10-13-2019, 06:27
Sany
unpack Themida/Winlicense 2.x / finding OEP / 64bit

Hello,

I have a 64-bit application that is packed/obfuscated with Themida 2.x (or higher) or Winlicense 2.x or higher...

Now, my problem is that all OllyDbg unpacking scripts for Themida are out, because the application is 64-bit. I've tried the Themida 2.x unpacking tools (UnThemida 2x, 3x from Coldfever), but they end in the anti-debugger sequence and a message box, and the application is terminated. The code for the anti-debugger sequence unpacks itself, and the strings are obfuscated.

Because I can start the application with x64dbg and IDA Pro without anti-debugger detection, I can analyze the application; this takes a while, but the original file is 47 MB big.

Now, after the complete execution of the application, and dumping the application via Scylla (with the fake OEP from Themida, and correct imports without errors; the file checksum is wrong), the application doesn't run without a message... I tried a PE rebuild, but this does not work.

When I start the dumped application in x64dbg or IDA, I get the exception c0000005 for a memory access error. I am not able to find the original OEP of the application... :/

Can anybody give me tips, please, to resolve my problem?