Exetools  
#1  Fyyre, 12-16-2019, 03:40
x64 Themida/Winlicense Unpacking

Hello friends,

I successfully unpacked an x64 game binary protected by Winlicense. However, there is one problem. If I restart my system or send the file to another, it stops working (crashes on the same address).

It has been some time since I have worked with Themida... could someone kindly nudge me in the right direction?

Edit: I forgot to mention, I am doing this under Windows 10 x64 10.0.18363.535 with x64dbg.

Ever so grateful,

-Fyyre
__________________
Best Wishes,

Fyyre

--

https://github.com/Fyyre

Last edited by Fyyre; 12-16-2019 at 03:46.
#2  user1, 12-16-2019, 14:57
If I remember correctly, unpacked VMP had such a problem, related to CPUID, if I'm correct about that.
#3  deepzero, 12-16-2019, 17:15
Well, he says it also happens after a reboot...
But similarly, it's probably that imports are not properly reconstructed. Meaning the address of imported APIs is hardcoded to a specific address in your dump and not in the IAT. This address changes with each reboot thanks to ASLR.

To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crash site is probably hard because you don't know what the addresses pointed to back when you first unpacked it.
#4  Conquest, 12-16-2019, 19:50
Themida and VMP apply artifact-based detection. Consider searching for Themida anti-dump documents for the details.
#5  Fyyre, 12-17-2019, 01:44
Quote:
Originally Posted by deepzero
Well, he says it also happens after a reboot...
But similarly, it's probably that imports are not properly reconstructed. Meaning the address of imported APIs is hardcoded to a specific address in your dump and not in the IAT. This address changes with each reboot thanks to ASLR.

To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crash site is probably hard because you don't know what the addresses pointed to back when you first unpacked it.
Hi deepzero,

I agree ASLR is the only reasonable answer here. The IAT is fine, it is not loading at a different address... the trouble I am seeing is arising from the combined code+data section of Themida/WL. In this situation, our crash location is like...

Code:
mov rax, [r8+rdx*8]
or something like this. I will focus on ASLR, as the exe has /TSAWARE set, which controls ASLR, afaik.

Quote:
Originally Posted by Conquest
Themida and VMP apply artifact-based detection. Consider searching for Themida anti-dump documents for the details.
This has nothing to do with my situation.
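deepzero's suggestion (turn ASLR off, re-dump, reboot) and Fyyre's remark about /TSAWARE both come down to the DllCharacteristics field in the PE optional header: the bit that opts an image into ASLR is DYNAMIC_BASE (0x0040, with HIGH_ENTROPY_VA 0x0020 widening it on x64), while TERMINAL_SERVER_AWARE (0x8000) is what /TSAWARE sets. The Python script below is an added example, not code from anyone in this thread; it reads that field from a PE32 or PE32+ header and reports which bits are set, and the header bytes it runs against are constructed inline rather than taken from any real binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h (only the ones relevant here)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",        # 64-bit ASLR entropy
    0x0040: "DYNAMIC_BASE",           # image may be relocated: ASLR opt-in
    0x0100: "NX_COMPAT",              # DEP compatible
    0x8000: "TERMINAL_SERVER_AWARE",  # the /TSAWARE linker flag
}

def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE32/PE32+ image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # PE32+ drops BaseOfData (4 bytes) but widens ImageBase (+4), so the
    # field sits at optional-header offset 70 in both formats.
    return struct.unpack_from("<H", data, opt + 70)[0]

def aslr_report(data: bytes) -> dict:
    """Decode the flags and say whether the loader may rebase this image."""
    flags = dll_characteristics(data)
    names = {name for bit, name in DLL_CHARACTERISTICS.items() if flags & bit}
    return {"flags": flags, "set": names, "aslr": "DYNAMIC_BASE" in names}

def build_test_image(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal DOS+PE header for testing; not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after stub
    opt_size = 0xF0 if pe32plus else 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                           1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    # typical modern x64 exe: HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | TSAWARE
    print(aslr_report(build_test_image(0x8160)))
```

If the report shows DYNAMIC_BASE set, the process base (and so any absolute address baked into a dump) will move between boots; /TSAWARE on its own has no effect on that.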
#6  adastmin, 12-19-2019, 18:05
I can help with that. Perhaps we are both trying the same file. https://prnt.sc/qczcbs
#7  MrScotc, 01-03-2020, 14:52
Keep an eye on rbp (v2) and rdi (v3) before it goes into the Themida section.
Themida tries to use a static constant, which someone called the align number, to locate its data.
#8  Fyyre, 01-03-2020, 20:48
Quote:
Originally Posted by adastmin
I can help with that. Perhaps we are both trying the same file. https://prnt.sc/qczcbs
Your screenshot shows far too little information to be useful.

Nor am I interested in anything from you or your son of a bitch friend.

P.S.

And if you are inside of NCSoft? Congratulations, and do not attempt to contact me again.
All times are GMT +8. The time now is 17:56.