[UnpackMe] Themida 2.2.4.0

[Klinzter]

This is a C++ application packed with latest Themida versions and its using one VM_START/VM_STOP

if you unpack it please provide a how-to

note: added win2k and winxp compatibility even though it was compiled using VS2012

Themida - Advanced Windows Software Protection System  [Version 2.2.4.0]
Protection Options for NetworkBrowser.exe

-----------------------------------------
Macros Information

------------------

VM Macros: 1

CodeReplace Macros: 0

ENCRYPT Macros: 0

CLEAR Macros: 0

MUTATE Macros: 0

STR_ENCRYPT Macros: 0

CHECK_PROTECTION Macros: 0

CHECK_CODE_INTEGRITY Macros: 0

CHECK_VIRTUAL_PC Macros: 0

Protection Options

------------------

Anti-Debugger: Ultra

Anti-Dumpers: ENABLED

Entry Point Ofuscation: ENABLED

Resource Encryption: ENABLED

VMWare compatible: ENABLED

API-Wrapping Level: Level 2

Anti-Patching: File Patch (sign support)

Metamorph Security: ENABLED

Memory Guard: ENABLED

When Debugger Found: Display Message

Application compression: ENABLED

Resources compression: ENABLED

SecureEngine compression: ENABLED

Anti-File Monitor: ENABLED

Anti-Registry Monitor: ENABLED

Delphi/BCB form protection: ENABLED

Virtual Machine Settings

------------------------

Number of Virtual APIs wrapped: 0

API Virtualization Level: 3

Entry Point Virtualization: 0 instructions

Multi Branch Technology: DISABLED

Virtual Machine Processor: Mutable CISC processor

Number of CPUs: 1

Opcode Type: Metamorphic - Level 2

Dynamic Opcode: 20% Dynamic

Advanced Protection Options

---------------------------

Encrypt Application: ENABLED

DLL plugin: DISABLED

Hide from PE scanners: Type 5

.NET assemblies: ENABLED

Active Context: DISABLED

Add Manifest: Don't add manifest

XBundler files

--------------

No files to bundle

NetworkBrowser.rar

Edited April 17, 2013 by Klinzter

[LCF-AT]

Hi,

ok here my unpacked file so test and tell whether it works so I don't have test it now under a other OS.

So I see there was changed some little small things.

greetz

NetworkBrowser_Unpacked_x2.rar

[converse]

Hi LCF-AT

When your script to unpack Themida will support the latest version?

[Klinzter]

Hi,

ok here my unpacked file so test and tell whether it works so I don't have test it now under a other OS.

So I see there was changed some little small things.

greetz

 

thats it.. nicely done!! care to show us how u did it?

Edited April 17, 2013 by Klinzter

[LCF-AT]

@ converse

So the unpack process is still the same there are only 2 deviations about the sequence which does use the Multi Pro script.First the stop counter at ZwAllocateVirtualMemory API does no more match and is shorter and second you need to add a second scan pattern [CMP EAX,10000 5 bytes is here CMP EDX,10000 6 bytes].This you can change manually a little in the script and then you can also unpack that file as always.You just could also add a little better pre scan etc [to less to make a update].If you can script a little then it should be no big deal for you.So my new script will handle this of course so there I use mostly direct code patches instead of script pattern scan & stops to make it working faster but at the moment there is no release date in outlook.Maybe this year or not,no idea [need more diffrent protected normal - advanced test unpackmes] to lazy at the moment too to start checking the whole big script for possible bugs etc.

@ Klinzter

As I tols already above the unpack process is almost the same if you use the script or if you do it manually then it's the same.

greetz

[Rooking]

I can't unpack it

[jakeycheng]

haha, I will try

[Conquest]

So after doing some manual analysis i found these info only. i need to write a script to automate the process of iat fixing- Correct me if anyone finds anything else

00404000                    02770000                                                   <<IAT start
$+588                       >78647113         mfc90.#1276

$+58C                       >00000000                                                  << IAT end
-------------------------------------------------------------------------------------------------------------------

Breaks on Code Section At The following address-

004039B8                    /$8BFF           MOV EDI,EDI                               (Near OEP)

Stack points at -> 

0012FF80                    0040353C         NetworkB.0040353C                         (return Address || 1 address up= real OEP)

This is standard Visual studio Entry point

-------------------------------------------------------------------------------------------------------------------

Api logger was wrong

Edited September 13, 2013 by Conquest

[Conquest]

Seems my concept about themida API redirection was flawed and after looking at the latest LCF-At tuts it got worse. Anyway I hope the following addresses are proper this time but some verification from LCF-AT will be better

004F71D5                      /0F84 D1000000            JE NetworkB.004F72AC     << RAW Api in EAX // Read Api address for simple script made by LCFAT on latest Themida tut
004F72CD                       FFD3                    CALL EBX                  << Gets Real Api (Actually it does something else but lets think it the way LCF-AT told us)

Rest is easy.

Finding how the API redirection works was the biggest hurdle for me since nothing clear was ever written on it  (apart from everyone doing the DEC R32 binary search to find the API redirection spot)

Edited September 13, 2013 by Conquest

[yangkaiyinpojie]

could you give me a download link of Themida 2.2.6.0?

unpacked by kGe.zip

[GIV]

could you give me a download link of Themida 2.2.6.0?

http://forum.tuts4you.com/topic/33562-unpackme-themida-2260/