Exetools  

#1  04-25-2021, 06:06
Reaper (Friend, joined Apr 2021, 3 posts)
Winlicense (Themida) 2.4.6 x64 Help for Bypass/Unpack

Hi guys!
I'm asking for your help as the most skillful reversing community that I know. For a long time I haven't been able to find any tools/tuts/help to unpack or even bypass the HWID lock of the x64 version of the WinLicense (Themida) packer.
I spent 4 months testing a lot of methods (from RunPE dump to writing my own hypervisor for full OS hardware emulation) but still haven't defeated this protector - WinLicense 2.4.6 x64.
So when I found this community, I decided to ask; maybe someone had a similar experience and can help with unpacking or give some advice, links, any info or tools.
So - the target is an x64 C++ console application (and I also have a working regkey), packed with WinLicense 2.4.6 x64 (ExeInfoPE, DIE 3 detection) and locked to HWID (all 4 options: CPU, HDD, BIOS, MAC).
I can bypass anti-VM and anti-debug. Also I can see API calls via external tools (WinApiOverride, Deviare SpyStudio). Also I explored how Themida gathers the HWID, all 4 parts (dwords) and the methods (API calls) it uses to get them. And maybe I will just finish my hook app to bypass HWID, but for CPU identification Themida uses CPUID, which is an asm mnemonic and can't be hooked from user space (only from a driver, like my own hypervisor).
I started searching for the most simple working Intel VT-x hypervisor which implements CPUID spoofing, but there are tons of bugs and it's hard to debug and write.

So I still hope that someone had a similar experience in the past with unpacking/bypassing the x64 version of Themida / WinLicense, and I ask for any help.
#2  04-29-2021, 23:13
user1 (Family, Romania, joined Sep 2012, 893 posts)
I'm curious about HWID emulation.

Can you share code?
#3  04-30-2021, 18:37
Reaper (Friend, joined Apr 2021, 3 posts)
Quote:
Originally Posted by user1
I'm curious about HWID emulation.

Can you share code?
What code exactly? I still haven't written my own hypervisor, only hooks for the MAC and the NtQueryInformation API; I also have projects for disk spoofing and SMBIOS.
But the last part of the HWID - CPUID - is still not intercepted, because it needs a hypervisor and VM-exit handling.

Also I found a few projects on GitHub for Themida devirtualization and built them, but they don't work for my binary.
Tags
bypass, themida, unpack, winlicense, x64