
[UnpackMe] Themida 2.2.6.0


nProtect


Hi all,

 

This file is compiled with Visual Studio 2010 (C++ language) and protected with one VM_START/VM_END macro.

The new Themida version has a new VM system, so I used the FISH32 White VM to protect this file.

 


 

 

Themida - Advanced Windows Software Protection System  [Version 2.2.6.0]
Protection Options for ThemidaTest.exe
--------------------------------------
Macros Information
------------------
VM Macros: 1
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
STR_ENCRYPT Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_VIRTUAL_PC Macros: 0
Protection Options
------------------
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Ofuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: File Patching
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED
Virtual Machine Settings
------------------------
Automatic handling of Virtual Machines: DISABLED
Force Integrity Checks: ENABLED
Virtualize Protection Core with: FISH32 (White)
Virtualize old VM macros: FISH32 (White)
Virtual Machines Inserted:
--> FISH32 (White)
Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Hide from PE scanners: Type 2
.NET assemblies: ENABLED
Active Context: DISABLED
Add Manifest: Don't add manifest
XBundler files
--------------
No files to bundle
 

 

 

ThemidaTest.rar


Hi,


 


here I made a little "simple" script for this UnpackMe. Just test it.



////////////////////////////////////////////////////////////////
// Little IAT Fixing Script for [UnpackMe] Themida 2.2.6.0
// http://forum.tuts4you.com/topic/33562-unpackme-themida-2260/
//
// Start Script at EP
// Using ELF Flag Switch Patch
// Basic Simple and Slow Direct API Check & Fixing
// Fix rest Direct APIs manually to IAT - See OllyScript Log
//
// LCF-AT
////////////////////////////////////////////////////////////////
// Reading notes (ODbgScript / OllyScript syntax):
//  - eax, ecx, edx, ... below are the DEBUGGEE's registers, used as
//    scratch; each scanning section is bracketed by pusha/popa, and
//    eip serves as a scan cursor until "mov eip, OEP" at the end.
//  - All addresses are RVAs added to BASE, so the script is tied to
//    the ThemidaTest.exe attached to this thread.
//  - Numbers are hex; $RESULT / $RESULT_2 hold the last command's result.
//  - CODE, CODE_BAK and SIZE are assigned without a "var" line, and
//    COUNT / APIS are incremented before any explicit initialisation;
//    whether the plugin auto-creates / zero-fills them depends on the
//    ODbgScript version - TODO confirm.
////////////////////////////////////////////////////////////////
pause
bphwc                               // clear all hardware breakpoints
bc                                  // clear all software breakpoints
lc                                  // clear the log window
lclr
bpmc                                // clear the memory breakpoint
var OEP
var FLAG_ADDR
var MJ_1
var PREVENT
var EBP_CALL
var OLD_FLAG
var COUNT                           // FLAG_STOP hit counter (toggles 0/1)
var STORE_API_SEC                   // write cursor into the API address store
var STORE_API_SEC_2                 // base of the API address store
var APIS                            // number of API addresses stored
var SIGN                            // 8 while in the FIND_JUMPERS pass
var BASE
gmi eip, MODULEBASE                 // $RESULT = base of the module containing eip
mov BASE, $RESULT
mov OEP, 00001253+BASE // Enter OEP
mov FLAG_ADDR, 0002BFDE+BASE // Enter FLAG Check Address After
mov MJ_1, 000C7026+BASE // Enter 1. Magic Jump Address
mov PREVENT, 000C65D3+BASE // Enter Check Crasher Address
mov EBP_CALL, 000C70E2+BASE // Enter Address to get right API ADDR
/////////////////////////////////
