CodeExplorer Posted April 1, 2023 Themida x32 v3.0.4.0 One of my tools (CompareInfo v3) protected by Themida x32 v3.0.4.0. Submitter CodeExplorer Submitted 04/01/2023 Category UnPackMe
TRISTAN Pro Posted April 1, 2023 (edited) I prefer VMProtect or PELock to the Themida protector without virtualized code as an unpackme. NB: (without virtualizing and obfuscation). Edited April 19, 2023 by TRISTAN Pro Give up
TRISTAN Pro Posted April 2, 2023 5 hours ago, X0rby said: Tutorial? Even a newbie can do this bro, Themida has become easy to dump. Tell me if it doesn't work.
jackyjask Posted April 2, 2023 @TRISTAN Pro have you used the unlicense tool? It does the job (creates an unpacked .exe), but the produced binary is broken
TRISTAN Pro Posted April 2, 2023 (edited) 3 hours ago, jackyjask said: @TRISTAN Pro have you used the unlicense tool? It does the job (creates an unpacked .exe), but the produced binary is broken You should use OllyDbg or x32dbg and an automated script to fix it manually. Edited April 2, 2023 by TRISTAN Pro
modz50 Posted April 2, 2023 Themida can always be unpacked unless it's C++; if it's .NET then it will be dumped from memory, Themida loads the decrypted .exe into memory
jackyjask Posted April 2, 2023 59 minutes ago, modz50 said: unless it's C++ The above sample is C++, I guess. What is so special about C++, @modz50?
X0rby Posted April 6, 2023 (edited) On 4/2/2023 at 8:41 AM, TRISTAN Pro said: Even a newbie can do this bro, Themida has become easy to dump. Tell me if it doesn't work. Themida is harder for newbies to unpack... any solution to find the OEP of a Themida-protected file? Edited April 25, 2023 by X0rby
TRISTAN Pro Posted April 6, 2023 Check my dumped file; the OEP is in the first EIP/EP.
CodeExplorer Posted April 10, 2023 Author We run the exe and we analyze all inter-modular calls; in the end we found the import table start and import table end:

    00404000 0044FF4E NÿD. CompareI.0044FF4E   // first import table thunk
    00404004 005ACA9A šÊZ. CompareI.005ACA9A
    00404008 0047AA69 iªG. CompareI.0047AA69
    0040400C 00000000 ....
    00404010 759D4D9E žMu  KERNEL32.GlobalAlloc
    00404014 759D4DE2 âMu  JMP to KERNELBA.GetFileSize
    00404018 759D73E0 àsu  JMP to KERNELBA.CreateFileA
    0040401C 759D4C88 ˆLu  JMP to KERNELBA.ReadFile
    00404020 00498CC2 ÂŒI. CompareI.00498CC2
    00404024 00548FA7 §T.  CompareI.00548FA7
    00404028 759D4D80 €Mu  KERNEL32.GlobalFree
    ...
    00404278 0047D96D mÙG. CompareI.0047D96D   // last import table thunk
    0040427C 00000000 ....

We set a breakpoint on write to the dword at 00404278, we restart the target, and after the last breakpoint hit we set a breakpoint on access to the code section to reach the OEP. Run, and the entry point is reached. I don't know yet what to do with the redirected imports.
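The IAT walk in the post above, as an added example that is not part of the original thread and not CodeExplorer's code: a small Python model of the first pass an import rebuilder (Scylla/ImpREC style) makes over a dumped thunk array. Each dword is classified as a null separator, a resolved API pointer (following the `jmp dword ptr [slot]` forwarding stubs that OllyDbg shows as "JMP to KERNELBA.X"), or a pointer back into the protected image, which is exactly the redirected import the post leaves open. Only the thunk values are taken from the post; the image base of 0x400000, the module bases, the KERNELBASE addresses, the export table and the stub bytes are constructed for the demonstration and are not the real CompareInfo or kernel32 layout.

```python
import struct

# ---- constructed memory image (assumption: not the real CompareInfo layout) ----
IMAGE_BASE, IMAGE_SIZE = 0x00400000, 0x00200000           # protected target
MODULES = {"KERNEL32": (0x759D0000, 0x000D0000),          # base, size (invented)
           "KERNELBASE": (0x75B00000, 0x00100000)}
# address -> export name; a real rebuilder walks each module's export table instead
EXPORTS = {0x759D4D9E: "KERNEL32.GlobalAlloc", 0x759D4D80: "KERNEL32.GlobalFree",
           0x75B12345: "KERNELBASE.GetFileSize", 0x75B1A000: "KERNELBASE.CreateFileA",
           0x75B1B000: "KERNELBASE.ReadFile"}


class Memory:
    """Minimal flat memory model: a few mapped byte regions, None when unmapped."""
    def __init__(self):
        self.regions = []

    def map(self, base, size):
        buf = bytearray(size)
        self.regions.append((base, buf))
        return buf

    def _locate(self, addr, n):
        for base, buf in self.regions:
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        return None, None

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        assert buf is not None, "write to unmapped address"
        buf[off:off + len(data)] = data

    def read(self, addr, n):
        buf, off = self._locate(addr, n)
        return None if buf is None else bytes(buf[off:off + n])

    def read_u32(self, addr):
        raw = self.read(addr, 4)
        return None if raw is None else struct.unpack("<I", raw)[0]


def in_module(addr):
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def resolve_api(mem, addr, depth=0):
    """Name an API pointer, following up to 4 `jmp [slot]` / `jmp rel32` hops
    (the "JMP to KERNELBA.X" forwarding stubs seen in the post)."""
    if addr in EXPORTS:
        return EXPORTS[addr]
    if depth >= 4 or in_module(addr) is None:
        return None
    code = mem.read(addr, 6)
    if code is None:
        return None
    if code[:2] == b"\xff\x25":                       # FF 25: jmp dword ptr [imm32]
        target = mem.read_u32(struct.unpack("<I", code[2:6])[0])
        name = resolve_api(mem, target, depth + 1) if target else None
        return f"JMP to {name}" if name else None
    if code[0] == 0xE9:                               # E9: jmp rel32
        rel = struct.unpack("<i", code[1:5])[0]
        return resolve_api(mem, addr + 5 + rel, depth + 1)
    return None


def classify_thunk(mem, value):
    if value == 0:
        return "null", None
    if IMAGE_BASE <= value < IMAGE_BASE + IMAGE_SIZE:
        return "redirected", None        # points back into the protected image
    name = resolve_api(mem, value)
    return ("api", name) if name else ("unknown", None)


def scan_iat(mem, start, end):
    """Classify every dword in [start, end). Returns [(addr, value, kind, name)]."""
    out = []
    for addr in range(start, end, 4):
        value = mem.read_u32(addr)
        if value is None:
            break
        kind, name = classify_thunk(mem, value)
        out.append((addr, value, kind, name))
    return out


def iat_bounds(entries):
    """First/last thunk that is an import (single nulls are per-module separators)."""
    live = [e[0] for e in entries if e[2] in ("api", "redirected")]
    return (live[0], live[-1]) if live else None


def build_sample():
    """Constructed dump: thunk values from the post, everything else invented."""
    mem = Memory()
    mem.map(0x00404000, 0x40)                          # .idata slice of the target
    k32 = 0x759D1000
    mem.map(k32, 0x7000)                               # slice of KERNEL32 (invented)
    # forwarding stubs: FF 25 <slot>, where the slot holds the KERNELBASE address
    for stub, slot, target in ((0x759D4DE2, k32 + 0x10, 0x75B12345),
                               (0x759D73E0, k32 + 0x14, 0x75B1A000),
                               (0x759D4C88, k32 + 0x18, 0x75B1B000)):
        mem.write(stub, b"\xff\x25" + struct.pack("<I", slot))
        mem.write(slot, struct.pack("<I", target))
    thunks = [0x0044FF4E, 0x005ACA9A, 0x0047AA69, 0, 0x759D4D9E, 0x759D4DE2,
              0x759D73E0, 0x759D4C88, 0x00498CC2, 0x00548FA7, 0x759D4D80, 0]
    mem.write(0x00404000, b"".join(struct.pack("<I", t) for t in thunks))
    return mem


if __name__ == "__main__":
    mem = build_sample()
    entries = scan_iat(mem, 0x00404000, 0x00404040)
    for addr, value, kind, name in entries:
        print(f"{addr:08X} {value:08X} {kind:10s} {name or ''}")
    print("IAT bounds:", tuple(f"{a:08X}" for a in iat_bounds(entries)))
```

The "redirected" entries are the ones a dump-and-Scylla pass cannot name: they point into code Themida emitted inside the image, and each has to be traced (or its stub emulated) until it reaches a real export before the import directory can be rebuilt. The "api" entries are already good as they stand, and the `JMP to` prefix only records that kernel32 forwarded them to kernelbase.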
vosiyons Posted April 10, 2023 2 hours ago, CodeExplorer said: We run the exe and we analyze all inter-modular calls; in the end we found the import table start and import table end: [...] I don't know yet what to do with the redirected imports. Dear @CodeExplorer, your reverse engineering is appreciated. Why do you prepare the tutorials in TXT format?
CodeExplorer Posted April 11, 2023 Author 12 hours ago, vosiyons said: Dear @CodeExplorer, your reverse engineering is appreciated. Why do you prepare the tutorials in TXT format? TXT format just because it is easier to build.
vosiyons Posted April 11, 2023 (edited) 5 hours ago, CodeExplorer said: TXT format just because it is easier to build. Dear @CodeExplorer, I use this while preparing a tutorial and I recommend it to you. The fast and easy-to-use screen recorder creates instant demos, tutorials and presentations with the highest compression ratio in the world by compiling your desktop into files. Available for EXE, SWF, AVI, FLV and MP4. https://www.screen-record.com/screen2exe.htm Edited April 11, 2023 by vosiyons
CodeExplorer Posted April 11, 2023 Author Oh, you meant video tutorials; I didn't build any: time consuming for both creator and watcher. I'd rather focus attention on doing things automatically by script/tools.
TRISTAN Pro Posted April 15, 2023 (edited) On 4/10/2023 at 7:19 PM, CodeExplorer said: We run the exe and we analyze all inter-modular calls; in the end we found the import table start and import table end: [...] I don't know yet what to do with the redirected imports. Hardware breakpoint on the OEP, then rebuild the imports and fix the Scylla dump, and it will be done. Analyse my dumped file and compare it with your original file. If you don't get it or can't fix all the imports, please watch the tutorial by Kissy UpK with Private EXE Protector. Edited April 15, 2023 by TRISTAN Pro
X0rby Posted April 15, 2023 (edited) Done. unpacked.7z Edited April 15, 2023 by X0rby Upload unpacked file on t4u server.
jackyjask Posted April 16, 2023 9 hours ago, X0rby said: Done. unpacked.7z Could I ask why your unpacked file is so huge? (expected 5.9, got 9.7 MB)
X0rby Posted April 16, 2023 (edited) 9 hours ago, jackyjask said: Could I ask why your unpacked file is so huge? (expected 5.9, got 9.7 MB) The reason is the IAT: after fixing it the size increased. I didn't fix it perfectly, so the size became like that. Edited April 16, 2023 by X0rby grammar
randi56 Posted April 16, 2023 On 4/15/2023 at 8:21 PM, TRISTAN Pro said: Hardware breakpoint on the OEP, then rebuild the imports and fix the Scylla dump, and it will be done. Analyse my dumped file and compare it with your original file. If you don't get it or can't fix all the imports, please watch the tutorial by Kissy UpK with Private EXE Protector. I can't find the tutorial you mention here, sir
X0rby Posted April 24, 2023 (edited) @jackyjask here you go, 5.99 MB! Better SiZe.exe Edited April 24, 2023 by X0rby Upload
X0rby Posted April 24, 2023 (edited) 6.exe Size: 24 KB + Themida fully removed 100% Edited April 24, 2023 by X0rby
jackyjask Posted April 24, 2023 Amazing stuff! Could you shed some light on your great success with colleagues here?
CodeExplorer Posted May 24, 2023 Author To be frank, I don't know what's going on in this forum: users just post unpacked files without providing any information on how they did it!
native_aot Posted May 28, 2023 (edited) On 5/24/2023 at 2:11 PM, CodeExplorer said: To be frank, I don't know what's going on in this forum: users just post unpacked files without providing any information on how they did it! I have Themida version 3.1.4 from a Chinese forum and you can try it: https://down.52pojie.cn/Tools/Packers/ Edited May 28, 2023 by native_aot