Exetools  

#1
12-16-2019, 03:40
Fyyre
x64 Themida/Winlicense Unpacking

Hello friends,

I successfully unpacked a x64 game binary protected by Winlicense. However there is one problem. If I restart my system or send the file to another, it stops working (crashes on the same address).

It has been some time since I have work with Themida... could some one kindly nudge me in the right direction?

Edit: I forgot to mention, I am doing this under Windows 10 x64 10.0.18363.535 with x64dbg

Ever so grateful,

-Fyyre
__________________
-Fyyre

--
https://github.com/Fyyre
https://twitter.com/Fyyre

#2
12-16-2019, 14:57
user1
If I remember correctly, unpacked VMP had such a problem related to CPUID, if I'm correct about that.
#3
12-16-2019, 17:15
deepzero
Well, he says it also happens after a reboot...
But similarly, it's probably that imports are not properly reconstructed. Meaning the address of imported APIs is hardcoded to a specific address in your dump and not in the IAT. This address changes with each reboot thanks to ASLR.

To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crash site is probably hard because you don't know what the addresses pointed to back when you first unpacked it.
#4
12-16-2019, 19:50
Conquest
Themida and VMP apply artifact-based detection. Consider searching for Themida anti-dump documents for the details.
#5
12-17-2019, 01:44
Fyyre
Quote:
Originally Posted by deepzero
Well, he says it also happens after a reboot...
But similarly, it's probably that imports are not properly reconstructed. Meaning the address of imported APIs is hardcoded to a specific address in your dump and not in the IAT. This address changes with each reboot thanks to ASLR.

To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crash site is probably hard because you don't know what the addresses pointed to back when you first unpacked it.
Hi deepzero,

I agree ASLR is the only reasonable answer here. The IAT is fine, it is not loading at a different address... the trouble I am seeing is arising from the combined code+data section of Themida/WL. In this situation, our crash location is like:

Code:
mov rax, [r8+rdx*8]
or something like this. I will focus on ASLR, as the exe has /TSAWARE set, which controls ASLR, afaik.

Quote:
Originally Posted by Conquest
Themida and VMP apply artifact-based detection. Consider searching for Themida anti-dump documents for the details.
This has nothing to do with my situation.
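Added example, written for this thread and not code from any of the posters, from x64dbg or from the protector: a small Python script that does the two checks deepzero's reply and Fyyre's follow-up above hinge on. First it reads the DllCharacteristics word of a PE32+ optional header, so you can see which bits the loader actually consults when deciding whether to relocate an image (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is 0x0040 and HIGH_ENTROPY_VA is 0x0020; TERMINAL_SERVER_AWARE is a separate bit, 0x8000). Second, it scans the raw bytes of a dumped section for 8-byte values that fall inside a loaded module's address range, which is what a hardcoded import or an absolute pointer left behind by the protector looks like in a dump, and what will dangle as soon as ASLR gives that module a new base after a reboot. The PE header, the module bases (made-up 0x7FFB... values, not from any real machine) and the section bytes are all constructed inside the script, and `build_fake_pe`, `parse_dll_characteristics`, `find_absolute_pointers` and `analyse_sample` are names chosen here.

```python
import struct

# PE optional-header DllCharacteristics bits (values from the PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000

PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # offset inside the optional header (same for PE32 and PE32+)


def build_fake_pe(dll_characteristics: int, image_base: int = 0x140000000) -> bytes:
    """Constructed PE32+ header stub (not a real binary): DOS header with e_lfanew,
    the PE signature, a COFF header and a 240-byte optional header carrying the
    requested DllCharacteristics and ImageBase."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, 1 section, SizeOfOptionalHeader=240, Characteristics=EXE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


def parse_dll_characteristics(pe: bytes) -> dict:
    """Return the DllCharacteristics word of a PE32+ image plus the ASLR-relevant bits."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic != PE32PLUS_MAGIC:
        raise ValueError("expected PE32+ optional header, got magic 0x%X" % magic)
    flags = struct.unpack_from("<H", pe, opt + DLLCHARACTERISTICS_OFFSET)[0]
    return {
        "image_base": struct.unpack_from("<Q", pe, opt + 24)[0],
        "dll_characteristics": flags,
        # Only DYNAMIC_BASE makes the loader relocate the image; HIGH_ENTROPY_VA
        # widens the randomisation on x64 when DYNAMIC_BASE is also set.
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "terminal_server_aware": bool(flags & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE),
    }


def find_absolute_pointers(data: bytes, ranges: dict, stride: int = 1) -> list:
    """Scan raw bytes for 8-byte little-endian values inside any module range.

    ranges maps a module name to (base, size) as recorded when the dump was
    taken. Returns (offset, value, module) tuples: each is a candidate absolute
    address that stops being valid once ASLR moves that module."""
    hits = []
    for off in range(0, len(data) - 7, stride):
        val = struct.unpack_from("<Q", data, off)[0]
        for name, (base, size) in ranges.items():
            if base <= val < base + size:
                hits.append((off, val, name))
                break
    return hits


# Constructed module map: made-up bases, not from any real machine.
MODULES = {
    "kernel32.dll": (0x00007FFB12340000, 0x000C0000),
    "ntdll.dll":    (0x00007FFB13500000, 0x001F0000),
}

# Constructed section bytes: a "mov rax, imm64 / call rax" pair whose immediate
# is a kernel32 address, a raw ntdll pointer in a data-like run, and an
# IAT-style "call qword ptr [rip+0x1000]" that must not be flagged.
SAMPLE_SECTION = (
    b"\x00" * 16
    + b"\x48\xB8" + struct.pack("<Q", MODULES["kernel32.dll"][0] + 0x1A2B0)
    + b"\xFF\xD0"
    + b"\x00" * 16
    + struct.pack("<Q", MODULES["ntdll.dll"][0] + 0x2F00)
    + b"\xFF\x15\x00\x10\x00\x00"
    + b"\x00" * 8
)


def analyse_sample() -> dict:
    """Run both checks on the constructed inputs."""
    header = parse_dll_characteristics(build_fake_pe(0x8160))  # DYNAMIC_BASE|HIGH_ENTROPY|NX|TSAWARE
    return {"header": header, "pointers": find_absolute_pointers(SAMPLE_SECTION, MODULES)}


if __name__ == "__main__":
    result = analyse_sample()
    print("DllCharacteristics: 0x%04X" % result["header"]["dll_characteristics"])
    for key in ("dynamic_base", "high_entropy_va", "terminal_server_aware"):
        print("  %-22s %s" % (key, result["header"][key]))
    for off, val, mod in result["pointers"]:
        print("offset 0x%04X -> 0x%016X (%s)" % (off, val, mod))
```

On a real dump you would read the section bytes from the file and fill `MODULES` from the debugger's module list at the moment the dump was taken. A hit on a `mov rax, imm64` immediately followed by `call rax` is exactly the hardcoded-import pattern deepzero describes, while a `call qword ptr [rip+disp32]` through the IAT produces no hit. A `stride` of 8 restricts the scan to aligned pointer tables in data, which is the right setting when the suspect region is the protector's combined code+data section rather than instruction immediates.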
#6
12-19-2019, 18:05
adastmin
I can help with that. Perhaps we are both trying the same file. https://prnt.sc/qczcbs
#7
01-03-2020, 14:52
MrScotc
Keep an eye on rbp (v2) and rdi (v3) before it goes into the Themida section.
Themida tries to use a static constant, which someone called the "align number", to locate its data.
#8
01-03-2020, 20:48
Fyyre
Quote:
Originally Posted by adastmin
I can help with that. Perhaps we are both trying the same file. https://prnt.sc/qczcbs
Your screenshot shows far too little information to be useful.

Nor am I interested in anything from you or your son of a bitch friend.

P.S.

And if you are inside of NCSoft? Congratulations, and do not attempt to contact me again.
All times are GMT +8. The time now is 03:55.