How Unpack Themida 2.x.x (WXP)
Page 5 of 5

Author:  kdn [ Fri Sep 16, 2016 1:26 am ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

CriticalError wrote:
ofc this is dumped in XP no in 7, for make it work, you need make changes in the code of the dumped file to run into Win7, thats simple the kernel is different in XP than 7.

ok thanks that makes sense I guess, if anyone else has done this would be keen to learn the method.

Author:  CriticalError [ Sun Oct 16, 2016 5:02 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

aluigi wrote:
Maybe you can provide a zip containing the whole ollydbg folder already setup and with all the necessary plugins and modifications so that the users can just unzip and use it without looking for dead links and editing stuff.

done mate, here is the ollydbg folder I use before I think all is there but maybe not xD long time ago doing it and leave it so well it still there and hope it works.

http://www.mediafire.com/file/1xvqcqgux ... odbg110.7z

Author:  TetraMan [ Sat Dec 24, 2016 1:02 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

BUMP - just want to know if anybody has successfully used against any Themida 2.4 target.

TetraMan wrote:
Has anybody used this method against Themida 2.4?

I successfully unpacked an app protected by earlier Themida.

Now I am attempting unpacking of app protected by Themida 2.4

Some of the script popups are not appearing as expected (specifically, the very first popup during the first run - it does not appear... the application simply continues to run as normal), however, the script does produce a dump (unpacked) executable.

Upon running the unpacked version, however, it crashes with "... instruction at... referenced memory... The memory could not be read."

If anybody has successfully unpacked an app protected by Themida 2.4, did you use this method? Did the process go as outlined in the instructions? Did you do anything differently?

Author:  natibong [ Thu Jan 05, 2017 11:37 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

I'm Chung. I have a tools. Can you help me unpack. Thanh you verymuch.
My tool is: http://www.mediafire.com/file/pki28i5ko ... 281%29.rar

Author:  TetraMan [ Wed Jan 11, 2017 1:21 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Chung -

What version of Themida is your target protected by?
If it is Themida v2.4 or later, I have found these techniques may not work.

I have successfully used these techniques on targets protected by Themida v2.3 and earlier. However, my latest target is protected by Themida v2.4 and these techniques do not seem to work properly. The unpacked application throws errors. Also, the normal screens/windows did not appear during the unpacking process.

Author:  natibong [ Sun Jan 15, 2017 6:20 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi. My tool protected by Themida v2.3 and earlier. Can you help me?

Author:  natibong [ Mon Jan 16, 2017 10:15 am ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi TetraMan! I used Protection ID V0.6.6.7 December check vesion. The Tools is protecting by Themida v2.0.1.0 - v2.1.8.0. Can you help me unpack it. Thanks!

Author:  TetraMan [ Mon Jan 16, 2017 4:14 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

While this "How Unpack Themida 2.x.x" approach does not seem to work with targets protected by Themida > v2.4, you should find the process will work for you in unpacking your older target.

You will need the tools listed in earlier posts, eg: Olly and others. I use VMware workstation to host a clean installation of Windows XP (32bit). I am certain you can find both of those things available on the web. You can then easily follow the excellent instructions in earlier posts to this thread and unpack your target!

Author:  FrankRizzo [ Fri Mar 17, 2017 4:31 am ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi guys. I have the same issue as a previous poster, and I didn't see it answered, so I'll ask for us both again.

I'm using a 32-bit Windows 7 VM. (ESXi). I have Olly 1.10, and all the plug-ins. I have my ollydbg.ini configured correctly, and I get to the step right after "Disable Noppers" and my target pops up a message box.

In the script window, I see this:

If WL doesen't use a MessageBoxExA API to show you the HWID Nag 
or other messages then it used a custom code.In this case just pause
the script if you see the message then pause Olly open call stack and
set a soft BP from where it was called from = after message loop.Now
remove BP again and set the script eip on the label......


and then just resume the script. ;)

This is good advice, but seems to be missing a key component.

I pause the script, then pause olly, ALT-K to bring up the call stack, find the correct place, set the BP. Then what?

Set it
Unset it
adjust the script EIP to the CUSTOM_HWID_ label, and resume?

If so, what's the point of the BP?

Author:  supervirus5 [ Tue Jun 27, 2017 10:48 am ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Don't download : odbg110.7z from the Mediafire link

The file is INFECTED With Trojan.Win32.Swisyn.bner

And it infects .exe files if you have downloaded it i suggest downloading Kaspersky Antivirus Removal Tool and run a full scan on the system.

