Themida 2.2.6.0

风吹屁屁凉

Hi all,

This file is compiled with Visual Studio 2010 (C++ Language) and protect one with VM_START/VM_END.
New themIDA version have new VM system so I have use FISH32 White VM to protect this file

Themida - Advanced Windows Software Protection System  [Version 2.2.6.0]

Protection Options for ThemidaTest.exe
--------------------------------------

Macros Information
------------------
VM Macros: 1
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
STR_ENCRYPT Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_VIRTUAL_PC Macros: 0


Protection Options
------------------
Anti-Debugger: Ultra
Anti-Dumpers: ENABLED
Entry Point Ofuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: File Patching
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED


Virtual Machine Settings
------------------------
Automatic handling of Virtual Machines: DISABLED
Force Integrity Checks: ENABLED
Virtualize Protection Core with: FISH32 (White)
Virtualize old VM macros: FISH32 (White)
Virtual Machines Inserted:
--> FISH32 (White)


Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Hide from PE scanners: Type 2
.NET assemblies: ENABLED
Active Context: DISABLED
Add Manifest: Don't add manifest


XBundler files
--------------
No files to bundle

茶城兄弟

中华儿女，来几个中国字怎么样？

dodolovely

支持2楼的一说，你这转帖的也太不厚道了

cxj98

高级货，咱们小白根本不懂。

Aurelion

一直都不知道咋修复VM的按钮事件 脱壳还是很简单的！

a070458

[AppleScript] 纯文本查看 复制代码

bphwcall
bc
bpmc
bphws 00401253, "x" 
bphws 004C7046, "x"
esto
bphwc 004C7046
mov [004C7175],#E998E4F3FF9090#
mov [00405612],#83BD642C1C1100A352564000E9591B0C0090#
mov [0041950E],#E97FC1FEFF90#
mov [00405692],#609CA1525640002BC783E80489079D6189C689EBE9693E010090#
mov [0042C987],#E9748DFDFF909090#
mov [00405700],#609C3D0064010072163DEC604000770F8B0D525640008908EB07909090909089189D6183E60FE964720200909090#
mov [004C9EFA],#E901B9F3FF90#
mov [00405800],#609CA1525640002BC783E804AB9D61E9FB460C00#
loop:
esto
cmp eip,0040548C 
ja loop
cmp eip,00401000
jb loop
jmp exit


exit:
bphwcall
bc
bpmc

渣脚本 大神飞过
VM只知道会传递一个错误的HWND 具体怎么搞  求大神指点

kGe

vm 于0040103a
+了section还是异常一大串，第一次开始于类似 jmp 【eax】，此时eax指向.......

wgz001

qq793359277 发表于 2013-11-13 15:07
一直都不知道咋修复VM的按钮事件 脱壳还是很简单的！

点击inside vm 时程序崩溃

kGe

THEMIDA 2.Xd anti fix 我的建议是保留VM SECTION

kGe

ok了ok了ok了ok了ok了ok了ok了ok了ok了ok了

------------------------------------------------------
接下来就是玩下IAT table里的API是怎么运动的了？