Exetools  

  #1  
Old 10-13-2019, 06:27
Sany
unpack Themida/Winlicense 2.x / finding OEP / 64bit

Hello,

I have a packed 64-bit application that is packed/obfuscated with Themida 2.x (or higher) or Winlicense 2.x or higher...

Now, my problem is that all OllyDbg unpacking scripts for Themida are out, because the application is 64-bit. I've tried Themida 2.x unpacking tools (UnThemida 2x, 3x from Coldfever), which end in the anti-debugger sequence and a message box, and the application is terminated. The code for the anti-debugger sequence unpacks itself, and the strings are obfuscated.

Because I can start the application with x64dbg and IDA Pro without anti-debugger detection, I can analyze the application; this takes a while, but the original file is 47 MB in size.

Now, after the complete execution of the application and dumping the application via Scylla (with the fake OEP from Themida and correct imports without errors; the file checksum is wrong), the application doesn't run without a message... I tried a PE rebuild, but this does not work.

When I start the dumped application in x64dbg or IDA, I get the exception c0000005 for a memory access error. I am not able to find the original OEP of the application... :/

Can anybody give me tips, please, to resolve my problem?
All times are GMT +8.