despy3 (Posted December 17, 2020)
View File: Themida v2.4.6.30
This is a .NET executable with a Golang DLL packed with Themida. Try to unpack the executable, dump the bundled DLL, then fix the DLL to make it work. Once completed, detail the methods used and how you fixed the DLL.
Submitter: despy3
Submitted: 12/17/2020
Category: UnPackMe (.NET)

0x59 (Posted December 17, 2020)
Just use the Themida unpacker.
Link: https://github.com/NotPrab/.NET-Deobfuscator

despy3 (Author, Posted December 18, 2020)
dump the bundled DLL then fix the DLL to make it work.

despy3 (Author, Posted December 28, 2020)
On 12/18/2020 at 3:16 AM, 0x59 said:
> Just use the themida unpacker Link : https://github.com/NotPrab/.NET-Deobfuscator
@0x59 try to dump the bundled DLL, then fix the DLL to make it work. Anyone got an idea? Anything will be great.

0x59 (Posted December 29, 2020)
The DLL is written in Golang and I'm a .NET reverser 😕

Josman (Solution, Posted March 18, 2021)
Tutorial:
1. Dump the executable with Extreme Dumper or dnSpy.
2. Dump the bundled DLL with MegaDumper; the vdump one should be test.dll. If you are not sure, just check the export function with CFF Explorer or IDA.
3. No need to fix the DLL (at least for me); just rename it to test.dll and launch the dumped executable.
PoC: https://streamable.com/khmzo6
Attachment: unpacked.rar

boot (Posted May 5, 2023)
EXE:
- Just need to dump it by using a dumper, such as DotnetDumper
- Using CFF to fix it and remove the strong signature
- Using de4dot to clean it up
DLL:
Because it's a .NET program, you can dump the DLL at the same time, but if it's not a .NET program, write your own tool to extract...
Attachment: dumpMe - bak.rar

fhisar34 (Posted May 5, 2023)
Can you open Themida C++?
https://www.dosya.tc/server42/k1b4p3/soacsx.zip.html

BlackHat (Posted May 6, 2023)
Use Extreme Dumper to dump. When the code is on the fly, save the DLL from memory.
Can you confirm whether the size I got is valid or not? I ask because I see the file size posted by boot is comparatively smaller than mine.
Attachments: callGo.exe, test.dll

fhisar34 (Posted May 7, 2023)
I made a dump but it doesn't work; the size is correct.

ArtZero (Posted September 18, 2023)
1. Dump the dumpMe.exe file using ExtremeDumper, and save callGo.exe. It is unpacked.
2. Dump the dumpMe.exe file using MegaDumper; you'll get a rawdump_6BEC0000.dll file. Just rename it to test.dll (it is a native language).
3. Place callGo.exe and test.dll in the same folder, and it works.
Attachment: Unpacked.rar

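The posts above produce two kinds of dump: the .NET executable and the native Go DLL. As an added example that is not part of any post in this thread, the following sketch reads a dump's PE header and checks the CLR (COM descriptor) data directory to tell the two apart. The function names and the header-only sample images are constructed for illustration.

```python
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)

def classify_dump(data: bytes) -> str:
    """Classify a dumped image as 'managed', 'native' or 'not-pe'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return "not-pe"
    opt = pe_off + 24                # 4-byte signature + 20-byte COFF header
    if len(data) < opt + 2:
        return "not-pe"
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+
    if dirs is None or len(data) < dirs:
        return "not-pe"
    (count,) = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
    entry = dirs + CLR_DIR * 8
    if count <= CLR_DIR or len(data) < entry + 8:
        return "native"
    rva, size = struct.unpack_from("<II", data, entry)
    # A non-empty CLR directory means the image carries .NET metadata.
    return "managed" if rva and size else "native"

def build_sample(magic: int, clr_rva: int, clr_size: int) -> bytes:
    """Constructed header-only PE image for the demo (not a real dump)."""
    dirs_off = 96 if magic == 0x10B else 112
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)
    struct.pack_into("<II", opt, dirs_off + CLR_DIR * 8, clr_rva, clr_size)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x2102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    samples = {"managed EXE (constructed)": build_sample(0x10B, 0x2008, 0x48),
               "native DLL (constructed)": build_sample(0x20B, 0, 0),
               "raw non-PE region (constructed)": b"\x00" * 64}
    for name, blob in samples.items():
        print(f"{name}: {classify_dump(blob)}")
```

A memory dump whose headers were erased or never captured is reported as `not-pe`, so that result means the header is unusable, not that the region holds no code.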