Themida Attack

Hi,

I'm a pe-crypter Lover and i really like check all new protections around ,
i recently unpacked SDProtetor , ACprotect , Some Armadillo version and so on.Now i'm on an old friend called 'Themida'.Why i say an old friend , well as all you probably know Themida is the evolution of Xprotector.
I've downloaded Themida from hxxp://www.oreans.com/ today and i've started to check.
Themida use the ring0 .sys (Oreans.sys) as the Xprotector do (xprotector.sys).All the Xprotector stuff is here so dont expect to easy
dump , rebuild and so on.Sice is Realtime Killed :P and no way to read from
Process Memory.
The First think to do is study the Oreans.sys , so we need to decrypt it and then rewrite a new Full Emu Oreans.sys.
Well This is not a joke like others pe-crypters so if someone want to join my work maybe we will go a bit faster.
We can use this thread to write our progress.

Thanks to all.

Yado of Lockless.

yey! Yado!?

about xprot we collected some info & main info is:
(xport is not joke but) xprot IS INCORRECT.
you can use search;

so I'm not playing with incorrectness.
Who knows, maybe they are correct in new version??

better about your Krypton.. in last year started unpacking K05,
but then i stop, bcoz there was bag(K-protected programs crash);
Did you corrected bug &or new version of Krypton?

Hi,
i ask for a collaboration for study themida , all help will be ok , no 'you can use search' , i'm able to use search.
Yes they make a lot of works on themida , and it is a really better pe-crypter than xprotector.
Well a lot of time is passed since i release krypton 0.5 , and well K-execution dont 'crash' all programs' not all works i know , for example krypton.exe itself is protected with all k-execution stuff.
Anyway i've done a lot of works on krypton after 0.5 , i've done a 0.6 personal and a 0.7/0.8 beta.
After this one (0.8) i've stopped krypton and i've Rewrite all code.
Now Krypton is Called : "Krypton GT" and for now is not pubblic.
I Rewrite all K-execution stuff (now i use a full disas. engine and the compatibility is 80/90 %) and add a lot of new feauture.

I've not a Release date , it will be released 'when it's done'.
For now i use for crypt my personal software release.

Yado of Lockless.

hi there yado! nice to know u're still alive...

I already started doing some study on that target but I'll need
to code a tool before continue to help me removing the junk code...

I'm not sure but I think one of xprotector's author used to watch this (or RCE) boards
so...

I cant quarantie that my participation will be high on this (due freetime),
but I'll try

btw, cant wait for your krypton

cya,
coder of Lockless

Yeahh , i'm still alive :P
and with you all ok ?

xprotector's author used to watch this ?
well i want to say him that i really like his works and
when i think to my pe-crypter i want to make like his one,
and he know that he can't clain that his pe-crypter is
really secure if noone have tryed to decrypt it.

You cant quarantie your participation ? no probs , all helps will be ok !

And well for krypton gt all i can say that will released this year =P

See yaa !

Yado of Lockless

[.:hack3r2k:.]

Indeed a nice protector ...

Br

I'll contat you no probs , but why no share knowledge with other people ?

Yado Of Lockless.

becouse its too precious

hey .:hack3r2k , i've contact you but i got no reply.

Btw , i've finished to add to my sys the anti drx & anti int3
probably in next day i'll be able to run it with sice so i'll start to
debug it.

When i've the full working .sys i'll post here.

Yado of Lockless.

[LordGarfio]

Hi, Themida is used in Total Multiserver v1.45 software

cheers.

Quote:

Btw , i've finished to add to my sys the anti drx & anti int3
probably in next day i'll be able to run it with sice so i'll start to
debug it.

You already know what the sys does? I already traced the first ioctl
message sended to the device (ioctl code = 1800h).
It gets some procedures addresses from ntoskrnl:
-PsGetCurrentProcessId
-IoGetCurrentProcess
-Ke386IoSetAccessProcess
-ObReferenceObjectByHandle
-PsProcessType
-Ke386SetIoAccessMap

Saves vector 1 and 3 of IDT. Changes the access flags of
some blocks of memory allocated at runtime and IDT page from
super-visor to user-mode.

The ioctl 1800h returns some data in the 50h chars long buffer,
including locations of those allocated memory blocks.
Besides of other to-study-or-not-facts....

There are other ioctls parsed with id: 1801,1802,1A00.

Making some memory shared between the device and the exe
is an open door to lotsa things I guess...

gotta do more tracing

later

[niom]

Quote:

Originally Posted by jemos

Saves vector 1 and 3 of IDT. Changes the access flags of
some blocks of memory allocated at runtime and IDT page from
super-visor to user-mode.

hm

Code:

kd> !descriptor idt 1
------------------- Interrupt Gate Descriptor --------------------
IDT base = 0x8003F400, Index = 0x01, Descriptor @ 0x8003f408
8003f408 6f ad 08 00 00 8e 4d 80 
Segment is present, DPL = 0, System segment, 32-bit descriptor
Target code segment selector = 0x0008 (GDT Index = 1, RPL = 0)
Target code segment offset = 0x804dad6f
[....]
kd> g
Winlicense driver loaded in memory
kd> !descriptor idt 1
------------------- Interrupt Gate Descriptor --------------------
IDT base = 0x8003F400, Index = 0x01, Descriptor @ 0x8003f408
8003f408 6f ad 08 00 00 ee 4d 80 
Segment is present, DPL = 3, System segment, 32-bit descriptor
Target code segment selector = 0x0008 (GDT Index = 1, RPL = 0)
Target code segment offset = 0x804dad6f

it seems that they change the dpl of int1 from 0 to 3. this makes some sense because they are using some int1 instructions in their usermode code.
and why is there almost no communication between the app and the driver?
do they use the driver only for the handling of exceptions that are generated by their usermode code?
and how the hell do they detect vmware? (they are not using the 'documented' backdoor IO port)

I'm assuming it changes the idt dpl in usermode...
If u have vmware, can u try:
mov ax,ds
test ax,4
jnz ...
And tell me if there's any difference? (in normal NT, bit 100b of ds = 0).
I havent traced much after the ioctl 1800, probably later I might be able to
answer some of those questions
laters

EDIT: according to the thread replies I've received on the other thread,
it seems to be a 9x\NT detection code...
thread link is:
hxxp://www.exetools.com/forum/showthread.php?t=6427

Hi,Yado!
Can you tell me where your homepage is?

Quote:

Originally Posted by niom

and why is there almost no communication between the app and the driver?
do they use the driver only for the handling of exceptions that are generated by their usermode code?

This information I got from xprotector. I'm sure it is still relevant today.
The driver is used to elevate privileges of the usermode application. After the first IO control calls (jemos correctly identified the key elements in it), the application has full read/write access to the driver's memory.
It uses it to do synchronization (ex: wait until some dword in driver = 1) - probably due to the multi-threaded nature of the protection.
I'm not sure if this is still done, but the xprot driver used to give read/write access on the IDT as well; so the user-mode application was able to dynamically change the int1/int3 descriptors.
Another thing which the usermode application has access to is some privileged instructions; mostly for interrupt handling & direct debug register access, like iretd; mov dr0, eax, ...

Quote:

and how the hell do they detect vmware? (they are not using the 'documented' backdoor IO port)

by detect, do you mean crash? that's what it does here under vmware 4.0.x with windows 2k running on it.