Tuts 4 You

Themida x32 v3.0.4.0


CodeExplorer


TRISTAN Pro

I prefer VMProtect or PELock over a Themida protector without virtualized code as an unpackme.

NB: (without virtualizing and obfuscation).

 

Give up

TRISTAN Pro
5 hours ago, X0rby said:

Tutorial?

Even a newbie can do this bro, Themida has become easy to dump; tell me if it doesn't work.


TRISTAN Pro
3 hours ago, jackyjask said:

@TRISTAN Pro have you used the unlicense tool?

it does the job (creates an unpacked .exe), but the produced binary is broken

You should use OllyDbg or x32dbg and an automated script to fix it manually.


Themida can always be unpacked unless it's C++; if it's .NET then it will be dumped from memory. Themida loads the decrypted .exe into memory.


On 4/2/2023 at 8:41 AM, TRISTAN Pro said:

Even a newbie can do this bro, Themida has become easy to dump; tell me if it doesn't work.

Themida is harder for newbies to unpack...

Any solution to find the OEP of a Themida-protected file?


CodeExplorer

We run the exe and analyze all inter-modular calls; in the end we find the import table start and the import table end:

00404000  0044FF4E  NÿD.  CompareI.0044FF4E  // first import table thunk
00404004  005ACA9A  šÊZ.  CompareI.005ACA9A
00404008  0047AA69  iªG.  CompareI.0047AA69
0040400C  00000000  ....
00404010  759D4D9E  žMu  KERNEL32.GlobalAlloc
00404014  759D4DE2  âMu  JMP to KERNELBA.GetFileSize
00404018  759D73E0  àsu  JMP to KERNELBA.CreateFileA
0040401C  759D4C88  ˆLu  JMP to KERNELBA.ReadFile
00404020  00498CC2  ÂŒI.  CompareI.00498CC2
00404024  00548FA7  §T.  CompareI.00548FA7
00404028  759D4D80  €Mu  KERNEL32.GlobalFree
...
00404278  0047D96D  mÙG.  CompareI.0047D96D  // last import table thunk
0040427C  00000000  ....

We set a breakpoint on write to the dword at 00404278.
We restart the target; after the last breakpoint we set a breakpoint on access to the code section to reach the OEP.
Run and entry point reached.
I don't know yet what to do with redirected imports.

 

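An added example, not code from the post or from any tool mentioned in it: a small Python script that parses a dump in the column layout quoted above, finds the table bounds the post's write breakpoint depends on, and separates thunks the debugger already resolved to a system DLL from the ones still labelled with the target module's own name, i.e. the redirected imports the post leaves open. The sample rows are constructed from the post's listing; the module short name "CompareI" and the debugger's column layout are assumptions.

```python
import re

# Constructed sample in the column layout of the debugger dump quoted in the post
# (address, value, raw bytes, symbol, optional // comment); middle rows omitted.
SAMPLE_DUMP = """\
00404000  0044FF4E  NÿD.  CompareI.0044FF4E  // first import table thunk
0040400C  00000000  ....
00404010  759D4D9E  žMu  KERNEL32.GlobalAlloc
00404014  759D4DE2  âMu  JMP to KERNELBA.GetFileSize
00404278  0047D96D  mÙG.  CompareI.0047D96D  // last import table thunk
0040427C  00000000  ....
"""
# "CompareI" is the debugger's short name for the protected module itself, so a
# thunk labelled CompareI.xxxxxxxx points back into the packed image (redirected).
TARGET_MODULE = "CompareI"
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s*(.*)$")
SYM_RE = re.compile(r"(?:JMP to )?([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)")


def parse_dump(text):
    """Return (address, value, module, symbol) tuples; non-matching lines are skipped."""
    thunks = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        sym = SYM_RE.search(m.group(3).split("//", 1)[0])  # ignore // comments
        thunks.append((int(m.group(1), 16), int(m.group(2), 16),
                       sym.group(1) if sym else None, sym.group(2) if sym else None))
    return thunks

def classify(thunk, target=TARGET_MODULE):
    _, value, module, _ = thunk
    if value == 0:
        return "null"        # separator between DLL groups, or end of table
    if module == target:
        return "redirected"  # still points at a protector stub inside the image
    return "direct"          # already resolved to a system DLL export

def analyze(text, target=TARGET_MODULE):
    """Table bounds (last thunk = the post's write-breakpoint address) plus the split
    between direct thunks and those whose real API still has to be recovered."""
    live = [t for t in parse_dump(text) if t[1] != 0]
    if not live:
        raise ValueError("no import thunks found")
    return {
        "table_start": live[0][0],
        "table_end": live[-1][0],
        "direct": [f"{t[2]}.{t[3]}" for t in live if classify(t, target) == "direct"],
        "redirected": [t[0] for t in live if classify(t, target) == "redirected"],
    }
```

Paste a real dump in place of SAMPLE_DUMP and the "redirected" list is the set of thunk addresses an import fixer still has to trace to their true API targets.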

2 hours ago, CodeExplorer said:

We run the exe and analyze all inter-modular calls; in the end we find the import table start and the import table end:

00404000  0044FF4E  NÿD.  CompareI.0044FF4E  // first import table thunk
00404004  005ACA9A  šÊZ.  CompareI.005ACA9A
00404008  0047AA69  iªG.  CompareI.0047AA69
0040400C  00000000  ....
00404010  759D4D9E  žMu  KERNEL32.GlobalAlloc
00404014  759D4DE2  âMu  JMP to KERNELBA.GetFileSize
00404018  759D73E0  àsu  JMP to KERNELBA.CreateFileA
0040401C  759D4C88  ˆLu  JMP to KERNELBA.ReadFile
00404020  00498CC2  ÂŒI.  CompareI.00498CC2
00404024  00548FA7  §T.  CompareI.00548FA7
00404028  759D4D80  €Mu  KERNEL32.GlobalFree
...
00404278  0047D96D  mÙG.  CompareI.0047D96D  // last import table thunk
0040427C  00000000  ....

We set a breakpoint on write to the dword at 00404278.
We restart the target; after the last breakpoint we set a breakpoint on access to the code section to reach the OEP.
Run and entry point reached.
I don't know yet what to do with redirected imports.

 


Dear @CodeExplorer, your reverse engineering is appreciated. Why do you prepare the tutorials in txt format?


CodeExplorer
12 hours ago, vosiyons said:


Dear @CodeExplorer, your reverse engineering is appreciated. Why do you prepare the tutorials in txt format?

txt format just because it is easier to build.
 


5 hours ago, CodeExplorer said:

txt format just because it is easier to build.
 

 

Dear @CodeExplorer, I use this while preparing a tutorial and I recommend it to you.

The fast and easy-to-use screen recorder creates instant demos, tutorials and presentations with the highest compression ratio in the world by compiling your desktop into files. Available for EXE, SWF, AVI, FLV and MP4.

https://www.screen-record.com/screen2exe.htm

 


CodeExplorer

Oh, you meant video tutorials; I didn't build any: time-consuming for both creator and watcher.
I'd rather focus attention on doing things automatically by script/tools.
 


TRISTAN Pro
On 4/10/2023 at 7:19 PM, CodeExplorer said:

We run the exe and analyze all inter-modular calls; in the end we find the import table start and the import table end:

00404000  0044FF4E  NÿD.  CompareI.0044FF4E  // first import table thunk
00404004  005ACA9A  šÊZ.  CompareI.005ACA9A
00404008  0047AA69  iªG.  CompareI.0047AA69
0040400C  00000000  ....
00404010  759D4D9E  žMu  KERNEL32.GlobalAlloc
00404014  759D4DE2  âMu  JMP to KERNELBA.GetFileSize
00404018  759D73E0  àsu  JMP to KERNELBA.CreateFileA
0040401C  759D4C88  ˆLu  JMP to KERNELBA.ReadFile
00404020  00498CC2  ÂŒI.  CompareI.00498CC2
00404024  00548FA7  §T.  CompareI.00548FA7
00404028  759D4D80  €Mu  KERNEL32.GlobalFree
...
00404278  0047D96D  mÙG.  CompareI.0047D96D  // last import table thunk
0040427C  00000000  ....

We set a breakpoint on write to the dword at 00404278.
We restart the target; after the last breakpoint we set a breakpoint on access to the code section to reach the OEP.
Run and entry point reached.
I don't know yet what to do with redirected imports.

 

Hardware breakpoint on OEP, then rebuild the imports and fix with a Scylla dump and it will be done.

Analyse my dumped file and compare it with your original file.

If you don't get it or can't fix all the imports, please

watch the tutorial by Kissy UpK with Private EXE Protector.

 


9 hours ago, jackyjask said:

Could I ask why your unpacked file is so huge? (expected 5.9, got 9.7 MB)

The reason is the IAT: after fixing it the size increased; I didn't fix it perfectly, so the size became like that.


On 4/15/2023 at 8:21 PM, TRISTAN Pro said:

Hardware breakpoint on OEP, then rebuild the imports and fix with a Scylla dump and it will be done.

Analyse my dumped file and compare it with your original file.

If you don't get it or can't fix all the imports, please

watch the tutorial by Kissy UpK with Private EXE Protector.

 

I can't find the tutorial you mentioned here, sir.


CodeExplorer

To be frank, I don't know what's going on in this forum: users just post unpacked files without providing any information on how they did it!


native_aot
On 5/24/2023 at 2:11 PM, CodeExplorer said:

To be frank, I don't know what's going on in this forum: users just post unpacked files without providing any information on how they did it!

I have Themida version 3.1.4 from a Chinese forum and you can try it

https://down.52pojie.cn/Tools/Packers/

