Themida x32 v3.0.4.0

[H1TC43R]

On 5/24/2023 at 8:11 AM, CodeExplorer said:

To be frankly I don't know what's going on in this forum: users just post unpacked files witouth providing any information on how they did it!

Yes this is a shame, especially with VMProtect and Themidia

I'm looking into these now, as i have a project with at least 8 different protectors and a file size roughly 5.5gb so time consuming and always looking for a better way to do things

[ra1n]

On 5/24/2023 at 8:11 AM, CodeExplorer said:

To be frankly I don't know what's going on in this forum: users just post unpacked files witouth providing any information on how they did it!

I find that most of the time the user in question utilised some public tool and have zero knowledge of how it actually works, and thus don't respond to any questions regarding the internals of their solution. Or maybe they're just too "smart" for us noobs and decide to give us the solution with zero context and then vanish, because that really reflects their intellect.

[RADIOX]

I don't know if so easy to do it or I did it wrong

[chill_B]

On 8/26/2023 at 2:06 AM, RADIOX said:

I don't know if so easy to do it or I did it wrong

What about 64 bit app?

[RADIOX]

On 9/17/2023 at 4:49 AM, chill_B said:

What about 64 bit app?

hi not all apps like this this is just a simple sample

[Atom_09]

awesome!!

[New Year - New Mind]

On 8/26/2023 at 9:06 AM, RADIOX said:

I don't know if so easy to do it or I did it wrong

@RADIOX Can you show the anti debug plugin setting? I can't debug the target cause of being detected of x64dbg.

Regards.

sean.

[boot]

oep_va = 0x004032E4

iat_tree:

