#1
x64 Themida/Winlicense Unpacking
Hello friends,
I successfully unpacked an x64 game binary protected by Winlicense. However there is one problem. If I restart my system or send the file to another, it stops working (crashes on the same address). It has been some time since I have worked with Themida... could someone kindly nudge me in the right direction?
Edit: I forgot to mention, I am doing this under Windows 10 x64 10.0.18363.535 with x64dbg.
Ever so grateful,
-Fyyre
__________________
Best Wishes, Fyyre -- https://github.com/Fyyre
Last edited by Fyyre; 12-16-2019 at 03:46.
The Following User Says Thank You to Fyyre For This Useful Post: Reaper (04-17-2021)
#2
If I remember correctly, in unpacked VMP there was such a problem, CPUID related, if I'm correct about that.
The Following User Says Thank You to user1 For This Useful Post: niculaita (12-17-2019)
#3
Well, he says it also happens after a reboot...
But similarly, it's probably that imports are not properly reconstructed. Meaning the address of imported APIs is hardcoded to a specific address in your dump and not in the IAT. This address changes with each reboot thanks to ASLR. To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crash site is probably hard because you don't know what the addresses pointed to back when you first unpacked it.
The Following 2 Users Say Thank You to deepzero For This Useful Post: niculaita (12-17-2019), tekwizz123 (01-23-2020)
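An added example, not part of any post in this thread: one way to check a dump for the condition post #3 describes, absolute API addresses stored outside the IAT, and to show why they go stale after a reboot. The section bytes, IAT range and module ranges below are constructed sample values; in practice the module ranges would be noted from the debugger's memory map at dump time.

```python
import struct

def find_stray_api_pointers(section, section_va, iat_range, modules, step=8):
    """Return (va, target, module) for every qword in `section` that points
    into a system module but is stored outside the IAT."""
    hits = []
    for off in range(0, len(section) - 7, step):
        (value,) = struct.unpack_from("<Q", section, off)
        va = section_va + off
        if iat_range[0] <= va < iat_range[1]:
            continue  # IAT slots are re-resolved by the loader on every start
        for name, (lo, hi) in modules.items():
            if lo <= value < hi:
                hits.append((va, value, name))
                break
    return hits

def stale_pointers(hits, modules_now):
    """Return the hits whose target no longer lies inside the same module,
    i.e. pointers that were only valid for the boot the dump was made in."""
    stale = []
    for va, value, name in hits:
        lo, hi = modules_now.get(name, (0, 0))
        if not (lo <= value < hi):
            stale.append((va, value, name))
    return stale

# --- constructed sample data (hypothetical addresses) ---
SECTION_VA = 0x140010000
IAT_RANGE = (0x140010000, 0x140010010)           # two legitimate IAT slots
MODULES_AT_DUMP = {"kernel32.dll": (0x7FFB1A2C0000, 0x7FFB1A37E000)}
MODULES_AFTER_REBOOT = {"kernel32.dll": (0x7FF9C4510000, 0x7FF9C45CE000)}
SECTION = struct.pack(
    "<6Q",
    0x7FFB1A2D1230,  # IAT slot: ignored, the loader rewrites it
    0x7FFB1A2D4560,  # IAT slot: ignored
    0x140001000,     # pointer into the image itself: not an API address
    0x7FFB1A2D5A10,  # API address baked into data outside the IAT
    0,
    0x2A,
)

if __name__ == "__main__":
    found = find_stray_api_pointers(SECTION, SECTION_VA, IAT_RANGE, MODULES_AT_DUMP)
    for va, value, name in stale_pointers(found, MODULES_AFTER_REBOOT):
        print(f"{va:#x}: {value:#x} pointed into {name} at dump time, stale now")
```

Passing `step=1` also catches addresses embedded as unaligned immediates in code, at the cost of more false positives.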
#4
Themida and VMP apply artifact-based detection. Consider searching for Themida antidump documents for the details.
#5
Quote:
I agree ASLR is the only reasonable answer here. The IAT is fine, it is not loading at a different address... the trouble I am seeing is arising from the combined code+data section of Themida/WL. In this situation, our crash location is like..
Code:
mov rax, [r8+rdx*8]
This has nothing to do with my situation.
__________________
Best Wishes, Fyyre -- https://github.com/Fyyre
#6
I can help with that. Perhaps we are both trying the same file. https://prnt.sc/qczcbs
The Following User Says Thank You to adastmin For This Useful Post: niculaita (12-21-2019)
#7
Keep an eye on rbp (v2) and rdi (v3) before it goes into the Themida section.
Themida tries to use a static constant, which someone called the align number, to locate its data.
The Following User Says Thank You to MrScotc For This Useful Post: niculaita (01-03-2020)
#8
Quote:
Nor am I interested in anything from you or your son of a bitch friend. P.S. And if you are inside of NCSoft? Congratulations, and do not attempt to contact me again.