// Run to the first magic jump; if OEP is reached first, go straight to OEP_STOP.
START:
bphws OEP
bpgoto OEP, OEP_STOP
bphws MJ_1
esto
bphwc eip
pusha
xor edi, edi                        // edi = number of jumps NOPped so far
gci eip, DESTINATION                // $RESULT = target of the jump at eip
mov eax, $RESULT                    // eax = common target shared by the magic jumps
mov ecx, eip                        // ecx = scan cursor
mov [ecx], #909090909090#           // 6 NOPs over the jump at eip (MJ_SCAN looks for 0F 84 = jz rel32)
inc edi
cmp edi, 04
je ALL_MJS_NOPPED                   // edi is 1 here, so this never jumps
/////////////////////////////////
// Scan forward for further "0F 84" (jz rel32) whose destination equals eax
// and NOP them too, until four jumps have been patched in total.
MJ_SCAN:
find ecx, #0F84#
mov ecx, $RESULT
gci ecx, DESTINATION
mov ebx, $RESULT
cmp ebx, eax
je RIGHT_MJ
inc ecx
jmp MJ_SCAN
/////////////////////////////////
RIGHT_MJ:
mov [ecx], #909090909090#
inc edi
add ecx, 06
cmp edi, 04
jne MJ_SCAN
/////////////////////////////////
// Allocate 2000 (hex) bytes in the debuggee as a zero-filled store for the
// API addresses collected at EBP_CALL, write 90 E9 at PREVENT, then run on
// to the flag check / API resolver breakpoints.
ALL_MJS_NOPPED:
popa
alloc 2000
mov STORE_API_SEC, $RESULT
mov STORE_API_SEC_2, $RESULT
mov [PREVENT], #90E9#, 02           // exactly two bytes are written
bphws FLAG_ADDR
bpgoto FLAG_ADDR, FLAG_STOP
bphwc MJ_1
bphws EBP_CALL
bpgoto EBP_CALL, MJ_STOP
esto
/////////////////////////////////
// Hit at EBP_CALL: eax holds the resolved API address - append it to the store.
MJ_STOP:
bphws FLAG_ADDR
bphwc EBP_CALL
mov [STORE_API_SEC], eax
add STORE_API_SEC, 04
inc APIS
esto
/////////////////////////////////
// Hit at FLAG_ADDR: first hit saves the dword at [esp] and replaces it with 287,
// second hit restores the saved value and re-arms the EBP_CALL breakpoint.
FLAG_STOP:
cmp COUNT, 01
je RE_FLAG
mov OLD_FLAG, [esp]
mov [esp], 287
inc COUNT
esto
/////////////////////////////////
RE_FLAG:
mov [esp], OLD_FLAG
bphwc FLAG_ADDR
bphws EBP_CALL
mov COUNT, 00
esto
/////////////////////////////////
// Reached OEP: CODE = base of the memory section containing eip,
// SIZE = CODE + module size, used below as the upper address bound.
OEP_STOP:
bphwc
gmemi eip, MEMORYBASE
mov CODE, $RESULT
mov CODE_BAK, $RESULT               // not read again in this script
gmi eip, MODULESIZE
mov SIZE, $RESULT
add SIZE, CODE
pusha
mov edi, STORE_API_SEC_2
mov esi, CODE
cmp [edi], 00                       // empty store: nothing to fix
je APIS_END
mov eax, esi                        // eax = scan cursor over the section
/////////////////////////////////
// Pass 1: each 5-byte "E8 rel32" (call) whose target lies outside
// CODE..SIZE is treated as a direct API call (TENG); targets inside
// that range are skipped. eip is moved to the candidate so gci can inspect it.
FIND_CALLERS:
find eax, #E8#
cmp $RESULT, 00
je CALLS_END
mov eip, $RESULT
mov eax, $RESULT
gci eip, SIZE                       // $RESULT = length of the instruction at eip
cmp $RESULT, 05
inc eax
jne FIND_CALLERS
dec eax
mov ecx, [eip+1]                    // ecx = rel32 ...
add ecx, eip
add ecx, 05                         // ... converted to the absolute target
inc eax
cmp ecx, SIZE
ja IS_API
cmp ecx, CODE
ja FIND_CALLERS
/////////////////////////////////
// Look the target up in the store; if present, find its IAT slot (edx) and
// rewrite the 5-byte call plus one adjacent NOP as a 6-byte "call dword [edx]".
TENG:
dec eax
call FIND_STORE
cmp ecx, -1                         // -1 = not in the store: leave this site alone
je FIND_CALLERS
call FIND_API_IAT
