I am trying to compile Unlicense
https://github.com/ergrelet/unlicense

I've installed vs_BuildTools.exe VS 2022
However when I run:
pip install git+https://github.com/ergrelet/unlicense.git
I get:
https://ibb.co/BKPT5MHf
How to fix the above error?

Edited Monday at 12:51 PM2 days by CodeExplorer

Unfortunately you didn't include the entire command-line and the whole log. In general, this VS error indicates that VS cannot find the required include files. You either didn't run it from the "Developer command prompt for VS 2022" OR you don't have the the correct SDKs of Visual Studio installed, OR the PATH variable is borked in some way..

There are several workarounds:

Option A: use a Python version from that time period. In my tests Python v3.9 works out of the box and doesn't even need VS Build Tools.

Option B: change version requirements for the project:
1) make a folder for unlicense, say c:\projects\unlicense
2) open command prompt, change to that folder and clone the unlicense repo there: git clone https://github.com/ergrelet/unlicense.git . Or just download ZIP and unpack it into that folder.
3) edit pyproject.toml to change versions of python packages. For you, the most important is the xxhash version, pick one where there is a pre-compiled wheel file available for your version of Python. I'd use "^3.6" there, it seems to be compatible. If that does not work, try "^3.1", that's the oldest version with a pre-built v3.11 wheel. That should be enough for you.
4) run pip install . - it should run build process, find the pre-built packages in PyPI and happily use them, instead of compiling xxhash from source.

Option C: try installing/building xxhash package and figure out what went wrong. Ain't got no time for that..

Edited Monday at 07:08 PM2 days by kao

Many thanks. Python v3.9 did the trick.
Other command line I have to run:
pip install poetry
pip install yapf
poetry run unlicense

instead of
poetry run yapf -r -d unlicense

And here is my first fix: fixed jmp dword ptr [import thunk]
on old version was wrongly fixed by call dword ptr.

imports_fixed1.rar

What a coincidence, I downloaded unlicense today. Is unlicense still the best and most up-to-date tool for Themida/WinLicense?

4 hours ago, rafaelcoisa said:

What a coincidence, I downloaded unlicense today. Is unlicense still the best and most up-to-date tool for Themida/WinLicense?

I may be revealing a secret, but Unlicense has never worked for applications with non-standard Themida/WinLicense protection settings.

20 minutes ago, InvizCustos said:

I may be revealing a secret, but Unlicense has never worked for applications with non-standard Themida/WinLicense protection settings.

I think you probably wrong. Download NinjaTrader 8.1.4.1 December 17, 2024. Take the Agile dll files and drop in it. It works. The strings are there, the routines for decrypting and encrypting, the clr hook via getJit and all. Now, It works fully? no. but there maybe a way to make it work fully.

Edited Tuesday at 10:36 PM1 day by rafaelcoisa

4 minutes ago, rafaelcoisa said:

I think you probably wrong. Download NinjaTrader 8.1.4.1 December 17, 2024. Take the Agile dll files and drop in it. It works. The strings are there, the routines for decrypting and encrypting, the clr hook via getJit and all. Now, It works fully? no. but there maybe a way to make it work fully.

You can check Unlicense, for example, on this target. This target is protected using Themida v3, but with non-standard protection options.

12 hours ago, InvizCustos said:

You can check Unlicense, for example, on this target. This target is protected using Themida v3, but with non-standard protection options.

That target is protected by Themida v3, it fails to auto-detect the version; i have manually fix it but can't restore any imports. Wondering what Themida options are being used?

I can't even debug the file in x96dbg with ScyllaHide;
for Themida I usually only have to mark BeingDebugged, NtQueryInformationProcess and all DRx Protection flags.

14 minutes ago, CodeExplorer said:

I can't even debug the file in x96dbg with ScyllaHide;

Even TitanHide won't help against this target

15 minutes ago, CodeExplorer said:

for Themida I usually only have to mark BeingDebugged, NtQueryInformationProcess and all DRx Protection flags.

This is because most people do not know how to properly configure the protection options for Themida.

Most just use the default settings.

NtUserGetForegroundWindow also has to marked for some advanced targets

In my tests Unlicense has some problems with virtualized entry points: sometimes the targets starts, sometimes it doesn't start.

1 hour ago, CodeExplorer said:

Wondering what Themida options are being used?

This setting breaks existing public unpackers

Edited 22 hours ago22 hr by InvizCustos

"THEMIDA OPTION_ADVANCED_OEP_IAT_SCRAMBLE" refers to a specific, advanced protection option within the Themida software protection tool. It is a setting that scrambles the Import Address Table (IAT) to make it harder for attackers to analyze the application's functions at the Original Entry Point (OEP), a key target for software cracking

• What it is: It's a Themida protection feature that modifies the Import Address Table (IAT).

• How it works: By scrambling the IAT, the option makes it significantly more difficult for attackers to identify and analyze the functions the program uses at its Original Entry Point (OEP).

• Purpose: The goal is to enhance the security of the application by complicating reverse-engineering and cracking attempts that often rely on manipulating the OEP and IAT. 

OPTION_ADVANCED_OEP_IAT_SCRAMBLE
VALUE YES

Edited 22 hours ago22 hr by CodeExplorer

3 hours ago, CodeExplorer said:

"THEMIDA OPTION_ADVANCED_OEP_IAT_SCRAMBLE" refers to a specific, advanced protection option within the Themida software protection tool. It is a setting that scrambles the Import Address Table (IAT) to make it harder for attackers to analyze the application's functions at the Original Entry Point (OEP), a key target for software cracking

• What it is: It's a Themida protection feature that modifies the Import Address Table (IAT).

• How it works: By scrambling the IAT, the option makes it significantly more difficult for attackers to identify and analyze the functions the program uses at its Original Entry Point (OEP).

• Purpose: The goal is to enhance the security of the application by complicating reverse-engineering and cracking attempts that often rely on manipulating the OEP and IAT. 

OPTION_ADVANCED_OEP_IAT_SCRAMBLE
VALUE YES

By any chance you got hwid themida crackme? Any VM and any version if possible or Themida DL so i can make one myself and see how they are doing it ( i know its out of context sorry ).

2 hours ago, iced said:

By any chance you got hwid themida crackme? Any VM and any version if possible or Themida DL so i can make one myself and see how they are doing it ( i know its out of context sorry ).

I don't have hwid themida crackme. I have licensed Themida v3.1.8.0 Themida v3.2.2.22.
Can someone test this, specially build for OPTION_ADVANCED_OEP_IAT_SCRAMBLE,
but it must find OEP for standard options also.
It is an x96dbg script; my first fixed x96dbg script: Themida v2.x.x.x OEP Finder fixed.txt
https://workupload.com/file/n7nE5xJ9vCM