Guest

Information Unpacking Themida


Guest

This thread was made since there isn't much newer documentation for learning how Themida works. Hopefully, my research will help others out. :) Feel free to exchange information about Themida here. For those who don't know, information is being uploaded here due to a few requests to keep it all a bit more organized: https://github.com/evodz/tea

I'll fill up the git repo as time goes on. I don't have much time to update and dislike writing lengthy topics / tutorials to spell everything out. Information may be scattered because of it.

Edited by Guest
updated.

Guest

Finished Part 2 - Themida Entry Peel

I posted a video, notes, and a script.

Yes, I did notice after I finished that I pressed the wrong button in the beginning. It cut the mic. I hope everyone can still understand what I'm explaining.

Edited by Guest


I must say this is some impressive work :) While there is the LCF script ;( the saddest part is the VM checks and obstructed code that mostly prevents most of it. I think they are still using CISC? :x

Guest
10 minutes ago, NewSprux2.0? said:

You forget to shift the entry-length. 0x1000 >> 2 == 0x400.

Thanks and good catch. As you saw, my notepad goofed the arrows in my notes, so >> became <>. I guess I didn't think of it as a shift when recording haha. I added the fix to my notes.

Edited by Guest

Guest

I talked with @Taku recently and will be continuing it once I am able. I have a lot of information that I would like to continue to share to others and see grow throughout the community. @maplefreak200 it was never my intention to fully delete anything to everything online or locally; I just figured others got what they needed and continued on in their own self studies. The amount of pms / emails I have gotten have mostly just been requesting myself to provide free services for others and rarely did I ever get questions from anything I have posted. In some regard it seemed like it was pointless to continue hence the deletion of my other github account(s) https://github.com/f-ve and the removal of such projects like continuing to update https://github.com/67-6f-64/rebecca online and a few more. The amount of drama which followed online just seemed to just sway my opinion to stop attempting to contribute and focus on other things in life.

tl;dr - will continue again

Edited by Guest

3 hours ago, Ezekiel said:

I talked with @Taku recently and will be continuing it once I am able. I have a lot of information that I would like to continue to share to others and see grow throughout the community. @maplefreak200 it was never my intention to fully delete anything to everything online or locally; I just figured others got what they needed and continued on in their own self studies. The amount of pms / emails I have gotten have mostly just been requesting myself to provide free services for others and rarely did I ever get questions from anything I have posted. In some regard it seemed like it was pointless to continue hence the deletion of my other github account(s) https://github.com/f-ve and the removal of such projects like continuing to update https://github.com/67-6f-64/rebecca online and a few more. The amount of drama which followed online just seemed to just sway my opinion to stop attempting to contribute and focus on other things in life.

tl;dr - will continue again

I managed to finish my CISC devirtualizer 100%. It now has full support for all virtual handlers and can produce almost all cases of x86 instructions:

[screenshot attachment: devirtualizer output]

I have also finished the (in my opinion) biggest steps of FISH, by figuring out how to identify and group handlers of the complex mutating engine. I can now print all the virtual opcodes of the FISH machine using their own internal syntax on older FISH-machines.

Additionally to all that, I have started the development of an IDA plugin to perform these tasks for me, instead of the local unmapper/remapper:

[screenshot attachment: IDA plugin]

Edited by NewSprux2.0?

Such a shame... For the longest time I've been looking to learn how Themida works and consequently, how to unpack it. Thanks for posting this great resource, however, it's such a shame that it has since been removed :(

On 7/24/2017 at 04:18, NewSprux2.0? said:

I managed to finish my CISC devirtualizer 100%. It now has full support for all virtual handlers and can produce almost all cases of x86 instructions:

[screenshot attachment: devirtualizer output]

I have also finished the (in my opinion) biggest steps of FISH, by figuring out how to identify and group handlers of the complex mutating engine. I can now print all the virtual opcodes of the FISH machine using their own internal syntax on older FISH-machines.

Additionally to all that, I have started the development of an IDA plugin to perform these tasks for me, instead of the local unmapper/remapper:

[screenshot attachment: IDA plugin]

Can you make an unpacked, un-VMed version of the latest Maple, please?


So let's say I want to start learning more about all this. Surely there was a point when each of you was once in my shoes, with a need to understand more, but the information available is too complex or too basic. Where the hell do I go to start learning how to make use of this? Can anyone please point me in the right direction?

Guest
3 hours ago, db4206910 said:

So let's say I want to start learning more about all this. Surely there was a point when each of you was once in my shoes, with a need to understand more, but the information available is too complex or too basic. Where the hell do I go to start learning how to make use of this? Can anyone please point me in the right direction?

Research papers are your friends. I have been making some tutorial snippets to explain some concepts; I have yet to post them, but the idea of virtual machines is really straightforward. The best example I can give you that you can probably practice on is the GCHQ "Can You Crack It" challenge from 2011 and the fe-ddis challenge from this spring 2017; both are fairly similar if you compare the two. However, commercial virtualization takes it a step further from these job-hiring challenges and implements joy and happiness. I'm kidding: obfuscation, cycle redundancy, and encryption are typically more heavily focused on and beefed up. The logic of the machine, however, doesn't really change. Stay tuned in the following weeks.

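The post above describes commercial virtualization as an ordinary interpreter with obfuscation and encryption layered on top, and earlier in the thread a devirtualizer is described as mapping virtual handlers back to x86 instructions. The following toy is an added illustration of both ideas and is not code from this thread, from any poster, or from Themida: a handler-table stack VM in Python whose opcodes are xor-masked with a constructed key (standing in for real opcode encryption), plus a small lifter that, once each handler's semantics are known, emits a native-style listing. The opcode numbers, the key, the sample program and every function name are constructed for the example.

```python
# Added example (not code from this thread or its posters): a toy
# handler-table VM. Opcode values, the xor "encryption" and the sample
# program are all constructed for illustration.

from typing import Callable, Dict, List, Tuple

KEY = 0x5A  # constructed opcode-xor key standing in for real encryption
MASK32 = 0xFFFFFFFF

# Constructed virtual ISA: a stack machine over 32-bit values.
OP_PUSH, OP_ADD, OP_MUL, OP_XOR, OP_RET = 0x01, 0x02, 0x03, 0x04, 0x05

Instr = Tuple[int, int]  # (opcode, operand); operand unused for most ops


def encode(program: List[Instr]) -> List[Instr]:
    """Mask opcodes so the raw bytecode does not reveal which handler runs."""
    return [((op ^ KEY) & 0xFF, arg) for op, arg in program]


class ToyVM:
    """Fetch/decode/dispatch loop: every virtual opcode maps to one handler."""

    def __init__(self) -> None:
        self.stack: List[int] = []
        self.handlers: Dict[int, Callable[[int], None]] = {
            OP_PUSH: self._push,
            OP_ADD: lambda _: self._binop(lambda a, b: a + b),
            OP_MUL: lambda _: self._binop(lambda a, b: a * b),
            OP_XOR: lambda _: self._binop(lambda a, b: a ^ b),
        }

    def _push(self, arg: int) -> None:
        self.stack.append(arg & MASK32)

    def _binop(self, fn: Callable[[int, int], int]) -> None:
        b, a = self.stack.pop(), self.stack.pop()
        self.stack.append(fn(a, b) & MASK32)

    def run(self, code: List[Instr]) -> int:
        pc = 0
        while pc < len(code):
            enc_op, arg = code[pc]
            pc += 1
            op = enc_op ^ KEY  # decode the masked opcode before dispatch
            if op == OP_RET:
                return self.stack.pop()
            handler = self.handlers.get(op)
            if handler is None:
                raise ValueError(f"unknown virtual opcode {op:#04x} at index {pc - 1}")
            handler(arg)
        raise ValueError("bytecode ran off the end without OP_RET")


# Lifter: once each handler's semantics are identified, every virtual opcode
# maps back to a native-style mnemonic. That mapping is the core of a
# devirtualizer; the hard part in practice is building the table.
MNEMONIC = {OP_PUSH: "push {arg:#x}", OP_ADD: "add", OP_MUL: "mul",
            OP_XOR: "xor", OP_RET: "ret"}


def lift(code: List[Instr]) -> List[str]:
    listing = []
    for enc_op, arg in code:
        op = enc_op ^ KEY
        if op not in MNEMONIC:
            raise ValueError(f"unknown virtual opcode {op:#04x}")
        listing.append(MNEMONIC[op].format(arg=arg))
    return listing


# Constructed sample program: computes (6 * 7) ^ 0xFF.
PROGRAM: List[Instr] = [(OP_PUSH, 6), (OP_PUSH, 7), (OP_MUL, 0),
                        (OP_PUSH, 0xFF), (OP_XOR, 0), (OP_RET, 0)]


def run_demo() -> int:
    """Execute the masked sample program on the toy VM."""
    return ToyVM().run(encode(PROGRAM))


if __name__ == "__main__":
    print("\n".join(lift(encode(PROGRAM))))
    print("result:", hex(run_demo()))
```

The point of the toy is the shape, not the strength: the interpreter loop and the handler table are what stay constant across protectors, while the masking step is where real products add mutation and per-build encryption, so a lifter like `lift` is only useful after the handler-identification work the thread describes.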
14 hours ago, Ezekiel said:

Research papers are your friends. I have been making some tutorial snippets to explain some concepts; I have yet to post them, but the idea of virtual machines is really straightforward. The best example I can give you that you can probably practice on is the GCHQ "Can You Crack It" challenge from 2011 and the fe-ddis challenge from this spring 2017; both are fairly similar if you compare the two. However, commercial virtualization takes it a step further from these job-hiring challenges and implements joy and happiness. I'm kidding: obfuscation, cycle redundancy, and encryption are typically more heavily focused on and beefed up. The logic of the machine, however, doesn't really change. Stay tuned in the following weeks.

I've recently started messing around a little with Olly, trying to unpack some simple executable that was on their site. But should I lean more towards IDA, seeing as it has a lot more functions that may make it easier in the future? I would love to get help and see resources put out there for those that want to learn but just don't know where to start.

On 2/23/2017 at 05:54, Ezekiel said:

You might go mad doing this. This thread was made since there isn't much newer documentation for learning how Themida works. Hopefully, my research will help others out. :) Feel free to exchange information about Themida here.

Part 1 - Themida Overview:

Part 2 - Themida Entry Peel:

Part 3 - Themida Demangler:

Part 4 - Overlaying Deobfuscation:


Video: TODO

Notes: TODO

Script: TODO

Sample: MapleStory.exe

Part 5 - Internal Deobfuscation:


Video: TODO

Notes: TODO

Script: TODO

Sample: MapleStory.exe

Can you reupload the links?

Guest

@db4206910 and @Ful3NN you can find some of the info on GitHub now. Sorry for taking a while; I've been busy / haven't been feeling well. Look at the thread header for the link. @db4206910 work in whatever environment floats your boat the best. Personally I dislike using IDA constantly since their "analysis algorithm" makes a lot of mistakes, and Cheat Engine is no better and worse. Currently I have been sticking to x64dbg to do everything after falling in love with the code behind it and the ease of usage with the API. Regardless, you need to touch up on your knowledge a bit beforehand before cracking at it. Not saying you can't at the moment. Heck, you could start fiddling with it right now and probably understand quite a bit from the traces unpacking section. All in all, it just takes time to understand things.
