0xNOP Posted October 9, 2014

Straight on forward... I have heard the latest version of Themida hasn't been cracked yet, this means the software is hard to crack, etc, etc. also means that yet no one / cracker has made a successful crack for it, of course... So I'm developing some tools for a game and I have a licensing on and I was thinking of getting some good protector to start protecting my binaries because I want to prevent people with shenanigans intentions to come take a sneak peek at my code... the assembly is a .NET IA32 Executable. I'm using NetSeal Licensing System..

I know this can be a broad topic, like which or what protector is the best, why this one lacks efficiency etc, etc.. But in layman's terms, is Themida really worth it nowadays, especially with this new version out in the field... Also I know already that any file, as long as it's an executable, can be analyzed, studied and eventually reverse engineered, but I would like to at least come to a point where I can say, my software is protected and no one, until this day, can do something mischievous about it.

White Posted October 10, 2014

Themida has its own VM structure. This makes it a little hard to analyze. But it can be cracked by anyone who really wants to.

1

kao Posted October 10, 2014

OK, straight to the point..

> ... the assembly is a .NET IA32 Executable. ... I'm using NetSeal Licensing System..

Themida for .NET is a joke. All those shiny new features work on x86/x64 files, but not on .NET. Use a proper .NET obfuscator - it provides much much more protection for .NET apps than Themida.

And while we're at it - .NET Seal Licensing has more holes than Swiss cheese. Just look at RTN board (http://www.rtn-team.cc/board), there are tools, tutorials and lots of broken software that shows how bad it is.

1

GIV Posted October 10, 2014

I think that Confuser is more recommended for .NET than Themida.

1

simple Posted October 10, 2014

If ur software is ne good it will get ripped, period. Id use custom before paid protectors, and even then just barely enough to make noobs want to move onto easier targets. u wont stop a good cracker, it's dumb/expensive to try. Put ur focus into creating new features for ur paying customers than worrying about people ull never profit from neways.

1

0xNOP (Author) Posted October 10, 2014 (edited)

> If ur software is ne good it will get ripped, period. Id use custom before paid protectors, and even then just barely enough to make noobs want to move onto easier targets. u wont stop a good cracker, it's dumb/expensive to try. Put ur focus into creating new features for ur paying customers than worrying about people ull never profit from neways.

Yeah, I'm ashamed I didn't study more on the topic of Cryptography, I know VB.NET can be easily secured by a good developer, but I don't have the skills, you say, Why develop an application if you don't have the skills yet? because I wanted to start programming that, and wanted to make some profit, still the game's community are kinda naive to RCE'ing so they don't like... you know are malicious or anything, I hope so, but still I'm afraid someone can easily open de4dot and you know do their thing.

> In think that Confuser is more recommended for .NET than Themida.

Confuser has been defeated as well. :S or correct me if I'm wrong... and I have a problem with Confuser, if I use even the 'Normal' settings, whenever someone is trying to open it up, it gives halt errors and program stopped working and all that stuff aka, it breaks the resulting executable.. however, when I run it on my desktop, it just runs fine!? Any further ideas on this?

> OK, straight to the point.. Themida for .NET is a joke. All those shiny new features work on x86/x64 files, but not on .NET. Use a proper .NET obfuscator - it provides much much more protection for .NET apps than Themida. And while we're at it - .NET Seal Licensing has more holes than Swiss cheese. Just look at RTN board (http://www.rtn-team.cc/board), there are tools, tutorials and lots of broken software that shows how bad it is.

more holes than Swiss cheese! that's quite a delicious visualization! haha but such a serious interpretation! Thanks for the reference for research on such security threats on NetSeal, I'm seriously thinking of changing my code overall. I will explain further below.

> Themida has its own VM structure.This make a little hard to analysis.But it can be cracked by anyone who really want to. Crackable.png

Wow! That's an incredible display you showed me right there! and I thought it was impossible for the newest releases! I feel ashamed for them :S thanks for showing me the light, since I was really thinking of buying a $277 Dev License :S

----------

slightly changing topics, I'm seriously thinking of moving onto C++, will that change the game plan and improve security?