Spoiler

$ ==>    00404000 <>76F285D4  gdi32.GetObjectA
$+4      00404004 <>76F2CFFD  gdi32.CreateFontIndirectA
$+8      00404008 <>76F24EB8  gdi32.GetStockObject
$+C      0040400C   00000000
$+10     00404010 <>76055846  kernel32.GlobalAlloc
$+14     00404014 <>7605194A  kernel32.GetFileSize
$+18     00404018 <>7605537E  kernel32.CreateFileA
$+1C     0040401C <>76053E83  kernel32.ReadFile
$+20     00404020 <>76051282  kernel32.WriteFile
$+24     00404024 <>76050E00  kernel32.GetStartupInfoA
$+28     00404028 <>76055510  kernel32.GlobalFree
$+2C     0040402C <>76051222  kernel32.GetProcAddress
$+30     00404030 <>760513F0  kernel32.CloseHandle
$+34     00404034 <>76051245  kernel32.GetModuleHandleA
$+38     00404038 <>76055159  kernel32.GetCommandLineA
$+3C     0040403C   00000000
$+40     00404040 <>6B88ACED  mfc42.#4698
$+44     00404044 <>6B845385  mfc42.#5307
$+48     00404048 <>6B8448F7  mfc42.#5289
$+4C     0040404C <>6B8452EB  mfc42.#5714
$+50     00404050 <>6B8751F3  mfc42.#6324
$+54     00404054 <>6B8751F3  mfc42.#6324
$+58     00404058 <>6B8751F3  mfc42.#6324
$+5C     0040405C <>6B834179  mfc42.#6365
$+60     00404060 <>6B82D0E1  mfc42.#3136
$+64     00404064 <>6B82AA21  mfc42.#3262
$+68     00404068 <>6B82D6C9  mfc42.#2985
$+6C     0040406C <>6B82C111  mfc42.#3081
$+70     00404070 <>6B82A7A7  mfc42.#2976
$+74     00404074 <>6B87AC25  mfc42.#3830
$+78     00404078 <>6B83406D  mfc42.#5162
$+7C     0040407C <>6B83406D  mfc42.#5162
$+80     00404080 <>6B8751F3  mfc42.#6324
$+84     00404084 <>6B8D16B5  mfc42.#5486
$+88     00404088 <>6B87AC4B  mfc42.#4622
$+8C     0040408C <>6B83351D  mfc42.#4424
$+90     00404090 <>6B8FCF3C  mfc42.#3738
$+94     00404094 <>6B832E56  mfc42.#561
$+98     00404098 <>6B83C65B  mfc42.#825
$+9C     0040409C <>6B845862  mfc42.#815
$+A0     004040A0 <>6B870D3E  mfc42.#641
$+A4     004040A4 <>6B86CBA6  mfc42.#656
$+A8     004040A8 <>6B871522  mfc42.#2514
$+AC     004040AC <>6B83C735  mfc42.#6847
$+B0     004040B0 <>6B871039  mfc42.#4376
$+B4     004040B4 <>6B871019  mfc42.#4853
$+B8     004040B8 <>6B8434B9  mfc42.#6867
$+BC     004040BC <>6B870DC8  mfc42.#6052
$+C0     004040C0 <>6B871046  mfc42.#1775
$+C4     004040C4 <>6B8711E5  mfc42.#5280
$+C8     004040C8 <>6B873D9A  mfc42.#4431
$+CC     004040CC <>6B8FE35D  mfc42.#3597
$+D0     004040D0 <>6B8751F3  mfc42.#6324
$+D4     004040D4 <>6B83406D  mfc42.#5162
$+D8     004040D8 <>6B834179  mfc42.#6365
$+DC     004040DC <>6B8336B7  mfc42.#4407
$+E0     004040E0 <>6B83C735  mfc42.#6847
$+E4     004040E4 <>6B83330B  mfc42.#2385
$+E8     004040E8 <>6B833763  mfc42.#5163
$+EC     004040EC <>6B8443EF  mfc42.#4079
$+F0     004040F0 <>6B87A712  mfc42.#4353
$+F4     004040F4 <>6B846485  mfc42.#5290
$+F8     004040F8 <>6B83C49A  mfc42.#3798
$+FC     004040FC <>6B847663  mfc42.#4837
$+100    00404100 <>6B83A92F  mfc42.#4441
$+104    00404104 <>6B85EBD5  mfc42.#2648
$+108    00404108 <>6B85EBC9  mfc42.#2055
$+10C    0040410C <>6B85FAFD  mfc42.#6376
$+110    00404110 <>6B8751F3  mfc42.#6324
$+114    00404114 <>6B85E47C  mfc42.#5065
$+118    00404118 <>6B83EA2A  mfc42.#1727
$+11C    0040411C <>6B847506  mfc42.#5261
$+120    00404120 <>6B844B09  mfc42.#2446
$+124    00404124 <>6B840549  mfc42.#2124
$+128    00404128 <>6B83C735  mfc42.#6847
$+12C    0040412C <>6B82B38D  mfc42.#3402
$+130    00404130 <>6B85E462  mfc42.#4627
$+134    00404134 <>6B82DF2E  mfc42.#3610
$+138    00404138 <>6B83F055  mfc42.#1146
$+13C    0040413C <>6B82B1D0  mfc42.#1168
$+140    00404140 <>6B833286  mfc42.#567
$+144    00404144 <>6B870E2D  mfc42.#324
$+148    00404148 <>6B8721A2  mfc42.#2302
$+14C    0040414C <>6B82BEB8  mfc42.#4234