cmp [eip+05], 90, 01                // is the byte after the call already a NOP?
je N_FIX_A
dec eip                             // no: use the byte before the call instead
mov [eip], #909090909090#
/////////////////////////////////
N_FIX_A:
eval "call dword [{edx}]"
asm eip, $RESULT
add eax, 06
jmp FIND_CALLERS
/////////////////////////////////
IS_API:
jmp TENG
/////////////////////////////////
CALLS_END:
mov eax, esi
/////////////////////////////////
// Pass 2: same as pass 1 for "E9 rel32" (jmp). SIGN = 8 tells TOK which
// pass to resume on a failed lookup.
FIND_JUMPERS:
mov SIGN, 8
find eax, #E9#
cmp $RESULT, 00
je JUMPS_END
mov eip, $RESULT
mov eax, $RESULT
gci eip, SIZE
cmp $RESULT, 05
inc eax
jne FIND_JUMPERS
dec eax
mov ecx, [eip+1]
add ecx, eip
add ecx, 05
inc eax
cmp ecx, SIZE
ja IS_API_2
cmp ecx, CODE
ja FIND_JUMPERS
/////////////////////////////////
SENG:
dec eax
call FIND_STORE
cmp ecx, -1
je FIND_JUMPERS
call FIND_API_IAT
cmp [eip+05], 90, 01
je N_FIX
dec eip
mov [eip], #909090909090#
/////////////////////////////////
N_FIX:
eval "jmp dword [{edx}]"
asm eip, $RESULT
add eax, 06
jmp FIND_JUMPERS
/////////////////////////////////
// Subroutine: walk the zero-terminated store looking for the value in ecx.
// Returns with ecx unchanged when found, ecx = -1 when not found.
FIND_STORE:
mov edi, STORE_API_SEC_2
/////////////////////////////////
FIND_STORE_A:
cmp [edi], 00
je API_OVERS
cmp [edi], ecx
je FOUND_APIS
add edi, 04
jmp FIND_STORE_A
/////////////////////////////////
FOUND_APIS:
ret
/////////////////////////////////
// Not in the store: if ecx resolves to a symbolic name, log it for manual fixing.
API_OVERS:
mov edi, STORE_API_SEC_2
inc eax
gn ecx                              // symbolic-name lookup for ecx; a non-zero
cmp $RESULT_2, 00                   // $RESULT_2 is taken as "this is a named API"
jne IS_SOME_API
mov ecx, -1
ret
/////////////////////////////////
IS_SOME_API:
eval "Found not this possible API in ecx in IAT LOG-Section! \r\n\r\nFix this one manually later! \r\n\r\nLCF-AT"
msg $RESULT
log ""
log "API to fix manually because API not logged!"
log "----------------------"
log eip, ""
log ecx
log "----------------------"
log ""
mov ecx, -1
ret
/////////////////////////////////
// Subroutine: find the IAT slot holding the dword value ecx, scanning from CODE.
// On success edx = slot address.
FIND_API_IAT:
find CODE, ecx
/////////////////////////////////
TOK:
cmp $RESULT, 00
jne FOUND_IT
eval "Found not this API in ecx in codesection!Its a Olly script bug! \r\n\r\nFix this one manually later! \r\n\r\nLCF-AT"
msg $RESULT
log ""
log "API to fix manually because Olly Script Plugin bug!"
log "----------------------"
log eip, ""
log ecx
log "----------------------"
log ""
inc eax
// NOTE(review): TOK is reached through "call FIND_API_IAT", so cret returns to
// the caller, which then continues with the patch step using the previous edx;
// the two jumps below only run when no call is pending - confirm against the
// ODbgScript version in use.
cret
cmp SIGN, 8
je FIND_JUMPERS
jmp FIND_CALLERS
/////////////////////////////////
// Re-check the match as a whole dword; otherwise keep searching one byte further.
FOUND_IT:
mov edx, $RESULT
cmp [edx], ecx
je RIGHT_A
inc edx
find edx, ecx
jmp TOK
/////////////////////////////////
RIGHT_A:
ret
/////////////////////////////////
IS_API_2:
jmp SENG
/////////////////////////////////
JUMPS_END:
/////////////////////////////////
// Restore the registers, put eip back on OEP and stop. The message names the
// one VM (RVA 0000103A) this script does not handle.
APIS_END:
popa
mov eip, OEP
msg "Script Finished! \r\n\r\nFix One VM at 0000103A RVA Manually! \r\n\r\nLCF-AT"
pause
ret                                 // no call pending here, so this ends the script

