Themida x32 v3.1.8.0

The Entry Point is virtualized.

2 Parts of the codes are also virtualized.

[Your Mission]

Just unpack this file and make it run well without any errors or termination.

No devirtualization is necessary.

File Information

Submitter lovejoy226

Submitted 02/12/2025

Category UnPackMe


Themida x32 v3.1.8.0

Solved by HostageOfCode


Think I figured out where the real OEP is; now the real issue is why my dump ain't working 😕

  • Author
8 hours ago, 14yoKID said:

Think I figured out where the real OEP is; now the real issue is why my dump ain't working 😕

00407483     | E8 3A040000        | call hashgen_protected_entry_vmed |
00407488     | 56                 | push esi                          |
00407489     | E8 CE0C0000        | call <JMP.&exit>                  |
0040748E     | FF75 E0            | push dword ptr ss:[ebp-20]        |
00407491     | E8 CC0C0000        | call <JMP.&_exit>                 |
00407496     | CC                 | int3                              |
00407497     | E9 46906D00        | jmp hashgen_protected_entry_vmed. |   OEP
0040749C     | 6A 3E              | push 3E                           |
0040749E     | 4F                 | dec edi                           |
0040749F     | A4                 | movsb                             |
004074A0     | 6C                 | insb                              |
004074A1     | 3B0D 40D04000      | cmp ecx,dword ptr ds:[40D040]     |
004074A7     | 75 01              | jne hashgen_protected_entry_vmed. |
004074A9     | C3                 | ret                               |
004074AA     | E9 89060000        | jmp hashgen_protected_entry_vmed. |
004074AF     | 55                 | push ebp                          |
004074B0     | 8BEC               | mov ebp,esp                       |
004074B2     | 8B45 08            | mov eax,dword ptr ss:[ebp+8]      |
004074B5     | 56                 | push esi                          |
004074B6     | 8B48 3C            | mov ecx,dword ptr ds:[eax+3C]     |
004074B9     | 03C8               | add ecx,eax                       |
004074BB     | 0FB741 14          | movzx eax,word ptr ds:[ecx+14]    |
004074BF     | 8D51 18            | lea edx,dword ptr ds:[ecx+18]     |
004074C2     | 03D0               | add edx,eax                       |

@14yoKID Dumping it at the OEP, you could not obtain a working binary. So I uploaded this unpackme.

I got this.

hashgen_protected_Entry_VMed_dump_SCY.zip

Is there anyone who can do it?

Many thanks in advance.

Regards.

sean.

Edited by New Year - New Mind

  • Author
10 hours ago, 14yoKID said:

Think I figured out where the real OEP is; now the real issue is why my dump ain't working 😕

@14yoKID try to unpack this.

Project1_ACProtected.zip

Regards.

sean.

  • 2 weeks later...
  • Solution

Hmm, expected Themida to be harder, but it was not even 5% harder to unpack than VMProtect.

hashgen_protected_Entry_VMed__fixed.exe

  • Author
Quote

The Entry Point is virtualized.

2 Parts of the codes are also virtualized.

[Your Mission]

Just unpack this file and make it run well without any errors or termination.

No devirtualization is necessary.

@HostageOfCode You have done it, man. Many thanks.

Regards.

sean.

Edited by New Year - New Mind

  • Author
1 hour ago, HostageOfCode said:

Hmm, expected Themida to be harder, but it was not even 5% harder to unpack than VMProtect.

hashgen_protected_Entry_VMed__fixed.exe 200 kB · 2 downloads

@HostageOfCode How to reduce the size of the dump?

My resulting dump is this, but its size is not reduced.

hashgen_protected_Entry_VMed_dump_SCY.zip

Regards.

sean.

2 hours ago, HostageOfCode said:

Hmm, expected Themida to be harder, but it was not even 5% harder to unpack than VMProtect.

I assume it depends on the protection settings. Try unpacking this target.

21 hours ago, New Year - New Mind said:

@HostageOfCode How to reduce the size of the dump?

My resulting dump is this, but its size is not reduced.

hashgen_protected_Entry_VMed_dump_SCY.zip 8.42 MB · 1 download

Regards.

sean.

Your IAT is not solved correctly. Put a BP on GetProcAddress and log all the APIs.

Tried to make it run with the virtualized functions, but without success so far. It uses IsProcessorFeaturePresent and other tricks to detect unpacking.

  • Author
1 hour ago, HostageOfCode said:

Your IAT is not solved correctly. Put a BP on GetProcAddress and log all the APIs.

Tried to make it run with the virtualized functions, but without success so far. It uses IsProcessorFeaturePresent and other tricks to detect unpacking.

@HostageOfCode Do you mean that it does not run in your system?

screenshot-65.png

It runs on my system after dumping, but the AddressOfEntryPoint is invalid?

And after rebooting my pc, it does not run.

Regards.

sean.

Edited by New Year - New Mind
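Added example (not code from any poster in this thread, nor from the dumps attached to it): a small header checker for a 32-bit PE dump that tests the two things raised above, whether AddressOfEntryPoint lands inside an executable section, and whether every import thunk the loader will read is an RVA inside the image rather than a leftover live address. The PE image, the KERNEL32.dll import names and the 0x76F1xxxx "live" addresses are all constructed inline for the demo; `build_sample` and `check_dump` are names chosen here, not tools the thread mentions.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_ORDINAL_FLAG32 = 0x80000000


def _sections(data, nt):
    """Yield (name, va, vsize, raw_ptr, raw_size, flags) for every section header."""
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    hdr = nt + 24 + opt_size
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, hdr + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize, flags


def _rva_to_off(secs, rva):
    """Map an RVA to a file offset; headers map 1:1, anything outside all sections is None."""
    if secs and rva < secs[0][1]:
        return rva
    for _, va, vsize, rptr, rsize, _ in secs:
        if va <= rva < va + max(vsize, rsize):
            return rptr + (rva - va)
    return None


def _cstr(data, off):
    if off is None:
        return "<unresolvable>"
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def check_dump(data):
    """Report entry-point placement and import-thunk sanity for a PE32 dump."""
    problems, imports = [], {}
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[nt:nt + 4] != b"PE\0\0":
        return {"entry_section": None, "imports": imports, "problems": ["not a PE file"]}
    opt = nt + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        problems.append("optional header magic is not PE32")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]          # data directory[1] = imports
    secs = list(_sections(data, nt))
    entry_section = None
    for name, va, vsize, _, rsize, flags in secs:
        if va <= entry < va + max(vsize, rsize):
            entry_section = name
            if not flags & IMAGE_SCN_MEM_EXECUTE:
                problems.append(f"AddressOfEntryPoint 0x{entry:x} lies in non-executable section {name}")
    if entry_section is None:
        problems.append(f"AddressOfEntryPoint 0x{entry:x} is outside every section")
    desc_off = _rva_to_off(secs, imp_rva) if imp_rva else None
    while desc_off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0 and ft == 0:
            break                                                    # null descriptor ends the table
        dll = _cstr(data, _rva_to_off(secs, name_rva))
        if oft == 0:
            problems.append(f"{dll}: OriginalFirstThunk is 0, so the loader reads names from the IAT itself")
        thunk_off, names = _rva_to_off(secs, oft or ft), []
        while thunk_off is not None:
            val = struct.unpack_from("<I", data, thunk_off)[0]
            if val == 0:
                break
            if val & IMAGE_ORDINAL_FLAG32:
                names.append(f"ordinal#{val & 0xFFFF}")
            elif val >= size_of_image or _rva_to_off(secs, val) is None:
                problems.append(f"{dll}: thunk 0x{val:08x} is not an RVA inside the image (looks like a live address)")
                names.append(f"<bad 0x{val:08x}>")
            else:
                names.append(_cstr(data, _rva_to_off(secs, val) + 2))  # skip the 2-byte hint
            thunk_off += 4
        imports[dll] = names
        desc_off += 20
    return {"entry_section": entry_section, "imports": imports, "problems": problems}


def build_sample(broken):
    """Constructed PE32 image with RVA == file offset (section and file alignment 0x1000)."""
    img = bytearray(0x2000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    nt, opt = 0x40, 0x58
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, one section
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 16, 0 if broken else 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x1000)          # ImageBase, alignments
    struct.pack_into("<IIIH", img, opt + 56, 0x2000, 0x400, 0, 3)              # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem
    struct.pack_into("<I", img, opt + 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 104, 0x1100, 40)                        # import directory RVA / size
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0, b".text", 0x1000, 0x1000, 0x1000, 0x1000, 0, 0, 0, 0, 0x60000020)
    img[0x1000] = 0xC3                                                         # stand-in code at the entry point
    img[0x1200:0x1200 + 13] = b"KERNEL32.dll\0"
    for i, api in enumerate((b"GetProcAddress", b"IsProcessorFeaturePresent")):
        img[0x1400 + 0x20 * i:0x1400 + 0x20 * i + 3 + len(api)] = b"\0\0" + api + b"\0"  # hint + name
    struct.pack_into("<3I", img, 0x1300, 0x1400, 0x1420, 0)                    # import name table (INT)
    # A healthy file keeps name RVAs in the IAT; a bad dump keeps whatever addresses were live when it was taken.
    iat = (0x76F1A2B3, 0x76F1C4D5, 0) if broken else (0x1400, 0x1420, 0)       # constructed fake kernel32 VAs
    struct.pack_into("<3I", img, 0x1380, *iat)
    struct.pack_into("<IIIII", img, 0x1100, 0 if broken else 0x1300, 0, 0, 0x1200, 0x1380)
    return bytes(img)


if __name__ == "__main__":
    for label in ("clean", "broken"):
        print(label, check_dump(build_sample(label == "broken")))
```

The checker only reads headers; it does not rebuild anything. The point of the thunk test is the symptom described above: when a dump ships with OriginalFirstThunk cleared, the loader treats the IAT itself as the name table, so resolved addresses left in it only keep working while the system DLLs load at the same base, and under ASLR those bases change at the next boot. A dump that runs until a reboot and then stops is consistent with that, which is why logging the real API names at GetProcAddress and writing them back as proper thunks matters more than shrinking the file.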
