CodeExplorer, posted April 1 (submitted 04/01/2023, category: UnPackMe):
Themida x32 v3.0.4.0. One of my tools (CompareInfo v3) protected by Themida x32 v3.0.4.0.
TRISTAN Pro, posted April 1 (edited April 19 by TRISTAN Pro):
I prefer VMProtect or PELock to Themida protector without virtualized code as an unpackme. NB: (without virtualizing and obfuscation). Give up.
X0rby, posted April 2 (edited April 25 by X0rby):
Tutorial?
TRISTAN Pro, posted April 2:
> 5 hours ago, X0rby said: Tutorial?
Even a newbie can do this bro, Themida has become easy to dump; tell me if it doesn't work.
jackyjask, posted April 2:
@TRISTAN Pro have you used the unlicense tool? It does the job (creates an unpacked .exe), but the produced binary is broken.
TRISTAN Pro, posted April 2 (edited April 2 by TRISTAN Pro):
> 3 hours ago, jackyjask said: @TRISTAN Pro have you used the unlicense tool? It does the job (creates an unpacked .exe), but the produced binary is broken.
You should use OllyDbg or x32dbg and an automated script to fix it manually.
modz50, posted April 2:
Themida can always be unpacked unless it's C++; if it's .NET then it will be dumped from memory: Themida loads the decrypted .exe into memory.
jackyjask, posted April 2:
> 59 minutes ago, modz50 said: unless it's C++
The above sample is C++, I guess. What is so special about C++, @modz50?
X0rby, posted April 6 (edited April 25 by X0rby):
> On 4/2/2023 at 8:41 AM, TRISTAN Pro said: Even a newbie can do this bro, Themida has become easy to dump; tell me if it doesn't work.
Themida is harder to unpack for newbies... any solution to find the OEP of a Themida-protected file?
TRISTAN Pro, posted April 6:
Check my dumped file; the OEP is in the first EIP EP.
CodeExplorer (author), posted April 10:
We run the exe and analyze all inter-modular calls; in the end we found the import table start and the import table end:

00404000 0044FF4E NÿD. CompareI.0044FF4E // first import table thunk
00404004 005ACA9A šÊZ. CompareI.005ACA9A
00404008 0047AA69 iªG. CompareI.0047AA69
0040400C 00000000 ....
00404010 759D4D9E žMu KERNEL32.GlobalAlloc
00404014 759D4DE2 âMu JMP to KERNELBA.GetFileSize
00404018 759D73E0 àsu JMP to KERNELBA.CreateFileA
0040401C 759D4C88 ˆLu JMP to KERNELBA.ReadFile
00404020 00498CC2 ÂŒI. CompareI.00498CC2
00404024 00548FA7 §T. CompareI.00548FA7
00404028 759D4D80 €Mu KERNEL32.GlobalFree
...
00404278 0047D96D mÙG. CompareI.0047D96D // last import table thunk
0040427C 00000000 ....

We set a breakpoint on write to the dword at 00404278 and restart the target; after the last breakpoint we set a breakpoint on access to the code section for reaching the OEP. Run, and the entry point is reached. I don't know yet what to do with redirected imports.
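A small triage script over the thunk listing quoted in the post above, added here as an example and not code from any participant in the thread. It assumes the debugger's dump format shown (thunk address, dword value, ASCII column, symbol), takes `CompareI` as the protected module's name, and treats a thunk whose symbol resolves inside that module as a redirected import, a thunk shown as `JMP to KERNELBA.*` as a kernel32 export stub that forwards to KERNELBASE (still a valid import for a rebuilder), and a zero dword as a group separator or table terminator; it reports the table bounds and how many thunks of each kind remain.

```python
import re
from collections import Counter

# Constructed sample: the thunk listing quoted in the thread ("..." is the
# elided middle of the table, exactly as it was posted).
LISTING = """\
00404000 0044FF4E NÿD. CompareI.0044FF4E // first import table thunk
00404004 005ACA9A šÊZ. CompareI.005ACA9A
00404008 0047AA69 iªG. CompareI.0047AA69
0040400C 00000000 ....
00404010 759D4D9E žMu KERNEL32.GlobalAlloc
00404014 759D4DE2 âMu JMP to KERNELBA.GetFileSize
00404018 759D73E0 àsu JMP to KERNELBA.CreateFileA
0040401C 759D4C88 ˆLu JMP to KERNELBA.ReadFile
00404020 00498CC2 ÂŒI. CompareI.00498CC2
00404024 00548FA7 §T. CompareI.00548FA7
00404028 759D4D80 €Mu KERNEL32.GlobalFree
...
00404278 0047D96D mÙG. CompareI.0047D96D // last import table thunk
0040427C 00000000 ....
"""
# One dump line: thunk address, dword value, then ASCII column and symbol.
ENTRY_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\b(.*)$")
# Last "Module.Name" token; a "JMP to" prefix is a kernel32 stub forwarding to KERNELBASE.
SYM_RE = re.compile(r"(JMP to\s+)?([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\s*(?://.*)?$")

def classify(value, symbol, protected_module):
    """Label one thunk: null, redirected, forwarded or resolved."""
    if value == 0:
        return "null"          # end of one DLL's group, or end of the table
    m = SYM_RE.search(symbol)
    if m and m.group(2) == protected_module:
        return "redirected"    # points back into the packed image, not a real API
    if m and m.group(1):
        return "forwarded"
    return "resolved"

def analyze(listing, protected_module="CompareI"):
    """Return (first_thunk, last_thunk, per-class counts) for a dump listing."""
    counts, addrs = Counter(), []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue           # skips "..." and anything that is not a dword entry
        addr, value = int(m.group(1), 16), int(m.group(2), 16)
        kind = classify(value, m.group(3), protected_module)
        counts[kind] += 1
        if kind != "null":
            addrs.append(addr)
    return min(addrs), max(addrs), dict(counts)
```

`analyze(LISTING)` gives the bounds 00404000-00404278 and, for the visible rows, 6 redirected thunks against 5 that a rebuilder can already resolve; the redirected count is the work left after the dump.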
vosiyons, posted April 10:
> 2 hours ago, CodeExplorer said: We run the exe and analyze all inter-modular calls; in the end we found the import table start and the import table end:
> 00404000 0044FF4E NÿD. CompareI.0044FF4E // first import table thunk
> 00404004 005ACA9A šÊZ. CompareI.005ACA9A
> 00404008 0047AA69 iªG. CompareI.0047AA69
> 0040400C 00000000 ....
> 00404010 759D4D9E žMu KERNEL32.GlobalAlloc
> 00404014 759D4DE2 âMu JMP to KERNELBA.GetFileSize
> 00404018 759D73E0 àsu JMP to KERNELBA.CreateFileA
> 0040401C 759D4C88 ˆLu JMP to KERNELBA.ReadFile
> 00404020 00498CC2 ÂŒI. CompareI.00498CC2
> 00404024 00548FA7 §T. CompareI.00548FA7
> 00404028 759D4D80 €Mu KERNEL32.GlobalFree
> ...
> 00404278 0047D96D mÙG. CompareI.0047D96D // last import table thunk
> 0040427C 00000000 ....
> We set a breakpoint on write to the dword at 00404278 and restart the target; after the last breakpoint we set a breakpoint on access to the code section for reaching the OEP. Run, and the entry point is reached. I don't know yet what to do with redirected imports.
Dear @CodeExplorer, your reverse engineering is appreciated. Why do you prepare the tutorials in txt format?
CodeExplorer (author), posted April 11:
> 12 hours ago, vosiyons said: Dear @CodeExplorer, your reverse engineering is appreciated. Why do you prepare the tutorials in txt format?
txt format just because it is easier to build.
vosiyons, posted April 11 (edited April 11 by vosiyons):
> 5 hours ago, CodeExplorer said: txt format just because it is easier to build.
Dear @CodeExplorer, I use this while preparing a tutorial and I recommend it to you. The fast and easy-to-use screen recorder creates instant demos, tutorials and presentations with the highest compression ratio in the world by compiling your desktop into files. Available for EXE, SWF, AVI, FLV and MP4. https://www.screen-record.com/screen2exe.htm
CodeExplorer (author), posted April 11:
Oh, you meant video tutorials; I didn't build any: time consuming for both creator and watcher. I'd rather focus my attention on doing things automatically by script/tools.
TRISTAN Pro, posted April 15 (edited April 15 by TRISTAN Pro):
> On 4/10/2023 at 7:19 PM, CodeExplorer said: We run the exe and analyze all inter-modular calls; in the end we found the import table start and the import table end:
> 00404000 0044FF4E NÿD. CompareI.0044FF4E // first import table thunk
> 00404004 005ACA9A šÊZ. CompareI.005ACA9A
> 00404008 0047AA69 iªG. CompareI.0047AA69
> 0040400C 00000000 ....
> 00404010 759D4D9E žMu KERNEL32.GlobalAlloc
> 00404014 759D4DE2 âMu JMP to KERNELBA.GetFileSize
> 00404018 759D73E0 àsu JMP to KERNELBA.CreateFileA
> 0040401C 759D4C88 ˆLu JMP to KERNELBA.ReadFile
> 00404020 00498CC2 ÂŒI. CompareI.00498CC2
> 00404024 00548FA7 §T. CompareI.00548FA7
> 00404028 759D4D80 €Mu KERNEL32.GlobalFree
> ...
> 00404278 0047D96D mÙG. CompareI.0047D96D // last import table thunk
> 0040427C 00000000 ....
> We set a breakpoint on write to the dword at 00404278 and restart the target; after the last breakpoint we set a breakpoint on access to the code section for reaching the OEP. Run, and the entry point is reached. I don't know yet what to do with redirected imports.
Hardware breakpoint on OEP, then rebuild the imports and fix with a Scylla dump and it will be done. Analyse my dumped file and compare it with your original file. If you don't get it or can't fix all imports, please watch the tutorial by Kissy UpK with Private EXE Protector.
X0rby, posted April 15 (edited April 15 by X0rby: upload unpacked file on t4u server):
Done. unpacked.7z
jackyjask, posted April 16:
> 9 hours ago, X0rby said: Done. unpacked.7z (3.95 MB, 2 downloads)
Could I ask why your unpacked file is so huge? (expected 5.9, got 9.7 MB)
X0rby, posted April 16 (edited April 16 by X0rby: grammar):
> 9 hours ago, jackyjask said: Could I ask why your unpacked file is so huge? (expected 5.9, got 9.7 MB)
The reason is the IAT: after fixing it the size increased. I didn't fix it perfectly, so the size became like that.
randi56, posted April 16:
> On 4/15/2023 at 8:21 PM, TRISTAN Pro said: Hardware breakpoint on OEP, then rebuild the imports and fix with a Scylla dump and it will be done. Analyse my dumped file and compare it with your original file. If you don't get it or can't fix all imports, please watch the tutorial by Kissy UpK with Private EXE Protector.
I can't find the tutorial you mentioned here, sir.
X0rby, posted April 24 (edited April 24 by X0rby: upload):
@jackyjask here you go, 5.99 MB! Better SiZe.exe
X0rby, posted April 24 (edited April 24 by X0rby):
6.exe, size: 24 kB + Themida fully removed 100%
jackyjask, posted April 24:
Amazing stuff! Could you shed some light on your great success with colleagues here?
CodeExplorer (author), posted May 24:
To be frank, I don't know what's going on in this forum: users just post unpacked files without providing any information on how they did it!
native_aot, posted May 28 (edited May 28 by native_aot):
> On 5/24/2023 at 2:11 PM, CodeExplorer said: To be frank, I don't know what's going on in this forum: users just post unpacked files without providing any information on how they did it!
I have Themida version 3.1.4 from a Chinese forum and you can try it: https://down.52pojie.cn/Tools/Packers/