Just use it to get your IAT and most direct APIs fixed at the original IAT. See the script log afterwards to fix the other missing commands manually once the script has finished [OllyScriptPlugin scan bug + APIs not logged into the IAT log section]. It is all very simple to use, so you can't do much wrong in this case.


 


greetz



Hi, here is a WinLicense v2.2.6.0 CrackMe which is the NOTEPAD.EXE of Windows XP CHS. Test_WinLicense2260.rar (3.48 MB)

     Size    Date   Time   Name
---------  -------- -----  ----
  3684864  14-11-13 22:02  NOTEPAD_XP_WL.EXE
      466  14-11-13 21:53  regkey.dat
---------  -------- -----  ----

Links:
http://rghost.net/50168904

or

http://pan.baidu.com/s/17qk1FA very simple one. More details please refer to my posts at UnPacKcN(in Simplified Chinese):
http://www.unpack.cn/thread-94341-1-1.html

greetz


@ GIV


 


Yes, you are right. :) So if my Auto-Pilot works, then my Auto-Pilot can do the work for me. :)


 


@ MistHill


 


Thanks for the new test file + HWID / license. :) OK, I have checked this new one, bypassed the HWID checks manually and unpacked the file with my new script. So I add two unpacked files: one original unpacked version and one size-reduced version.


 


greetz


 


EDIT:


NOTEPAD_XP_WL - Unpacked x2.rar (6.41MB)


 


I added a extern download link now.


 


@ Ted


 


So I again get some upload/download problem with my files. Upload was working but download was not, and I get some error again. Can you find out why the board makes this trouble? Maybe you could ask the author/creator of this board to add some real-time auto-verify feature for uploaded files, or something like this, for when something fails etc. - you know what I mean. Thank you.


NOTEPAD_XP_WL - Unpacked x2.rar

NOTEPAD_XP_WL_DP_SmallSize.rar


@LCF-AT First, I have to admit I'm a big fan of you. Wonderful work! The test file is from another guy at UnPacKcN. I don't have WL2260, only WL2240 currently.
I was a little disappointed that it can be bypassed easily in only two simple steps, even don't need a script.
 

Step One
Set a hardware breakpoint at 016058F6(if it loaded at the default imagebase 0x01000000), then F9, click 'OK' to dismiss the popup dialogbox "Name - Company".
We will land at the BP where the code has been SMC decrypted:

016058F6   68 A4FD5F00        PUSH    5FFDA4        ; pPCODE(RVA)
016058FB   68 97040000        PUSH    497           ; dwFirstHandlerNum
01605900   E9 0692EDFF        JMP     014DEB0B      ; VM_ENTRY
01605905   E8 00000000        CALL    0160590A
0160590A   58                 POP     EAX           ; 0160590A
0160590B   2D 14000000        SUB     EAX, 14       ; 016058F6
01605910   FFE0               JMP     NEAR EAX

This pattern is very similar to the previous CISC before entering the VM.
Where the 014DEB0B is the VM Entry Address, 5FFDA4 is a RVA pointer to PCODE, and the second PUSHed 497 is the first handler number which will jump to in VM. It's only one PUSH(KEY) in CISC VM.
In this very "VM CALL", the Is_Registered_DWORD1 and Is_Registered_DWORD2 will be checked. The terms are from an article "The Winlicense Tutorials v1.2.1" by quosego/SND.
 

Step Two
Put a F2 breakpoint at 013B63F1:

013B63F1   3938               CMP     [EAX], EDI    ; CmpEcxEaxAddress
013B63F3   9C                 PUSHFD

And need only one F9, we stopped there, then clear the breakpoint.
Now, EDI=2B253B23, EAX=014F9D80, [EAX]=49D7C111; just patch [014F9D80]=2B253B23, F9, all done!
 

It's so easy, I'm not sure about the reason whether it's the problem of Oreans or the protection options are too simple.
The File key regkey.dat created on 2013/11/14, with a 90 days limit and 2014-03-14 as Expired Date. I think it needs more patches at that time.
 

Basically, it's still the old trick "FirstJmpAddress/CmpEcxEaxAddress" introduced by the former SND member cektop or some others.
Slightly different:
1) No FirstJmp at the top of the "VM CALLs" block, instead the previous jump to 01605905 at the bottom of block.

