
Thread: Question about Themida and Debugging.

  1. #1
    pigmeu
    Guest

    Question about Themida and Debugging.

    Hi, I'm trying to find an algorithm inside a program, but when I trace until a specified call and run the program, it stays running indefinitely. When I pause the execution, the program stops in the ntdll.dll module at the following address:
    Code:
    7C90E510 >/$	MOV EDX,ESP
    7C90E512  |.	SYSENTER
    7C90E514 >\$	RETN		; I stop here after Pause.
    
    Stack:
    02C0FA14   7C90DF5A  RETURN to ntdll.ZwWaitForSingleObject+0C
    02C0FA18   7C91B24B  RETURN to ntdll.7C91B24B from ntdll.ZwWaitForSingleObject
    02C0FA1C   00000140
    02C0FA20   00000000
    02C0FA24   00000000
    02C0FA28   004B7364  test.004B7364
    
    Caller1: setting a BP on 7C90DF4E never breaks:
    7C90DF4E >/$	MOV EAX,10F   
    7C90DF53  |.	MOV EDX,7FFE0300
    7C90DF58  |.	CALL DWORD PTR DS:[EDX]
    7C90DF5A  \.	RETN 0C
    If I try to trace with F7/F8 at the RETN at 7C90E514, I get the following error message:
    Debugged program set single step flag (bit T in EFL). I don't know how to step command at address 7C90E514 correctly. Try to set breakpoint on next command and run.

    I already checked the places it returns to, but it seems that code is not being called, because I already set a BP on them and the program never breaks.
    Can anybody give me ideas on how to solve this issue?
    I use Windows XP SP3 + OllyDbg.

    My second question is about Themida features. I want to know which Themida feature is being used in the following code (Virtual Machine, Code Replace, both, or none?):
    Code:
    ;proc1
    0040B490   $   PUSH EBP
    0040B491   .   MOV EBP,ESP
    0040B493   .   SUB ESP,40
    0040B496   .   PUSH EBX
    0040B497   .   PUSH ESI
    0040B498   .   PUSH EDI
    0040B499   .-  JMP 00672694                             ;  go to proc2
    0040B49E       DB D6
    0040B49F       DB FE
    0040B4A0       DB 96
    ...
    
    ;proc2
    00672694   ?   PUSH 33AAF500
    00672699   .^  JMP 00658E1A                             ;  go to proc3
    0067269E       DB B1
    0067269F       DB D6
    006726A0       DB 1F
    006726A1       DB EC
    
    ;proc3
    00658E1A   >   PUSH 0
    00658E1C   .   PUSHFD
    00658E1D   .   PUSHAD
    00658E1E   .   NOP
    00658E1F   .   NOP
    00658E20   .   CALL 00658E25                            ;  test.00658E25
    00658E25   $   POP EBP
    00658E26   .   SUB EBP,63A2E11
    00658E2C   .   NOP
    00658E2D   .   NOP
    00658E2E   >   MOV EAX,63BD0E6
    00658E33   .   ADD EAX,EBP
    00658E35   .   PUSH EAX
    00658E36   .   MOV ESI,DWORD PTR SS:[EBP+6221321]
    00658E3C   .   MOV EBX,1
    00658E41   .   LEA EAX,DWORD PTR DS:[ESI+33C]
    00658E47   >   LOCK XCHG BYTE PTR DS:[EAX],BL           ;  LOCK prefix
    00658E4A   .   OR BL,BL
    00658E4C   .   JNZ SHORT 00658E50                       ;  test.00658E50
    00658E4E   .   JMP SHORT 00658E60                       ;  test.00658E60
    00658E50   >   PUSHAD
    00658E51   .   PUSH 0
    00658E53   .   CALL DWORD PTR SS:[EBP+6222321]
    00658E59   .   POPAD
    00658E5A   .^  JMP SHORT 00658E47                       ;  test.00658E47
    00658E5C   .^  JMP SHORT 00658E2E                       ;  test.00658E2E
    00658E5E   .   JMP SHORT 00658E67                       ;  test.00658E67
    00658E60   >   POP EAX
    00658E61   .   MOV DWORD PTR DS:[ESI+3E0],EAX
    00658E67   >   MOV EAX,95
    00658E6C   .   MOV DWORD PTR DS:[ESI+350],EAX
    00658E72   .   MOV DWORD PTR SS:[ESP+24],6228457
    00658E7A   .   ADD DWORD PTR SS:[ESP+24],EBP
    00658E7E   .   POPAD
    00658E7F   .   POPFD
    00658E80   .   RETN
    I promise that I have read the FAQ and tried to use the Search to answer my question.
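The proc3 stub in the post above locates itself with the CALL/POP EBP trick and then adds large constants to EBP, so the real targets of its memory references and of the final RETN are not visible in the listing. The following is an added worked example (my own code, not from the thread, from OllyDbg or from Themida) that carries that arithmetic through using only the immediates shown in the listing; what the resolved locations contain is not stated in the thread and is not assumed here.

```python
# Added worked example (not from the thread): resolve the EBP-relative
# constants in the proc3 stub. Every immediate below is copied from the listing.
MASK32 = 0xFFFFFFFF

# CALL 00658E25 pushes the next instruction's address and POP EBP loads it,
# so EBP starts out as the stub's own runtime position.
CALL_RETURN_ADDR = 0x00658E25
EBP_DELTA        = 0x063A2E11   # SUB EBP,63A2E11

EAX_IMM      = 0x063BD0E6       # MOV EAX,63BD0E6 ; ADD EAX,EBP
PTR_A_DISP   = 0x06221321       # MOV ESI,DWORD PTR SS:[EBP+6221321]
PTR_B_DISP   = 0x06222321       # CALL DWORD PTR SS:[EBP+6222321]
RET_SLOT_IMM = 0x06228457       # MOV [ESP+24],6228457 ; ADD [ESP+24],EBP

def adjusted_ebp(call_return_addr: int = CALL_RETURN_ADDR,
                 delta: int = EBP_DELTA) -> int:
    """EBP after 'SUB EBP,<delta>', wrapping like a 32-bit register."""
    return (call_return_addr - delta) & MASK32

def resolve(disp: int, ebp: int) -> int:
    """Absolute address of an EBP-relative reference (32-bit wraparound)."""
    return (ebp + disp) & MASK32

def return_slot_offset(gp_regs_pushed: int = 8, flags_pushed: bool = True) -> int:
    """Offset from ESP (after PUSHAD) back to the dword created by 'PUSH 0'.

    PUSHAD stores 8 dwords and PUSHFD one more, so that slot is at ESP+0x24:
    the stub overwrites it, then POPAD/POPFD/RETN transfer control to it.
    """
    return 4 * gp_regs_pushed + (4 if flags_pushed else 0)

def resolved_listing() -> dict:
    """Every EBP-relative reference in proc3, resolved to an absolute address."""
    ebp = adjusted_ebp()
    return {
        "ebp":             ebp,
        "eax_pushed":      resolve(EAX_IMM, ebp),      # later stored at [ESI+3E0]
        "esi_source":      resolve(PTR_A_DISP, ebp),   # dword ESI is loaded from
        "call_target_ptr": resolve(PTR_B_DISP, ebp),   # dword called in the spin loop
        "retn_target":     resolve(RET_SLOT_IMM, ebp), # where the final RETN lands
        "ret_slot_offset": return_slot_offset(),
    }

if __name__ == "__main__":
    for name, value in resolved_listing().items():
        print(f"{name:16s} {value:08X}")
```

esi_source, call_target_ptr and retn_target all resolve to 0x004Dxxxx, between the test.004B7364 and test.00658E25 addresses already shown in the post, which is a quick sanity check that the 32-bit wraparound of the SUB was handled correctly.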

  2. #2
    That code definitely is virtualized. 33AAF500 is the decryption key/bytecode and the RISC VM starts at 00658E1A. That's at least what I can tell; it might not be that much, though.

  3. #3
    Your first problem is likely to be CodeEncrypt; it behaves the same when you don't fix it but do dump it. (It requires the Oreans memory-loaded DLLs.)
    Pretty easy function, just read my tut about it to fix it. It should not behave like that, though, when just running normally.

  4. #4
    pigmeu
    Guest
    Thanks for the replies.
    quosego, since I couldn't manage to run the unpacked version of this target, I'm running it inside OllyDbg using my own OllyScript that fixes the IAT jumps and breaks on the OEP.
    Regarding the code I mentioned, before reaching it I needed to kill all Themida threads, because that was the only working way I found to break on a new thread created by this target app. (Using Debug > Break on New Thread did not work properly because I got strange results, and when setting a BP on the entry point of the thread proc, the application does not break on it instantly because the other Themida threads had priority...) Is this the case?
    Last edited by pigmeu; July 26th, 2009 at 04:54.
