Thread: Unpacking Themida 2.0.3

  1. #1
    Omnomnom
    Guest

    Hi,

    My target is a VB executable packed with Themida (presumably version 2.0.3).

    I deduced it was Themida based on the following information:
    • PEiD revealed nothing (other than a packed entropy).
    • RDG (on M-A mode) detected "Themida (PE Hide Type 1)".
    • While tracing through some of the decryption/decompression I noted a large string equivalent to "Themida Professional by Oreans Software".
    • int3 opcode in first code block.
    • Numerous SEHs littered throughout the code.
    • RDTSCs littered throughout the code.

    I've tried a few scripts written for older versions (of Themida) to no avail.

    I'm not very experienced with unpacking, though have done a few basic unpackmes.

    I can attach to the process, but as soon as I resume the process it kills itself.

    I was wondering if anyone could point me in the direction of a generic unpacker/script/tutorial for MUPing this version of Themida.

    Cheers.

  2. #2
    OHPen
    My advice: Forget it!!!
    You are far away from unpacking it.

    Regards,
    OHPen
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  3. #3
    Dunno, if you've got at least some experience and some stamina you might be able to do it.. VB isn't that hard Themida-wise.. Let's hope it doesn't have any macros though, and you might have some luck..

    As far as I know LCF_AT, Nooby & computer angel released a script for this version. There are some other tuts around as well.. try tuts4you.

  4. #4
    rendari
    Themida on VB is a piece of cake. Just take any tutorial and follow it. I think LCF-AT wrote one on how to solve VB unpackmes.

  5. #5
    OHPen
    @rendari: it is pretty strange that you call Themida a "piece of cake". It is one of the longest unbroken protections out there, till the first people managed to unpack it. And yet it is still a very strong protection if the user of Themida is using all features like code virtualization and so on.
    A protection is not a "piece of cake" if there is a script which is able to unpack a certain version of it with the minimal set of protection options applied...

    think about it

    regards,
    OHPen

  6. #6
    Imho I agree with rendari, Themida is a piece of cake on VB.. Usually it is only the packer.

    Strong dunno, it's still pretty good. But with the latest successful attacks Themida ain't what it used to be.

  7. #7
    rendari
    OHPen,

    I never said Themida was a piece of cake in general. I agree that it can be difficult at times if the VM is enabled. However, with a VB6 target the only thing that can possibly be VM'd is the entrypoint, and that is only two instructions!! (push/call). Fixing imports is easy, fixing entrypoint is easy (2 instructions!!) and that is all that Themida changes. So I stand by what I said, Themida is a piece of cake with VB.

    Now on a C++ app where the reg routine is in the RISC VM, now that is a pain in the ass >.<

    -rendari

  8. #8
    OHPen
    @rendari: Ok, maybe limited to VB applications Themida is easy to break. Didn't know that only the EP can be virtualized. But regarding the p-code thingy it sounds reasonable.
    But Themida on native applications, for example ones written in C/C++, is still hard to manage.

    Regards,
    OHPen