Themida Attack

Quote:

Originally Posted by doug

It uses it to do synchronization (ex: wait until some dword in driver = 1) - probably due to the multi-threaded nature of the protection.
I'm not sure if this is still done, but the xprot driver used to give read/write access on the IDT as well; so the user-mode application was able to dynamically change the int1/int3 descriptors.

This new "version" might use a less primitive method, an Event created
by the client, named "XprotEvent".

About the access on the IDT, well it already has read write flags (the
page, at least on my puter) so it just (at least until what I've traced)
changes the super-visor flag to user-mode flag to the reasons we already know.

I havent much time to continue the study... maybe soon

[dyn!o]

"how the hell do they detect vmware"

They don't detect it. It is XProtector bug.

By the way: what for the protection should detect VMWare or VirtualPC? For reverser it gives nothing. If you mean no page access (like XProtector feature) for dumping the memory then it still gives you nothing. Why? Because if you are not able to make a dump of non readable protected memory then virtual like environments will not help you to perform further reversing operations needed to rebuild / analyse the protection.

Regards.

[deXep]

I'm worried about my shitty english.

themida seems that not be *VERY* different from xprot

write a dll for helping, which attach the process and dump the image.

disasm it and find out the OEP,and I believe it's possbile:P

Hook the first extern call in any way, than we have a image which data section is not hurt badly, and...and IAT is a boring work. a superman , dragon, wrote a tools for them, but I don't know if it can still work.

is that all? No, SDK IS HADES ON UNPACKING, muhahaha...

I'm worried about my shitty english again.

In this case I prefer trace and learn from it.
Imho, direct unpacking (if we can call it like that), its always faster / easier.
Also since I already started tracing and got me "addicted" to it...

Looking forward to see some yado reply

I think that XProtector - Themida was attack resistant for 2 years + !
This means that it is a very professional application...
Of course it needs some more development but ...heyyy guys,
it is an excellent work !

I am not from the XProtector Development team but i can give
a great BRAVO to joung and talented programmers!
I've tested every EXE Protector that has appeared on the NET.
Only XProtector was attack resistant for a long period of time.

Hi ,
well i'm looking at themida only to learn , not simple for destroy the rafael
work.I think it's a great work , and themida it's a really good stuff to revers.
I think (but it's a my idea) that a ring0 commercial pe-crypter it's not a good think.No ring0 must be used under a protection , and as we can see ,the os developers are trying to deny this sort of activity (see windows 64).The future is not for ring0 protection but for intelligent protection like the VMProtect that use code emulators.

But , hey for a revers study themida is a really good target.I see that some guy already unpack it (not a full working unpack it crash on load exe ) this is good.
I'll continue to write my tools for themida attack.

nothing good i see in xprot.
it is HARD only because of INCORRECT things it does.

[gunterg]

Themida [1.0.0.2] (25-Jan-05)
[!]
Bug fixed when showing nag screen in protected DLLs with Themida demo version

[!]
Bug fixed when showing custom messages for protected DLLs

[!]
Added internal option to disable CRC on some protected blocks

[!]
Fixed system deadlock in some protected applications when launching them many times per second

[!]
Fixed buffer overflow in disassembly screen when macros are too big

[+]
Added support for Adobe After Effects plugins

[+]
Added support for any Windows kernel names (different from ntoskrnl.exe and ntkrnlpa.exe)

[+]
Added support to detect when an imported DLL is not present in the application to protect

BUG is entire Xprot.. can't by fixed.. only discarded..
i will write some text about disabling NT_security by xprot.
Will then m$ restrict it!?