Exetools > General Discussion

#1  04-21-2005, 14:27
pll823
10 lines of code dumped Themida

Here is the XprotStripper core code by kernelkiller:
Code:
#include <windows.h>
#include <stdio.h>

#define BASE 0x00400000
#define SIZE 0x259000

#define ProcessName "Themida.exe"

/* Defined elsewhere in the original source: the hook handle returned by
   SetWindowsHookEx, two scratch globals, and a helper that looks up a
   process id by image name. */
extern HHOOK g_hKeyHook;
extern DWORD g_dwThreadID;
extern DWORD g_dwProcessId;
DWORD GetProcessNamePid(const char *name);

LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
  FILE *fp;
  /* Bits 30/31 of lParam: only react to key-up (or repeat) events. */
  if ((nCode == HC_ACTION) && ((lParam & 0xC0000000) != 0)) {
    g_dwThreadID = GetCurrentProcessId();
    g_dwProcessId = GetProcessNamePid(ProcessName);
    /* The original wrote "g_dwThreadID=::GetCurrentProcessId() != (...)",
       which assigns the comparison result; the two steps are split here. */
    if (g_dwThreadID != g_dwProcessId) {
      /* Not running inside the target process: pass the key along. */
      return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam);
    } else {
      switch (wParam) {
      case VK_F10:
        MessageBox(NULL, "SUCCESS", "OK", MB_OK);
        /* "wb" instead of "a+b": a second F10 would otherwise append a
           second image to the same file. */
        fp = fopen("c:\\Dump.exe", "wb");
        if (fp != NULL) {
          /* Write the region BASE..BASE+SIZE of this process to disk. */
          fwrite((const void *)BASE, SIZE, 1, fp);
          fclose(fp);
        }
        break;
      default:
        break;
      }
    }
  }
  return CallNextHookEx(g_hKeyHook, nCode, wParam, lParam);
}
and another good tool for dumping Xprotector/Themida, source code included.
Attached images: inject.jpg
Attached files: Adump.rar, dllinject.rar

#2  04-21-2005, 15:13
xDREAM
Did you know? Most exe files must be dumped at OEP or near OEP.

#3  04-21-2005, 17:55
dyn!o
I have been observing Xprotector/Themida noise lately. Someone wants to make a lot of noise, but there is no effect. Strange tools appeared in recent months, but they do not work and there is no description/feature of virtual code recovery. If there are working tools, then I understand someone managed to unpack Themida. May I ask where it is?

Dumpers? For what? You can dump each Themida executable in a few minutes, without any special tools, at any moment you want (including the Themida decryptor stage). So what? It is ~10% of the work. How will you deal with memory block checksums and virtual instructions?

I wonder what is the point of releasing such tools. So far I see chaos only.

#4  04-23-2005, 17:36
baatazu
I can see the point. There is a personal debate between the Chinese author of the stripper (who, by the way, afaik, is a registered customer of Xprotector/Themida) and the author of XProtector/Themida. That's how the stripper's author had all the latest registered versions to implement his stripper. If you notice, the latest 1 or 2 versions are not supported. Possibly the author of XProtector/Themida banned him.

Xprotector/Themida is very popular in China, because developers use it to protect mobile applications. They want maximum security to protect the sensitive communication between their software and the mobiles (you know, SIM and mobile unlocking bring in a lot of money).

From another point of view, it's a "syd" copy (or attempt, or something).
All times are GMT +8. The time now is 22:54.