Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   x64 Themida/Winlicense Unpacking (https://forum.exetools.com/showthread.php?t=19403)

Fyyre 12-16-2019 03:40

x64 Themida/Winlicense Unpacking
 
Hello friends,

I successfully unpacked an x64 game binary protected by Winlicense. However, there is one problem. If I restart my system or send the file to another, it stops working (crashes at the same address).

It has been some time since I have worked with Themida... could someone kindly nudge me in the right direction?

Edit: I forgot to mention, I am doing this under Windows 10 x64 10.0.18363.535 with x64dbg

Ever so grateful,

-Fyyre

user1 12-16-2019 14:57

If I remember correctly, unpacked VMP had such a problem related to CPUID, if I'm correct about that.

deepzero 12-16-2019 17:15

Well, he says it also happens after a reboot...
But similarly, it's probably that imports are not properly reconstructed. Meaning the address of an imported API is hardcoded to a specific address in your dump and not read from the IAT. This address changes with each reboot thanks to ASLR.

To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crash site is probably hard because you don't know what the addresses pointed to back when you first unpacked it.

Conquest 12-16-2019 19:50

Themida and VMP apply artifact-based detection. Consider searching for Themida anti-dump documents for the details.

Fyyre 12-17-2019 01:44

Quote:

Originally Posted by deepzero (Post 118915)
Well, he says it also happens after a reboot...
But similarly, it's probably that imports are not properly reconstructed. Meaning the address of an imported API is hardcoded to a specific address in your dump and not read from the IAT. This address changes with each reboot thanks to ASLR.

To verify if this is your problem you can turn off ASLR, unpack your file again, and see if it works after a reboot then. Backtracing from the crash site is probably hard because you don't know what the addresses pointed to back when you first unpacked it.

Hi deepzero,

I agree ASLR is the only reasonable answer here. The IAT is fine, it is not loading at a different address... the trouble I am seeing is arising from the combined code+data section of Themida/WL. In this situation, our crash location is like:

Code:

mov rax, [r8+rdx*8]

or something like this. I will focus on ASLR, as the exe has /TSAWARE set, which controls ASLR, afaik.

Quote:

Originally Posted by Conquest (Post 118917)
Themida and VMP apply artifact-based detection. Consider searching for Themida anti-dump documents for the details.

This has nothing to do with my situation.
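Since the two posts above hinge on whether the binary is actually subject to ASLR, here is an added example (not code from the thread or from any poster) that reads the PE headers and reports the bits the loader consults. The flag that opts an image into ASLR is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, the linker's /DYNAMICBASE), and the loader can only honour it when relocations have not been stripped (IMAGE_FILE_RELOCS_STRIPPED clear); IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE (0x8000, the linker's /TSAWARE) is a separate bit that has no effect on rebasing. Note that this verdict concerns the image's own base; Windows also randomises the load address of system DLLs once per boot, so an absolute pointer into kernel32 captured in a dump is stale after a reboot regardless of what this script reports. The sample headers at the bottom are constructed for the example and are not loadable images.

```python
import struct

# Flag values from the Microsoft PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                      # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020        # OptionalHeader.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040           # set by the linker's /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000  # set by the linker's /TSAWARE
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_aslr_info(data: bytes) -> dict:
    """Read the headers of a PE image and return the fields that decide
    whether the loader may rebase it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, _nsections, _timestamp, _symptr, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both optional header layouts.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "machine": machine,
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "tsaware": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def aslr_verdict(info: dict) -> str:
    """Summarise what the loader will do with the image base."""
    if info["dynamic_base"] and not info["relocs_stripped"]:
        return "relocatable: image base is randomised per process"
    if info["dynamic_base"]:
        return "DYNAMIC_BASE set but relocations stripped: cannot be rebased"
    return "fixed base: DYNAMIC_BASE not set"


def build_minimal_pe_header(image_base, characteristics, dll_chars, pe32plus=True) -> bytes:
    """Constructed test input: DOS stub, PE signature, COFF header and an
    optional header with no sections. Enough for parse_pe_aslr_info,
    not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a typical x64 linker output (EXECUTABLE_IMAGE |
# LARGE_ADDRESS_AWARE, ASLR on), and an image that only carries the
# TSAWARE bit and has had its relocations stripped.
SAMPLE_ASLR_X64 = build_minimal_pe_header(
    0x140000000, 0x0022,
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
    | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)
SAMPLE_FIXED_X64 = build_minimal_pe_header(
    0x140000000, 0x0022 | IMAGE_FILE_RELOCS_STRIPPED,
    IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)

if __name__ == "__main__":
    import sys
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_ASLR_X64, SAMPLE_FIXED_X64]
    for blob in blobs:
        info = parse_pe_aslr_info(blob)
        print(f"base={info['image_base']:#x} dynamic_base={info['dynamic_base']} "
              f"tsaware={info['tsaware']} relocs_stripped={info['relocs_stripped']} "
              f"-> {aslr_verdict(info)}")
```

Run it with one or more file paths to inspect real images, or with no arguments to see the two constructed headers: the first reports as relocatable, the second, despite its TSAWARE bit, as fixed base.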

adastmin 12-19-2019 18:05

I can help with that. Perhaps we are both trying the same file. https://prnt.sc/qczcbs

MrScotc 01-03-2020 14:52

Keep an eye on rbp (v2) and rdi (v3) before it goes into the Themida section.
Themida tries to use a static constant, which someone called the "align number", to locate its data.

Fyyre 01-03-2020 20:48

Quote:

Originally Posted by adastmin (Post 118942)
I can help with that. Perhaps we are both trying the same file. https://prnt.sc/qczcbs

Your screenshot shows far too little information to be useful.

Nor am I interested in anything from you or your son of a bitch friend.

P.S.

And if you are inside of NCSoft? Congratulations, and do not attempt to contact me again.