Edited October 10, 2014 by ULI-R0

GIV Posted October 10, 2014

About Confuser. Use Confuser EX latest version. I did not say is uncrackable. All is. Just is much better than Themida. On Themida .NET all is just dump at the right point and fix the assembly. Voila! (I did some videos about it if you search this board). I did test among latest versions. Same crap. On Confuser is not as easy. Confuser is unpacked by semi or pro reversers. Don't make any illusion. All is crackable. The best protection is one made by you, custom.

1

0xNOP (Author) Posted October 10, 2014

> About Confuser. Use Confuser EX latest version. I did not say is uncrackable. All is. Just is much better than Themida. On Themida .NET all is just dump at the right point and fix the assembly. Voila! (I did some videos about it if you search this board). I did test among latest versions. Same crap. On Confuser is not as easy. Confuser is unpacked by semi or pro reversers. Don't make any illusion. All is crackable. The best protection is one made by you, custom.

Awesome, I will do further research on ConfuserEx! seems promising, just what I'm looking for, I'm not looking for software being uncrackable or impossible to crack, we all know that's not true, so I'm just looking for a way of making my tool harder to RCE and give you know a little bit of a headache to the cracker XD Thanks for pointing it out! I will definitely look forward on it! I will also study more on Cryptography, see how I can implement my own methods of obfuscation / crypting / encryptions

White Posted October 11, 2014

> Wow! Thats an incredible display you showed me right there! and I thought it was impossible for the newest releases! I feel ashamed for them :S thanks for showing me the light, since I was really thinking in buying a $277 Dev License :S

I have no idea about the latest release, cause I don't have it. And maybe it is impossible for me.

xSRTsect Posted October 11, 2014

@uli-r0: one important thing for you to keep in mind is that a cracker will crack random apps - just because you are developing an application for a certain community (e.g. gamers) that won't certainly mean that this community (gamers) will try to reverse your work. Another thing is that code obfuscation and crypto are two very distinct subjects.

Conquest Posted October 12, 2014 (edited)

These are all my personal opinion and knowledge and not from any other source, so it may be 100% accurate/correct. The reason why Themida is being considered a good opponent again is, IMHO, because of the stopped development of UV plugin by deathway. But I still don't see a reason why it can't be bypassed, if VM can't be removed even then the way Themida VM (or any other VM) works it's always possible to spoof info and make application run on unlicensed system. On this specific matter of protection, VM and special Themida features for which it is famous, is not applicable to .NET.

Don't waste money on protectors. Either make one yourself or don't make them protected at all. It just takes one reverser to crack the protection. I completely agree with @simple. If you are going to make a good software, it will always attract unwanted attention. But don't make fighting counterfeiting as your main aim. The way reversers think, they will get more motivated if you start trying to fight head on. Improve your software for those who are paying, in the end all what reversers look for is a challenge. If there is none, you can safely assume that you will have less amount of time dealing with reversing and more on creating premium features.

PS: even though I use counterfeit Windows (since I corrupt my Windows beyond the point of no return, pretty much once a month), still at the end of day I bought Windows license out of my guilt to pay Microsoft for what they have created.

Edited October 12, 2014 by Conquest

2

DMichael Posted October 15, 2014 (edited)

> These are all my personal opinion and knowledge and not from any other source, so it may be 100% accurate/correct. The reason why Themida is being considered a good opponent again is, IMHO, because of the stopped development of UV plugin by deathway. But I still don't see a reason why it can't be bypassed, if VM can't be removed even then the way Themida VM (or any other VM) works it's always possible to spoof info and make application run on unlicensed system. On this specific matter of protection, VM and special Themida features for which it is famous, is not applicable to .NET.
>
> Don't waste money on protectors. Either make one yourself or don't make them protected at all. It just takes one reverser to crack the protection. I completely agree with @simple. If you are going to make a good software, it will always attract unwanted attention. But don't make fighting counterfeiting as your main aim. The way reversers think, they will get more motivated if you start trying to fight head on. Improve your software for those who are paying, in the end all what reversers look for is a challenge. If there is none, you can safely assume that you will have less amount of time dealing with reversing and more on creating premium features.
>
> PS: even though I use counterfeit Windows (since I corrupt my Windows beyond the point of no return, pretty much once a month), still at the end of day I bought Windows license out of my guilt to pay Microsoft for what they have created.

