Themida Attack
 

Hi,

I'm a pe-crypter Lover and i really like check all new protections around ,
i recently unpacked SDProtetor , ACprotect , Some Armadillo version and so on.Now i'm on an old friend called 'Themida'.Why i say an old friend , well as all you probably know Themida is the evolution of Xprotector.
I've downloaded Themida from hxxp://www.oreans.com/ today and i've started to check.
Themida use the ring0 .sys (Oreans.sys) as the Xprotector do (xprotector.sys).All the Xprotector stuff is here so dont expect to easy
dump , rebuild and so on.Sice is Realtime Killed :P and no way to read from
Process Memory.
The First think to do is study the Oreans.sys , so we need to decrypt it and then rewrite a new Full Emu Oreans.sys.
Well This is not a joke like others pe-crypters so if someone want to join my work maybe we will go a bit faster.
We can use this thread to write our progress.

Thanks to all.

Yado of Lockless.

yey! Yado!?

about xprot we collected some info & main info is:
(xport is not joke but) xprot IS INCORRECT.
you can use search;

so I'm not playing with incorrectness.
Who knows, maybe they are correct in new version??

better about your Krypton.. in last year started unpacking K05,
but then i stop, bcoz there was bag(K-protected programs crash);
Did you corrected bug &or new version of Krypton?

Hi,
i ask for a collaboration for study themida , all help will be ok , no 'you can use search' , i'm able to use search.
Yes they make a lot of works on themida , and it is a really better pe-crypter than xprotector.
Well a lot of time is passed since i release krypton 0.5 , and well K-execution dont 'crash' all programs' not all works i know , for example krypton.exe itself is protected with all k-execution stuff.
Anyway i've done a lot of works on krypton after 0.5 , i've done a 0.6 personal and a 0.7/0.8 beta.
After this one (0.8) i've stopped krypton and i've Rewrite all code.
Now Krypton is Called : "Krypton GT" and for now is not pubblic.
I Rewrite all K-execution stuff (now i use a full disas. engine and the compatibility is 80/90 %) and add a lot of new feauture.

I've not a Release date , it will be released 'when it's done'.
For now i use for crypt my personal software release.

Yado of Lockless.

hi there yado! nice to know u're still alive... :D

I already started doing some study on that target but I'll need
to code a tool before continue to help me removing the junk code...

I'm not sure but I think one of xprotector's author used to watch this (or RCE) boards
so... :confused:

I cant quarantie that my participation will be high on this (due freetime),
but I'll try :)

btw, cant wait for your krypton ;)

cya,
coder of Lockless

Yeahh , i'm still alive :P
and with you all ok ?

xprotector's author used to watch this ?
well i want to say him that i really like his works and
when i think to my pe-crypter i want to make like his one,
and he know that he can't clain that his pe-crypter is
really secure if noone have tryed to decrypt it.

You cant quarantie your participation ? no probs , all helps will be ok !

And well for krypton gt all i can say that will released this year =P

See yaa !

Yado of Lockless

Indeed a nice protector :eek: ...

Br;)

I'll contat you no probs , but why no share knowledge with other people ?

Yado Of Lockless.

becouse its too precious :)

hey .:hack3r2k , i've contact you but i got no reply.

Btw , i've finished to add to my sys the anti drx & anti int3
probably in next day i'll be able to run it with sice so i'll start to
debug it.

When i've the full working .sys i'll post here.

Yado of Lockless.

Hi, Themida is used in Total Multiserver v1.45 software

cheers.

You already know what the sys does? I already traced the first ioctl
message sended to the device (ioctl code = 1800h).
It gets some procedures addresses from ntoskrnl:
-PsGetCurrentProcessId
-IoGetCurrentProcess
-Ke386IoSetAccessProcess
-ObReferenceObjectByHandle
-PsProcessType
-Ke386SetIoAccessMap

Saves vector 1 and 3 of IDT. Changes the access flags of
some blocks of memory allocated at runtime and IDT page from
super-visor to user-mode.

The ioctl 1800h returns some data in the 50h chars long buffer,
including locations of those allocated memory blocks.
Besides of other to-study-or-not-facts....

There are other ioctls parsed with id: 1801,1802,1A00.