@Mods @Moderators Request Delete the link

Author:  aluigi [ Tue Jun 27, 2017 12:49 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

I guess you are a newbie in this field, so:
1) you do NOT need that file, read viewtopic.php?p=18090#p18090
2) new to reverse engineering and advanced tools? welcome to false positives!
3) CriticalError is a well respected and trusted user
4) don't worry, it's not your fault, as I said that's normal if you are new to this stuff. Enjoy reverse engineering and learn

Author:  Mwyann [ Sat Sep 02, 2017 1:38 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)


I don't know if I can ask here, but I tried this method on some unmaintained software that can't run on Win10 because of Winlicense ("internal exception occured (Address: 0x0)"). The script returned an .exe that looks like it's unpacked, but it won't run (exception 0xc0000005), so maybe I didn't unpack everything.

Protection ID says this:
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
[!] VM Protect  detected !

After unpacking :
[!] VM Protect (* unknown *) detected !

Can someone give me a hand on this, or could maybe do it for me? Thanks in advance :-)

Author:  CriticalError [ Sat Sep 02, 2017 7:46 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

first as say before you need do via virtual machine XP , after unpack exe is not only run and is all, you need debug it and fix problems to run properly.

Author:  Mwyann [ Sat Sep 02, 2017 8:23 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

I did unpack in a WinXP virtual machine. Unfortunately, I don't have the required knowledge to debug and fix the problems, that's why I'm asking here if someone could help me out on this :-)

Author:  Mwyann [ Fri Sep 08, 2017 1:23 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

EDIT: I managed to unpack a slightly different version, and it works now! But it broke the registration algorithm, so I have to patch it.

Author:  seedkey2005 [ Sun Sep 17, 2017 7:47 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi guys!

I used this script many times succesfully ... now on this target I get a message "An internal exception occurred .... Please, contact support@o*****.com. Thank you!". It pop out after the Log Window says "IAT WAS MANUALLY PATCHED!" and an Hardware BP was handled and 2 more modules loaded.

I'm running Olly on WXP on Vmware

Thanks for any advice

best regards


Author:  qwertyu131 [ Mon Oct 02, 2017 10:14 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Themida unpack error help pls.
I use script Themida - Winlicense Ultra Unpacker 1.4


Log data
Address    Message
           Themida - Winlicense Ultra Unpacker 1.4

019B0A0F   Breakpoint at 019B0A0F
019B0A10   Breakpoint at 019B0A10
019C0054   Breakpoint at 019C0054

           OS=x86 32-Bit
019C0056   Breakpoint at 019C0056
019F0021   Breakpoint at 019F0021
019F0028   Breakpoint at 019F0028

           5.772 MB +/-

           16.064 MB +/-

           Your target is a >>> Executable <<< file!

           PE HEADER:   400000 | 1000
           CODESECTION: 401000 | A53000
           PE HEADER till CODESECTION Distance: 1000 || Value of 1000 = Normal!
           Your Target seems to be a normal file!

           Unpacking of NET targets is diffrent!
           Dump running process with WinHex and then fix the whole PE and NET struct!

013AF000   Hardware breakpoint 1 at KnightOn.<ModuleEntryPoint>
01A0064B   Breakpoint at 01A0064B

           Overlay found & dumped to disk!

           Disasembling Syntax: MASM (Microsoft)     <=> OK

           Show default segments:               Enabled
           Always show size of memory operands: Enabled
           Extra space between arguments:       Disabled

           StrongOD Found!
           HidePEB=1          Enabled   = OK
           KernelMode=1       Enabled   = OK
           KillPEBug=1        Enabled   = OK
           SkipExpection=1    Enabled   = OK
           Custom Exceptions  Enabled   = 00000000-FFFFFFFF

           DRX=1              Enabled   = OK


           Basic Olly & Plugin Settings seems to be ok!
           No InfoBox to User to show now!

013AF009   Breakpoint at KnightOn.013AF009
013AF00B   Breakpoint at KnightOn.013AF00B

           XP System found - Very good choice!

           Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!

           Kernel Ex Table Start: 7C802644
01A4003F   Breakpoint at 01A4003F

           PE DUMPSEC:  VA 1A50000 - VS 30000
           PE ANTISEC:  VA 1A51000
           PE OEPMAKE:  VA 1A51600
           SETEVENT_VM: VA 1A521D0
           PE I-Table:  VA 1A53000
           VP - STORE:  VA 1A52F00
           and or...
           API JUMP-T:  VA 1A53000
01A4003F   Breakpoint at 01A4003F

           RISC VM Store Section VA is: 1A80000 - VS 200000
01A40041   Breakpoint at 01A40041
00F1FC72   Hardware breakpoint 1 at KnightOn.00F1FC72

           Found WL Intern Export API Access at: F20122

           Use this address to get all intern access WL APIs!
76B30000   Module C:\WINDOWS\system32\winmm.dll
7C809AF1   Hardware breakpoint 2 at kernel32.VirtualAlloc

           ---------- Loaded File Infos ----------

           Target    Base: 400000

           Kernel32  Base: 7C800000

           Kernel32  SORD: 7C8001F8 | 84000
           Kernel32  SORD: 7C800200

           User32    Base: 7E360000
           Advapi32  Base: 77DC0000

           WL Section: F1C000   |  2CC000

           WL Align:   EC55C014 |  EBP Pointer Value

           XBundler Prepair Sign not found!
           CISC VM is located in the Themida - Winlicense section F1C000 | 2CC000.

