#1
Themida Attack
Hi,
I'm a PE-crypter lover and I really like checking all the new protections around. I recently unpacked SDProtector, ACProtect, some Armadillo versions and so on. Now I'm on an old friend called 'Themida'. Why do I say an old friend? Well, as you all probably know, Themida is the evolution of Xprotector.

I downloaded Themida from hxxp://www.oreans.com/ today and started to check it. Themida uses a ring0 .sys (Oreans.sys) as Xprotector does (xprotector.sys). All the Xprotector stuff is here, so don't expect an easy dump, rebuild and so on. SICE is killed in real time :P and there is no way to read from process memory.

The first thing to do is study Oreans.sys, so we need to decrypt it and then rewrite a new full-emu Oreans.sys. Well, this is not a joke like other PE-crypters, so if someone wants to join my work maybe we will go a bit faster. We can use this thread to write our progress.

Thanks to all.
Yado of Lockless.

#2
yey! Yado!?
About xprot, we collected some info & the main info is: (xprot is not a joke, but) xprot IS INCORRECT. You can use search; so I'm not playing with incorrectness. Who knows, maybe they are correct in the new version??

Better about your Krypton.. Last year I started unpacking K05, but then I stopped, because there was a bug (K-protected programs crash). Did you correct the bug, and/or is there a new version of Krypton?

#3
Hi,
I'm asking for collaboration to study Themida; all help will be OK, no 'you can use search', I'm able to use search. Yes, they did a lot of work on Themida, and it is a really better PE-crypter than Xprotector.

Well, a lot of time has passed since I released Krypton 0.5, and well, K-execution doesn't 'crash' all programs. Not all work, I know; for example, krypton.exe itself is protected with all the K-execution stuff. Anyway, I've done a lot of work on Krypton after 0.5; I've done a personal 0.6 and a 0.7/0.8 beta. After this one (0.8) I stopped Krypton and rewrote all the code. Now Krypton is called "Krypton GT" and for now it is not public. I rewrote all the K-execution stuff (now I use a full disas. engine and the compatibility is 80/90%) and added a lot of new features. I don't have a release date; it will be released 'when it's done'. For now I use it to crypt my personal software releases.

Yado of Lockless.

#4
hi there yado! nice to know u're still alive...
I already started doing some study on that target, but I'll need to code a tool to help me remove the junk code before continuing... I'm not sure, but I think one of Xprotector's authors used to watch this (or RCE) board, so... I can't guarantee that my participation will be high on this (due to free time), but I'll try.

btw, can't wait for your Krypton.

cya,
coder of Lockless

#5
Yeahh, I'm still alive :P
And is all OK with you? Xprotector's author used to watch this? Well, I want to tell him that I really like his work, and when I think about my PE-crypter I want to make it like his, and he knows that he can't claim that his PE-crypter is really secure if no one has tried to decrypt it.

You can't guarantee your participation? No probs, all help will be OK! And well, for Krypton GT all I can say is that it will be released this year =P

See yaa!
Yado of Lockless

#6
Indeed a nice protector
...Br
Last edited by .:hack3r2k:.; 01-11-2005 at 19:52.

#7
I'm worried about my shitty English.
Themida seems not to be *VERY* different from xprot. Write a DLL for helping, which attaches to the process and dumps the image. Disasm it and find out the OEP, and I believe it's possible :P Hook the first extern call in any way, then we have an image whose data section is not hurt badly, and... and IAT is boring work. A superman, dragon, wrote a tool for them, but I don't know if it can still work.

Is that all? No, SDK IS HADES ON UNPACKING, muhahaha...

I'm worried about my shitty English again.

#8
In this case I prefer trace and learn from it.
Imho, direct unpacking (if we can call it like that), it's always faster / easier. Also since I already started tracing and got me "addicted" to it... Looking forward to seeing some yado reply

#9
Themida 1.0.0.2
Themida [1.0.0.2] (25-Jan-05)
[!] Bug fixed when showing nag screen in protected DLLs with Themida demo version
[!] Bug fixed when showing custom messages for protected DLLs
[!] Added internal option to disable CRC on some protected blocks
[!] Fixed system deadlock in some protected applications when launching them many times per second
[!] Fixed buffer overflow in disassembly screen when macros are too big
[+] Added support for Adobe After Effects plugins
[+] Added support for any Windows kernel names (different from ntoskrnl.exe and ntkrnlpa.exe)
[+] Added support to detect when an imported DLL is not present in the application to protect

#10
BUG is entire Xprot.. can't be fixed.. only discarded..
I will write some text about disabling NT_security by xprot. Will m$ then restrict it!?