ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Fri Aug 18, 2017 3:06 am

All times are UTC




Post new topic  Reply to topic  [ 91 posts ]  Go to page 1 2 3 4 5 Next
Author Message
PostPosted: Wed Jun 17, 2015 3:15 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
Hello everybody,

Today I will be showing you all how you can unpack a sample which is packed with Themida. This tutorial will show you how to do the process without requiring you to manually use a debugger yourself.

What you will learn in this thread:
- What Themida is
- A bit about how Themida works
- Why packers/obfuscators may be used not only with malicious software but also with safe, legitimate software
- Why unpacking is useful to Malware Analysis
- How you can unpack samples packed by Themida without requiring knowledge of how to use a Debugger yourself manually

1). What Themida is
Themida is software specifically engineered to help software stay better protected from being cracked and/or having its source code stolen.

If someone comes along and they can read the code you wrote for your software, if you have not made the software opensource and did not wish the code to be given out and/or read by someone, would you be happy about them having found a way to read your source code? I don't think you would.

The purpose of Themida is to help prevent the protected software from becoming vulnerable to reverse engineering attempts. It can also help against piracy.

2). A bit about how Themida works
Themida will pack the executable. When you execute the packed sample, it will unpack the executable in memory and use that to continue executing and do what it is meant to do. If the unpacking of the packed executable into memory fails for whatever reason, then the program will not work.

3). Why packers may be used in legitimate software
Packers may be used in legitimate software so the developer's software is better protected against attacks. If someone can read your code, or use Disassembly to understand how it works, they can try to find vulnerabilities and then use them to create zero-day exploits.

Packers are also quite frequent with malware. Your Antivirus product may pick up detections for software packed in a certain way/type of packer used.

4). Why unpacking is useful in Malware Analysis
If the sample is packed, then this essentially protects against Disassembly. We won't be able to understand how the program works; we'll just be reading the instructions from the packer wrapper, for example the unpacking process itself. However, we want the original executable (unpacked executable) and we want to perform Disassembly with that executable so we can try to make sense of and understand how the program works, to know if it's malicious or not.

5). How we can actually identify and unpack Themida packed executables
To start off, you'll need a few things:

Tools


OllyDBG Plugins


Script


OK, the first thing we need to do is set the path to your "ARImpRec.dll" in the Themida - Winlicense Ultra Unpacker 1.4.txt, so we open the txt with Notepad and search for it.

Quote:
HERE_ENTER_YOUR_DLL_PATH_TO_ARIMPREC_DLL:
mov ARIMPREC_PATH, "C:\Documents and Settings\Admin\Desktop\OllyDBG\plugin\ARImpRec.dll"


Open up ProtectionID and, as you can see, the first icon looks like a paper with a pencil; press there and drop your executable. It should process the information (if it can). As we can see in the screenshot below, it detects the Themida packing:

Image

OK, after checking that, we unpack OllyDBG in a path we want; for example, mine is on the Desktop: C:\Documents and Settings\Admin\Desktop\OllyDBG.

So now we create a folder called plugin inside the OllyDBG folder, and inside it we extract all the plugins we downloaded, so it needs to look like this.

Image
Image

PS: delete PSAPI.DLL from the main folder of OllyDBG.

Ok so now we are ready to start with it.

1. The first time we open Olly we need to set the plugin directory because it is not configured. To do it we go to Options -> Appearance, and in the Directories tab we can set where we stored the plugins, so do it, press OK and restart Olly.

Image

2. So now the next time we open Olly we see the plugins loaded.

Image

3. OK, now we open the target to unpack (or just press F3). After it is opened we get a pop-up; just press Yes and the file continues analysing, just wait for it to finish.

Image

4. Now press F9 to run it and, as you can see, we get a pop-up; don't worry, just press OK and the debugging is terminated.

Image
Image

5. Good, the next move is to run the script. For this we go to the Plugins menu -> ODBGScript -> Run Script and we search for the "Themida - Winlicense Ultra Unpacker 1.4.txt" downloaded before.

6. OK, after we load it nothing happens because we terminated the debugging before, so what we need to do is reopen the target; just press the X to close the target.

7. After reopening the target, run the script again, or if you get this pop-up asking to begin the unpacking process, we press Yes.

Image

OK, on the next one we press No.

Image

So now the unpacking process has begun. We can check the status in the bottom bar on the right side of the screen. After some seconds we get a pause; now, to resume and continue unpacking, maximize the main thread window, right click and go to Script Functions -> Script Window. Now we have a Script window open; right click there and press Resume.

Image

8. So now we get a pop-up telling us that we need to modify some values in "ollydbg.ini"; after that we need to restart Olly and resume the script.

Image

9. So now we repeat the steps done before (open the target, run the script, etc.). After we finish we get this at the end.

Image

PS: remember to close OllyDBG after opening the .ini.

10. OK, we press Yes and in the Script Execution window press right click and Resume.

11. Good, now this part is very important: if we are running in VMware we need to select Yes; if we are running on a normal OS just press No.

Image

12. Now we get another pop-up. In my case I select Modern Scan, not Simple; it uses more checks.

Image

13. OK, in this one we select No.

Image

14. OK, after it finishes we get a new pop-up; there I press Yes.

Image

15. Finally the job is done, as you can see there. Now we can see the dumped file, so we press Yes to use this data.

Image

16. As the script says, we choose No the first time; if we get any problem after pressing No, repeat the process and the next time just press Yes, just in case.

Image

17. OK, this pop-up asks whether to compress the dumped file, but in this case we won't do it because it is a good size; it is not a file of 120MB or 200MB, so I think it is fine to press No.

Image

18. OK, after all this we finally have the dumped file in the folder where the exe is stored.

Image

Press OK and we are done.

Image

Image

Image

PS: OK, I hope this guide helps you to unpack your Themida protections in future, so have fun and sorry if my English is too bad.

Credits: LCF-AT, Nacho_dj and me for writing this guide.

Download: http://www.mediafire.com/file/1xvqcqgux ... odbg110.7z


Last edited by CriticalError on Sun Oct 16, 2016 5:02 pm, edited 3 times in total.
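As an added example (it is not from the post, the unpacker script or any of the tools named above), this is the kind of check that packer detectors such as ProtectionID build on: a Python walk of the PE section table that computes the Shannon entropy of each section's raw bytes, since a packed or encrypted body of the sort Themida unpacks in memory shows up as a near-random section. The sample PE is constructed inline for the demo and is not a real Themida-protected binary.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Walk the PE section table and return (name, entropy, raw_size) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    result = []
    for i in range(num_sections):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rptr:rptr + rsize]
        result.append((name.rstrip(b"\0").decode("ascii", "replace"), shannon_entropy(raw), rsize))
    return result

def looks_packed(image: bytes, threshold: float = 7.0) -> bool:
    """Heuristic only: a non-empty section of near-random bytes suggests packed or encrypted code.
    Compressed resources or embedded archives trigger it too, so treat a hit as a prompt to run
    a signature scanner like ProtectionID, not as proof of Themida."""
    return any(ent >= threshold and size > 0 for _, ent, size in pe_sections(image))

def build_sample_pe(sections) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 skeleton with the given sections."""
    opt = b"\0" * 0xE0                                          # PE32 optional header, left zeroed
    data_start = 0x40 + 24 + len(opt) + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0)
    table, blobs, ptr = b"", b"", data_start
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
    return dos + coff + opt + table + blobs
```

Run `pe_sections()` on a real file read in binary mode; a section near 8.0 bits per byte is the one a scanner's signature check should then be pointed at.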

PostPosted: Thu Jun 18, 2015 9:01 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6406
I guess you want to use the IMG tag:
Code:
[img]http://...[/img]


PostPosted: Thu Jun 18, 2015 12:26 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
aluigi wrote:
I guess you want to use the IMG tag:
Code:
[img]http://...[/img]
I do it this way because there is a restriction on pictures over 1024 pixels, so that's the problem; if you can change it I will modify my post.


PostPosted: Thu Jun 18, 2015 12:38 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6406
The reason I added that limit was because, a month ago, in every thread you added huge (and useless for the purpose of the forum) images of the games.

P.S.: I have just removed the limit.


PostPosted: Mon Jul 13, 2015 6:01 am 

Joined: Fri Aug 08, 2014 12:51 am
Posts: 17
Great tutorial, but I packed a file I made myself with Themida 2.3 and this failed to work. The executable would just crash; I'll do some experiments and get back to you.
Good job, however, taking your time to write this up, sir!

_________________
Devblog


PostPosted: Mon Jul 13, 2015 5:24 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
cra0 wrote:
Great tutorial, but I packed a file I made myself with Themida 2.3 and this failed to work. The executable would just crash; I'll do some experiments and get back to you.
Good job, however, taking your time to write this up, sir!
You can leave it here or give me the exe or dll you are trying to unpack and I'll try myself.


PostPosted: Tue Jul 14, 2015 3:54 am 

Joined: Fri Aug 08, 2014 12:51 am
Posts: 17
CriticalError wrote:
cra0 wrote:
Great tutorial, but I packed a file I made myself with Themida 2.3 and this failed to work. The executable would just crash; I'll do some experiments and get back to you.
Good job, however, taking your time to write this up, sir!
You can leave it here or give me the exe or dll you are trying to unpack and I'll try myself.


Do you have Skype/Steam?

_________________
Devblog


PostPosted: Tue Sep 22, 2015 1:03 pm 

Joined: Tue Sep 22, 2015 1:01 pm
Posts: 3
Hi,
I'm sorry for the late reply, but when I'm done with all the steps mentioned and get to the part where it should dump the unpacked file to disk, I get a message saying that the dumping failed and I should dump it manually myself.
How do I manually dump the unpacked file?

Thanks


PostPosted: Tue Sep 22, 2015 2:04 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
Ummm, well, what target are you trying to unpack? Maybe you can upload it here and I'll try to unpack it myself to check what happens.


PostPosted: Tue Sep 22, 2015 2:57 pm 

Joined: Tue Sep 22, 2015 1:01 pm
Posts: 3
Well, Protection ID says it's a version between v2.0.1.0 and v2.1.8.0 (or newer).
Is there any way to get the more specific version of Themida?
The file is BlackCipher.aes (from the MS directory).


PostPosted: Tue Sep 22, 2015 3:04 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
Well, there is another tool called Exeinfo PE; you can check with that too, but anyway upload the target here and I'll try to unpack it here.


PostPosted: Tue Sep 22, 2015 3:13 pm 

Joined: Tue Sep 22, 2015 1:01 pm
Posts: 3
Check your inbox, I sent you the file in private.
Thanks


PostPosted: Sat Sep 26, 2015 3:33 am 

Joined: Sat Sep 26, 2015 3:26 am
Posts: 5
Hi.
I did it according to your instructions, but I can't unpack it.... Can you unpack it to help me, or support me in unpacking it?
Thank you very much
EMAIL: huyhuan1213@gmail.com


Attachments:
File comment: I check by RDG.Packer.Detector.v0.7.4.2014 => Themida 2.x.x
Tool.rar [1.89 MiB]
Downloaded 714 times
PostPosted: Sat Sep 26, 2015 1:54 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
I need the full binaries to unpack it, because during the unpacking process it asks for a dll called opencv_core242.dll and you only uploaded an exe.


PostPosted: Sat Sep 26, 2015 3:39 pm 

Joined: Sat Sep 26, 2015 3:26 am
Posts: 5
Thank you very much.

It's the full software. http://www.mediafire.com/download/3cvrw ... a/Tool.rar

Please help me unpack it!


PostPosted: Sat Sep 26, 2015 3:55 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
Well, no idea what problem you got in the process, but here everything was fine; anyway, here is the unpacked file.

https://dailyuploads.net/zb8wa1dnjot8


PostPosted: Sun Sep 27, 2015 12:55 am 

Joined: Sat Sep 26, 2015 3:26 am
Posts: 5
Thank you very much!!!
But can I ask you a question?
Did you unpack it your way or another way? If you have free time, can you make a video describing the steps you used to unpack it?
I want to learn how to unpack the software....
Thank you and have a nice day!


PostPosted: Sun Sep 27, 2015 9:51 am 

Joined: Sat Sep 26, 2015 3:26 am
Posts: 5
Thank you


PostPosted: Thu Oct 01, 2015 5:14 am 

Joined: Sat Sep 26, 2015 3:26 am
Posts: 5
CriticalError wrote:
Well, no idea what problem you got in the process, but here everything was fine; anyway, here is the unpacked file.

https://dailyuploads.net/zb8wa1dnjot8


When I run the software, it shows an error. The software cannot run!!!


PostPosted: Sat Oct 17, 2015 3:56 pm 

Joined: Sat Oct 17, 2015 3:51 pm
Posts: 1
Regards

Thanks for such a great tutorial.

Would someone check if it is possible to unpack this app with this method? Please confirm.
program name: process blocker
links:
hxxp://www.processblocker.com/downloads ... cker32.msi
hxxp://www.processblocker.com/downloads ... cker64.msi
I'm using 32-bit; the process which looks protected is the main exe file: List Editor.exe
It's packed with WinLicense, I don't know the version, but PEiD reported Petite 2.2, which it is not.

Please CriticalError , would you mind checking it...


My Best Regards

