Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Themida/WinLicence latest version information (https://forum.exetools.com/showthread.php?t=18455)

dummys 10-18-2017 17:59

Themida/WinLicense latest version information
 
Hi guys,

I'm trying to be able to debug an application that runs only on Windows 10 and is packed by Themida. In fact, it's not the main exe file which is packed, it's a dll that seems to add a lot of new sections to the exe. I can attach to it using ScyllaHide, but when running a secure function inside the binary my debugger seems to get trapped and the application crashes. I was trying to launch the application directly from the debugger, but even with all ScyllaHide anti-debug options activated, it seems that Themida still finds that I'm debugging it. I tried to hook NtSetInformationThread using Frida in order to block the ThreadHideFromDebugger flag, without success. I've also tried using API Monitor, with the context switch attach. I'm searching for information about some of the protections that this protector can use. Or if you have an idea how to detect or search which protection it is using. Thanks

ahmadmansoor 10-18-2017 18:59

you have to handle these for sure:
KERNELBASE.dll NtSetInformationProcess
KERNELBASE.dll NtQueryInformationProcess
KERNELBASE.dll NtClose
that should work ....
Windows 10 sucks :( , handling the APIs is not that easy.
try on Windows 8.1 or 7 SP2

dummys 10-18-2017 19:39

the problem is that it doesn't run on Windows 7. msvcr80.dll crashes.
Those APIs should be handled by ScyllaHide. I tested it with ScyllaTest and it's ok.
Do you think that Themida is doing kernel hooks as well?

TechLord 10-19-2017 02:49

Quote:

Originally Posted by ahmadmansoor (Post 110932)
you have to handle these for sure:
...
Windows 10 sucks :( , handling the APIs is not that easy.
try on Windows 8.1 or 7 SP2

Yes, also it seems that in the Creators Update of Win 10 to be released soon, the hooking of system processes/modules will not be allowed ... :(

So we need to come up with newer methods to hook and hide our debugging efforts. Or just keep using the older versions of Windows ...

dummys 10-19-2017 15:00

Jeez, that's crap... What do you do when you have no choice of platform for reversing?

So I was able to see the ring3 hooks with PC_Hunter; it's only ntdll.DbgUiRemoteBreakin. There is no ring0 hook (Oreans driver not loaded). When I restore the ring3 hooks and then attach my debugger it's working. But when starting a "secure" function, the debuggee does nothing.

ahmadmansoor 10-19-2017 21:23

check if there are single step checks; what is the target?

dummys 10-20-2017 14:51

yes, I get some exceptions for single stepping; I always pass them to the debuggee.
It's a legit application. Do you think it's possible to totally remove the Themida protector from the protected DLL? The original software is not packed, it's only the "secure dll" that is packed/protected.

dummys 10-20-2017 21:11

Hey there,

I made some progress. I was able to install the application (after a ton of hacks) on a Windows 7 x64 VM. With x64dbg+ScyllaHide, I get trapped and the debuggee closes. I get an exception with "Illegal_INSTRUCTION". This exception I need to pass to the debuggee, right? I get another exception: "EXCEPTION_PRIV_INSTRUCTION". I also pass it to the application. After this it closes.

sendersu 10-21-2017 01:19

Mr. Exodia recently fixed/updated the hider - ScyllaHide_2017-10-19_18-54.7z
and yes - you need to pass each & every exception into the dbg engine,
think as if there is no debugger at all!
What would happen then? :)

dummys 10-23-2017 16:13

Yes, that's what I do. The problem is that when using shift+F9, my debugger gets trapped and the process exits. Even with ScyllaHide and the Themida x86 profile on. How can I trace to find the tricks it is using to detect me?

sendersu 10-24-2017 00:57

1) What OS are you on?
2) try using a different debugger (Olly/IDA)

dummys 10-26-2017 16:04

x64dbg + ScyllaHide. Tried on Windows 10 x64 and Windows 7.

sendersu 10-27-2017 15:23

Have you already seen the Tm Ultra Unpacker 1.4 script?
e.g.: https://tuts4you.com/download.php?view.3526
I recommend you use W7 (if XP is not possible) for R.E.

dummys 10-30-2017 16:27

Yes, I've already tried. My debugger gets trapped...

SKiLLa 10-30-2017 23:00

Could be the Trap Flag in EFLAGS when you single-step the instruction instead of skipping it. Or the push ss; pop ss; pushf trick...

Another guess would be the SetUnhandledExceptionFilter detection trick. Probably not the best link, but still:

Quote:

_hxxps://evilcodecave.wordpress.com/2008/07/24/setunhandledexception-filter-anti-debug-trick/
All these require some manual skipping/continuing instead of blindly passing the exception to the debuggee....
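To make the Trap Flag check SKiLLa mentions concrete, here is an added example (mine, not code from the thread or from Oreans' products) of the minimal form of that self-check, written for Linux x86-64 so it can be run and observed outside a debugger. The protected code sets TF in EFLAGS; the CPU then raises a single-step trap (#DB) after the very next instruction. With no debugger attached, the process's own SIGTRAP handler receives it; a debugger that single-steps or swallows that trap changes the outcome, which is exactly what such a check keys on and why "pass every exception to the debuggee" is not enough here. Function and variable names are my own; Themida's real implementation is not on the page.

```c
/* Added example (not from the thread): a minimal Trap Flag (TF) self-check
 * of the kind SKiLLa describes, for Linux x86-64. Names are my own. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

static volatile sig_atomic_t g_trap_count = 0;

/* SIGTRAP handler: count the trap and clear TF in the saved context.
 * The kernel clears TF for the handler itself, but sigreturn restores the
 * saved RFLAGS; without this, the instruction after the handler returns
 * would trap again, forever. */
static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    g_trap_count++;
#if defined(__x86_64__)
    ucontext_t *uc = (ucontext_t *)ctx;
    uc->uc_mcontext.gregs[REG_EFL] &= ~0x100L;   /* bit 8 of RFLAGS is TF */
#else
    (void)ctx;
#endif
}

/* Runs the TF check once. Returns 1 if the single-step trap reached our own
 * handler (the "no debugger" outcome), 0 if nothing arrived, and -1 on a
 * non-x86-64 build, where the check does not apply. */
int trap_flag_check(void)
{
#if defined(__x86_64__)
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return 0;

    g_trap_count = 0;
    __asm__ volatile(
        "pushfq\n\t"
        "orq $0x100, (%%rsp)\n\t"   /* set TF in the copy of RFLAGS on the stack */
        "popfq\n\t"                 /* TF is now live; trap fires after the next instruction */
        "nop\n\t"                   /* executes, then #DB -> SIGTRAP to our handler */
        : : : "memory", "cc");

    sigaction(SIGTRAP, &old, NULL);   /* restore the previous handler */
    return g_trap_count > 0 ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    int r = trap_flag_check();
    if (r < 0)
        puts("trap flag check: not x86-64, skipped");
    else
        printf("trap flag check: single-step trap %s our handler\n",
               r ? "reached" : "did not reach");
    return 0;
}
```

Build with `gcc -O1 -o tfcheck tfcheck.c` and run it directly, then run it under gdb and single-step the `nop`: outside the debugger the handler reports the trap, inside it the debugger consumes the single-step exception and the handler never runs. That difference is the signal the protector reads, so when the debugger stops on this kind of trap the analyst has to decide per instruction whether to skip, step over, or hand the exception back, as the post says. The `push ss; pop ss; pushf` variant works on the same flag: `pop ss` inhibits the pending single-step trap for one instruction, so a debugger's TF bit ends up inside the value `pushf` stores, where the code can read it.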