Most of Themida's strength depends on the developer -- Themida is just a layer, besides most developers don't use or don't know how to use the Themida SDK properly - real protection comes from an experienced developer

Edited October 15, 2014 by DMichael

GIV Posted October 15, 2014

> The reason why themida is being consider a good opponent again is ,IMHO, because of the stopped development of UV plugin by deathway.

Is true. But from what I smell the latest VMs of Themida are already devirtualized by tools which stay in the underground. I have many hints in that direction.

I think Obsidium is a great protector too. From what I have seen in the latest period, many software developers which used Themida in the past use Obsidium now.

Nemo Posted October 15, 2014

Yes, I have noticed that too, GIV. Seems it's not something you can find a lot of information for. Makes it more interesting

GIV Posted October 15, 2014 (edited)

And it uses some INT3 tricks etc...or SEH.

Edited October 15, 2014 by GIV

TiLT Posted October 16, 2014

As an occasional developer I use Themida for my C/C++ projects and Confuser for my .Net projects. Themida may not be bulletproof, but it's good value for the money. How I look at it is this....my time is valuable and the time it would take me to develop something that approaches Themida's capabilities makes it an easy buy. I can always add my own tricks inside of Themida's VM, or do my own protection routines that lead to a Themida VM. It's a good tool and I think it's worth the price.

GIV Posted October 16, 2014

All is good to Themida is the VM which can be deobfuscated of course with the proper tools. The best VM for a software protection is his fair price. Else all will be cracked.

mm10121991 Posted October 17, 2014

Obsidium is very easy compared to other decent protectors (wl, vmp, safengine). Just because there are no public step by step tutorials or automatic scripts that people can't unpack it

1

Nemo Posted October 17, 2014

That is the point, nobody seems to be able to do anything without a script or a tool these days..

1

zenix Posted October 29, 2014

> That is the point, nobody seems to be able to do anything without a script or a tool these days..

That is an interesting point, isn't it? It is sad that most of the people are just blind followers of tools and scripts. And some of them claim themselves as "Master".

Well, IMHO, Themida is a good protector for Win32/64 PE executable files. But now for .Net files.

GIV Posted October 29, 2014

> That is an interesting point, isn't it? It is sad that most of the people are just blind follower of tools and script. And some of them claim themselves as "Master". Well, IMHO, Themida is a good protector for Win32/64 PE excusable files. But now for .Net files.

Not at all. Just find the OEP (the method has been the same for past years) and from there you can do many things without a script. If the instructions you search are not in VM you are a lucky guy. The loader for Themida file can be done in few minutes.

zenix Posted October 31, 2014

Can you name a protector which we are unable to locate OEP or near OEP? Take one step backward, even if we are unable to OEP, we still can dump the whole decrypted image into a file. And a loader can be done as well, as long as the code is not in VM.

GIV Posted October 31, 2014

Sure. VMProtect. If you try to make a loader you will get an instant "File corrupted" message.

zenix Posted November 6, 2014 (edited)

I have no problem with the CRC check of VMProtect. Here is the open secret. For protected files, there is no CRC check after OEP except the codes in VM and VMProtect SDK. If your loader got caught, it means that you try to patch it while VMProtect protector shell has not finished its job. Just wait. Once OEP is reached, CRC checks are gone.

Also, there are many cracked versions of VMProtect protector itself. But, this is another story.

One more open secret to mention, CRC of VMProtect is done by byte to byte xor with shift. The result is in a DWORD table. Once you understand it, it is finished.

Here is one VMProtected file with CRC check and a blacklisted key. Solution is included. http://rghost.net/58910240

Let me explain further about the two bytes patched. First byte is to bypass the blacklist check. The second byte is to balance the CRC of VM_GetHash.

Edited November 6, 2014 by zenix