ZenHAX
http://zenhax.com/

How Unpack Themida 2.x.x (WXP)
http://zenhax.com/viewtopic.php?f=4&t=1051
Page 5 of 5

Author:  kdn [ Fri Sep 16, 2016 1:26 am ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

CriticalError wrote:
Of course this is dumped in XP, not in 7. To make it work, you need to make changes in the code of the dumped file to run on Win7; it's simple, the kernel is different in XP than in 7.



OK, thanks, that makes sense I guess. If anyone else has done this, I would be keen to learn the method.

Author:  CriticalError [ Sun Oct 16, 2016 5:02 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

aluigi wrote:
@CriticalError
Maybe you can provide a zip containing the whole ollydbg folder already setup and with all the necessary plugins and modifications so that the users can just unzip and use it without looking for dead links and editing stuff.

Done mate, here is the OllyDbg folder I used before. I think all is there, but maybe not xD. It was a long time ago that I did it and left it, so well, it's still there and I hope it works.

http://www.mediafire.com/file/1xvqcqgux ... odbg110.7z

Author:  TetraMan [ Sat Dec 24, 2016 1:02 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

BUMP - just want to know if anybody has successfully used against any Themida 2.4 target.

TetraMan wrote:
Has anybody used this method against Themida 2.4?

I successfully unpacked an app protected by earlier Themida.

Now I am attempting unpacking of app protected by Themida 2.4

Some of the script popups are not appearing as expected (specifically, the very first popup during the first run - it does not appear... the application simply continues to run as normal), however, the script does produce a dump (unpacked) executable.

Upon running the unpacked version, however, it crashes with "... instruction at... referenced memory... The memory could not be read."

If anybody has successfully unpacked an app protected by Themida 2.4, did you use this method? Did the process go as outlined in the instructions? Did you do anything differently?

Author:  natibong [ Thu Jan 05, 2017 11:37 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

I'm Chung. I have a tool. Can you help me unpack it? Thank you very much.
My tool is: http://www.mediafire.com/file/pki28i5ko ... 281%29.rar

Author:  TetraMan [ Wed Jan 11, 2017 1:21 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Chung -

What version of Themida is your target protected by?
If it is Themida v2.4 or later, I have found these techniques may not work.

I have successfully used these techniques on targets protected by Themida v2.3 and earlier. However, my latest target is protected by Themida v2.4 and these techniques do not seem to work properly. The unpacked application throws errors. Also, the normal screens/windows did not appear during the unpacking process.

Author:  natibong [ Sun Jan 15, 2017 6:20 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi. My tool is protected by Themida v2.3 or earlier. Can you help me?

Author:  natibong [ Mon Jan 16, 2017 10:15 am ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi TetraMan! I used Protection ID v0.6.6.7 (December) to check the version. The tool is protected by Themida v2.0.1.0 - v2.1.8.0. Can you help me unpack it? Thanks!

Author:  TetraMan [ Mon Jan 16, 2017 4:14 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

While this "How Unpack Themida 2.x.x" approach does not seem to work with targets protected by Themida > v2.4, you should find the process will work for you in unpacking your older target.

You will need the tools listed in earlier posts, e.g. Olly and others. I use VMware Workstation to host a clean installation of Windows XP (32-bit). I am certain you can find both of those things available on the web. You can then easily follow the excellent instructions in earlier posts to this thread and unpack your target!

Author:  FrankRizzo [ Fri Mar 17, 2017 4:31 am ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi guys. I have the same issue as a previous poster, and I didn't see it answered, so I'll ask for us both again.

I'm using a 32-bit Windows 7 VM. (ESXi). I have Olly 1.10, and all the plug-ins. I have my ollydbg.ini configured correctly, and I get to the step right after "Disable Noppers" and my target pops up a message box.

In the script window, I see this:

Code:
If WL doesn't use a MessageBoxExA API to show you the HWID nag
or other messages then it used custom code. In this case just pause
the script if you see the message, then pause Olly, open call stack and
set a soft BP from where it was called from = after message loop. Now
remove BP again and set the script EIP on the label......

CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE

and then just resume the script. ;)



This is good advice, but seems to be missing a key component.

I pause the script, then pause olly, ALT-K to bring up the call stack, find the correct place, set the BP. Then what?

Set it
Unset it
adjust the script EIP to the CUSTOM_HWID_ label, and resume?

If so, what's the point of the BP?

Author:  supervirus5 [ Tue Jun 27, 2017 10:48 am ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Don't download : odbg110.7z from the Mediafire link

The file is INFECTED With Trojan.Win32.Swisyn.bner

And it infects .exe files. If you have downloaded it, I suggest downloading Kaspersky Antivirus Removal Tool and running a full scan on the system.


@Mods @Moderators Request Delete the link

Author:  aluigi [ Tue Jun 27, 2017 12:49 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

@supervirus5
I guess you are a newbie in this field, so:
1) you do NOT need that file, read viewtopic.php?p=18090#p18090
2) new to reverse engineering and advanced tools? welcome to false positives!
3) CriticalError is a well-respected and trusted user
4) don't worry, it's not your fault, as I said that's normal if you are new to this stuff. Enjoy reverse engineering and learn

Author:  Mwyann [ Sat Sep 02, 2017 1:38 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi,

I don't know if I can ask here, but I tried this method on some unmaintained software that can't run on Win10 because of WinLicense ("internal exception occurred (Address: 0x0)"). The script returned an .exe that looks like it's unpacked, but it won't run (exception 0xc0000005), so maybe I didn't unpack everything.

Protection ID 0.6.8.5 says this:
Code:
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
[!] VM Protect  detected !

After unpacking :
Code:
[!] VM Protect (* unknown *) detected !

Can someone give me a hand on this, or could maybe do it for me? Thanks in advance :-)
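Two posters in this thread (TetraMan's "The memory could not be read" and Mwyann's exception 0xc0000005) describe a dump that the script produced but that crashes when run. One cause of exactly that symptom is an import table that was written out with the addresses the process had at dump time, instead of the name/ordinal thunks the Windows loader needs to re-resolve on the next machine: the loader leaves those slots alone, the first API call jumps to garbage, and the program dies with an access violation. The following added example (it is not the script's, CriticalError's, or any poster's code, and the thread does not confirm this is the cause of their crashes) is a small stdlib-only Python triage tool that walks the import directory of a 32-bit PE and classifies each IAT slot as "ok" (matches the ILT), "live-address" (points outside the image, so a leftover runtime address), "redirected-into-image" (points into the protector's own code inside the image) or "no-ilt" (no original thunk table, nothing to compare against). The two sample files it checks are constructed in memory; the 0x7C80B741 and 0x401500 values are made-up examples, not real addresses from any target.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000


def read_cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)


def parse_pe(data):
    """Return (ImageBase, SizeOfImage, import dir RVA, sections) of a PE32 file."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # start of the optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    imp_rva, = struct.unpack_from("<I", data, opt + 104)  # DataDirectory[1] = imports
    sh = opt + opt_size                      # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, sh + i * 40 + 8)
        sections.append((va, vsize, raw, rawsize))
    return image_base, size_of_image, imp_rva, sections


def audit_iat(data):
    """Classify every IAT slot; returns a list of (dll, symbol, slot value, status)."""
    image_base, size_of_image, imp_rva, sections = parse_pe(data)
    findings = []
    desc = rva_to_off(sections, imp_rva)
    while True:
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and iat_rva == 0:   # all-zero descriptor terminates the array
            break
        dll = read_cstr(data, rva_to_off(sections, name_rva))
        if ilt_rva == 0:                     # no original thunks: names cannot be recovered
            findings.append((dll, "*", 0, "no-ilt"))
        else:
            ilt = rva_to_off(sections, ilt_rva)
            iat = rva_to_off(sections, iat_rva)
            while True:
                ilt_e, = struct.unpack_from("<I", data, ilt)
                iat_e, = struct.unpack_from("<I", data, iat)
                if ilt_e == 0:
                    break
                if ilt_e & IMAGE_ORDINAL_FLAG32:
                    sym = "#%d" % (ilt_e & 0xFFFF)
                else:
                    sym = read_cstr(data, rva_to_off(sections, ilt_e) + 2)  # skip hint
                if iat_e == ilt_e:
                    status = "ok"                       # loader will resolve it
                elif image_base <= iat_e < image_base + size_of_image:
                    status = "redirected-into-image"    # points at code inside the dump
                else:
                    status = "live-address"             # stale address of another module
                findings.append((dll, sym, iat_e, status))
                ilt += 4
                iat += 4
        desc += 20
    return findings


def build_sample_dump(iat_values):
    """Construct a minimal PE32 with one .idata section importing three KERNEL32 names."""
    sec = bytearray(0x200)                   # section raw data, RVA 0x1000 -> offset 0x200
    struct.pack_into("<IIIII", sec, 0x00, 0x1040, 0, 0, 0x1080, 0x1060)  # descriptor
    names = [(0x1090, b"ExitProcess"), (0x10A0, b"GetTickCount"), (0x10B0, b"CreateFileA")]
    for i, (rva, name) in enumerate(names):
        struct.pack_into("<I", sec, 0x40 + 4 * i, rva)        # ILT: by-name thunks
        struct.pack_into("<I", sec, 0x60 + 4 * i, iat_values[i])  # IAT: caller-supplied
        sec[rva - 0x1000:rva - 0x1000 + 3 + len(name)] = b"\0\0" + name + b"\0"
    sec[0x80:0x8D] = b"KERNEL32.dll\0"
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)           # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)     # section/file alignment
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x200)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, 0x1000, 40)       # import directory
    sh = opt + 0xE0
    hdr[sh:sh + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sh + 8, 0x200, 0x1000, 0x200, 0x200)
    return bytes(hdr + sec)


# Constructed inputs: a clean file whose IAT mirrors its ILT, and a "dump" whose second
# slot still holds a made-up runtime address and whose third slot was redirected inward.
SAMPLE_CLEAN = build_sample_dump([0x1090, 0x10A0, 0x10B0])
SAMPLE_DUMP = build_sample_dump([0x1090, 0x7C80B741, 0x401500])

if __name__ == "__main__":
    for dll, sym, value, status in audit_iat(SAMPLE_DUMP):
        print("%-14s %-14s %08x %s" % (dll, sym, value, status))
```

A dump that reports only "ok" slots has a loader-usable import table, so a crash has another cause (wrong entry point, missing relocations, stolen bytes, the protector's VM still being reached). "live-address" slots cannot be repaired from the file alone: the names have to be recovered by resolving those addresses against the module list of the process the dump was taken from, which is what the script's IAT patching step and dedicated import-reconstruction tools do, and it is why the rebuild has to happen on the same machine and OS where the target was dumped.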

Author:  CriticalError [ Sat Sep 02, 2017 7:46 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

First, as said before, you need to do it via an XP virtual machine. After unpacking, the exe is not just going to run and that's all; you need to debug it and fix problems so it runs properly.

Author:  Mwyann [ Sat Sep 02, 2017 8:23 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

I did unpack in a WinXP virtual machine. Unfortunately, I don't have the required knowledge to debug and fix the problems, that's why I'm asking here if someone could help me out on this :-)

Author:  Mwyann [ Fri Sep 08, 2017 1:23 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

EDIT: I managed to unpack a slightly different version, and it works now! But it broke the registration algorithm, so I have to patch it.

Author:  seedkey2005 [ Sun Sep 17, 2017 7:47 pm ]
Post subject:  Re: How Unpack Themida 2.x.x (WXP)

Hi guys!

I used this script many times successfully ... now on this target I get a message "An internal exception occurred .... Please, contact support@o*****.com. Thank you!". It pops up after the Log Window says "IAT WAS MANUALLY PATCHED!" and a Hardware BP was handled and 2 more modules loaded.

I'm running Olly on WXP on VMware.

Thanks for any advice

best regards

S
