Tuts 4 You

[UnpackMe] Themida



This is a C++ application packed with the latest Themida versions, and it's using one VM_START/VM_STOP.

If you unpack it, please provide a how-to.

Note: added Win2k and WinXP compatibility even though it was compiled using VS2012.

Themida - Advanced Windows Software Protection System [Version]
Protection Options for NetworkBrowser.exe
-----------------------------------------
Macros Information
VM Macros: 1
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
Protection Options
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Ofuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: File Patch (sign support)
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED
Virtual Machine Settings
Number of Virtual APIs wrapped: 0
API Virtualization Level: 3
Entry Point Virtualization: 0 instructions
Multi Branch Technology: DISABLED
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Metamorphic - Level 2
Dynamic Opcode: 20% Dynamic
Advanced Protection Options
Encrypt Application: ENABLED
Hide from PE scanners: Type 5
.NET assemblies: ENABLED
Active Context: DISABLED
Add Manifest: Don't add manifest
XBundler files
No files to bundle


Edited by Klinzter


OK, here is my unpacked file, so test it and tell me whether it works, so I don't have to test it now under another OS.

So I see some small things were changed. :)



That's it... nicely done!! Care to show us how you did it?

Edited by Klinzter

@ converse

So the unpack process is still the same; there are only 2 deviations in the sequence that the Multi Pro script uses. First, the stop counter at the ZwAllocateVirtualMemory API no longer matches and is shorter, and second, you need to add a second scan pattern [CMP EAX,10000, 5 bytes, is here CMP EDX,10000, 6 bytes]. This you can change manually a little in the script, and then you can also unpack that file as always. You could also add a little better pre-scan etc. [too little to make an update]. If you can script a little, then it should be no big deal for you. My new script will handle this of course; there I mostly use direct code patches instead of script pattern scans & stops to make it work faster, but at the moment there is no release date in outlook. Maybe this year or not, no idea [need more differently protected normal - advanced test unpackmes]; too lazy at the moment too to start checking the whole big script for possible bugs etc.

@ Klinzter

As I told already above, the unpack process is almost the same; whether you use the script or do it manually, it's the same.




So after doing some manual analysis I found only this info. I need to write a script to automate the process of IAT fixing. Correct me if anyone finds anything else.

00404000  02770000   << IAT start
$+588     >78647113  mfc90.#1276
$+58C     >00000000  << IAT end

Breaks on code section at the following address:
004039B8  /$ 8BFF  MOV EDI,EDI   (near OEP)

Stack points at ->
0012FF80  0040353C  NetworkB.0040353C  (return address || 1 address up = real OEP)
This is standard Visual studio Entry point
Api logger was wrong

Edited by Conquest

Seems my concept about Themida API redirection was flawed, and after looking at the latest LCF-AT tuts it got worse. Anyway, I hope the following addresses are proper this time, but some verification from LCF-AT would be better.

004F71D5  /0F84 D1000000  JE NetworkB.004F72AC   << RAW API in EAX // read API address for the simple script made by LCF-AT in the latest Themida tut
004F72CD  FFD3            CALL EBX               << gets real API (actually it does something else, but let's think of it the way LCF-AT told us)

Rest is easy.

Finding how the API redirection works was the biggest hurdle for me, since nothing clear was ever written on it (apart from everyone doing the DEC R32 binary search to find the API redirection spot).

Edited by Conquest
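Added example (not code from the thread or from LCF-AT's script): a small Python walker for the kind of IAT described in Conquest's two posts above, separating slots that already hold a direct API pointer (like the mfc90 entry at $+588) from slots that still point into a Themida-allocated region and that an IAT-fixing script would have to resolve. The module ranges and dump bytes are constructed; only the 0x00404000 start VA and the 0x78647113 mfc90 pointer come from the thread.

```python
import struct

# Constructed module map (hypothetical bases; the thread only says that
# 0x78647113 lies in mfc90). A real script would read these from the debugger.
MODULES = {
    "mfc90":    (0x78600000, 0x78700000),
    "kernel32": (0x7C800000, 0x7C900000),
}

# Constructed dump of .data at VA 0x00404000 (the IAT start named in the
# thread): one redirected slot pointing into an allocated region, two direct
# API pointers, then the NULL DWORD that terminates the table.
IAT_VA = 0x00404000
DUMP = struct.pack("<4I", 0x02770000, 0x78647113, 0x7C801234, 0)


def module_of(addr, modules=MODULES):
    """Name of the module whose address range contains addr, else None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def walk_iat(dump, iat_va, modules=MODULES):
    """Walk DWORD slots from a known IAT start up to the NULL terminator.

    Returns (start_va, end_va, entries); each entry is
    (slot_va, target, module name or 'redirected')."""
    n = len(dump) // 4
    words = struct.unpack("<%dI" % n, dump[:n * 4])
    entries = []
    for j, w in enumerate(words):
        slot = iat_va + 4 * j
        if w == 0:
            return iat_va, slot, entries      # this slot holds the terminator
        entries.append((slot, w, module_of(w, modules) or "redirected"))
    raise ValueError("no NULL terminator inside the dump")


def unresolved_slots(entries):
    """Slots an IAT-fixing script still has to resolve to a real API."""
    return [slot for slot, _, mod in entries if mod == "redirected"]
```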
