#1
10 lines of code dumped Themida
Here is the XprotStripper core code by kernelkiller:
Code:
#include <windows.h>
#include <stdio.h>

#define BASE 0x00400000
#define SIZE 0x259000
#define ProcessName "Themida.exe"

/* Globals and the PID-lookup helper are used by the snippet but not shown in the post. */
extern HHOOK g_hKeyHook;
extern DWORD g_dwThreadID;
extern DWORD g_dwProcessId;
DWORD GetProcessNamePid(const char *name);

/* Keyboard hook: on an F10 key transition inside the target process, write the
   BASE..BASE+SIZE region of the image to c:\Dump.exe. */
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    FILE *fp;
    /* bit 31 of lParam = key transition state, bit 30 = previous key state */
    if ((nCode == HC_ACTION) && ((lParam & 0xC0000000) != 0)) {
        /* As written, C precedence puts the comparison result in g_dwThreadID and the
           target PID in g_dwProcessId; the condition tested is "current PID != target PID",
           so every other process just passes the hook on. */
        if (g_dwThreadID = ::GetCurrentProcessId() != (g_dwProcessId = GetProcessNamePid(ProcessName))) {
            return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam);
        } else {
            switch (wParam) {
            case VK_F10:
                MessageBox(NULL, "SUCCESS", "OK", MB_OK);
                fp = fopen("c:\\Dump.exe", "a+b");   /* append mode: repeated dumps are concatenated */
                fwrite((const void *)BASE, SIZE, 1, fp);
                fclose(fp);
                break;
            default:
                break;
            }
        }
    }
    return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam);
}
Last edited by pll823; 04-21-2005 at 14:36.
#2
Do you know? Most exe files must dump at OEP or near OEP.
#3
I have been observing Xprotector/Themida noise lately. Someone wants to make a lot of noise, but there is no effect. Strange tools appeared in the last months, but they do not work, and there is no description/feature of virtual code recovery. If there are working tools, then I understand someone managed to unpack Themida. May I ask where it is?
Dumpers? For what? You can dump each Themida executable in a few minutes, without any special tools, at any moment you want (including the Themida decryptor stage). So what? It is ~10% of the work. How will you deal with memory block checksums and virtual instructions? I wonder what the point of releasing such tools is. So far I see chaos only.
Last edited by dyn!o; 04-21-2005 at 17:58.
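The "memory blocks checksum" that post #3 says a plain dump does not get past is an in-process integrity self-check: the protector records a checksum of a code block at protection time and re-verifies it while the program runs, so a dump that has been modified and re-run fails the check. The following is an added illustration of that mechanism, not code from the thread and not Themida's own implementation; the function names (fnv1a32, block_verify, demo_tamper_detected) and the sample byte block are constructed for the example.

```c
/* Added example: a minimal block-integrity self-check of the kind a protector
 * applies to its own code ranges. Not from the thread; names and data are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit FNV-1a hash over an arbitrary byte range (the checksum primitive). */
uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 if the block still matches the reference checksum, 0 if it was modified. */
int block_verify(const uint8_t *block, size_t n, uint32_t expected) {
    return fnv1a32(block, n) == expected;
}

/* Constructed stand-in for a protected code block; not real, meaningful instructions. */
static const uint8_t sample_block[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x33, 0xC0, 0xC9, 0xC3
};

/* Shows the check in action: the untouched block passes, a copy with one byte
 * changed fails. Returns 1 when both outcomes are as expected. */
int demo_tamper_detected(void) {
    uint32_t ref = fnv1a32(sample_block, sizeof sample_block);   /* recorded at "protect" time */
    uint8_t patched[sizeof sample_block];
    memcpy(patched, sample_block, sizeof patched);
    patched[7] ^= 0x01;                                         /* simulate a one-byte modification */
    int intact   = block_verify(sample_block, sizeof sample_block, ref);
    int tampered = !block_verify(patched, sizeof patched, ref);
    return intact && tampered;
}

int main(void) {
    printf("integrity check catches the modification: %s\n",
           demo_tamper_detected() ? "yes" : "no");
    return 0;
}
```

In a real protector the reference value is computed over the decrypted code as it sits in memory and the check runs repeatedly from several places, which is why dyn!o counts the dump itself as only a small part of the work.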
#4
I can see the point. There is a personal debate between the Chinese author of the stripper (who, by the way, afaik, is a registered customer of Xprotector/Themida) and the author of XProtector/Themida. That's how the stripper author had all the latest registered versions to implement his stripper. If you notice, the latest 1 or 2 versions are not supported. Possibly the author of XProtector/Themida banned him.
Xprotector/Themida is very popular in China, because developers use it to protect mobile applications. They want maximum security to protect their sensitive communication between software + mobiles (you know, those SIM and mobile unlocking bring a lot of money). From another point of view, it's a "syd" copy (or attempt, or something).