015FFD9F  /E9 615B0000        JMP     01605905

2) Comparing instructions changed to "CMP [R32], R32/PUSHFD" from "CMP R32, R32/PUSHFD". There are so many of these that I have to write a script to find them(16 items) out precisely in this VM.
There are 4 VMs of this kind in the target listed by address order: 011501CA, 01282DD5, 013AE6D0, and 014DEB0B.
According to my past experience of CISC, the fourth one is specific to WinLicense for license related jobs, Themida has only three VMs.
 

I did download your recent excellent "TheMida WinLicense HWID Bypass Tool 1.0" and the brilliant "Themida - Winlicense 1.x - 2.x Multi PRO Edition 1.2" long time ago.
But I'm mainly focusing on the "WL license system" at present and seldom play with unpacking TMD/WL. In short, the "WL license system" of the new version doesn't change too much, but the newly developed VMs are very interesting indeed and we will have a lot of fun. One more thing: are you planning to release the "TM WL HWID Check Bypass Script 1.0" to the public, or willing to share it with me privately, or neither? :smilie3:
Regards,MistHill
 


@ MistHill


 


Yes, I have seen the different changes in the latest VM, but they are still mostly the same. Also bypassing HWID is still easily possible, so I could also update my HWID tool. :)


 


No idea at the moment whether I will release my HWID script later; I just wrote it in an hour or so and thought a tool version would be better.


 


So if you want to know how to bypass the HWID checks then its almost very very simple to do this so I just found a totaly simple way and its easier as you think at the moment so that you can use in the most cases one and same static way. :) Maybe oreans did not think about it but me so that I use this kind of special simple way.


 


Hint: So its so easy that you will find out this way too so don't try to think in any special hardcore way etc. :) Think very simple and you will see it.Its almost like if you wouldn't see the forest - trees in front of many. :) Just try and play a little so you can't fail to find the way so I promise.


 


greetz



@ LCF-AT

 

Thanks for your hint, I'll try my best to get the idea! :)"you can use in the most cases one and same static way.", that sounds quite good! I have never thought about it before.But "bypass HWID" does have some limitation. Supposing the developer of an app. protected by WinLicense makes use of the SDK function WLHardwareGetID in his/her user code to retrieve the current hardware ID for the current machine, and comparing it with the hardware ID in the current license key, the "bypass method" will die!I adopted a method months ago that is, just after WinLicense gathered all the raw parts(CPUID, HDDID, BIOSID and MACID) by means of instructions and API functions, and before generating the HardwareID from which the function WLHardwareGetID will retrieve.
At this POINT, I calculate the corresponding parts with a script based on its algorithms and the HardwareID in the current license key, and patch them all.
This way fixed the WLHardwareGetID issue and is safer than "bypass HWID", but can't handle the situation of Days/Date Expiration which involves the registries and files accessing.
It's too complicated, not a good approach!Furthermore, I came across a target earlier this year, in which the SDK function WLRegGetLicenseInfo is applied at a place after the OEP.
This one is even more amazing that it will verify the Name and HardwareID stored in the custom data field of the current license key.In these cases, we have to deal with the VMs that SDK functions are living in.Regards


@ MistHill


 


So also in the most normal cases the HWID protected targets don't use extra SDK WL functions to check the HWID but if so then you could also patch the diffrent check WL functions if necessary so also in some rarly cases there will be more checks inside which you need to patch to get the target run.But as I said in the most cases the files are just lower protected where also a simple bypass method will work.So from all HWID targets which I found on my PC was only one target which failed to use this simple bypass way [some more checks needed to patch] and all others did work.


 


So if you like, you could maybe create some new, differently protected UnpackMes + HWID + trial-over etc., and I could check them too later. As for me, I don't really like to create different UnpackMes myself, so I think other people can do this better [mostly I am too lazy etc.]. :)


 


greetz



MistHill

Thank for solution, but

 

An internal exception occured (Address: 0x15011d7)

Please, contact support@oreans.com. Thank you!
 
