  1. #1
    cnttuchme's Avatar
    Join Date
    May 2009
    Gender
    male
    Location
    NA
    Posts
    187
    Reputation
    11
    Thanks
    49
    My Mood
    Inspired

    Unpacking themida and other protections [TUT]

    Credits: richie86

    Software Introduction:
    1. OD -- "You have to Google it; I can't upload it to the site. The rest of the files are included."
    Also known as OllyDbg. It’s a 32-bit assembler level analysis debugger. Powerful tool to analyze 32-bit assembler.
    2. Phantom
    It’s a plugin for OllyDbg. It is used to prevent OllyDbg from being detected by the anti-debugger engine of Themida/WinLicense.

    3. okdodo script
    This is the unpack script we will use in this tutorial.

    4. PEiD
    PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

    5. ImportRec
    Import Reconstructor is a tool used to fix the IAT of a dumped image and reconstruct it.


    ———————————————————————————————————-

    Okay let’s get started.

    First we have to determine what the packer is. Drag Cpp1.exe into PEiD. You will need the latest signature database. Here we find it’s packed with Themida/WinLicense 1.8.2.0 or above.
    (screenshot: PEiD)

    Start OllyDbg and make sure your Phantom settings look like the screenshot below. Configure it via Plugins > Phantom > Options. You will need to restart OllyDbg for the settings to take effect.
    (screenshot: Phantom settings)
    Install the plugin by moving phantom.dll into the OllyDbg folder.
    [IMG]https://richie86.files.*********.com/2008/01/phantom-opt.jpg[/IMG]
    After that, drag Cpp1.exe into OllyDbg. See the yellow line in the main thread: B8 00 00 00 60, the common entry point used by Themida/WinLicense.
    [IMG]https://richie86.files.*********.com/2008/01/load.jpg[/IMG]
    Press ALT+M to switch to the Memory Map tab. Scroll down the list a little and you will find msvcrt in the PE header section. This shows that this EXE uses the C++ runtime.
    (screenshot: C++ runtime in the memory map)

    Let’s continue. Run the okdodo script via Plugins > ODbgScript > Run Script, then select okdodo.osc.

    The script will run automatically. After you are prompted that the script has completed, the debugger will stop at the OEP (Original Entry Point) of your EXE.
    [IMG]https://richie86.files.*********.com/2008/01/oep.jpg[/IMG]

    Take note of the OEP address above; we will use it later on: 00401151
    Next we will try to dump the image out. Do NOT close OllyDbg yet.
    Open ImportRec and attach it to the Cpp1.exe process in the list.

    Then you will see in the status box: Image Base: 00400000. So calculate the OEP as 00401151 - 00400000 = 1151.
    Fill it into the OEP box and press IAT AutoSearch. It will inform you that the OEP was found.

    Press Get Imports to get all imported functions. The Imports status shows valid:YES, which means all import function pointers match.

    So dump the image via Right-click > Advanced Commands > Select Code Section(s)
    [IMG]https://richie86.files.*********.com/2008/01/imprec.jpg[/IMG]

    Press Full Dump, then save it somewhere as cpp1_dump.exe
    [IMG]https://richie86.files.*********.com/2008/01/dumped.jpg[/IMG]
    Then continue to reconstruct the dump based on the new OEP. In the main window, press Fix Dump, then select the dump image cpp1_dump.exe we just created.
    [IMG]https://richie86.files.*********.com/2008/01/fixdump.jpg[/IMG]

    After reconstruction, a new image cpp1_dump_.exe is created. Now try to open cpp1_dump_.exe and you will see that you have successfully unpacked it.
    [IMG]https://richie86.files.*********.com/2008/01/done.jpg[/IMG]

    Credit: okdodo for the script, unpack.cn for the resources.

    okdodo script:

    /*
    Script written by okdodo 2007/03
    Tested for themida IAT restore and OEP find~

    Ollyice: Ignore all exceptions (add 0EEDFADE,C0000005,C000001E)
    HideOD : Check HideNtDebugBit and ZwQueryInformationProcess(method2)

    Test Environment : Ollyice 1.1 + HideOD
    ODBGScript 1.52 under WINXP
    Thanks :
    kanxue – author of HideOD
    hnhuqiong – author of ODbgScript 1.52
    */

    data:
    var cbase
    var csize
    var dllimg
    var pmbase
    var apibase
    var mem

    // code section base/size of the module at eip, and the base of the memory block that holds it
    gmi eip,CODEBASE
    mov cbase,$RESULT
    gmi eip,CODESIZE
    mov csize,$RESULT
    gmemi eip,MEMORYBASE
    mov dllimg,$RESULT
    log dllimg

    findapibase:
    // break on GetLocalTime, VirtualAlloc and LoadLibraryA in turn;
    // after VirtualAlloc returns, eax holds the buffer the protector allocated (apibase)
    gpa "GetLocalTime","kernel32.dll"
    mov tmpbp,$RESULT
    cmp tmpbp,0
    je stop
    bphws tmpbp,"x"
    esto
    bphwc tmpbp
    rtu
    gpa "VirtualAlloc","kernel32.dll"
    mov tmpbp,$RESULT
    cmp tmpbp,0
    je stop
    bphws tmpbp,"x"
    esto
    bphwc tmpbp
    rtu
    mov apibase,eax
    log apibase
    gpa "LoadLibraryA","kernel32.dll"
    mov tmpbp,$RESULT
    cmp tmpbp,0
    je stop
    bphws tmpbp,"x"
    esto
    bphwc tmpbp
    rtu

    findVirtualAlloc:
    // search the allocated buffer for the protector's VirtualAlloc wrapper stub and break on it
    find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
    mov tmpbp,$RESULT
    cmp tmpbp,0
    je stop
    bphws tmpbp,"x"

    iatloop:
    // keep running until the module image contains 50 51 60 33 C0 (push eax / push ecx / pushad / xor eax,eax)
    esto
    mov tmp,[esp]
    find dllimg,#50516033C0#
    cmp $RESULT,0
    jne iatpatch
    jmp iatloop

    iatpatch:
    // rewrite two conditional jumps in the IAT-handling code as short unconditional jumps
    bphwc tmpbp
    find eip,#C21000#
    bphws $RESULT,"x"
    esto
    bphwc $RESULT
    sti
    mov tmpbp,tmp
    find tmpbp,#0F850A000000C785#
    mov tmpbp,$RESULT
    mov [tmpbp],0A0EEB
    find tmpbp,#0F84390000003B8D#
    mov tmpbp,$RESULT
    mov [tmpbp],3928EB

    // allocate 0x1000 bytes and write a helper stub; its placeholder dwords are filled with memtmp
    alloc 1000
    mov mem, $RESULT
    log mem
    mov tmp,mem
    mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
    mov memtmp,tmp
    add memtmp,100
    add tmp,1
    mov [tmp],memtmp
    add tmp,15
    mov [tmp],memtmp
    add tmp,22
    mov [tmp],memtmp
    mov tmp,mem

    // redirect the IAT-handling routine into the stub at the matched locations
    find tmpbp,#8908AD#
    mov tmpbp,$RESULT
    mov addr1,tmpbp
    add addr1,0A
    eval "jmp {tmp}"
    asm tmpbp, $RESULT

    find tmpbp,#E92400000058#
    mov tmpbp,$RESULT
    add tmp,14
    eval "jmp {tmp}"
    asm tmpbp, $RESULT

    find tmpbp,#0F851800000083BD#
    mov tmpbp,$RESULT
    mov addr3,tmpbp
    add addr3,06
    add tmp,22
    eval "jmp {tmp}"
    asm tmpbp, $RESULT

    find tmpbp,#884704#
    mov tmpbp,$RESULT
    mov addr2,tmpbp
    add addr2,03
    mov [tmpbp],#909090#

    find tmpbp,#ABAD#
    mov tmpbp,$RESULT
    mov [tmpbp],#90#

    add tmpbp,9
    add tmp,29
    eval "jmp {tmp}"
    asm tmpbp, $RESULT

    // and patch the stub's own jumps back into the routine
    mov memtmp,mem
    add memtmp,0F
    eval "jmp {addr1}"
    asm memtmp, $RESULT
    add memtmp,22
    eval "jmp {addr2}"
    asm memtmp, $RESULT
    add memtmp,23
    eval "jne {addr2}"
    asm memtmp, $RESULT
    add memtmp,06
    eval "jmp {addr3}"
    asm memtmp, $RESULT
    add memtmp,08
    eval "jmp {addr1}"
    asm memtmp, $RESULT

    find eip,#C7010000000083C104#
    mov tmpbp,$RESULT
    add tmpbp,14
    bphws tmpbp,"x"
    esto
    bphwc tmpbp

    mov tmp,cbase
    add tmp,csize

    findoep:
    // memory breakpoint on the code section: run until eip is no longer above its end
    bprm cbase,csize
    esto
    bpmc
    cmp eip,tmp
    ja findoep
    msg "script finished,check the oep place by yourself~"
    ret

    stop:
    pause

    apierror:
    pause
    Last edited by why06; 10-17-2009 at 10:27 PM.

    Help me raise The roof


    Respected list
    [MPGH]Liz
    kvdirect
    [MPGH]why06

    The following was an idea to let eachother ingame secretly know that your hack.

    Quote Originally Posted by kingkuz00 View Post
    how about we "dave is the king" when we join a game :P
    Quote Originally Posted by aram0492 View Post
    how about "aram is the king" who the fk is dave?
    idk i rofled.

    Save Gunz section "https://www.mpgh.net/forum/297-gunz-g...od-minion.html"
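The tutorial above relies on three facts a defender can verify from the file alone before touching a debugger: the image base, the entry point (the `B8 00 00 00 60` bytes OllyDbg lands on) and the OEP-to-RVA subtraction ImportRec wants (00401151 - 00400000 = 1151). The following is an added example, not code from the tutorial, from richie86 or from okdodo. It parses a PE32 header with nothing but `struct`, translates the entry RVA to a file offset through the section table, and checks the entry bytes against the five-byte pattern the tutorial shows. The sample PE is constructed in memory (it is not Cpp1.exe), and the signature is a weak heuristic of my own, not a PEiD database entry: five bytes can occur in unprotected code too, so treat a match as a reason to triage further, not as a verdict.

```python
import struct

# Entry-point bytes the tutorial points at in OllyDbg: B8 00 00 00 60 = mov eax, 0x60000000.
# Weak heuristic (5 bytes), nothing like PEiD's full signature database.
THEMIDA_ENTRY_SIG = bytes.fromhex("B800000060")


def build_sample_pe(entry_rva=0x1000, image_base=0x400000, entry_bytes=THEMIDA_ENTRY_SIG):
    """Build a minimal, constructed PE32 image in memory (this is NOT Cpp1.exe).

    One .text section at RVA 0x1000 backed by file offset 0x200; the entry point
    sits at the start of the section so its bytes are easy to inspect."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # DOS header, e_lfanew at 0x3C
    size_opt = 224                                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)   # i386, 1 section, EXE
    # Optional header: Magic, linker major/minor, SizeOfCode, SizeOfInitData, SizeOfUninitData,
    # AddressOfEntryPoint (offset 16), BaseOfCode, BaseOfData, then ImageBase (offset 28),
    # SectionAlignment, FileAlignment; remaining fields left zero.
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    opt += struct.pack("<III", image_base, 0x1000, 0x200)
    opt = opt.ljust(size_opt, b"\x00")
    raw_ptr = 0x200
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # 12 bytes of reloc/linenumber fields, Characteristics (CODE | EXECUTE | READ).
    sect = b".text".ljust(8, b"\x00") + struct.pack("<IIII", 0x1000, 0x1000, 0x200, raw_ptr)
    sect += b"\x00" * 12 + struct.pack("<I", 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + opt + sect).ljust(raw_ptr, b"\x00")
    return headers + entry_bytes.ljust(0x200, b"\xCC")                  # pad the section with int3


def parse_pe(data):
    """Read the handful of PE32 header fields the tutorial's workflow depends on."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 handled (OllyDbg is a 32-bit debugger anyway)")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sections = []
    for i in range(nsec):
        off = opt_off + size_opt + i * 40
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section that contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def oep_rva(oep_va, image_base):
    """The subtraction ImportRec asks for: OEP VA minus ImageBase (00401151 - 00400000 = 1151)."""
    return oep_va - image_base


def entry_matches(data, pe, sig=THEMIDA_ENTRY_SIG):
    """True if the bytes at the PE entry point start with the given pattern."""
    off = rva_to_offset(pe, pe["entry_rva"])
    return data[off:off + len(sig)] == sig


def triage(data):
    """Static triage summary: what the tutorial reads off PEiD/OllyDbg, without running the file."""
    pe = parse_pe(data)
    return {"image_base": pe["image_base"],
            "entry_va": pe["image_base"] + pe["entry_rva"],
            "themida_style_entry": entry_matches(data, pe),
            "sections": [s["name"] for s in pe["sections"]]}


if __name__ == "__main__":
    for label, blob in (("constructed packed-style sample", build_sample_pe()),
                        ("constructed plain sample", build_sample_pe(entry_bytes=bytes.fromhex("5589E5")))):
        r = triage(blob)
        print(f"{label}: base={r['image_base']:#010x} entry={r['entry_va']:#010x} "
              f"sections={r['sections']} themida_style_entry={r['themida_style_entry']}")
    print(f"OEP RVA for ImportRec: {oep_rva(0x401151, 0x400000):#x}")
```

Point `triage()` at `open(path, "rb").read()` to run it on a real 32-bit executable; the constructed sample exists only so the block runs offline. Because the match is decided on five bytes, a production check should combine it with the other signals the tutorial itself shows (a tiny number of named sections, an entry point outside `.text`, or a large high-entropy section) rather than trusting the entry bytes alone.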


  3. #2
    rwkeith's Avatar
    Join Date
    Jul 2008
    Gender
    male
    Posts
    457
    Reputation
    11
    Thanks
    79
    My Mood
    Angelic
    This relates to the assembly section. Other than that, this is the most useful tut I have seen yet. Bravo...

    Edit: What settings do you need for the Phantom plugin under its options?
    Last edited by rwkeith; 10-17-2009 at 01:42 PM.
    Goals In Life:
    [X] Become an Advanced Member
    [X]Release a tut on mpgh
    [0]Post 300 posts
    [X]Make a working hack
    [X] Learn c++

  4. #3 cnttuchme
    Thanks! Mods can move it if they please.
    Let me add the picture; I forgot, sorry.


  5. #4 rwkeith
    Np, and thanks for adding how to configure the plug-in =)

  6. #5 cnttuchme
    You're welcome.


  7. #6
    BooYa's Avatar
    Join Date
    Apr 2009
    Gender
    male
    Location
    hre
    Posts
    111
    Reputation
    10
    Thanks
    19
    Nice copy and paste, credits go to richy86

  8. #7 cnttuchme
    Originally Posted by BooYa:
    Nice copy and paste, credits go to richy86
    Didn't I put that there?? I was just adding it to the forum, and I never claimed I made it nor asked for thanks.


  9. #8 rwkeith
    Where is the okdodo script?

  10. #9 cnttuchme
    Originally Posted by rwkeith:
    Where is the okdodo script?
    It's near the bottom; it's in quotes.


  11. #10 BooYa
    Originally Posted by cnttuchme:
    Didn't I put that there?? I was just adding it to the forum, and I never claimed I made it nor asked for thanks.
    Oh sorry, didn't see it; usually credits are at the top of a post.

  12. #11 cnttuchme
    Originally Posted by BooYa:
    Oh sorry, didn't see it; usually credits are at the top of a post.
    No problem, next time I'll post them on top.


  13. #12 rwkeith
    How do I use that code? I'll need an asm compiler, won't I?

  14. #13
    Hell_Demon's Avatar
    Join Date
    Mar 2008
    Gender
    male
    Location
    I love causing havoc
    Posts
    3,976
    Reputation
    343
    Thanks
    4,320
    My Mood
    Cheeky
    Cpp1.exe has been detected as a Downloader.MisleadApp o__O
    Ah we-a blaze the fyah, make it bun dem!

  15. #14
    B1ackAnge1's Avatar
    Join Date
    Aug 2009
    Gender
    male
    Posts
    455
    Reputation
    74
    Thanks
    344
    My Mood
    Cynical
    this won't work with 'newer' themida packed apps

  16. #15
    why06's Avatar
    Join Date
    Jul 2009
    Gender
    male
    Location
    IBM
    Posts
    4,304
    Reputation
    170
    Thanks
    2,203
    My Mood
    Flirty
    Thanks for the info BA. Well, I was wondering how cnttuchme came up with this, but that's fine as long as he gave credits. I hope you don't mind, but I took the liberty of putting the credits in a more notable spot. I'm going to move this to assembly now.
    Last edited by why06; 10-17-2009 at 10:29 PM.

    "Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and are not clothed. This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children. The cost of one modern heavy bomber is this: a modern brick school in more than 30 cities. It is two electric power plants, each serving a town of 60,000 population. It is two fine, fully equipped hospitals. It is some fifty miles of concrete pavement. We pay for a single fighter plane with a half million bushels of wheat. We pay for a single destroyer with new homes that could have housed more than 8,000 people. This is, I repeat, the best way of life to be found on the road the world has been taking. This is not a way of life at all, in any true sense. Under the cloud of threatening war, it is humanity hanging from a cross of iron."
    - Dwight D. Eisenhower
