Exetools


bLACK oUT 05-04-2004 06:30

Thinstall unpacking
 
Hi all,

Are there any tutorials or other information about unpacking a Thinstall-packed program out there?

Thanks in advance.

bLACK oUT

SvensK 05-04-2004 06:35

You have a target I can try?

bLACK oUT 05-04-2004 06:42

Hi SvensK,

I want to reverse Reason 2.5 from Propellerhead, sorry, don't have a smaller target.

I know the packer works only when connected to the internet and uses elliptical-curve algo and other funny stuff.

peleon 05-09-2004 17:27

I haven't had a deep look at Thinstall internally....but my few tests tell me that it leaves the EXE almost untouched when decrypted, so you can make a dump (by regions) and construct the original EXE without suffering much ;)

It's true that they use a local file system inside the EXE and that makes .NET applications run without problems after protecting (no mangling any structures)...but, well, I think this is another story.... ;)

bLACK oUT 05-11-2004 04:22

Thanks a lot peleon. :)

N0P 05-21-2004 05:33

Quote:

Originally Posted by bLACK oUT
Hi SvensK,

I want to reverse Reason 2.5 from Propellerhead, sorry, don't have a smaller target.

I know the packer works only when connected to the internet and uses elliptical-curve algo and other funny stuff.

I have unpacked the Reason 2.5 demo with no problem >> dump and fix some imports > is there any difference between the demo and full version?

Sorry 4 my bad English, I am only human :cool:

MANtiCORE 06-09-2004 01:36

So ... and what about several exe's and dll's? How to dump them? ... I try to unpack Thinstall.exe and get only the first .exe file :confused:

N0P 07-18-2004 02:46

Quote:

Originally Posted by MANtiCORE
So ... and what about several exe's and dll's? How to dump them? ... I try to unpack Thinstall.exe and get only the first .exe file :confused:

Thinstall creates a virtual filesystem and hooks some functions such as CreateFile, ReadFile ... you could BPX on them and dump ...

Lunar_Dust 07-21-2004 05:08

I also unpacked Reason demo, really all you have to do is look thru memory, every file needed is unpacked in memory. PE Files start with "MZ", just keep looking for PE headers, and when you find one, get the PE size, and then select the whole memory block that you need. Then dump it using LordPE. The filename will usually be contained inside the particular EXE / DLL you are dumping as well, so you can name it correctly.

So with Olly or SoftICE (SoftICE might be easier) you can just scroll up thru memory of the Reason process and see each separate EXE/DLL and dump them one at a time.

-Lunar
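
The header walk described in the post above ("MZ", then the PE header, then the PE size), as an added example that is not part of the original thread: a Python sketch of the same check as used when triaging a memory dump of a packed sample, rejecting stray "MZ" bytes and reading SizeOfImage for each mapped module. The function names and the header-only sample buffer are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header

def find_pe_images(buf):
    """Return (offset, SizeOfImage, is_dll) for each valid PE header in buf."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        hit = parse_pe_header(buf, pos)
        if hit:
            found.append((pos,) + hit)
        pos = buf.find(b"MZ", pos + 2)
    return found

def parse_pe_header(buf, base):
    """Validate the DOS and NT headers at base; None means a stray 'MZ'."""
    if base + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
    nt = base + e_lfanew
    if nt + 24 + 60 > len(buf) or buf[nt:nt + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; its last two fields are
    # SizeOfOptionalHeader and Characteristics.
    opt_size, characteristics = struct.unpack_from("<HH", buf, nt + 20)
    (magic,) = struct.unpack_from("<H", buf, nt + 24)
    if magic not in (0x10B, 0x20B) or opt_size < 60:  # PE32 / PE32+
        return None
    # SizeOfImage sits at offset 56 of the optional header in both formats.
    (size_of_image,) = struct.unpack_from("<I", buf, nt + 24 + 56)
    return size_of_image, bool(characteristics & IMAGE_FILE_DLL)

def sample_pe(size_of_image, dll=False):
    """Constructed test data: a header-only PE32 stub, not a runnable image."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0,
                       0x0102 | (IMAGE_FILE_DLL if dll else 0))
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 56, size_of_image)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed dump: one EXE stub, one stray "MZ", one DLL stub.
SAMPLE_DUMP = (bytes(0x100) + sample_pe(0x5000) + bytes(0x200)
               + b"MZ not a header" + bytes(0x80) + sample_pe(0x3000, dll=True))

if __name__ == "__main__":
    for off, size, is_dll in find_pe_images(SAMPLE_DUMP):
        print(f"{off:#x}: SizeOfImage={size:#x} {'DLL' if is_dll else 'EXE'}")
```

SizeOfImage is the span of the module as mapped in memory, which is why it, rather than the on-disk file size, bounds the region belonging to each header.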

