Exetools

Thread: 10 lines code dumped themida (https://forum.exetools.com/showthread.php?t=7408), in General Discussion (https://forum.exetools.com/forumdisplay.php?f=2) on Exetools (https://forum.exetools.com/index.php)

pll823 04-21-2005 14:27

10 lines code dumped themida
 
3 Attachment(s)
Here the XprotStripper core code by kernelkiller
Code:

#include <windows.h>
#include <stdio.h>

#define BASE 0x00400000   /* image base of the target, read from its PE header */
#define SIZE 0x259000     /* SizeOfImage of the target, read from its PE header */

#define ProcessName "Themida.exe"

/* Globals and helper the hook relies on; GetProcessNamePid() is the
   name-to-PID lookup shipped with the attached sources (body not shown here) */
HHOOK g_hKeyHook = NULL;
DWORD g_dwThreadID = 0;
DWORD g_dwProcessId = 0;
DWORD GetProcessNamePid(const char *name);

LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
  FILE *fp;
  /* bits 30/31 of lParam are set on key release, so this fires once per keystroke */
  if ((nCode == HC_ACTION) && ((lParam & 0xC0000000) != 0)) {
    /* The original wrote "g_dwThreadID = ::GetCurrentProcessId() != (...)", which,
       by C precedence, stores the comparison result rather than the PID */
    g_dwThreadID = GetCurrentProcessId();
    g_dwProcessId = GetProcessNamePid(ProcessName);
    if (g_dwThreadID != g_dwProcessId) {
      /* not inside the target process: pass the event on unchanged */
      return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam);
    } else {
      switch (wParam) {
      case VK_F10:
        MessageBox(NULL, "SUCCESS", "OK", MB_OK);
        /* "wb" overwrites an earlier dump; "a+b" would append a second image to it */
        fp = fopen("c:\\Dump.exe", "wb");
        if (fp != NULL) {
          fwrite((const void *)BASE, SIZE, 1, fp);
          fclose(fp);
        }
        break;
      default:
        break;
      }
    }
  }
  return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam);
}

and another good tool for dumping xpr/Themida, source code included

xDREAM 04-21-2005 15:13

Do you know? Most exe files must dump at OEP or near OEP.

dyn!o 04-21-2005 17:55

I have been observing Xprotector/Themida noise lately. Someone wants to make a lot of noise but there is no effect. Strange tools have appeared in the last months, but they do not work and there is no description/feature of virtual code recovery. If there are working tools then I understand someone managed to unpack Themida. May I ask where it is?

Dumpers? For what? You can dump each Themida executable in a few minutes, without any special tools, at any moment you want (including the Themida decryptor stage). So what? It is ~10% of the work. How will you deal with memory block checksums and virtual instructions?

I wonder what is the point of releasing such tools. So far I see chaos only.
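The "memory blocks checksum" obstacle mentioned above is the one part of this that a defender can show in a few lines. The following is an added example written for this page, not code from the thread or from Themida, and it makes assumptions: the "code" being protected is a constructed byte array, the checksum is plain CRC-32 (the thread does not say what the protector actually uses), and the block layout is invented. It shows why a raw dump that has been patched (here, a single 0xCC written into one block) fails the check that a protector runs at runtime, which is the reason a dump alone gets you only part of the way.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the thread): a protector-style integrity check over
   fixed-size memory blocks.  g_code is a constructed stand-in for a section of
   the protected image; a real protector would checksum its own code pages. */

#define BLOCK_SIZE 16
#define NUM_BLOCKS 4

/* Standard CRC-32 (IEEE 802.3, reflected, poly 0xEDB88320), bitwise, no table. */
uint32_t crc32_buf(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed "code" region: NUM_BLOCKS blocks of BLOCK_SIZE bytes each. */
uint8_t  g_code[BLOCK_SIZE * NUM_BLOCKS];
uint32_t g_expected[NUM_BLOCKS];

/* Fill the region with arbitrary, deterministic bytes (constructed sample data). */
void fill_code(void)
{
    for (size_t i = 0; i < sizeof g_code; i++)
        g_code[i] = (uint8_t)(0x90 + (i * 7) % 0x60);
}

/* Protector side, done once at build time: record one checksum per block. */
void seal_blocks(void)
{
    for (int b = 0; b < NUM_BLOCKS; b++)
        g_expected[b] = crc32_buf(g_code + b * BLOCK_SIZE, BLOCK_SIZE);
}

/* Runtime side: return the index of the first block that no longer matches,
   or -1 when every block still checks out. */
int verify_blocks(void)
{
    for (int b = 0; b < NUM_BLOCKS; b++)
        if (crc32_buf(g_code + b * BLOCK_SIZE, BLOCK_SIZE) != g_expected[b])
            return b;
    return -1;
}

/* Simulate what a dumped-and-edited image looks like: one byte changed. */
void patch_byte(int block, size_t offset, uint8_t value)
{
    g_code[block * BLOCK_SIZE + offset] = value;
}

int main(void)
{
    fill_code();
    seal_blocks();
    printf("clean image:   first bad block = %d\n", verify_blocks());
    patch_byte(2, 5, 0xCC);   /* an INT3 written into block 2 */
    printf("patched image: first bad block = %d\n", verify_blocks());
    return 0;
}
```

The check reports -1 for the untouched region and 2 after the patch. A real protector spreads many such checks through the code and reads the expected values from places that are themselves covered by other checks, which is why fixing a dumped image is far more than repairing the import table.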

baatazu 04-23-2005 17:36

I can see the point. There is a personal debate between the Chinese author of the stripper (who, by the way, afaik, is a registered customer of Xprotector/Themida) and the author of XProtector/Themida. That's how the stripper's author had all the latest registered versions to implement his stripper. If you notice, the latest 1 or 2 versions are not supported. Possibly the author of XProtector/Themida banned him.

Xprotector/Themida is very popular in China, because developers use it to protect mobile applications. They want maximum security to protect their sensitive communication between software + mobiles (you know those SIM and mobile unlocking bring lot of money).

From another point of view, it's a "syd" copy (or attempt, or something). :cool:

