DISABLED
Add Manifest: Don't add manifest
XBundler files
--------------
No files to bundle

NetworkBrowser.rar

Edited by Klinzter

Hi,

OK, here is my unpacked file, so test it and tell me whether it works, so I don't have to test it now under another OS.

So I see some little small things were changed. :)

greetz

NetworkBrowser_Unpacked_x2.rar

Hi LCF-AT,

When will your script to unpack Themida support the latest version?

That's it... nicely done!! Care to show us how you did it?

Edited by Klinzter

@ converse

So the unpack process is still the same; there are only 2 deviations from the sequence which the Multi Pro script uses. First, the stop counter at the ZwAllocateVirtualMemory API no longer matches and is shorter, and second, you need to add a second scan pattern [CMP EAX,10000 is 5 bytes; here it is CMP EDX,10000, 6 bytes]. You can change this manually a little in the script, and then you can also unpack that file as always. You could also add a little better pre-scan etc. [too little to make an update]. If you can script a little, then it should be no big deal for you. So my new script will of course handle this; there I mostly use direct code patches instead of script pattern scans & stops to make it work faster, but at the moment there is no release date in outlook. Maybe this year or not, no idea [I need more different protected normal - advanced test unpackmes], and I'm too lazy at the moment to start checking the whole big script for possible bugs etc.

@ Klinzter

As I told you already above, the unpack process is almost the same whether you use the script or do it manually; it's the same.

greetz

I can't unpack it


4 months later...

haha, I will try


So after doing some manual analysis I found only this info. I need to write a script to automate the process of IAT fixing. Correct me if anyone finds anything else.

00404000 02770000 << IAT start
$+588 >78647113 mfc90.#1276
$+58C >00000000 << IAT end
-------------------------------------------------------------------------------------------------------------------
Breaks on the code section at the following address:
004039B8 /$ 8BFF MOV EDI,EDI (near OEP)
Stack points at ->
0012FF80 0040353C NetworkB.0040353C (return address || 1 address up = real OEP)
This is the standard Visual Studio entry point.
-------------------------------------------------------------------------------------------------------------------
API logger was wrong.

Edited by Conquest

Seems my concept of Themida API redirection was flawed, and after looking at the latest LCF-AT tuts it got worse. Anyway, I hope the following addresses are proper this time, but some verification from LCF-AT would be better.

004F71D5  /0F84 D1000000  JE NetworkB.004F72AC  << RAW API in EAX // Read API address for the simple script made by LCF-AT in the latest Themida tut
004F72CD  FFD3            CALL EBX              << Gets the real API (actually it does something else, but let's think of it the way LCF-AT told us)

Rest is easy.

Finding how the API redirection works was the biggest hurdle for me, since nothing clear was ever written on it (apart from everyone doing the DEC R32 binary search to find the API redirection spot).


Edited by Conquest

2 months later...

Could you give me a download link for Themida 2.2.6.0?


unpacked by kGe.zip
