#1
|
|||
|
|||
Themida Attack
Hi,
I'm a pe-crypter Lover and i really like check all new protections around , i recently unpacked SDProtetor , ACprotect , Some Armadillo version and so on.Now i'm on an old friend called 'Themida'.Why i say an old friend , well as all you probably know Themida is the evolution of Xprotector. I've downloaded Themida from hxxp://www.oreans.com/ today and i've started to check. Themida use the ring0 .sys (Oreans.sys) as the Xprotector do (xprotector.sys).All the Xprotector stuff is here so dont expect to easy dump , rebuild and so on.Sice is Realtime Killed :P and no way to read from Process Memory. The First think to do is study the Oreans.sys , so we need to decrypt it and then rewrite a new Full Emu Oreans.sys. Well This is not a joke like others pe-crypters so if someone want to join my work maybe we will go a bit faster. We can use this thread to write our progress. Thanks to all. Yado of Lockless. |
#2
|
|||
|
|||
yey! Yado!?
about xprot we collected some info & main info is: (xport is not joke but) xprot IS INCORRECT. you can use search; so I'm not playing with incorrectness. Who knows, maybe they are correct in new version?? better about your Krypton.. in last year started unpacking K05, but then i stop, bcoz there was bag(K-protected programs crash); Did you corrected bug &or new version of Krypton? |
#3
|
|||
|
|||
Hi,
i ask for a collaboration for study themida , all help will be ok , no 'you can use search' , i'm able to use search. Yes they make a lot of works on themida , and it is a really better pe-crypter than xprotector. Well a lot of time is passed since i release krypton 0.5 , and well K-execution dont 'crash' all programs' not all works i know , for example krypton.exe itself is protected with all k-execution stuff. Anyway i've done a lot of works on krypton after 0.5 , i've done a 0.6 personal and a 0.7/0.8 beta. After this one (0.8) i've stopped krypton and i've Rewrite all code. Now Krypton is Called : "Krypton GT" and for now is not pubblic. I Rewrite all K-execution stuff (now i use a full disas. engine and the compatibility is 80/90 %) and add a lot of new feauture. I've not a Release date , it will be released 'when it's done'. For now i use for crypt my personal software release. Yado of Lockless. |
#4
|
|||
|
|||
hi there yado! nice to know u're still alive...
I already started doing some study on that target but I'll need to code a tool before continue to help me removing the junk code... I'm not sure but I think one of xprotector's author used to watch this (or RCE) boards so... I cant quarantie that my participation will be high on this (due freetime), but I'll try btw, cant wait for your krypton cya, coder of Lockless |
#5
|
|||
|
|||
Yeahh , i'm still alive :P
and with you all ok ? xprotector's author used to watch this ? well i want to say him that i really like his works and when i think to my pe-crypter i want to make like his one, and he know that he can't clain that his pe-crypter is really secure if noone have tryed to decrypt it. You cant quarantie your participation ? no probs , all helps will be ok ! And well for krypton gt all i can say that will released this year =P See yaa ! Yado of Lockless |
#6
|
||||
|
||||
Indeed a nice protector ...
Br Last edited by .:hack3r2k:.; 01-11-2005 at 19:52. |
#7
|
|||
|
|||
I'll contat you no probs , but why no share knowledge with other people ?
Yado Of Lockless. |
#8
|
|||
|
|||
becouse its too precious
|
#9
|
|||
|
|||
hey .:hack3r2k , i've contact you but i got no reply.
Btw , i've finished to add to my sys the anti drx & anti int3 probably in next day i'll be able to run it with sice so i'll start to debug it. When i've the full working .sys i'll post here. Yado of Lockless. |
#10
|
|||
|
|||
Hi, Themida is used in Total Multiserver v1.45 software
cheers. |
#11
|
|||
|
|||
Quote:
message sended to the device (ioctl code = 1800h). It gets some procedures addresses from ntoskrnl: -PsGetCurrentProcessId -IoGetCurrentProcess -Ke386IoSetAccessProcess -ObReferenceObjectByHandle -PsProcessType -Ke386SetIoAccessMap Saves vector 1 and 3 of IDT. Changes the access flags of some blocks of memory allocated at runtime and IDT page from super-visor to user-mode. The ioctl 1800h returns some data in the 50h chars long buffer, including locations of those allocated memory blocks. Besides of other to-study-or-not-facts.... There are other ioctls parsed with id: 1801,1802,1A00. Making some memory shared between the device and the exe is an open door to lotsa things I guess... gotta do more tracing later |
#12
|
|||
|
|||
Quote:
Code:
kd> !descriptor idt 1 ------------------- Interrupt Gate Descriptor -------------------- IDT base = 0x8003F400, Index = 0x01, Descriptor @ 0x8003f408 8003f408 6f ad 08 00 00 8e 4d 80 Segment is present, DPL = 0, System segment, 32-bit descriptor Target code segment selector = 0x0008 (GDT Index = 1, RPL = 0) Target code segment offset = 0x804dad6f [....] kd> g Winlicense driver loaded in memory kd> !descriptor idt 1 ------------------- Interrupt Gate Descriptor -------------------- IDT base = 0x8003F400, Index = 0x01, Descriptor @ 0x8003f408 8003f408 6f ad 08 00 00 ee 4d 80 Segment is present, DPL = 3, System segment, 32-bit descriptor Target code segment selector = 0x0008 (GDT Index = 1, RPL = 0) Target code segment offset = 0x804dad6f and why is there almost no communication between the app and the driver? do they use the driver only for the handling of exceptions that are generated by their usermode code? and how the hell do they detect vmware? (they are not using the 'documented' backdoor IO port) |
#13
|
|||
|
|||
I'm assuming it changes the idt dpl in usermode...
If u have vmware, can u try: mov ax,ds test ax,4 jnz ... And tell me if there's any difference? (in normal NT, bit 100b of ds = 0). I havent traced much after the ioctl 1800, probably later I might be able to answer some of those questions laters EDIT: according to the thread replies I've received on the other thread, it seems to be a 9x\NT detection code... thread link is: hxxp://www.exetools.com/forum/showthread.php?t=6427 Last edited by jemos; 01-17-2005 at 22:23. |
#14
|
|||
|
|||
Hi,Yado!
Can you tell me where your homepage is? |
#15
|
|||
|
|||
Quote:
The driver is used to elevate privileges of the usermode application. After the first IO control calls (jemos correctly identified the key elements in it), the application has full read/write access to the driver's memory. It uses it to do synchronization (ex: wait until some dword in driver = 1) - probably due to the multi-threaded nature of the protection. I'm not sure if this is still done, but the xprot driver used to give read/write access on the IDT as well; so the user-mode application was able to dynamically change the int1/int3 descriptors. Another thing which the usermode application has access to is some privileged instructions; mostly for interrupt handling & direct debug register access, like iretd; mov dr0, eax, ... Quote:
|
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Turbo Attack | UnknwnGaming | Source Code | 2 | 11-20-2022 01:18 |
known-plaintext attack | eychei | General Discussion | 6 | 04-08-2018 06:03 |
Voice attack cracked | H4vC | General Discussion | 5 | 02-01-2017 16:23 |
RC4 Attack | DARKER | General Discussion | 1 | 02-27-2015 02:44 |