Script

// Script posted by Smoke for the Test_WinLicense2260 CrackMe above.
// The reply that follows points out that the "mov eax, 2B253B23" line is
// wrong for this location; see that post before reusing the script.
bphws 016058F6, "x"


esto
bphwc 016058F6
bp 013B63F1
esto
mov eax, 2B253B23
bc 013B63F1
esto
ret

@ Smoke

 

1. The script you made is a little wrong.

-----------------------------------------------------

013B63F1  CMP DWORD PTR DS:[EAX],EDI
 

At this address you can't move the value into eax directly, since eax has to keep the address [ADDR]; edi holds the DWORD that is checked against the value at [ADDR] (eax = [ADDR] | VALUE).

 

Change

mov eax, 2B253B23

to

mov [eax], 2B253B23 or mov [eax], edi

and save and try again.

 

Also, if you still get the message "An internal exception occured...." then you are still detected. Just load the UnpackMe in Olly and press run; this way you can check whether you still get this message or not, and if yes then your Olly is not hidden. Start Olly, open the Olly log and check your StrongOD log, where you should see this....

 

KernelMode Enable!

HookSSDT Successful!

 

...if you see this then the StrongOD driver was loaded and hooked. Also be sure that you have renamed the original driver name of fengyue to something else.

 

Just set BP at VirtualAlloc and see the stack there you can see what it checks.

0006FF34   01531655  ASCII "fengyue.sys"

 

Note: StrongOD only works with Windows 7 32-bit! Also you need to use the latest version 0.4.8.892 to get the kernel driver working. If you use any earlier version then it will not work, so just check the Olly log to be sure, or use a tool like KernelDetective and check the SSDT to find the StrongOD driver. If you find it in the list then all is fine; I have now also checked this myself on Windows 7 32-bit and have no problems. :)

 

greetz


@LCF-AT

Really, when it comes the unpacking, you are the best I've seen so far.
Greetings


Yes this is the best so far .

But it seems there is no one in this forum who can make tutorials on how to unpack Themida step by step in writing and not in videos. We are tired of these videos, because in the end the purpose of this forum is to spread knowledge and not ready-made things, as is the case with such scripts.
I hope that really .

Thank you anyway
danke schön @ LCF-AT


Yes GIV, we can note that, and the videos are very important, that is indisputable.

But in the end we would prefer that there are also some written tutorials in parallel.

Thanks to everyone for their efforts, and especially to the superb @ LCF-AT.

Good luck to everyone. Thanks


If you watched Themida manual example of unpacking from here:



http://tuts4you.com/download.php?view.3495

You have noticed that inside are three txt files regarding this tutorial.


You can print them out, and then you have a lot to read.


Maybe you are not too familiar with LCF-AT tutorials.


Inside all of them are txt files with EXACT and DETAILED instructions on almost every tutorial.



Hi,


 


About tutorials: some of you like PDF/HTML tutorials with pictures & text and some like video tutorials. So all in all I prefer to create video tutorials + text in combination.


 


Respect to all who create detailed picture + text tutorials; I know this is a lot of work, as I have done this too "one time" and for me it was really very hard to finish that one. :) So I don't really have the patience to do this again and create tons of single pictures etc.; for me it's also easier to record an unpacking process where you can really see each step, and the rest I write down into text files [also much work].


 


So the point is that you can also find any kind of tutorial [PDF / HTML / video etc.] on each topic, and if you check them and have some basics, then it should be no big problem to follow videos even if they have no text or were made in another language.


 


It's always better to have something than to have nothing, right? :)


 


greetz



Hi everyone


Yes you're right LCF-AT, there is no doubt in your great efforts to make things better.


Then I have only a small request for you LCF-AT: can you make videos with the possibility to start the video only when we want it to start, so that we can smoothly follow the process of unpacking? Because in fact I have problems following your videos while they are running: they are so quick. :)


 


Thanks a lot



Hi GIV


 


YES WE CAN USE THE PAUSE BUTTON. BUT IT IS NOT A GOOD IDEA SINCE THE UNPACKING VIDEO IS SO QUICK: WE MUST TRACK-HUNT THE PAUSE BUTTON BEFORE IT IS TOO LATE :) DO YOU NOT THINK SO GIV?


 


I PREFER A FLOATING SCREEN POINT TO PAUSE/RUN FLASH VIDEOS, LIKE MOST FLASH TUTS VIDEOS I HAVE SEEN SO FAR.


 


 


GREETZ


