吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn

[Repost] Themida 2.x.x unpacking

cndml posted on 2018-4-11 19:24
Last edited by cndml on 2018-12-28 15:04

Original post: http://zenhax.com/viewtopic.php?f=4&t=1051

Hello everybody,

Today I will be showing you all how you can unpack a sample which is packed with Themida. This tutorial will show you how to do the process without requiring you to manually use a debugger yourself.

What you will learn in this thread:
- What Themida is
- A bit about how Themida works
- Why packers/obfuscators may be used not only with malicious software but with safe, legitimate software
- Why unpacking is useful to Malware Analysis
- How you can unpack samples packed by Themida without requiring knowledge of how to use a debugger yourself manually

1). What Themida is
Themida is software specifically engineered to help software stay better protected against being cracked and/or having its source code stolen.

If someone comes along and they can read the code you wrote for your software, and you have not made the software open source and did not wish the code to be given out and/or read by someone, would you be happy about them having found a way to read your source code? I don't think you would.

The purpose of Themida is to help prevent the protected software from becoming vulnerable to reverse engineering attempts. It can also help against piracy.

2). A bit about how Themida works
Themida will pack the executable. When you execute the packed sample, it will unpack the executable in memory and use that to continue executing, to perform and do what it's meant to do. If the unpacking of the packed executable into memory fails for whatever reason, then the program will not work.

3). Why packers may be used in legitimate software
Packers may be used in legitimate software so the developer's software is better protected against attacks. If someone can read your code, or use disassembly to understand how it works, they can try to find vulnerabilities and then use them to create zero-day exploits.

Packers are also quite frequent with malware. Your antivirus product may pick up detections for software packed in a certain way / type of packer used.

4). Why unpacking is useful in Malware Analysis
If the sample is packed, then this essentially protects against disassembly. We won't be able to understand how the program works; we'll just be reading the instructions from the packer wrapper, for example the unpacking routine itself. However, we want the original (unpacked) executable, and we want to perform disassembly on that executable so we can try to make sense of and understand how the program works, to know whether it's malicious or not.

5). How we can actually identify and unpack Themida packed executables
To start off, you'll need a few things:

Tools
- ProtectionID 6.6.7
- OllyDbg 1.10

OllyDbg plugins
- ODBGScript v1.82.6
- StrongOD 0.4.8.892
- PhantOm 1.79
- ARImpRec.dll

Script
- Themida - Winlicense Ultra Unpacker 1.4

OK, the first thing we need to do is set the path to your "ARImpRec.dll" in the "Themida - Winlicense Ultra Unpacker 1.4.txt" script, so we open the txt with Notepad and search for it.

Quote:
HERE_ENTER_YOUR_DLL_PATH_TO_ARIMPREC_DLL:
mov ARIMPREC_PATH, "C:\Documents and Settings\Admin\Desktop\OllyDBG\plugin\ARImpRec.dll"



Open up ProtectionID; as you can see, the first icon looks like a paper with a pencil. Press there and drop your executable. It should process the information (if it can). As we can see in the screenshot below, it detects the Themida packing:

1.png
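ProtectionID identifies the packer by signature. A complementary check an analyst can run offline before deciding whether a sample needs unpacking is section entropy: a payload that is only reconstructed in memory is stored on disk with a near-uniform byte distribution, while ordinary x86 code sits well below that. The following Python is an added example, not code from the original post or from any of the tools listed above; the PE image it parses is constructed inside the script (the section name `.packed` and its contents are invented for the demo), and a real sample would be read with `open(path, "rb").read()`.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted data, well below 7 for plain x86 code."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes) -> list:
    """Parse the PE section table; return [(name, raw_section_bytes), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData; the remaining 16 bytes are not needed.
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         image[raw_ptr:raw_ptr + raw_size]))
    return sections

def likely_packed_sections(image: bytes, threshold: float = 7.0) -> list:
    """Heuristic: names of sections whose raw bytes look compressed or encrypted."""
    return [n for n, d in pe_sections(image) if shannon_entropy(d) >= threshold]

def build_sample(sections) -> bytes:
    """Constructed minimal PE layout (headers plus raw data; not an executable)."""
    raw_off = 0x40 + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII", name, len(data), 0x1000,
                             len(data), raw_off + len(blobs)) + b"\0" * 16
        blobs += data
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + table + blobs

# Constructed sample: a repetitive code-like .text section and a uniformly distributed ".packed" one.
SAMPLE = build_sample([(b".text", b"\x55\x8b\xec\x83\xec\x10" * 512),
                       (b".packed", bytes(range(256)) * 16)])
```

`likely_packed_sections(SAMPLE)` returns `['.packed']`; on a real Themida sample the flagged sections are the ones the script later has to dump from memory, and a single small high-entropy section (a compressed resource) is a normal false positive, so treat the result as a prompt to look closer, not a verdict.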

OK, after checking that, we extract OllyDbg to a path we want; for example, mine is on the Desktop:
C:\Documents and Settings\Admin\Desktop\OllyDBG.

So now we create a folder called plugin inside the OllyDbg folder, and inside it we extract all the plugins we downloaded, so it should look like this.

2.png

3.png

PS: delete PSAPI.DLL from the main folder of OllyDbg.

OK, so now we are ready to start.

1. The first time we open Olly we need to set the plugin directory because it is not configured. To do so, go to Options - Appearance; in the Directories tab we can set where we stored the plugins, so do that, press OK and restart Olly.

4.png

2. So now, the next time we open Olly, we see the plugins loaded.

5.png

3. OK, now we open the target to unpack (or just press F3). After it is opened we get a pop-up; just press Yes and the file continues analysing; just wait for it to finish.

6.png

4. Now press F9 to run it and, as you can see, we get a pop-up. Don't worry, just press OK and the debugging session is terminated.

7.png
8.png

5. Good, the next move is to run the script. For this we go to Plugins menu - ODBGScript - Run Script and we look for the "Themida - Winlicense Ultra Unpacker 1.4.txt" downloaded before.

6. OK, after we load it nothing happens, because we terminated the debug session before, so what we need to do is reopen the target; just press the X to close the target.

7. After the target is reopened, run the script again, or if you get this pop-up asking to begin the unpacking process, we press Yes.

9.png

OK, in the next one we press No.

10.png

So now the unpacking process has begun; we can check the status in the bottom bar at the right side of the screen. After some seconds we get a pause; now, to resume and continue unpacking, maximize the main thread window, right click and go to -> Script Functions - Script Window. Now we have a Script window open; right click there and press Resume.

11.png

8. So now we get a pop-up telling us that we need to modify some values in "ollydbg.ini"; after that we need to restart Olly and resume the script.

12.png

9. So now we repeat the steps done before (open the target and run the script, etc.); after we finish, we get this at the end.

13.png

PS: remember to close OllyDbg after opening the .ini.

10. OK, we press Yes and in the Script Execution window press right click and Resume.

11. Good, now this part is very important: if we are running in VMware we need to set Yes; if we are running on a normal OS just press No.

14.png

12. Now we get another pop-up; in my case I select Modern Scan, not Simple, since it uses more checks.

15.png

13. OK, in this one we select No.

16.png

14. OK, after it has finished we get a new pop-up; there I press Yes.

17.png

15. Finally the job is done, as you can see there. Now we can see the dumped file, so we press Yes to use this data.

18.png

16. As the script says, we choose No the first time; if we get any problem after pressing No, repeat the process and the next time just press Yes, just in case.

19.png

17. OK, this pop-up asks whether to compress the dumped file, but in this case we won't do it because it is a good size; it is not a file of 120MB or 200MB, so I think it is fine to press No.

20.png

18. OK, after all this we finally have the dumped file in the folder where the exe is stored.

21.png

Press OK and we are done.

22.png

23.png

24.png

PS: OK, I hope this guide helps us to unpack your Themida protections in future, so have fun, and sorry if my English is too bad.

Credits: LCF-AT, Nacho_dj and me for writing this guide.


幼稚子吟 posted on 2020-6-18 18:46
I'd like to ask whether anyone has run into the script reaching the last step, that is,
16. As the script says, we choose No the first time; if we get any problem after pressing No, repeat the process and the next time just press Yes, just in case.
At this point the original program shows "has stopped working".
I suspect the API repair went wrong here; what should I do to complete the API repair?
2.png
3.png
1.png
qwg posted on 2018-8-27 08:18 from mobile
Last edited by qwg on 2018-8-27 15:27

On Win7 the packed DLL runs, and the crack with the packer still on in OD works normally too. When the script unpacks, ImportREC's automatic fetch has one invalid entry, NTDLL NtdllDefWindowProc_A; I manually changed the pointer name to user32 DefWindowProc_A, but it seems to make no difference either way, including in the automatically unpacked files; without restarting the computer, everything is normal. Does it need to be modified during OD unpacking, or should the script be modified, or the unpacked file repaired... The DLL file has already been modified, but after the program loads there is still no change... and then change
NtdllDefWindowProc_A.png
Hmily posted on 2018-4-12 18:25
@cndml The images need to be uploaded; pasting them directly won't display. Judging from the article, it still uses LCF-AT's old script:

Themida - Winlicense Ultra Unpacker 1.4
https://www.52pojie.cn/thread-290732-1-1.html
(Source: 吾爱破解论坛)
evea posted on 2018-4-13 09:08
I read the original post; it is indeed LCF-AT's old script.
bb2999 posted on 2018-4-14 21:50
Could the OP please pack the images and upload them?
bb2999 posted on 2018-4-20 19:43
Line 11232 prompts:

INIstore ,0, INIpath Couldn`t open file !

Which setting is wrong?
lanyueliang posted on 2018-5-23 15:37
Hello teacher. Could you share the Themida unpacking script?
lanyueliang posted on 2018-5-25 12:13
Unpacking TMD is actually not hard. The general method to reach the OEP is: open the program in OD, press Alt+M and set a memory write breakpoint on the 401000 segment, then Shift+F9; barring surprises it will stop on the rep movs line!

Hello teacher. The above is a method for finding the OEP that you gave earlier. I tried some TMD-packed programs; some do reach the rep movs line, but others just stay at the program's entry point after being loaded into OD and never reach the rep movs line. What is the reason for this?
jsclove posted on 2018-8-23 09:51
Thanks for sharing
qwg posted on 2018-8-23 17:47 from mobile
Is there a cross-platform repair method? Or a repair after unpacking on Win7, or a patching approach for the DLL without unpacking?
OP | cndml posted on 2018-8-24 17:31
qwg posted on 2018-8-23 17:47
Is there a cross-platform repair method? Or a repair after unpacking on Win7, or a patching approach for the DLL without unpacking?

If the original program can be repaired cross-platform, that is fine too; for a DLL patch you could consider lpk hijacking; for dynamically modifying memory addresses under Win7 you need to do the relocation yourself.