Making some memory shared between the device and the exe
is an open door to lotsa things I guess...

gotta do more tracing

later ;)

hm
it seems that they change the dpl of int1 from 0 to 3. this makes some sense because they are using some int1 instructions in their usermode code.
and why is there almost no communication between the app and the driver?
do they use the driver only for the handling of exceptions that are generated by their usermode code?
and how the hell do they detect vmware? (they are not using the 'documented' backdoor IO port)

I'm assuming it changes the idt dpl in usermode...
If u have vmware, can u try:
mov ax,ds
test ax,4
jnz ...
And tell me if there's any difference? (in normal NT, bit 100b of ds = 0).
I havent traced much after the ioctl 1800, probably later I might be able to
answer some of those questions :cool:
laters

EDIT: according to the thread replies I've received on the other thread,
it seems to be a 9x\NT detection code...
thread link is:
hxxp://www.exetools.com/forum/showthread.php?t=6427

Hi,Yado!
Can you tell me where your homepage is?

This information I got from xprotector. I'm sure it is still relevant today.
The driver is used to elevate privileges of the usermode application. After the first IO control calls (jemos correctly identified the key elements in it), the application has full read/write access to the driver's memory.
It uses it to do synchronization (ex: wait until some dword in driver = 1) - probably due to the multi-threaded nature of the protection.
I'm not sure if this is still done, but the xprot driver used to give read/write access on the IDT as well; so the user-mode application was able to dynamically change the int1/int3 descriptors.
Another thing which the usermode application has access to is some privileged instructions; mostly for interrupt handling & direct debug register access, like iretd; mov dr0, eax, ...
by detect, do you mean crash? that's what it does here under vmware 4.0.x with windows 2k running on it.

This new "version" might use a less primitive method, an Event created
by the client, named "XprotEvent".

About the access on the IDT, well it already has read write flags (the
page, at least on my puter) so it just (at least until what I've traced)
changes the super-visor flag to user-mode flag to the reasons we already know.

I havent much time to continue the study... maybe soon :(

"how the hell do they detect vmware"

They don't detect it. It is XProtector bug.

By the way: what for the protection should detect VMWare or VirtualPC? For reverser it gives nothing. If you mean no page access (like XProtector feature) for dumping the memory then it still gives you nothing. Why? Because if you are not able to make a dump of non readable protected memory then virtual like environments will not help you to perform further reversing operations needed to rebuild / analyse the protection.

Regards.

I'm worried about my shitty english.

themida seems that not be *VERY* different from xprot

write a dll for helping, which attach the process and dump the image.

disasm it and find out the OEP,and I believe it's possbile:P

Hook the first extern call in any way, than we have a image which data section is not hurt badly, and...and IAT is a boring work. a superman , dragon, wrote a tools for them, but I don't know if it can still work.

is that all? No, SDK IS HADES ON UNPACKING, muhahaha...

I'm worried about my shitty english again.

In this case I prefer trace and learn from it.
Imho, direct unpacking (if we can call it like that), its always faster / easier.
Also since I already started tracing and got me "addicted" to it...

Looking forward to see some yado reply ;)

I think that XProtector - Themida was attack resistant for 2 years + !
This means that it is a very professional application...
Of course it needs some more development but ...heyyy guys,
it is an excellent work !

I am not from the XProtector Development team but i can give
a great BRAVO to joung and talented programmers!
I've tested every EXE Protector that has appeared on the NET.
Only XProtector was attack resistant for a long period of time.

Hi ,
well i'm looking at themida only to learn , not simple for destroy the rafael
work.I think it's a great work , and themida it's a really good stuff to revers.
I think (but it's a my idea) that a ring0 commercial pe-crypter it's not a good think.No ring0 must be used under a protection , and as we can see ,the os developers are trying to deny this sort of activity (see windows 64).The future is not for ring0 protection but for intelligent protection like the VMProtect that use code emulators.

But , hey for a revers study themida is a really good target.I see that some guy already unpack it (not a full working unpack it crash on load exe ) this is good.
I'll continue to write my tools for themida attack.

nothing good i see in xprot.
it is HARD only because of INCORRECT things it does.

Themida 1.0.0.2
 

Themida [1.0.0.2] (25-Jan-05)
[!]
Bug fixed when showing nag screen in protected DLLs with Themida demo version

[!]
Bug fixed when showing custom messages for protected DLLs

[!]
Added internal option to disable CRC on some protected blocks

[!]
Fixed system deadlock in some protected applications when launching them many times per second

[!]
Fixed buffer overflow in disassembly screen when macros are too big

[+]
Added support for Adobe After Effects plugins

[+]
Added support for any Windows kernel names (different from ntoskrnl.exe and ntkrnlpa.exe)

[+]
Added support to detect when an imported DLL is not present in the application to protect

BUG is entire Xprot.. can't by fixed.. only discarded..
i will write some text about disabling NT_security by xprot.
Will then m$ restrict it!?