ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC




[ 96 posts ]  Go to page Previous 1 2 3 4 5
PostPosted: Fri Sep 16, 2016 1:26 am 

Joined: Thu Sep 15, 2016 4:10 am
Posts: 2
CriticalError wrote:
Of course this is dumped in XP, not in 7. To make it work, you need to make changes in the code of the dumped file to run it on Win7. That's simple: the kernel is different in XP than in 7.



OK, thanks, that makes sense I guess. If anyone else has done this, I would be keen to learn the method.


PostPosted: Sun Oct 16, 2016 5:02 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 182
aluigi wrote:
@CriticalError
Maybe you can provide a zip containing the whole ollydbg folder already setup and with all the necessary plugins and modifications so that the users can just unzip and use it without looking for dead links and editing stuff.

Done mate, here is the OllyDbg folder I used before. I think all is there, but maybe not xD. It was a long time ago that I did it and left it, so well, it's still there and I hope it works.

http://www.mediafire.com/file/1xvqcqgux ... odbg110.7z


PostPosted: Sat Dec 24, 2016 1:02 pm 

Joined: Wed Apr 13, 2016 1:12 pm
Posts: 4
BUMP - just want to know if anybody has successfully used this against any Themida 2.4 target.

TetraMan wrote:
Has anybody used this method against Themida 2.4?

I successfully unpacked an app protected by earlier Themida.

Now I am attempting to unpack an app protected by Themida 2.4.

Some of the script popups are not appearing as expected (specifically, the very first popup during the first run does not appear... the application simply continues to run as normal). However, the script does produce a dumped (unpacked) executable.

Upon running the unpacked version, however, it crashes with "... instruction at... referenced memory... The memory could not be read."

If anybody has successfully unpacked an app protected by Themida 2.4, did you use this method? Did the process go as outlined in the instructions? Did you do anything differently?


PostPosted: Thu Jan 05, 2017 11:37 pm 

Joined: Thu Jan 05, 2017 11:33 pm
Posts: 3
I'm Chung. I have a tool. Can you help me unpack it? Thank you very much.
My tool is: http://www.mediafire.com/file/pki28i5ko ... 281%29.rar


PostPosted: Wed Jan 11, 2017 1:21 pm 

Joined: Wed Apr 13, 2016 1:12 pm
Posts: 4
Chung -

What version of Themida is your target protected by?
If it is Themida v2.4 or later, I have found these techniques may not work.

I have successfully used these techniques on targets protected by Themida v2.3 and earlier. However, my latest target is protected by Themida v2.4 and these techniques do not seem to work properly. The unpacked application throws errors. Also, the normal screens/windows did not appear during the unpacking process.


PostPosted: Sun Jan 15, 2017 6:20 pm 

Joined: Thu Jan 05, 2017 11:33 pm
Posts: 3
Hi. My tool is protected by Themida v2.3 or earlier. Can you help me?


PostPosted: Mon Jan 16, 2017 10:15 am 

Joined: Thu Jan 05, 2017 11:33 pm
Posts: 3
Hi TetraMan! I used Protection ID v0.6.6.7 (December version) to check. The tool is protected by Themida v2.0.1.0 - v2.1.8.0. Can you help me unpack it? Thanks!


PostPosted: Mon Jan 16, 2017 4:14 pm 

Joined: Wed Apr 13, 2016 1:12 pm
Posts: 4
While this "How to Unpack Themida 2.x.x" approach does not seem to work with targets protected by Themida >= v2.4, you should find the process will work for you in unpacking your older target.

You will need the tools listed in earlier posts, e.g. Olly and others. I use VMware Workstation to host a clean installation of Windows XP (32-bit). I am certain you can find both of those things available on the web. You can then easily follow the excellent instructions in earlier posts in this thread and unpack your target!


PostPosted: Fri Mar 17, 2017 4:31 am 

Joined: Fri Mar 17, 2017 4:24 am
Posts: 1
Hi guys. I have the same issue as a previous poster, and I didn't see it answered, so I'll ask for us both again.

I'm using a 32-bit Windows 7 VM (ESXi). I have Olly 1.10 and all the plug-ins. I have my ollydbg.ini configured correctly, and I get to the step right after "Disable Noppers" and my target pops up a message box.

In the script window, I see this:

Code:
If WL doesen't use a MessageBoxExA API to show you the HWID Nag 
or other messages then it used a custom code.In this case just pause
the script if you see the message then pause Olly open call stack and
set a soft BP from where it was called from = after message loop.Now
remove BP again and set the script eip on the label......

CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE

and then just resume the script. ;)



This is good advice, but seems to be missing a key component.

I pause the script, then pause Olly, ALT-K to bring up the call stack, find the correct place, set the BP. Then what?

Set it,
unset it,
adjust the script EIP to the CUSTOM_HWID_ label, and resume?

If so, what's the point of the BP?


PostPosted: Tue Jun 27, 2017 10:48 am 

Joined: Tue Jun 27, 2017 10:46 am
Posts: 1
Don't download odbg110.7z from the Mediafire link.

The file is INFECTED with Trojan.Win32.Swisyn.bner.

It infects .exe files. If you have downloaded it, I suggest downloading the Kaspersky Antivirus Removal Tool and running a full scan on the system.


@Mods @Moderators: request to delete the link.


PostPosted: Tue Jun 27, 2017 12:49 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6690
@supervirus5
I guess you are a newbie in this field, so:
1) you do NOT need that file, read viewtopic.php?p=18090#p18090
2) new to reverse engineering and advanced tools? Welcome to false positives!
3) CriticalError is a well respected and trusted user
4) don't worry, it's not your fault; as I said, that's normal if you are new to this stuff. Enjoy reverse engineering and learn.


PostPosted: Sat Sep 02, 2017 1:38 pm 

Joined: Tue Aug 29, 2017 10:55 am
Posts: 3
Hi,

I don't know if I can ask here, but I tried this method on some unmaintained software that can't run on Win10 because of WinLicense ("internal exception occured (Address: 0x0)"). The script returned an .exe that looks like it's unpacked, but it won't run (exception 0xc0000005), so maybe I didn't unpack everything.

Protection ID 0.6.8.5 says this:
Code:
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
[!] VM Protect  detected !

After unpacking :
Code:
[!] VM Protect (* unknown *) detected !

Can someone give me a hand on this, or could maybe do it for me? Thanks in advance :-)


PostPosted: Sat Sep 02, 2017 7:46 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 182
First, as said before, you need to do it via a virtual machine with XP. After unpacking, the exe doesn't just run and that's all; you need to debug it and fix problems so it runs properly.


PostPosted: Sat Sep 02, 2017 8:23 pm 

Joined: Tue Aug 29, 2017 10:55 am
Posts: 3
I did unpack in a WinXP virtual machine. Unfortunately, I don't have the required knowledge to debug and fix the problems; that's why I'm asking here if someone could help me out on this :-)


PostPosted: Fri Sep 08, 2017 1:23 pm 

Joined: Tue Aug 29, 2017 10:55 am
Posts: 3
EDIT: I managed to unpack a slightly different version, and it works now! But it broke the registration algorithm, so I have to patch it.


PostPosted: Sun Sep 17, 2017 7:47 pm 

Joined: Sun Sep 17, 2017 7:42 pm
Posts: 1
Hi guys!

I used this script many times successfully... now on this target I get a message "An internal exception occurred .... Please, contact support@o*****.com. Thank you!". It pops up after the Log Window says "IAT WAS MANUALLY PATCHED!" and a hardware BP was handled and 2 more modules loaded.

I'm running Olly on WinXP in VMware.

Thanks for any advice

best regards

S

