x64 Themida/Winlicense Unpacking

[deepzero]

Well he says it also happens after a reboot...
But similarly, it's probably Imports are not properly reconstructed. Meaning the address of imported APIs is hardcoded to a specific address in your dump and not in the IAT. This address changes with each reboot thanks to ASLR.


To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crashsite is probably hard because you dont know what the addresses pointed to back when you first unpacked it.

[Fyyre]

Quote:

Originally Posted by deepzero

Well he says it also happens after a reboot...
But similarly, it's probably Imports are not properly reconstructed. Meaning the address of imported APIs is hardcoded to a specific address in your dump and not in the IAT. This address changes with each reboot thanks to ASLR.


To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crashsite is probably hard because you dont know what the addresses pointed to back when you first unpacked it.

Hi deepzero,

I agree ASLR is the only reasonable answer here. The IAT is fine, it is not loading at a different address... the trouble I am seeing is arrising from the combined code+data section of Theminda/WL. In this situation, our crash location is like..

Code:

mov rax, [r8+rdx*8]

or something like this. I will focus on ASLR, as the exe as /TSAWARE set, which controls ASLR, afaik.

Quote:

Originally Posted by Conquest

Themida and vmp applies artifact based detection. consider searching for themida antidump documents about the details

This has nothing to do with my situation.