WinLicense - Professional Software Protection and Licensing Management [Version 2.1.3.32]

Protection Options for Software: WL-TM.2.1.3.32
---------------------------------------

Macros Information
------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
STR_ENCRYPT Macros: 0
RegisteredVM Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_REGISTRATION Macros: 0
CHECK_VIRTUAL_PC Macros: 0

Protection Options
------------------
Anti-Debugger: ADVANCE
Anti-Dumpers: ENABLED
Entry Point Obfuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: NONE
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: DISABLED
Ring-0 Protection: DISABLED

Virtual Machine Settings
------------------------
Number of Virtual APIs wrapped: 1
API Virtualization Level: 3
Entry Point Virtualization: 0 instructions
Multi Branch Technology: DISABLED
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Metamorphic - Level 2
Dynamic Opcode: 20%

Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Export Generators: ENABLED
Keep Trial Running: DISABLED
Hide from PE scanners: Standard
.NET assemblies: ENABLED
Active Context: DISABLED
Custom Event:
Add Manifest: Don't add manifest
Launch Application:

XBundler files
--------------
1 bundled dll

I hope someone has an idea how to extract (unpack) the bundled DLL in the case when it is not used (loaded, or for example you cannot easily get to the point in the main executable where the external bundled DLL would be loaded) directly from the main executable when you run it.

I don't want only the main executable to be extracted.

UnPackMe.rar

Edited by morfej

@ morfej

Why use a .NET Framework file? If you can, create the same UnpackMe again as a normal PE32 file if possible.

greetz

Doesn't appear the file does anything, button code is empty. References an external lib that isn't used.


 


Attached is the unpacked file.


Unpacked.7z

Here are two methods of unpacking....


Unpacking.rar

Second method.rar

Edited by GIV

  • Author

@atom0s, @GIV: My intention is to find a method to get the XBundled DLL (especially when you can't get to the point where the DLL is loaded inside the main executable, or it is not even used at all), not to unpack the main executable.

Both of you didn't unpack the XBundled DLL file.

@LCF-AT: I want to find a way for .NET. Can your script for unpacking a normal PE32 Themida executable with XBundled files help for a .NET executable?


Edited by morfej

From where is the bundled DLL called?


my unpacked file


unpacked.rar

  • Author

@GIV: That's the whole point! It is not called anywhere. So how to extract the bundled DLL then?


If it is not used/called, what is the logic?


  • Author

OK, then assume that you cannot get to the point inside the main executable where the DLL is called... which is technically the same thing.

In case I need that bundled DLL.

My idea is to inject code into unpackme.exe, for example into the button click event, in a way that the injected code would cause loading of that external DLL (XBundled DLL), so then the DLL would be unpacked as well when you try to unpack it. (I know that probably includes the Bootstrap DLL.)


Edited by morfej

Quick tutorial


 


The main idea is to make a dummy call to the DLL so that we can trick the packer into loading the DLL and decrypting it, since it is not accessed.

Stop here:

004902AB    60              PUSHAD

EAX = encrypted string of ExternalLib.dll followed by encrypted file

Let this procedure execute; it will decrypt this string.

Go to this procedure, where it extracts stuff:

004837F3    55              PUSH EBP

Stop here:

0048384C    E8 E4F1FFFF     CALL UnPackMe.00482A35

On the stack you can replace whatever DLL is in

$ ==>    > 003533F8  |Arg1 = 003533F8 ASCII "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll"

with the string from ExternalLib.dll:

0048E924  = ExternalLib.dll

Execute this call after you have replaced the DLL pointer.

After you have executed this call you will have this in EAX:

EAX = pointer to dll info [EAX+4] = DWORD to encrypted bundled file

Follow [EAX+4] in the dump window.

0048E938: here is where you should be, which is the start of the encrypted bundled file.

Now just execute till here:

0048389E    59              POP ECX

There you can see the DLL decrypted and you can dump it.


 


Here is the dumped dll.


ExternalLib_Dumped.rar

Edited by Lostin
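
Sizing the dump in the last step of the tutorial above, as an added example that is not part of Lostin's post: once a decrypted DLL sits in a saved memory region, its PE headers give the number of bytes the file occupies. It assumes the decrypted bytes are in on-disk (raw) layout and ignores any overlay after the last section; the function names and the sample buffer are constructed for illustration.

```python
import struct

def pe_raw_size(buf: bytes, base: int) -> int:
    """On-disk size of the PE file at buf[base:], from its headers.
    Raises ValueError when the bytes are not a plausible PE."""
    try:
        if buf[base:base + 2] != b"MZ":
            raise ValueError("no MZ signature")
        nt = base + struct.unpack_from("<I", buf, base + 0x3C)[0]   # e_lfanew
        if buf[nt:nt + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        n_sections, = struct.unpack_from("<H", buf, nt + 6)
        opt_size, = struct.unpack_from("<H", buf, nt + 20)
        # SizeOfHeaders is at offset 60 of the optional header (PE32 and PE32+).
        end, = struct.unpack_from("<I", buf, nt + 24 + 60)
        table = nt + 24 + opt_size
        for i in range(n_sections):
            raw_size, raw_ptr = struct.unpack_from("<II", buf, table + 40 * i + 16)
            if raw_size:
                end = max(end, raw_ptr + raw_size)
    except struct.error as exc:
        raise ValueError("truncated headers") from exc
    if base + end > len(buf):
        raise ValueError("image runs past the end of the buffer")
    return end

def carve_pe_files(buf: bytes) -> list[tuple[int, int]]:
    """(offset, size) of every valid PE file found in a memory dump."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        try:
            found.append((pos, pe_raw_size(buf, pos)))
        except ValueError:
            pass                      # stray "MZ" bytes, not a header
        pos = buf.find(b"MZ", pos + 1)
    return found

def build_sample_dump() -> bytes:
    """Constructed sample: filler, a minimal two-section PE32 DLL, filler."""
    def section(name, raw_size, raw_ptr):
        fields = struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
        return name.ljust(8, b"\0") + fields + bytes(16)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)     # SizeOfHeaders
    pe = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
          + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
          + bytes(opt) + section(b".text", 0x400, 0x200) + section(b".rsrc", 0x200, 0x600))
    return b"\x90" * 0x100 + pe.ljust(0x800, b"\xCC") + b"MZ" + bytes(0x2FE)
```

Slicing the saved region as `buf[offset:offset + size]` for each pair returned by `carve_pe_files` gives the file bytes to write out.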