           VMWare Address: F1EBE8 | 0

           VMWare Checks are not Used & Disabled by Script!

           Auto XBundler Checker & Dumper is enabled!
           If XBunlder Files are found in auto-modus then they will dumped by script!
           If the auto XBunlder Dumper does fail etc then disable it next time!

           Anti Access Stop on Code Section was Set!

           Normal IAT Patch Scan Was Written!
01E60306   Hardware breakpoint 3 at 01E60306
7C810729   New thread with ID 000005C0 created
7C810729   New thread with ID 000001D4 created
7C810729   New thread with ID 000006B8 created
7C810729   New thread with ID 000003EC created
7C810729   New thread with ID 00000668 created
7C810729   New thread with ID 000006E0 created
7C810729   New thread with ID 00000104 created
7C810729   New thread with ID 00000524 created
7C810729   New thread with ID 00000100 created
7C810729   New thread with ID 000005BC created
7C810729   New thread with ID 000003A0 created
7C810729   New thread with ID 00000724 created
7C810729   New thread with ID 0000050C created
7C810729   New thread with ID 00000508 created
7C810729   New thread with ID 00000708 created
7C810729   New thread with ID 000001F4 created
7C810729   New thread with ID 000003F8 created
7C810729   New thread with ID 00000314 created
7C810729   New thread with ID 00000400 created
7C810729   New thread with ID 000003E0 created
7C810729   New thread with ID 000003F0 created
7C810729   New thread with ID 000006D8 created
7C810729   New thread with ID 000003F4 created
7C810729   New thread with ID 00000600 created
01E50033   Hardware breakpoint 1 at 01E50033
7C9001DB   Hardware breakpoint 3 at ntdll.7C9001DB

           Heap Prot was redirected!
4FE30000   Module C:\WINDOWS\system32\d3d9.dll
6DF30000   Module C:\WINDOWS\system32\d3d8thk.dll
77BF0000   Module C:\WINDOWS\system32\version.dll
73EE0000   Module C:\WINDOWS\system32\dsound.dll
71AC0000   Module C:\WINDOWS\system32\wsock32.dll
71AA0000   Module C:\WINDOWS\system32\ws2_32.dll
71A90000   Module C:\WINDOWS\system32\ws2help.dll
6D3B0000   Module C:\WINDOWS\system32\dinput8.dll
3FA50000   Module C:\WINDOWS\system32\wininet.dll
77F60000   Module C:\WINDOWS\system32\shlwapi.dll
03840000   Module C:\WINDOWS\system32\normaliz.dll
45300000   Module C:\WINDOWS\system32\urlmon.dll
400F0000   Module C:\WINDOWS\system32\iertutil.dll
773C0000   Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
7C810729   New thread with ID 000007E0 created
73B20000   Module C:\WINDOWS\system32\avifil32.dll
77BD0000   Module C:\WINDOWS\system32\msacm32.dll
75E20000   Module C:\WINDOWS\system32\msvfw32.dll
7C9B0000   Module C:\WINDOWS\system32\shell32.dll
10000000   Module C:\Mgame\KnightOnline\OpenAL32.dll
03AC0000   Module C:\Mgame\KnightOnline\libvorbisfile.dll
76C80000   Module C:\WINDOWS\system32\imagehlp.dll
76C80000   Unload C:\WINDOWS\system32\imagehlp.dll
011ADE75   Memory breakpoint when writing to [00401000]

011ADE77   Breakpoint at KnightOn.011ADE77
01E602AF   Breakpoint at 01E602AF

           First Found 4 Magic Jumps!
           MJ_1: 011C237F
           MJ_2: 011C23C5
           MJ_3: 011C23E5
           MJ_4: 011C2404

           Modern TM WL Version Found!

           --------  IAT RD DATA  ---------

           11092AE - CMP R32, 10000

           11C18C4 - Prevent Crasher

           11C237F - Prevent IAT RD
           11C23C5 - Prevent IAT RD
           11C23E5 - Prevent IAT RD
           11C2404 - Prevent IAT RD

5B2A0000   Module C:\WINDOWS\system32\uxtheme.dll
746F0000   Module C:\WINDOWS\system32\MSCTF.dll
75470000   Module C:\WINDOWS\system32\MSCTFIME.IME

Author:  CriticalError [ Fri Oct 06, 2017 2:06 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Please stop make post about errors, read carefully all thread, I won't give support for unpack it, i'm not a programmer and I do it few times and lucky no get errors, depend versions of themida you get different errors and need be fixed, the script won't do all, for run it you need make modifications for make it work exe,dll, so please stop bump topic asking for help, I can't do it, thanks for all and hope understand.

Page 5 of 5 All times are UTC
Powered by phpBB® Forum Software © phpBB Limited