nProtect Posted October 25, 2013

Hi all,

This file is compiled with Visual Studio 2010 (C++ language) and protected once with VM_START/VM_END. The new Themida version has a new VM system, so I have used the FISH32 White VM to protect this file.

Themida - Advanced Windows Software Protection System [Version 2.2.6.0]
Protection Options for ThemidaTest.exe
--------------------------------------

Macros Information
------------------
VM Macros: 1
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
STR_ENCRYPT Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_VIRTUAL_PC Macros: 0

Protection Options
------------------
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Ofuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: File Patching
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED

Virtual Machine Settings
------------------------
Automatic handling of Virtual Machines: DISABLED
Force Integrity Checks: ENABLED
Virtualize Protection Core with: FISH32 (White)
Virtualize old VM macros: FISH32 (White)
Virtual Machines Inserted:
--> FISH32 (White)

Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Hide from PE scanners: Type 2
.NET assemblies: ENABLED
Active Context: DISABLED
Add Manifest: Don't add manifest

XBundler files
--------------
No files to bundle

Attachment: ThemidaTest.rar
LCF-AT Posted October 25, 2013

Hi,

thanks for posting a new version. Yes, I see the new Tiger / Fish & Chips VM. Ok, so it was just a question of time until WL changed it. Anyway.

greetz

Attachment: ThemidaTest_Unpacked.rar
nProtect (Author) Posted October 27, 2013

Wow, so fast you decoded the new VM? How do you do that?
wgz0001 Posted October 31, 2013

Can you make a tutorial? Thanks. I used your script and cannot unpack this target.
LCF-AT Posted November 22, 2013

Hi,

here I made a little "simple" script for this UnpackMe. Just test it.

////////////////////////////////////////////////////////////////
// Little IAT Fixing Script for [UnpackMe] Themida 2.2.6.0
// http://forum.tuts4you.com/topic/33562-unpackme-themida-2260/
//
// Start Script at EP
// Using ELF Flag Switch Patch
// Basic Simple and Slow Direct API Check & Fixing
// Fix rest Direct APIs manually to IAT - See OllyScript Log
//
// LCF-AT
////////////////////////////////////////////////////////////////
pause
bphwc
bc
lc
lclr
bpmc
var OEP
var FLAG_ADDR
var MJ_1
var PREVENT
var EBP_CALL
var OLD_FLAG
var COUNT
var STORE_API_SEC
var STORE_API_SEC_2
var APIS
var SIGN
var BASE
var CODE     // used in OEP_STOP; declared here for ODbgScript versions that require var
var CODE_BAK
var SIZE
gmi eip, MODULEBASE
mov BASE, $RESULT
mov OEP, 00001253+BASE       // Enter OEP
mov FLAG_ADDR, 0002BFDE+BASE // Enter FLAG Check Address After
mov MJ_1, 000C7026+BASE      // Enter 1. Magic Jump Address
mov PREVENT, 000C65D3+BASE   // Enter Check Crasher Address
mov EBP_CALL, 000C70E2+BASE  // Enter Address to get right API ADDR
/////////////////////////////////
START:
bphws OEP
bpgoto OEP, OEP_STOP
bphws MJ_1
esto
bphwc eip
pusha
xor edi, edi
gci eip, DESTINATION
mov eax, $RESULT
mov ecx, eip
mov [ecx], #909090909090#
inc edi
cmp edi, 04
je ALL_MJS_NOPPED
/////////////////////////////////
MJ_SCAN:
find ecx, #0F84#
mov ecx, $RESULT
gci ecx, DESTINATION
mov ebx, $RESULT
cmp ebx, eax
je RIGHT_MJ
inc ecx
jmp MJ_SCAN
/////////////////////////////////
RIGHT_MJ:
mov [ecx], #909090909090#
inc edi
add ecx, 06
cmp edi, 04
jne MJ_SCAN
/////////////////////////////////
ALL_MJS_NOPPED:
popa
alloc 2000
mov STORE_API_SEC, $RESULT
mov STORE_API_SEC_2, $RESULT
mov [PREVENT], #90E9#, 02
bphws FLAG_ADDR
bpgoto FLAG_ADDR, FLAG_STOP
bphwc MJ_1
bphws EBP_CALL
bpgoto EBP_CALL, MJ_STOP
esto
/////////////////////////////////
MJ_STOP:
bphws FLAG_ADDR
bphwc EBP_CALL
mov [STORE_API_SEC], eax
add STORE_API_SEC, 04
inc APIS
esto
/////////////////////////////////
FLAG_STOP:
cmp COUNT, 01
je RE_FLAG
mov OLD_FLAG, [esp]
mov [esp], 287
inc COUNT
esto
/////////////////////////////////
RE_FLAG:
mov [esp], OLD_FLAG
bphwc FLAG_ADDR
bphws EBP_CALL
mov COUNT, 00
esto
/////////////////////////////////
OEP_STOP:
bphwc
gmemi eip, MEMORYBASE
mov CODE, $RESULT
mov CODE_BAK, $RESULT
gmi eip, MODULESIZE
mov SIZE, $RESULT
add SIZE, CODE
pusha
mov edi, STORE_API_SEC_2
mov esi, CODE
cmp [edi], 00
je APIS_END
mov eax, esi
/////////////////////////////////
FIND_CALLERS:
find eax, #E8#
cmp $RESULT, 00
je CALLS_END
mov eip, $RESULT
mov eax, $RESULT
gci eip, SIZE
cmp $RESULT, 05
inc eax
jne FIND_CALLERS
dec eax
mov ecx, [eip+1]
add ecx, eip
add ecx, 05
inc eax
cmp ecx, SIZE
ja IS_API
cmp ecx, CODE
ja FIND_CALLERS
/////////////////////////////////
TENG:
dec eax
call FIND_STORE
cmp ecx, -1
je FIND_CALLERS
call FIND_API_IAT
cmp [eip+05], 90, 01
je N_FIX_A
dec eip
mov [eip], #909090909090#
/////////////////////////////////
N_FIX_A:
eval "call dword [{edx}]"
asm eip, $RESULT
add eax, 06
jmp FIND_CALLERS
/////////////////////////////////
IS_API:
jmp TENG
/////////////////////////////////
CALLS_END:
mov eax, esi
/////////////////////////////////
FIND_JUMPERS:
mov SIGN, 8
find eax, #E9#
cmp $RESULT, 00
je JUMPS_END
mov eip, $RESULT
mov eax, $RESULT
gci eip, SIZE
cmp $RESULT, 05
inc eax
jne FIND_JUMPERS
dec eax
mov ecx, [eip+1]
add ecx, eip
add ecx, 05
inc eax
cmp ecx, SIZE
ja IS_API_2
cmp ecx, CODE
ja FIND_JUMPERS
/////////////////////////////////
SENG:
dec eax
call FIND_STORE
cmp ecx, -1
je FIND_JUMPERS
call FIND_API_IAT
cmp [eip+05], 90, 01
je N_FIX
dec eip
mov [eip], #909090909090#
/////////////////////////////////
N_FIX:
eval "jmp dword [{edx}]"
asm eip, $RESULT
add eax, 06
jmp FIND_JUMPERS
/////////////////////////////////
FIND_STORE:
mov edi, STORE_API_SEC_2
/////////////////////////////////
FIND_STORE_A:
cmp [edi], 00
je API_OVERS
cmp [edi], ecx
je FOUND_APIS
add edi, 04
jmp FIND_STORE_A
/////////////////////////////////
FOUND_APIS:
ret
/////////////////////////////////
API_OVERS:
mov edi, STORE_API_SEC_2
inc eax
gn ecx
cmp $RESULT_2, 00
jne IS_SOME_API
mov ecx, -1
ret
/////////////////////////////////
IS_SOME_API:
eval "Found not this possible API in ecx in IAT LOG-Section! \r\n\r\nFix this one manually later! \r\n\r\nLCF-AT"
msg $RESULT
log ""
log "API to fix manually because API not logged!"
log "----------------------"
log eip, ""
log ecx
log "----------------------"
log ""
mov ecx, -1
ret
/////////////////////////////////
FIND_API_IAT:
find CODE, ecx
/////////////////////////////////
TOK:
cmp $RESULT, 00
jne FOUND_IT
eval "Found not this API in ecx in codesection!Its a Olly script bug! \r\n\r\nFix this one manually later! \r\n\r\nLCF-AT"
msg $RESULT
log ""
log "API to fix manually because Olly Script Plugin bug!"
log "----------------------"
log eip, ""
log ecx
log "----------------------"
log ""
inc eax
cret
cmp SIGN, 8
je FIND_JUMPERS
jmp FIND_CALLERS
/////////////////////////////////
FOUND_IT:
mov edx, $RESULT
cmp [edx], ecx
je RIGHT_A
inc edx
find edx, ecx
jmp TOK
/////////////////////////////////
RIGHT_A:
ret
/////////////////////////////////
IS_API_2:
jmp SENG
/////////////////////////////////
JUMPS_END:
/////////////////////////////////
APIS_END:
popa
mov eip, OEP
msg "Script Finished! \r\n\r\nFix One VM at 0000103A RVA Manually! \r\n\r\nLCF-AT"
pause
ret

Just use it to get your IAT and most direct APIs fixed at the original IAT. See the script log later to fix the other missing commands manually once the script is finished [OllyScriptPlugin scan bug + APIs not logged into the IAT log section]. All very simple to use, so you can't do much wrong in this case.

greetz
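What the OEP_STOP part of the script above does, as an added Python example (this is not LCF-AT's code and not part of the UnpackMe): sweep the code section for E8/E9 rel32 whose target lies outside the module, accept only targets that appear in the logged-API list collected at EBP_CALL, locate the dword-aligned IAT slot holding that API, and rewrite the 5-byte call or jmp plus its padding NOP (before or after it, the two layouts the script's N_FIX_A / dec eip branches handle) into a 6-byte FF15/FF25 [slot]. The image base, section layout, API addresses and code bytes are all constructed for illustration. Where the script asks Olly (gci) whether the E8 is really a 5-byte instruction, this example relies on the logged-API cross-check alone; the mov eax, 0E8h in the sample shows why that check matters for a linear byte scan. Anything it cannot patch goes into a manual list, like the script's log.

```python
import struct

# Constructed sample layout (hypothetical): image base, a code section at
# RVA 0x1000 and the IAT at RVA 0x2000.
MODULE_BASE = 0x00400000
IMAGE_SIZE = 0x3000
CODE_RVA, CODE_END_RVA, IAT_RVA = 0x1000, 0x2000, 0x2000

# Hypothetical API addresses standing in for the values the script collects
# at EBP_CALL into its STORE_API_SEC log.
API_A = 0x7E450000
API_B = 0x7C81CAFA
LOGGED_APIS = {API_A, API_B}

CALL_REL, JMP_REL = 0xE8, 0xE9                # 5-byte relative call / jmp
CALL_IND, JMP_IND = b"\xFF\x15", b"\xFF\x25"  # call / jmp dword ptr [slot]
NOP = 0x90


def rel32(src_va, dst_va):
    """rel32 displacement of a 5-byte E8/E9 at src_va reaching dst_va."""
    disp = (dst_va - (src_va + 5) + 2**31) % 2**32 - 2**31
    return struct.pack("<i", disp)


def build_image():
    """Constructed memory image as it would look once OEP is reached."""
    img = bytearray(IMAGE_SIZE)
    struct.pack_into("<II", img, IAT_RVA, API_A, API_B)  # two resolved IAT slots
    va = lambda rva: MODULE_BASE + rva
    p = CODE_RVA
    # call API_A followed by a padding NOP (call/NOP layout)
    img[p:p + 5] = bytes([CALL_REL]) + rel32(va(p), API_A)
    img[p + 5] = NOP
    p += 6
    # ordinary intra-module call: must stay untouched
    img[p:p + 5] = bytes([CALL_REL]) + rel32(va(p), va(CODE_RVA + 0x40))
    p += 5
    # padding NOP followed by a jmp to API_B (NOP/jmp layout)
    img[p] = NOP
    img[p + 1:p + 6] = bytes([JMP_REL]) + rel32(va(p + 1), API_B)
    p += 6
    # mov eax, 0E8h ; ret -> an E8 byte inside an immediate: a false positive
    # for any linear byte scan that does not cross-check the target
    img[p:p + 6] = b"\xB8\xE8\x00\x00\x00\xC3"
    return img


def find_iat_slot(img, api_va, base=MODULE_BASE):
    """VA of the dword-aligned slot holding api_va (the script's FIND_API_IAT)."""
    needle = struct.pack("<I", api_va)
    off = img.find(needle)
    while off != -1 and off % 4:
        off = img.find(needle, off + 1)
    return None if off == -1 else base + off


def fix_direct_apis(img, logged_apis, base=MODULE_BASE,
                    code_rva=CODE_RVA, code_end=CODE_END_RVA):
    """Rewrite direct E8/E9 to logged APIs as FF15/FF25 [iat_slot].

    Returns (fixed, manual): fixed holds (va, opcode, slot) per patch, manual
    the (va, api) pairs that need a look in the debugger."""
    fixed, manual = [], []
    lo, hi = base, base + len(img)
    i = code_rva
    while i + 5 <= code_end:
        op = img[i]
        if op not in (CALL_REL, JMP_REL):
            i += 1
            continue
        src = base + i
        target = (src + 5 + struct.unpack_from("<i", img, i + 1)[0]) & 0xFFFFFFFF
        if lo <= target < hi or target not in logged_apis:
            i += 1                      # intra-module transfer, or a stray E8/E9 byte
            continue
        slot = find_iat_slot(img, target, base)
        if slot is None:
            manual.append((src, target))
            i += 1
            continue
        if img[i + 5] == NOP:                       # call/NOP: patch in place
            start = i
        elif i > code_rva and img[i - 1] == NOP:    # NOP/call: start one byte early
            start = i - 1
        else:                                       # no padding byte: 6-byte form does not fit
            manual.append((src, target))
            i += 1
            continue
        opcode = CALL_IND if op == CALL_REL else JMP_IND
        img[start:start + 6] = opcode + struct.pack("<I", slot)
        fixed.append((base + start, opcode, slot))
        i = start + 6
    return fixed, manual


if __name__ == "__main__":
    image = build_image()
    done, todo = fix_direct_apis(image, LOGGED_APIS)
    for va, opcode, slot in done:
        kind = "call" if opcode == CALL_IND else "jmp"
        print(f"{va:08X}: {kind} dword ptr [{slot:08X}]")
    for va, api in todo:
        print(f"{va:08X}: fix manually, API {api:08X}")
```

On a real dump the same loop runs over the code section read from the process (or from the dumped file with RVA/VA mapping applied), with logged_apis filled from the addresses the script stores at MJ_STOP.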
GIV Posted November 22, 2013

Here is another one.

Attachment: Themida 2.2.6.0 UnPackMe_VB6.exe.7z
LCF-AT Posted November 22, 2013

Hi,

thanks for the new UnpackMe, GIV. Ok, this one was simpler to unpack.

greetz

Attachment: Themida 2.2.6.0 UnPackMe_VB6 - Unpacked + Video.rar
MistHill Posted November 23, 2013

Hi,

Here is a WinLicense v2.2.6.0 CrackMe which is the NOTEPAD.EXE of Windows XP CHS.

Test_WinLicense2260.rar (3.48 MB)

   Size     Date     Time  Name
--------- -------- ----- ----
  3684864 14-11-13 22:02 NOTEPAD_XP_WL.EXE
      466 14-11-13 21:53 regkey.dat
--------- -------- ----- ----

Links:
http://rghost.net/50168904
or
http://pan.baidu.com/s/17qk1FA

Very simple one. For more details please refer to my posts at UnPacKcN (in Simplified Chinese):
http://www.unpack.cn/thread-94341-1-1.html

greetz
LCF-AT Posted November 23, 2013 (edited)

@ GIV
Yes, you are right. So if my Auto-Pilot does work then my Auto-Pilot can do the work for me.

@ MistHill
Thanks for the new test file + HWID / license. Ok, I have checked this new one and bypassed the HWID checks manually + unpacked the file with my new script. So I add 2 unpacked files: one original unpacked version and one size-reduced version.

greetz

EDIT: NOTEPAD_XP_WL - Unpacked x2.rar (6.41MB) I added an external download link now.

@ Ted
So I get again some upload / download problem with my files. Upload was working but download not, and I get some error again. Can you find out why the board makes this trouble? Maybe you could ask the author / creator of this board to add some realtime auto-verify feature for uploaded files or something like this, if something did fail etc., you know what I mean. Thank you.

Attachments: NOTEPAD_XP_WL - Unpacked x2.rar, NOTEPAD_XP_WL_DP_SmallSize.rar

Edited November 23, 2013 by LCF-AT
MistHill Posted November 24, 2013

@LCF-AT
First, I have to admit I'm a big fan of you. Wonderful work!

The test file is from another guy at UnPacKcN. I don't have WL2260, only WL2240 currently.
I was a little disappointed that it can be bypassed easily in only two simple steps, without even needing a script.

Step One
Set a hardware breakpoint at 016058F6 (if it loaded at the default imagebase 0x01000000), then F9, click 'OK' to dismiss the popup dialog box "Name - Company".
We will land at the BP where the code has been SMC decrypted:

016058F6 68 A4FD5F00    PUSH 5FFDA4       ; pPCODE(RVA)
016058FB 68 97040000    PUSH 497          ; dwFirstHandlerNum
01605900 E9 0692EDFF    JMP 014DEB0B      ; VM_ENTRY
01605905 E8 00000000    CALL 0160590A
0160590A 58             POP EAX           ; 0160590A
0160590B 2D 14000000    SUB EAX, 14       ; 016058F6
01605910 FFE0           JMP NEAR EAX

This pattern is very similar to the previous CISC before entering the VM.
Here 014DEB0B is the VM entry address, 5FFDA4 is an RVA pointer to the PCODE, and the second PUSHed value 497 is the first handler number which will be jumped to in the VM. In the CISC VM there is only one PUSH (KEY).
In this very "VM CALL", the Is_Registered_DWORD1 and Is_Registered_DWORD2 will be checked. The terms are from the article "The Winlicense Tutorials v1.2.1" by quosego/SND.

Step Two
Put an F2 breakpoint at 013B63F1:

013B63F1 3938           CMP [EAX], EDI    ; CmpEcxEaxAddress
013B63F3 9C             PUSHFD

Only one F9 is needed, we stop there, then clear the breakpoint.
Now EDI=2B253B23, EAX=014F9D80, [EAX]=49D7C111; just patch [014F9D80]=2B253B23, F9, all done!

It's so easy that I'm not sure whether the reason is a problem on Oreans' side or the protection options being too simple.
The file key regkey.dat was created on 2013/11/14, with a 90-day limit and 2014-03-14 as expiry date. I think it will need more patches at that time.

Basically, it's still the old trick "FirstJmpAddress/CmpEcxEaxAddress" introduced by the former SND member cektop or some others.
Slightly different:
1) No FirstJmp at the top of the "VM CALLs" block; instead the previous jump to 01605905 is at the bottom of the block.

015FFD9F /E9 615B0000    JMP 01605905

2) The comparing instruction changed to "CMP [R32], R32 / PUSHFD" from "CMP R32, R32 / PUSHFD". There are so many of these that I had to write a script to find them (16 items) precisely in this VM.
There are 4 VMs of this kind in the target, listed in address order: 011501CA, 01282DD5, 013AE6D0, and 014DEB0B.
According to my past experience with CISC, the fourth one is specific to WinLicense for license-related jobs; Themida has only three VMs.

I did download your recent excellent "TheMida WinLicense HWID Bypass Tool 1.0" and the brilliant "Themida - Winlicense 1.x - 2.x Multi PRO Edition 1.2" a long time ago.
But I'm mainly focusing on the "WL license system" at present and have seldom played with unpacking TMD/WL.
In short, the "WL license system" of the new version doesn't change too much, but the newly developed VMs are very interesting indeed and we will have a lot of fun.

One more thing: are you planning to release the "TM WL HWID Check Bypass Script 1.0" to the public, or willing to share it with me privately, or neither?

Regards,
MistHill
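A finder for the check pattern MistHill describes in step two and in point 2) above, as an added Python example (this is not MistHill's script and not code from the target): a linear scan over handler bytes for CMP r/m32, r32 (39 /r) or CMP r32, r/m32 (3B /r) immediately followed by PUSHFD (9C), decoding ModRM/SIB/displacement so that forms like CMP [ESP+8], EDI or CMP [disp32], EAX are matched and reported with their operands, and the older CMP R32, R32 / PUSHFD form is flagged separately. The byte sample and the base address are constructed; a byte scan cannot tell code from data, so every hit is a candidate to confirm in the debugger, as MistHill did at 013B63F1.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
CMP_RM_R, CMP_R_RM, PUSHFD = 0x39, 0x3B, 0x9C   # 39 /r, 3B /r, PUSHFD


def decode_modrm(buf, pos):
    """Decode ModRM (+SIB, +disp) at buf[pos] for a 32-bit operand.

    Returns (bytes_consumed, reg_field, operand_text)."""
    modrm = buf[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:                                  # register operand
        return 1, reg, REGS[rm]
    n, parts = 1, []
    if rm == 4:                                   # SIB byte follows
        sib = buf[pos + 1]
        n += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if mod == 0 and base == 5:                # no base register, disp32 instead
            parts.append(f"{struct.unpack_from('<I', buf, pos + n)[0]:#x}")
            n += 4
        else:
            parts.append(REGS[base])
        if index != 4:                            # index 100 = no index
            parts.append(f"{REGS[index]}*{scale}")
    elif mod == 0 and rm == 5:                    # absolute disp32
        parts.append(f"{struct.unpack_from('<I', buf, pos + n)[0]:#x}")
        n += 4
    else:
        parts.append(REGS[rm])
    disp = ""
    if mod == 1:
        disp = f"{struct.unpack_from('<b', buf, pos + n)[0]:+#x}"
        n += 1
    elif mod == 2:
        disp = f"{struct.unpack_from('<i', buf, pos + n)[0]:+#x}"
        n += 4
    return n, reg, "[" + "+".join(parts) + disp + "]"


def find_cmp_pushfd(buf, base_va=0):
    """Linear scan for CMP (39 /r or 3B /r) directly followed by PUSHFD.

    Returns (va, text, kind) per hit: kind "mem" for the new CMP [R32], R32
    form, "reg,reg" for the older CMP R32, R32 form."""
    hits = []
    for pos in range(len(buf) - 2):
        op = buf[pos]
        if op not in (CMP_RM_R, CMP_R_RM):
            continue
        try:
            n, reg, operand = decode_modrm(buf, pos + 1)
        except (IndexError, struct.error):
            continue                              # truncated at end of buffer
        end = pos + 1 + n
        if end >= len(buf) or buf[end] != PUSHFD:
            continue
        if op == CMP_RM_R:
            text = f"cmp {operand}, {REGS[reg]}"
        else:
            text = f"cmp {REGS[reg]}, {operand}"
        kind = "reg,reg" if operand in REGS else "mem"
        hits.append((base_va + pos, text, kind))
    return hits


# Constructed handler bytes (not from the target); the base VA is hypothetical.
SAMPLE = bytes.fromhex(
    "8B45FC"          # mov eax, [ebp-4]               noise
    "39389C"          # cmp [eax], edi ; pushfd        new-style check
    "3BC89C"          # cmp ecx, eax ; pushfd          old CISC-style check
    "397C24089C"      # cmp [esp+8], edi ; pushfd      SIB + disp8
    "3938909C"        # cmp [eax], edi ; nop ; pushfd  not adjacent, ignored
    "3905785634129C"  # cmp [12345678], eax ; pushfd   disp32
    "C3"              # ret
)

if __name__ == "__main__":
    for va, text, kind in find_cmp_pushfd(SAMPLE, 0x1000):
        print(f"{va:08X}  {text:<26} {kind}")
```

To run it against a real VM, dump the handler region from the debugger, pass the bytes with its base VA, and set breakpoints on the reported addresses one at a time to see which of them compares the registration dwords.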
LCF-AT Posted November 24, 2013

@ MistHill
Yes, I have seen the different changes in the latest VM, but they are still almost the same. Also bypassing HWID is still easily possible, so I could also update my HWID tool. No idea at the moment whether I will release my HWID script later; I just wrote it in an hour or so and thought a tool version would be better. So if you want to know how to bypass the HWID checks: it's very, very simple to do. I just found a totally simple way, and it's easier than you think at the moment, so that in most cases you can use one and the same static way. Maybe Oreans did not think about it, but I did, so I use this kind of special simple way.

Hint: It's so easy that you will find this way too, so don't try to think in any special hardcore way etc. Think very simple and you will see it. It's almost like not seeing the forest for the trees. Just try and play a little; you can't fail to find the way, I promise.

greetz
MistHill Posted November 25, 2013

@ LCF-AT
Thanks for your hint, I'll try my best to get the idea!
"you can use in the most cases one and same static way.", that sounds quite good! I have never thought about it before.

But "bypass HWID" does have some limitation. Supposing the developer of an app protected by WinLicense makes use of the SDK function WLHardwareGetID in his/her user code to retrieve the current hardware ID of the current machine and compares it with the hardware ID in the current license key, the "bypass method" will die!

I adopted a method months ago: just after WinLicense has gathered all the raw parts (CPUID, HDDID, BIOSID and MACID) by means of instructions and API functions, and before generating the HardwareID from which the function WLHardwareGetID will retrieve it,
at this POINT I calculate the corresponding parts with a script based on its algorithms and the HardwareID in the current license key, and patch them all.
This way fixes the WLHardwareGetID issue and is safer than "bypass HWID", but can't handle the situation of Days/Date Expiration, which involves registry and file accesses.
It's too complicated, not a good approach!

Furthermore, I came across a target earlier this year in which the SDK function WLRegGetLicenseInfo is applied at a place after the OEP.
This one is even more amazing: it will verify the Name and HardwareID stored in the custom data field of the current license key.
In these cases, we have to deal with the VMs that the SDK functions are living in.

Regards
LCF-AT Posted November 25, 2013

@ MistHill
So in most normal cases the HWID-protected targets don't use extra WL SDK functions to check the HWID, but if so then you could also patch the different WL check functions if necessary; so in some rare cases there will be more checks inside which you need to patch to get the target running. But as I said, in most cases the files are just less protected, where also a simple bypass method will work. Of all the HWID targets which I found on my PC there was only one target where this simple bypass way failed [some more checks needed patching] and all others worked.

So if you like, you could maybe create some new, differently protected UnpackMes of your own + HWID + trial over etc. and I could check them too later. As for me, I don't really like to create different UnpackMes myself, so I think other people can do this better [mostly I am too lazy etc.].

greetz
Smoke Posted December 10, 2013

@ MistHill
Thanks for the solution, but:

An internal exception occured (Address: 0x15011d7)
Please, contact support@oreans.com. Thank you!

Script:
bphws 016058F6, "x"
esto
bphwc 016058F6
bp 013B63F1
esto
mov eax, 2B253B23
bc 013B63F1
esto
ret
LCF-AT Posted December 10, 2013

@ Smoke

1. The script you made is a little wrong.
-----------------------------------------------------
013B63F1 CMP DWORD PTR DS:[EAX],EDI

At this address you can't move the value into eax directly: eax has to keep the address [ADDR], and in edi you see the DWORD which is compared with the value at the address held in eax = [ADDR] | VALUE.

Change
mov eax, 2B253B23
to
mov [eax], 2B253B23
or
mov [eax], edi
and save and try again.

Also, if you still get the message "An internal exception occured...." then you are still getting detected. Just load the UnpackMe in Olly and press run; this way you can check whether you still get this message or not, and if yes then your Olly is not hidden.

Start Olly, open the Olly log and check your StrongOD log; there you have to see this:

KernelMode Enable!
HookSSDT Successful!

...if you see this then the StrongOD driver was loaded and hooked. Also be sure that you have renamed the original driver name of fengyue to something else. Just set a BP at VirtualAlloc and look at the stack; there you can see what it checks.

0006FF34 01531655 ASCII "fengyue.sys"

Note: StrongOD only works with Windows 7 32 Bit! Also you need to use the latest version 0.4.8.892 to get the kernel driver working. If you use any earlier version then it will not work, so just check the Olly log to be sure, or use a tool like KernelDetective and check the SSDT to find the StrongOD driver. If you find it in the list then all is fine; I have checked it now also myself on Windows 7 32 Bit and have no problems.

greetz
The Trooper Posted December 12, 2013 (edited)

@LCF-AT
Really, when it comes to unpacking, you are the best I've seen so far.
Greetings

Edited December 12, 2013 by The Trooper
yano65bis Posted December 13, 2013 (edited)

Yes, this is the best so far. But it seems there is no one in this forum who can make tutorials on how to unpack Themida step by step in writing and not in videos. We are tired of these videos, because finally the purpose of this forum is to spread knowledge and not ready-made things, as is the case with such scripts. I really hope so. Thank you anyway.
Danke schön @ LCF-AT

Edited December 13, 2013 by yano65bis
GIV Posted December 13, 2013

You cannot make notes from the video? I cannot agree with you on any point. Sorry, but you are wrong.
yano65bis Posted December 13, 2013 (edited)

Yes GIV, we can take notes, and the videos are very important, that is indisputable. But we would prefer, finally we hope, that there are also some written tutorials in parallel. Thanks to everyone for their efforts and especially super @ LCF-AT.
Good luck to everyone. Thanks

Edited December 13, 2013 by yano65bis
GIV Posted December 13, 2013

If you watched the Themida manual example of unpacking from here: http://tuts4you.com/download.php?view.3495 you have noticed that inside are three txt files regarding this tutorial. You can print them on the printer and you have a lot to read. Maybe you are not too familiar with LCF-AT's tutorials. Inside all of them are txt files with EXACT and DETAILED instructions on almost every tutorial.
LCF-AT Posted December 13, 2013

Hi,

about tutorials: Some of you like pdf/html tutorials with pics & text and some like video tutorials. All in all I prefer to create video tutorials + text in combination. Respect to all who create detailed pics + text tutorials; I know this is a lot of work, I have done this too "one time" and for me it was really very hard to finish that one. So I don't really have the patience to do this again and to create tons of single pictures etc. For me it's also easier to record an unpack process where you can really see each step, and the rest I write down into text files [also much work]. The point is that you can find any kind of tutorial [pdf / html / video etc.] for each theme, and if you check them and have some basics then it should be no big problem to handle videos, also if they have no text or if they were made in another language. It's always better to have something instead of nothing, or?

greetz
yano65bis Posted December 17, 2013

Hi everyone

Yes, you're right LCF-AT, there is no doubt about your great efforts to make things better. Then I have only a small request for you, LCF-AT: can you make videos with the possibility to start the video only when we want it to start, so that we can smoothly follow the process of unpacking? Because in fact I have problems following your videos while they are running: they are so quick. Thanks a lot
yano65bis Posted December 17, 2013 (edited)

Hi GIV

Yes, we can use the pause button, but it is not a good idea since the unpacking video is so quick: we must track-hunt the pause button before it is too late. Do you not think so, GIV? I prefer a floating screen point to pause/run Flash videos, like most Flash video tutorials I have seen so far.

Greetz

Edited December 17, 2013 by yano65bis