$+150    00404150 <>6B82FF89  mfc42.#823
$+154    00404154 <>6B831776  mfc42.#1575
$+158    00404158 <>6B87A79E  mfc42.#3092
$+15C    0040415C <>6B870FAE  mfc42.#4710
$+160    00404160 <>6B83335F  mfc42.#2379
$+164    00404164 <>6B84AE61  mfc42.#755
$+168    00404168 <>6B847EA1  mfc42.#470
$+16C    0040416C <>6B83B13A  mfc42.#800
$+170    00404170 <>6B84630C  mfc42.#6199
$+174    00404174 <>6B8755F5  mfc42.#3499
$+178    00404178 <>6B8750C8  mfc42.#2515
$+17C    0040417C <>6B87530B  mfc42.#355
$+180    00404180 <>6B87A98F  mfc42.#3876
$+184    00404184 <>6B83B258  mfc42.#860
$+188    00404188 <>6B847F56  mfc42.#3873
$+18C    0040418C <>6B85C301  mfc42.#922
$+190    00404190 <>6B83B840  mfc42.#858
$+194    00404194 <>6B85C384  mfc42.#924
$+198    00404198 <>6B841B4A  mfc42.#537
$+19C    0040419C <>6B846EB1  mfc42.#2725
$+1A0    004041A0 <>6B88AC3A  mfc42.#5302
$+1A4    004041A4 <>6B88A586  mfc42.#5300
$+1A8    004041A8 <>6B83E952  mfc42.#3346
$+1AC    004041AC <>6B88A37C  mfc42.#2396
$+1B0    004041B0 <>6B84267F  mfc42.#5199
$+1B4    004041B4 <>6B842AEA  mfc42.#1089
$+1B8    004041B8 <>6B8482AB  mfc42.#3922
$+1BC    004041BC <>6B8444F4  mfc42.#5731
$+1C0    004041C0 <>6B88B0DE  mfc42.#2512
$+1C4    004041C4 <>6B83E818  mfc42.#2554
$+1C8    004041C8 <>6B88AF27  mfc42.#4486
$+1CC    004041CC <>6B88ADB2  mfc42.#6375
$+1D0    004041D0 <>6B82C7A8  mfc42.#4274
$+1D4    004041D4 <>6B833659  mfc42.#6374
$+1D8    004041D8 <>6B88BCD0  mfc42.#4673
$+1DC    004041DC   00000000
$+1E0    004041E0 <>76FB27CE  msvcrt.__p__fmode
$+1E4    004041E4 <>76FB2804  msvcrt.__set_app_type
$+1E8    004041E8 <>76FCD770  msvcrt._except_handler3
$+1EC    004041EC <>76FAE1E1  msvcrt._controlfp
$+1F0    004041F0 <>76FB27C3  msvcrt.__p__commode
$+1F4    004041F4 <>770432EC  offset msvcrt._adjust_fdiv
$+1F8    004041F8 <>770377AD  msvcrt.__setusermatherr
$+1FC    004041FC <>76FAC151  msvcrt._initterm
$+200    00404200 <>76FB2BC0  msvcrt.__getmainargs
$+204    00404204 <>770404D8  offset msvcrt._acmdln
$+208    00404208 <>76FB36AA  msvcrt.exit
$+20C    0040420C <>76FCDC75  msvcrt._XcptFilter
$+210    00404210 <>7700B2C0  msvcrt._exit
$+214    00404214 <>76FB112D  msvcrt._onexit
$+218    00404218 <>76FAF509  msvcrt.__dllonexit
$+21C    0040421C <>76FAC4F0  msvcrt.tolower
$+220    00404220 <>76FA9CEE  msvcrt.malloc
$+224    00404224 <>76FBB2C4  msvcrt.fopen
$+228    00404228 <>76FC3495  msvcrt.__CxxFrameHandler3
$+22C    0040422C <>76FB3E00  msvcrt.fprintf
$+230    00404230   00000000
$+234    00404234 <>762A17B1  shell32.DragAcceptFiles
$+238    00404238 <>76395744  shell32.DragQueryFileA
$+23C    0040423C   00000000
$+240    00404240 <>7532452A  user32.GetScrollInfo
$+244    00404244 <>7532467A  user32.ShowScrollBar
$+248    00404248 <>7532B463  user32.DrawIcon
$+24C    0040424C <>753208E5  user32.GetClientRect
$+250    00404250 <>75317467  user32.GetSystemMetrics
$+254    00404254 <>75322EFA  user32.IsIconic
$+258    00404258 <>7532AF26  user32.wsprintfA
$+25C    0040425C <>75323F54  user32.EnableWindow
$+260    00404260 <>7533EEF4  user32.SendMessageA
$+264    00404264 <>7531C9AC  user32.GetWindowLongA
$+268    00404268 <>7533EF4A  user32.SetWindowLongA
$+26C    0040426C <>75327B22  user32.SetWindowTextA
$+270    00404270 <>7768B768  ntdll_1a.NtdllDefWindowProc_A
$+274    00404274 <>7531D781  user32.LoadIconA
$+278    00404278 <>75327AF4  user32.CallWindowProcA
$+27C    0040427C   00000000

unpacked:

unpacked_.zip

[New Year - New Mind]

On 8/26/2023 at 9:06 AM, RADIOX said:

I don't know if so easy to do it or I did it wrong

Use this option when you dump it.

Regards.

sean.

Edited 3 hours ago by New Year - New Mind